Forgot your password?
typodupeerror
Security United States News

Online Attack Hits US Government Web Sites 199

Posted by Soulskill
from the world-war-three-point-oh dept.
angry tapir writes "A botnet composed of about 50,000 infected computers has been waging a war against US government Web sites and causing headaches for businesses in the US and South Korea. The attack started Saturday, and security experts have credited it with knocking the Federal Trade Commission's (FTC's) web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the Department of Transportation."
This discussion has been archived. No new comments can be posted.

Online Attack Hits US Government Web Sites

Comments Filter:
  • Internet Sovereignty (Score:4, Interesting)

    by andrewd18 (989408) on Wednesday July 08, 2009 @10:01AM (#28621503)
    I'm just curious when or if rules are going to be put up about Internet sovereignty, so that an attack on a website is seen as an act of war.

    I can totally see a situation where a US gov't website or economic hub (e.g. stock exchange servers) would get hit by a series of computers based out of N. Korea, the US declares war on N. Korea for violating US internet sovereignty, and the whole thing was a setup by a third party looking to create and exploit a power vacuum.

    Maybe I've been reading too many NetForce novels, but the whole idea scares me, and I have the feeling that most people in America wouldn't understand why... particularly the people who make the laws about this kind of thing.
    • by rastilin (752802) on Wednesday July 08, 2009 @10:06AM (#28621571)

      I'm just curious when or if rules are going to be put up about Internet sovereignty, so that an attack on a website is seen as an act of war. I can totally see a situation where a US gov't website or economic hub (e.g. stock exchange servers) would get hit by a series of computers based out of N. Korea, the US declares war on N. Korea for violating US internet sovereignty, and the whole thing was a setup by a third party looking to create and exploit a power vacuum. Maybe I've been reading too many NetForce novels, but the whole idea scares me, and I have the feeling that most people in America wouldn't understand why... particularly the people who make the laws about this kind of thing.

      What stops people doing that is the same thing that stops them doing it in the physical world. People have been trying to frame others for military attacks since the dawn of human history and the main deterrant is that if it backfires not only will the government become destabilized from within as people oppose the subterfuge but both involved nations with pile on it simultaneously.

      Not to mention, even if they succeed, it will come back to haunt them at some later point after their intervention is discovered.

    • That's actually an interesting brain teaser. On so many levels.

      First, nothing's more trivial than to frame someone in such an attack. The computers participating are usually bots, the server is often a hacked box as well (and if not, you can rent one for little money), it's nothing you could easily trace to the source.

      Second, will people understand why they should fight and possibly die for a virtual attack, people who don't use a computer and don't know the importance of the internet to modern commerce and

      • by sjames (1099)

        I could see it going fully virtual. N. Korea attacks .gov servers, you get a notice from the DoD that your computer has been drafted to fight in the war, slamming N.Korea's routers with a DDOS.

        Next they hit the middle schools offering various awards to the kiddez who hack N. Korean websites.

  • Who Cares? (Score:5, Insightful)

    by VoxMagis (1036530) on Wednesday July 08, 2009 @10:15AM (#28621727)

    I'm sorry, but if this has nothing to do with Michael Jackson, apparently no one cares.

  • by Chrisq (894406) on Wednesday July 08, 2009 @10:16AM (#28621743)
    US Government websites attacked... but slashdot is OK so what the heck.
    • Re: (Score:2, Insightful)

      by RileyBryan (1475681)
      An attack on Slashdot would be an attack on precisely the wrong demographic: the ones who are capable of defending themselves.
  • by castironpigeon (1056188) on Wednesday July 08, 2009 @10:28AM (#28621909)
    Seriously, if SC2 were out already those Asian tweens would have something else to keep them busy.
  • by 2obvious4u (871996) on Wednesday July 08, 2009 @10:29AM (#28621939)
    Honestly, when was the last time you went to ftc.gov [ftc.gov]? Nobody goes to those sites...

    Now if google [google.com], wiki [wikipedia.org], or itunes [apple.com] goes down, then PANIC!
    • Lots of people go to ftc.gov -- its traffic rank is around 10,000...

    • Re: (Score:3, Informative)

      by biobogonics (513416)

      ftc.gov? Nobody goes to those sites...

      I do. It's the home of the National Do Not Call Registry. www.donotcall.gov.

      Also notice that registrations there no longer expire every 5 years!

