Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Courts Government News

FBI Releases Updated DDoS Detection Tools 432

Alex Prestin writes, "In an effort to control the recent distributed Denial of Service attacks which everyone's heard about, the FBI has released Linux and Solaris tools to detect the presence (or absence) of the various DDoS daemons. They're available in binary form only (for now). You can get them here." Quote from the page: "Recipients are asked to report significant or suspected criminal activity to their local FBI office." Update: 02/10 07:37 by H :Here's some more information:The author of the DDoS analyses (at staff.washington.edu/dittrich) has released a network scanner to scan for active agents on your network. It includes source, and is available here. PLEASE use it responsibly.
This discussion has been archived. No new comments can be posted.

FBI Releases Updated DDoS Detection Tools

Comments Filter:
  • And more importantly, since they're binary only, does anyone trust them?
    --
    Peace,
    Lord Omlette
    AOL IM: jeanlucpikachu
  • It may be coming in proprietary form, but at least they're releasing it with MD5 checksums, which:
    • Suggests that they support that MD5 is hard to "spoof,"
    • Means that some verification of correctness is possible.
    I'd be more impressed if they offered a 1-800 number where you could call in to verify the MD5 checksum.

    Better still would be to encourage people to call their local FBI office to get that number, which makes it Rather Harder to Spoof...

  • I just don't trust running binary only programs from the US government. This program scans your whole directory tree, looking for signs of the offending program. But, since we don't have the source, we don't know what else it's looking for, or who it's contacting. It also must run be run with root permissions. Personally, I find this a much bigger threat than not being able to day-trade for a few hours.
  • So... I have the ultimate revenge. Load DoS software on the computer of the person you don't like. Then rat them out to the Feds.
    <BR>
    <BR>Mr. FBI Agent: Sure you didn't install that software yourself...
  • by Nathaniel ( 2984 ) on Thursday February 10, 2000 @08:30AM (#1287280)
    Releasing only a binary version of the detection tools is a boneheaded move. The tools will not be installed on nearly as many machines as simply because the source is not available.

    There are already people clamoring over conspricy theories. Now they will suggest that the detection tools might contribute to the problem.

  • by sampowers ( 54424 ) on Thursday February 10, 2000 @08:32AM (#1287283)
    Okay, Let's say i'm an admin of a free unix shell service. I have about 10,000 users (shellyeah.org has this many). I use their tools to find that about 150 of my users are running these ddosd's. Why should I report it to them? I'd simply terminate their access and the daemons. (And maybe report them to their ISP's, tell their mommies, etc).

    Bottom line, why would i want the FBI to take care of it when i can take care of it myself? I could watch the daemons for about a week and try to figure out who else is on the ddos network, and report it to those sysadmins. The 'net isn't FBI ground, no matter what they try to force on the public.
  • It doesn't have to run with root permissions, it will run just fine without although it will give a error message asking if you really want to run it with no permissions.

    strace shows that it is doing what it says it does, scanning everything. As for what it's really looking for... Who knows?

  • What scares the crap out of me is the thought that there is a hugely growing number of Windows boxes being run by people who know little or nothing about even the basics of security that are permanently attached to the net. I can easily imagine some sort of worm program that exploited some piece of poor security in Win95/98 to install itself on tens of thousands of machines. If done correctly, using some sort of chaining scheme, the actual creator would not have to actually touch the vast majority of these systems, making him almost impossible to find. Just send some trigger sequence to one machine, which signals the two it infected, which signals the four it infected, etc, etc.
  • Well, I am running the tool, and folks should know that it looks as though it is written to keep allocating memory as long as it can.. my system has 128megs of RAM and 256megs of swap, and the find_ddos program has totally exhausted my swap space.

    Whatever it's doing, it's doing a lot of it. Be careful not to run it on production systems unless you can stand a bit of a DoS yourself while it runs.

  • OK, this is paranoid but I need to get it off of my chest.

