Online Attack Hits US Government Web Sites 199
angry tapir writes "A botnet composed of about 50,000 infected computers has been waging a war against US government Web sites and causing headaches for businesses in the US and South Korea. The attack started Saturday, and security experts have credited it with knocking the Federal Trade Commission's (FTC's) web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the Department of Transportation."
Pull the Gdamn plug! (Score:4, Informative)
All that is required is to pull the damn plug on these bots. Each of these machines has an IP address which it advertises every time it makes an attack. That's right folks: The return IP address is part of the header. You can't route packets without this information.
These feral packets _ALSO_ come into the ISP's routers. It is easy to identify them. Uninfected machines don't normally sit there and hammer away at port Blah. Some of the worst ports are 80 (html), 25 (mail) and 22 (SSH).
One really needs to only look at the ports that the botnet tries to exploit.
A simple solution is to pull the plug. A solution which is slightly more difficult is to block the ports the botnet is trying to attack on and then redirect any web access to a banner page advising the owner their machine is cracked and what to do about it... or a tech could phone the client.
_any_ ISP can do this. If they don't do it then they don't want to. As for consumer rights - crap! It's the ISPs which write the Terms of Service. They can put pretty much any terms they want providing said terms are considered reasonable. The public will probably not object. Spammers might however but then who cares if they can't find an uplink.
So the first place to start is at the ISP level.
Next: I've blocked botnets of more than 50,000 machines. I use OpenBSD on the webservers and on the firewalls. It's not that hard to do. Pf can easily handle this. If the server admins over at the "US Government Web Sites" can't handle this then IMHO they are incompetent. For reference, here is an example of how to block these bots in PF:
pfctl -t spammers -T add 190.174.220.241
pfctl -t spammers -T add 67.10.200.220
pfctl -t spammers -T add 125.161.37.199
pfctl -t spammers -T add 71.218.209.198
pfctl -t spammers -T add 202.28.120.19
This is a shell script BTW. Extracting the list of bots can be done by scanning the appropriate logs.
Re:blame China (Score:3, Informative)
purple monkey dishwasher
Re:Brilliant insight - yet used wrong... (Score:3, Informative)
> As you have so insightfully put it "How much connectivity does NK have?"
That's irrelevant. The bots are not in North Korea and the government behind the attack could communicate with the controllers (who could be anywhere) via short-wave radio. The attacker may not even have created the botnet: they may have purchased it on the open market.
I agree that there is no direct evidence of North Korean involvement, though.
Re:Pull the Gdamn plug! (Score:5, Informative)
Each of these machines has an IP address which it advertises every time it makes an attack. That's right folks: The return IP address is part of the header. You can't route packets without this information.
Not necessarily. For SYN flood [wikipedia.org] the src address can be spoofed, since the attacker doesn't care if he gets the SYN-ACK.
What the ISPs could do for this is to filter outbound traffic such that if the src IP is not on their network (i.e., is spoofed) the packet is dropped.
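The filter described in the reply above is what BCP 38 calls source address validation: an access network only ever originates packets from its own prefixes, so anything leaving with another source address is spoofed and can be dropped. The script below is an added example, not the commenter's, of that check applied to a set of outbound flow records. The prefix list (`OUR_PREFIXES`) and the flow records in `sample_flows` are constructed for the demo, as is the pf rule in the comment; the real rule would be placed on the customer-facing interface of the ISP's edge router.

```sh
#!/bin/sh
# Added example (not from the original comment): BCP 38 / egress filtering.
# Assumed: the ISP's customer address space is the (hypothetical) prefix list
# below. Flow records are constructed "src dst" pairs seen at the ISP edge.
#
# The equivalent pf rule, with the prefixes loaded into a table <ours> and
# the customer-facing interface in $cust_if, would be:
#   block in quick on $cust_if from ! <ours> to any
# This is the constructed demo; the shell functions below implement the same
# decision so the logic can be exercised on sample data.

OUR_PREFIXES="203.0.113.0/24 198.51.100.0/25"

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if IP $1 lies inside CIDR $2. Shell arithmetic is 64-bit, so the
# mask is built by shifting and truncating back to 32 bits.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print "pass" if an outbound packet with source $1 is allowed to leave the
# ISP, "drop" if its source address is not one the ISP is responsible for.
egress_verdict() {
    for p in $OUR_PREFIXES; do
        if in_cidr "$1" "$p"; then echo pass; return 0; fi
    done
    echo drop
    return 0
}

# Constructed flow records: source and destination of outbound packets.
sample_flows() {
cat <<'EOF'
203.0.113.17 192.0.2.10
198.51.100.200 192.0.2.10
10.0.0.5 192.0.2.10
198.51.100.9 192.0.2.10
EOF
}

# Read flows on stdin and print the ones the egress filter would drop.
spoofed_flows() {
    while read -r src dst; do
        if [ "$(egress_verdict "$src")" = drop ]; then
            echo "$src -> $dst"
        fi
    done
}

sample_flows | spoofed_flows
```

Note what the filter does and does not achieve: it stops the ISP's customers from spoofing addresses outside the ISP's own space, which removes the SYN-flood spoofing case from the reply above, but it does nothing for packets that carry a genuine customer address. A bot sending real, unspoofed HTTP requests passes this check every time, which is why the per-source rate counting from the earlier post is still needed alongside it.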
Re:How do you know they went down? (Score:3, Informative)
ftc.gov? Nobody goes to those sites...
I do. It's the home of the National Do Not Call Registry. www.donotcall.gov.
Also notice that registrations there no longer expire every 5 years!
Re:How do you know they went down? (Score:3, Informative)
Honestly, when was the last time you went to ftc.gov?
I send people here [ftc.gov] all the time to point out credit card misconceptions.
Re:Internet Sovereignty (Score:1, Informative)
U.S. and N.K. are still at war, no need to declare a new one.