    • Re: (Score:3, Informative)

      by skeeto (1138903)

      Honestly, when was the last time you went to ftc.gov?

      I send people here [ftc.gov] all the time to point out credit card misconceptions.

    • Actually, in the best tradition of the "dog at midnight" (http://en.wikipedia.org/wiki/Silver_Blaze), what's most significant are the sites that are NOT reporting problems, including *.mil, dhs.gov and state.gov. Thus it seems to me that some parts of government have much better/more hardened infrastructures than others.

      A couple of posts below this "Pull the Gdamn plug!" and some of the responses, lay down thoughts on shutting down DDOS attacks.

      My first thought was "OK, was this attack targeted to anything

  • Pull the Gdamn plug! (Score:4, Informative)

    by cdn-programmer (468978) <terr@terralo[ ].net ['gic' in gap]> on Wednesday July 08, 2009 @10:32AM (#28621979)

    All that is required is to pull the damn plug on these bots. Each of these machines has and IP address which it advertises every time it makes an attack. That's right folks: The return IP address is part of the header. You can't route packets without this information.

    These feral packets _ALSO_ come into the ISP's routers. It is easy to identify them. Uninfected machines don't normally sit there and hammer away at port Blah. Some of the worst ports are 80 (html), 25 (mail) and 22 (SSH).

    One really needs to only look at the ports that the botnet tries to exploit.

    A simple solution is to pull the plug. A solution which is slightly more difficult is to block the ports the botnet is trying to attack on and then redirect any web access to a banner page advising the owner their machine is cracked and what to do about it... or a tech could phone the client.

    _any_ ISP can do this. If they don't do it then they don't want to. As for consumer rights - crap! Its the ISP's which write the Terms of Service. They can put pretty much any terms they want providing said terms are considered reasonable. The public will probably not object. Spammers might however but then who cares if they can't find an uplink.

    So the first place to start is at the ISP level.

    Next: I've blocked botnets of more than 50,000 machines. I use OpenBSD on the webservers and on the firewalls. Its not that hard to do. Pf can easily handle this. If the server admins over at the "US Government Web Sites" can't handle this then IMHO they are incompetent. If reference, here is an example of how to block these bots in PF:

      pfctl -t spammers -T add 190.174.220.241
      pfctl -t spammers -T add 67.10.200.220
      pfctl -t spammers -T add 125.161.37.199
      pfctl -t spammers -T add 71.218.209.198
      pfctl -t spammers -T add 202.28.120.19

    This is a shell script BTW. extracting the list of bots can be done by scanning the appropriate logs.

    • by oneiros27 (46144) on Wednesday July 08, 2009 @10:46AM (#28622225) Homepage

      Although this might help against some types of denial of service attempt where they're making your machine work harder by servicing what look to be legitimate requests, it does not help against attempts at network saturation from incoming packets unless you can block it at the upstream router.

      • Re: (Score:3, Insightful)

        unless you can block it at the upstream router.

        Yes - we need to block at the upstream router. This is why the ISP who connects the bot to the net has to become proactive and stop burying their collective heads in the sand.

        We all know who these ISP's are too. They tend to be the big boys.

        The thing is that they can even write into their terms of service that the customer _agrees_ to a reasonable fee to correct zombie machines. Then they can make money on the "service" they provide.

        OTOH... let me advise o

    • by kybred (795293) on Wednesday July 08, 2009 @11:20AM (#28622809)

      Each of these machines has and IP address which it advertises every time it makes an attack. That's right folks: The return IP address is part of the header. You can't route packets without this information.

      Not necessarily. For SYN flood [wikipedia.org] the src address can be spoofed, since the attacker doesn't care if he gets the SYN-ACK.

      What the ISPs could do for this is to filter outbound traffic such that if the src IP is not on their network (i.e., is spoofed) the packet is dropped.

      • Re: (Score:3, Insightful)

        by shentino (1139071)
        I would not mind if it were made illegal not to do so.

        I cannot think of one legitimate case where spoofed IPs is legitimate.
    • by The Moof (859402)

      This is a shell script BTW. extracting the list of bots can be done by scanning the appropriate logs.

      You can do the same via PF's built in features. Search the FAQ/man pages for the stateful tracking options. It's got several options to restrict/limit the connections per address and lets you start dumping offending addresses into a table automatically.

    • by shentino (1139071)
      IP spoof much?

16.5 feet in the Twilight Zone = 1 Rod Serling

Working...