    Others have postulated that government is behind DoS attacks as a publicity strategy to drum up sentiment for pervasive internet monitoring. Rather than government, I wonder if it could be the supporters of the Digital Millenium Copyright Act, such as members of the Software Publishers Association and the Motion Picture and Recording industries They're painting the DVD defendants as "hackers" (which they use incorrectly to mean "computer criminal"). Here's something more to stir up hysteria about "hackers".

    Sure, it could be a blackmail stunt as some people say. But the perpetrators are bound to be caught if that's the case, because they will have to persist in DoS attacks for the protection racket to work, and the persistence will get them caught.

    Thus, I think it might more likely be a ploy to discredit.

    Thanks

    Bruce

  • Requiring root permissions makes sense because it includes the option of scanning running processes, and saving core dumps of them.

    Expecting people to download a binary and run it as root, on the other hand, doesn't show much understanding of the culture.

  • For anyone who's interested in actually doing this blantly illegal activity I have a test machine set up in a computer lab. DoS away at:
    144.35.152.144
  • However, like some others have said, who the hell cares if yahoo goes down for an hour?

    No shit, I realize that terrorism is a bad thing. But i don't run in terror when I can't load /. (i just curse and get back to work). As much as I depend on the Internet to keep me informed and entertained, it's a nice break sometimes to turn the whole thing off and only see the world that my five senses, um, sense.

    I don't see a reason to panic or even get all fluffed up. These attacks can't stay hidden forever, nor can they do it forever without getting caught.

    Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.
  • by KMSelf ( 361 ) <karsten@linuxmafia.com> on Thursday February 10, 2000 @08:59AM (#1287328) Homepage

    What's particulary painful is that this is a clear case in which source distribution would be a major plus. If this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105 [cornell.edu].

    Interestingly, this means that the GNU GPL is powerless to protect the work -- something which is public domain cannot be sheltered by copyright -- but it should be eminantly possible to reverse engineer and enhance the program. Modifications themselve should be covered under copyright law, and might be governed by the GPL or another license.

    I would be far happier seeing full source to any such tools before installing them on my own systems.

    IANAL. This is not legal advice.

    What part of "Gestalt" don't you understand?

  • I'd like to know more about the DoS that it looks for.

    There was an extensive analysis of trinoo DoS networks on Bugtraq last month. You'll learn a lot more from Security Focus" [securityfocus.com] that you will from the binary or its source.

    Here are some and [washington.edu]Trinoo [washington.edu] links.

    But, dosn't anyone realize that having the source makes it easier for the trinoo coders to see how they are being detected and then modify the clients?
    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • I'm not sure why (or how) they are doing this.

    First, wouldn't such a daemon have to be proxing a lot of ports to be affective or is it just a packet sniffer?

    If there is a DoS attack, would it only log IP (which maybe bogus) addresses after your system has be comprimized or can it actually prevent such attacks?

    Wouldn't a properly configured firewall be more effective using things like connection to connection limits and log files/grep/wc?

    Besides the security issues of installing closed-source FBI software on mission critical servers, is there any advantage to using such software or is it only to help FBI nab script-kiddies not necessarily in the US?

    Also, is it possible that guys like Amazon.com and Yahoo have nothing more than poorly configured firewalls?

    Ozwald
  • by jesser ( 77961 ) on Thursday February 10, 2000 @09:02AM (#1287336) Homepage Journal
    Thursday, February 11, 2000
    Computer hackers bring down FBI website

    Computer hackers used a large distributed attack against the FBI website (http://www.fbi.org) yesterday for two hours between 2 PM and 5 PM, Eastern U.S. time.

    FBI officials said that most of the compromised computers requested two specific files, suggesting that the hackers might have been attempting to exploit a file-system bug that might have led to additional slowdown.

    Many of the computers used in the attack sent messages causing the webpage requests to appear to come from different types of browsers, making them difficult to block.

    Top FBI spook Drawoc Suomynona finally figured out how to block the attacker. "Most of the requests sent the 'referring page' as the page for a recent slashdot article. We just blocked all requests with that referrer, and the FBI server quickly became unclogged."

    Slashdot (http://www.slashdot.org) is a well-known geek news site. Slashdot editor Rob Malda declined to comment, but was heard mumbling "It's crackers, not hackers, goddamnit."

    Suomynona added, "We still have not found the source of these distributed attacks against websites, but we will step up our efforts to find them."

    --

  • I still am leaning toward the government. When Reno comes on and says "We are doing everything is our power to find out who is doing this and working to get the funds to better police the Internet" it seems to me they have the most to benefit from this, i.e. getting exactly what they've been asking Congress for. No one else stands to gain as much from massive FUD about the Internet.
  • So they only have tools for detecting the multi-source denial of service program for Linux and Solaris? This would suggest to me that the current round of attacks are all based on compromised hosts running those OSs. This is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.
  • So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.
  • No way I'll run it. I was going to email them, explaining why, but there's no email address to be found.

    Are there other tools available to detect these programs?
    ----
  • I found an email address - NIPC@fbi.gov

    Email them _nicely_ and explain why you won't use the program without the source. Leave out the conspiracy theories, for obvious reasons...

    Suggestion: Use "Please provide find_ddos source code" as the subject - about 100 messages with the same subject, all asking nicely, should get their attention. :)

    Oh yeah - ask nicely.

    Did I mention that you should ask _nicely_?
    ----
  • Bruce, I respect you, but this level of paranoia is discomforting. (I even looked to see if there was a . after your name.)

    There have been some analyses of Tribe and Trinoo DoS networks posted on Bugtraq in November and December of last year. The people who have been setting this up have been working on it for over a year.

    The difficulty with determining where the attack comes from is because of the several levels of indirection going on. In a trinoo network there is a master (a compromised machine hosting a daemon) which controls a number of slaves (also compromised machines). By sending a specially built ICMP reply message (i.e. a ping reply -- most firewalls don't filter these) to the master, it begins the DoS attack. The master sends a special ICMP packet to the slaves who then all forge packets sent to innocent systems with the victim's IP address.

    From the victim's point of view, you see packets coming at you from all over. You have to find the slaves that sent the forged packets. Then you have to find the masters that sent the ICMP command to the slaves. Then you have to find the machine that sent the packet that started the attack. Now that machine is probably compromised as well, so you have to find who broke into that one. . .

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • I don't think it makes it much easier than having a binary which does the detection. Run binary, run program. See if program triggers binary. Recode program and try again.
  • by rangek ( 16645 ) on Thursday February 10, 2000 @09:18AM (#1287377)

    his is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.

    Check out some of these [lwn.net] links for a more "technical" report.


  • Logging output to: LOG
    Scanning running processes...
    Scanning "/tmp"...
    Scanning "/"...

    Message from syslogd@localhost at Thu Feb 10 14:22:26 2000 ...
    localhost kernel: : rw=1, want=530244, limit=530113
    Segmentation fault

  • we don't know what else it's looking for, or who it's contacting.

    Anyone concerned about security should already know how to use tracing tools to see what a program is doing. All the good Unixes come with some kind of native execution tracing tool (called trace or truss or whatever) as well as network tools to monitor connections. Plus you have all of the various third-party tools available as well.

    If you think it's looking for specific files other than the DoS programs, trace it on a test machine. If you think it's contacting the FBI and uploading your pr0n collection, put the NIC into promiscuous mode and watch for packets. The program is no different from any of the others.

    Personally, I suspect that the programs are okay, if only because the FBI knows that the programs will be under this kind of scrutiny. They're not stupid.

  • I judge by your URL that you're from the UK. I'll skip the usual anti-monarchist comments :) and jump right to agreeing with you. Your statement is a true statement. The premise is true. The conclusion is true. Any questions?
  • They're available in binary form only

    Let me ask the FBI a purely philosophical question: Just how stupid do you think I am?
    /.

  • 225 years ago, your country tought my country not to trust the police.

    -jwb

  • for god's sake, can you read the fucking README? go to the site linked in the original port, and read the fucking manual.

    some of these ddos tools encrypt information like IPs; the keys are in the binaries. find_ddos decrypts the encrypted information.

    being paranoid about installing some binary the fbi gives you is one thing, but being woefully underinformed and shooting off your mouth is intolerable as far as I'm concerned.
  • There is no WAY I'm going to install an FBI-supplied object-only daemon that runs as root.

    Given that they claim to have just written this thing, there is absolutely no excuse for not releasing it as source.

    Such a program could view any file and report anything it finds to an external source of its own chosing. It could install trapdoors. It could expose private crypto keys. It could monitor traffic on internal nets - or even attack external sites. It could monitor email. I could go on.

    But stop a distributed DoS attack? Does this thing sink its hooks into the kernel? (Would you install it if it did?) Or does it just scan all the disks and tables for "bad" source or object code or file/program names, in the hope the perpetrator (or his sysadmin) installs it on his own machine.

    This might be worth reverse-engineering. But there's no WAY anybody concerned about his system's security will execute this puppy.
  • I'm amazed that nobody has commented on how this is coming from the FBI's National Infrastructure Protection Center (NIPC), which has repeatedly proven itself to be utterly clueless when it comes to the Internet it is charged with protecting.

    The NIPC's director, Michael Vatis, seems bent on using every single hiccup on the Net to prove how Essential and Important (TM) the NIPC is. When the Melissa virus hit, NIPC was running around screaming about the end of the world. After that the NIPC was warning about the evil "Y2K viruses" [fbi.gov] that never really existed (oops!). (The NIPC alert I linked to is a scream; it basically says that there are lots of Nasty Viruses out there, and that, if someone could write a Nasty Virus, they could probably write a Y2K virus, so you should panic immediately.) Now, since Melissa and Y2K failed to destroy civilization, the NIPC is beating the drum over the DoS issue, calling a bunch of script kiddies who inconvenience some people "cyber terrorists".

    The common thread here is that the Net is a nasty, brutish place, and only the big tough NIPC can protect us.

    I'm not sure why they keep doing this, unless Vatis is such a publicity hound that he will take any excuse to "alert" people of "threats", even if those alerts do more damage than help by panicking people into distrusting the reliability of the Net. His fearmongering has become so blatant and counterproductive that he's become a favorite target of ridicule [kumite.com] for Rob Rosenberger [kumite.com], the crusader for common sense regarding computer viruses.

    Sure, it's bad that these big sites are suffering DoS. But it's not "terrorism", and slinging around that word only proves how cushy daily life for most people in America truly is. It's hard to imagine anyone rationally being able to compare congestion at Yahoo! to blowing up a federal building. Maybe if Vatis stopped to think for a moment before lunging to get his agency in front of the cameras of the press, he'd realize this too.


    -- Jason A. Lefkowitz

  • Also, is it possible that guys like Amazon.com and Yahoo have nothing more than poorly configured firewalls?

    With a DDoS attack a firewall becomes just another box to get choked on traffic. And even if it is able to filter out the attack, it can't do anything to unclog routers upstream.

    When Amazon, Yahoo!, and so on say that there is no guaranteed way to prevent such attacks, they're not just trying to cover their asses. All they can do is have the routers upstream of an attack configured to filter it out-- which generally means blocking some legitimate traffic along that route as well. The latter is why they are limited in the precautions they can take beforehand.

    -Ed
  • Well, I fought off the pangs of paranoia and doubt and su'ed and ran this thing. Scanning running processes... Scanning /tmp... Scanning /... OOPS.. load JUMPS, mem AND swap usage jumps from 15% and 0% to 100% and 100%. X halts: mouse doesn't move, xmms pauses. I try to telnet in from another machine for about 6 minutes, NOTHING. I finally go back, and it's killed X along with rc5des and itself.

    Sounds like a denial of service attack itself. geez. Now I feel dirty, excuse me while I go buy a new harddrive. eww.
  • I know I'm breaking my own rule here, but from now on I will no longer reply to him either. He's just posting shit like this to get the bonus karma from heavily-replied-to comments.

    What he says is controversial only to those who would bother to reply to such inane, stupid viewpoints to begin with. Please do not give him forum.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • by Coward, Anonymous ( 55185 ) on Thursday February 10, 2000 @10:02AM (#1287443)
    Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.

    Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be greatful for demonstrating just how vulnerable they are to high velocity projectiles?

    Are any of these defenses legitimate? If you were on a jury and the defendant claimed that he killed someone to demonstrate that people can be killed, would you find him innocent?

    What have the DoS'ers proved? That crime can be comitted? Great, but I knew that already. I can shut down a mall with nothing more than a fork (repeatedly jam the fork into someone's face until they are dead, the mall will be closed for the day) and I can probably shut down an individual store by doing no more than pulling my pants down and taking a dump in the middle of the store; even if all the customers don't leave, the employees won't be able to help the customers because they'll spend all their time arguing over who cleans it up.

    If you fill up a company's pipe with data, legitimate traffic can't get through. We knew this already, we don't need it demonstrated anymore than we need it demonstrated that streets are vulnerable to dynamite.
  • by Anonymous Coward
    We do have something called the freedom of information act. Unless the information falls into certain specifically designated sensitive categories, it must be released on request. Why not file one with the FBI to obtain the source for these utilities?
  • I don't know if I am comfortable with blindly installing binaries from the government or anyone else for that matter.
  • OK, they've been working for a year but we still don't know who they are. Dirty tricks do happen. I'm one of those folks who thinks that some viruses are written by the virus-scanner manufacturers, too.

    So, do I have it right that we need to have every router on the net disable source routing so that this packet forgery doesn't occurr?

    Bruce

  • ...to forward this to Reuters. :)
  • I know I'm breaking my own rule here, but from now on I will no longer reply to him either. He's just posting shit like this to get the bonus karma from heavily-replied-to comments.

    Well thanks for the slame Wakko I sure that a "mature" person like you can just silence dissidents and pretend they aren't here.

    I am not deliberately interested in gaining karma however I am interested in figuring out why I should care when I and the vast majority of Americans cannot see why anyone should care about issues that are mainly concerned with the security of machines that has historically cost several thousand dollars and had even more expensive per month costs to achieve them.

    Essentially what people do when they do little scare tactics is that they try to subdue the isolation of their plight. I had a reasonable idea (from many periodicals and reference books about computer security) that internet security was pretty much fixed for most uses.

    What he says is controversial only to those who would bother to reply to such inane, stupid viewpoints to begin with. Please do not give him forum.

    Now, now, now little man do you realise that I care little for what happens. I can just as easily just get another account on slashdot change my wording slightly and then succeede. It's that simple. Bingo. Do you know that I have been on slashdot's database in my third account reincarnation. I have had people flame those 2 other accounts before and I just bounced back. I know I am unpopular and quite frankly I see this as a plus. I want to probe the world before I get out in it.

    Largely security concerns are not valid if I just have say crap on my machine. Tell me what the problems are if you have nothing but OS system components and a net connection? What possible problems could actualyl happen say someone could actually crack your box? I have backups and such and I don't really care if some ass manages to format the partition. With all the modern hardware out there and the speed and ease of installation there is little reason to care.
  • bugged Martin Luther King Well, at least King was a private citizen. They snuck bugs into Detroit Mayor Coleman Young's office, pretending to be the janitor. They then proceeded to listen to him for a decade, without ever charging him of a crime. Can you say 'First black mayor of a major US city?'

    In the FBI's defense, Mr. Young was engaged in mild corruption, general governmental misuse, AND he owned every nude strip club in Wayne county at a time when it wasn't legal to run those sorts of establishments.
  • This is the alert posted jointly from DOJ, the FBI and NIPC

    NIPC Alert 00-034 and re-issue of National Infrastructure Protection Center Information System Alert NIPC Alert 99-029 originally issued 12/6/99; Unclassified
    Beginning on 7 February 2000, a number of high-profile Denial of Service (DOS) attacks temporarily disabled significant electronic commerce Internet web sites. These cyber attacks targeted companies sites like Yahoo.com, Amazon.com, CNN.com, Buy.com, Ebay.com, Stamps.com, Exodus.com, E-trade.com, and Zdnet.com; reported victims have apparently recovered from the attacks within a few hours. Public reporting cites coordinated, Distributed Denial of Service (DDOS) attacks originating from multiple points on the Internet. The FBI is now investigating a number of these attacks; in view of these events the NIPC is re-issuing its original alert describing the DDOS exploit. Additional information can also be found on the NIPC web page at www.nipc.gov and at the Carnegie Mellon Computer Emergency Response Team Coordination Center (CERT/CC) web page at www.cert.org.
    Beginning in the fall of 1999, the FBI/NIPC became aware of several instances where intruders installed DDOS tools on various computer systems to create large host networks capable of launching significant coordinated packet flooding denial of service attacks. Installation was accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. These multiple denial of service tools include Trin00, Tribe Flood Network (or TFN, TFN2k, and Stacheldraht,) and were reported on different civilian, university and U.S. Government systems. The FBI continues investigation of many of these incidents, and was and is highly concerned about the scale and significance of these incidents, for the following reasons:
    A.) Many of the targets are universities or other sites with high bandwidth Internet connections, representing a possibly significant threat to Internet traffic.
    B.) The known cases involve real and substantial financial loss.
    C) The activity ties back to significant numbers and locations of domestic and overseas Internet Protocol (IP) addresses.
    D) The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.
    E) The tools appear to be undergoing active development, testing and deployment on the Internet.
    F) The activity often stops once system owners start filtering for Trinoo/TFN and related activity.
    Possible motives for this malicious activity range from exploit demonstration, to exploration or reconnaissance, to preparation for widespread denial of service attacks. NIPC was concerned that these tools could have been prepared for employment during the Y2K period, and remains concerned this activity could continue targeting other significant commercial, government or national sites.
    NIPC requests that all computer network owners and organizations rapidly examine their systems for evidence of these distributed denial of service tools, in order to be able to quickly implement corrective measures (specific technical instructions are available from CERT/CC, SANS, NIPC, or other sources). These checks should be done to both check and clear systems of Trinoo/TFN, and related threats, and to support law enforcement efforts investigating these exploits. Recipients are asked to report significant or suspected criminal activity to their local FBI office NIPC or ANSIR Coordinator, computer emergency response support and other law enforcement agencies, as appropriate. The NIPC web site is located at www.nipc.gov.

  • by jjeffries ( 17675 ) on Thursday February 10, 2000 @10:19AM (#1287461)
    "someone's taken down the 'net!"
    it used to happen all the time
    back in the day when it was new
    and didn't run on Wall Street's dime

    there was no panic way back then
    when a packet would get lost
    but now each one is good as gold
    and every downtime has a cost

    suits came and tried taking over
    and the hackers said, "hey, we're not fools,
    stop what you're doing to our 'net!"
    and they broke out their hacking tools

    the 'net is quite a complex thing
    so there are ways to take it on
    to abuse the bugs and the backdoors
    which open up when knocked upon

    clueless experts on the tube
    while at the suits the hackers laugh,
    "it was so simple for our group
    to cut your backbone right in half!"

    some suits think that they're immune
    their net's protection is quite strong
    but if you think that you'll be safe...
    you might find out that you're all wrong!
  • Yea, I guess you're right *everyone* already knew this stuff.

    No, wait a second, actually most people don't know a damn thing about any of this. Maybe that's why it's on the news, and it's big news. You'd think something so obvious wouldn't be such big news, but that's because you take for granted that it is so obvious.

    I'm not defending their actions, I'm saying that the cost (so far) is outweighed by the benefit.

    Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be greatful for demonstrating just how vulnerable they are to high velocity projectiles?

    That's funny. I type in Yahoo dot com and a page comes up. Yet, my window is still broken, my chest is still bleeding, my car is still dented, and murder victims are still dead. This was a Denial of Service attack. Roughly akin to getting a busy signal when you try and call a business, wait, not roughly, exactly.

    Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet. What I don't like is people associating these type of acts with violent crime, that's when you get enough FUD involved to convice people to give up thier online rights, freedom, and privacy, in exchange for the illusion of protection that the government will promise.
  • So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.

    I don't really need to. Essentially when I get the chance for some real power I will anything and everything that currently will allow for itself to be networked. I have seen too many cases where anal sysadmins just didn't want to let people do anything because they were idiots and wanted to stop people from using a small ammount of vast system resources.

    The mere fact that you have theories that suggest that people should not run various servers is indicative of that fact that they want total and compelte control over every facet of our lives.

    If I were quite wealthy I would just run a system where I would allow free use of resources for almost anything. As such I would just put a little disclaimer that whatever people do is non of my business and that I take no legal responsibility. Plain and simple.
  • for kicks, I downloaded the second program listed in the article posting (the one from staff.washington.edu that comes as source) and compiled it on a 2.2.12smp box. I had to comment out the LIBS line to get it to compile, and I don't know enough about Linux libraries to know whether that was a good idea or not. It seems to do what it says when run as root, and it didn't find anything on my machine or one of the others in my area. FWIW.

  • by warpeightbot ( 19472 ) on Thursday February 10, 2000 @10:46AM (#1287488) Homepage
    OK, let's add'em up.

    1) Unknown crackers launch DoS against biggest commercial websites. No one takes credit. Matter of fact, no one that I know of has posted a trace on these jokers.

    2) NSA has been yelling about this sort of thing for months.

    3) The current administration just happens to be trying to fund its current Internet security initiative.

    4) The FBI just happens to have something that they "just wrote" in order to deal with precisely this kind of attack, one we haven't seen before on this scale. It's closed source. It wants to run as root.

    Yeah, right.

    Where are spaf and the boys when you need them? I'd like to see them take the Fibbie's code apart byte by byte and make sure they're not up to something themselves.

    Gods help us if they are.

    (I know, call me paranoid, fsck my karma to hell, but bigod no steenking revenooer is getting in MY box quite so easily....hmph.)

    --
    "We are the FBI, we have no sense of humor that we know of." -- Tommy Lee Jones ("K"), "Men In Black"

  • You are assuming an unusual amount of intelligence for a government agency.

    You know that not everyone who works for the government is an idiot.

    Your points are somewhat valid except for the first one (anybody around here trusts the FBI? Anyone? Anybody?), but again you assume that the Feds have no more important hidden goals that you know nothing about.

    I trust them more than I trust the god damned bastards who run the local PD where I live. Believe the level of shall we say improper conduct is a lot greater at the local level.

    I would still not run it and would not recommend to people to run it. Besides, it is not that hard to check, e.g., standard trin00 ports with other tools.

    Well I state similar things and get flamed I guess you are luckier.
  • It topped out at 291M Bytes of ram used on my system, and took a little over 1 hour to run. It also didn't do any network traffic.
  • Do you have any idea how much stuff sysadmins ignore in a given week or month? It's quite a bit of foolishness that nobody ever knows that we saw. And often the logs are kept sparser than they could because we would really rather not remember what your favorite e-commerce sex shoppe is.

    It's enough to get several people reprimanded/fired and a few criminal cases filed in your average year. Uptight, play strictly by the rules admins can make mini 1984's out of any company. Most of us don't want to. Be glad that this behavior seems rooted in the culture of sysadmins. The FBI is a very different story.

    DB
  • Your box gets cracked and they don't touch your stuff (as you predict). They do, however use your box to launch a DDoS against whitehouse.gov or even worse from your perspective crack boxes further on that launch a DDoS. A few
    days later, the secret service is knocking on your door and taking your hardware away and you end up spending thousands in legal fees.


    But you can clearly indicate that someone connected and that it wasn't you. Furthermore you could very easily say that you had a little disclaimer that indicated that you in fact were not liable for anything that went wrong. This can absolve you.

    Do you still think, no harm, no foul?

    Oh there is foul but that's what targeted hits are for.
  • That's funny. I type in Yahoo dot com and a page comes up. Yet, my window is still broken

    It wasn't a crime against you, it was a crime against yahoo. If I break your window, it doesn't affect anyone else. Your window is broken and it will cost you money. The attack against Yahoo cost Yahoo money, primarily in lost revenue. If I broke a window at Yahoo's office, it would never affect you, but it is still illegal and there is no legitimate argument for it.

    Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet

    Would you be so generous if you were the victim? Would you happily say goodbye to your car if it could educate people to the threat of car theft? I mean, you're going to buy a car to replace the one that was lost, so it's not like you're actually out a car, you're just out a bunch of money.

    You weren't the victim, Yahoo was.
  • It makes perfect sense, the more power you have, the less corrupt you are.

    Let's just say I haven't seen examples of the FBI beating up people, buddying up with people, taking bribes, working for their own personal agenda, violating civil rights, etc.
  • Yeah! I agree!

    Mostly because "CERTs have retsin" and this whole thing is pretty stinky.

  • I contacted the Hayward office of the FBI and spoke with a plesant young man who had never heard of Slashdot. He will be passing a suggestion up the chain of command of adding the source code of find_ddos to SourceForge as well as making it available on the FBI web site.

    This conversation took place prior to the update pointing to Dave Dittrich's site. It appears the source code is public domain, so perhaps one of the knowledgeable people here can start a source tree on SourceForge for this tool.

    Richard Bottoms

  • Would you happily say goodbye to your car if it could educate people to the threat of car theft? I mean, you're going to buy a car to replace the one that was lost, so it's not like you're actually out a car, you're just out a bunch of money.

    Yes, *if* the vast majority of people on the planet didn't know a car could be stolen. Actually that's a funny example since I don't own a car (by choice, my feet and my bike work great).

    Yahoo can take the hit, mainly because they have this ridiculous valuation based on the potential on the Internet. Well, guess what, the Net also raised the potential power of every person on it, who understands how it works. For these companies, in a brand new industry in a brand new medium doing something that has never been done before, to get hit with a few hours of downtime does a great deal to show people that this is not your father's cyberspace. People (I'm talking about "regular" folks now) haven't realized how much different things are, by forcing them to take a harder look, it helps *everyone* realize that computer security is not a joke, and should be taken every bit as seriously as the need to lock your car. If you don't want to get it stolen, that is. Or used in a DoS attack against your local highway.
  • The DOS attack is destructive with no productive benefit. It's a pointless and criminal way of saying "Hey, lookee here!" about a bunch of compromised hosts running the masters and daemons.

    So I guess the grey-hat response to this black-hat action would be to write more interesting things to put on "owned" systems. Just imagine if, instead of taking down yahoo, your local script kiddie could send the seti@home score of his favorite alias through the roof in just hours. That way, he's still providing the service (calling attention to security holes) without the stupid brute-force collateral damage to Yahoo et al.

    I'm kidding about seti@home. But seriously: isn't there something more productive you could do with a distributed network of "owned" systems? Something that would appeal to the script kiddie mentality without fucking things up too badly? Taggers can graduate to real grafitti artworks; where's the upward path for the script kiddie?

    I suspect that the answer would have something to do with w4rez or MP3's. (Run Napster instead of trin00 on all the compromised hosts). I'm not endorsing copyright violation here, just saying that it would be a lot better than just crashing shit.
  • So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.

    Actually yes I do... I run a modified version of iplog (check freshmeat) and my system logs get simulcast to another server with no other functions save for sending email out. I imagine I could make it even more secure by sending the logs to it via a serial port (entry in my knowledgebase [mixdown.org] about this) or using a 2nd network card in the server but this suffices for now and allows me to have several servers send logs to the same log box.

    Every night I have a cron which greps the shit out of the log and what's left is anything unusual. (90000+ lines in 24-hour period usually drops to about 150 lines when I'm done grepping the normal stuff out) I review that every day. I also have other cron jobs which page me if my 5min load is over 5, my disk space gets too low or if there are more than 6 people logged in.

    I also am working with a friend on a modified patch to Bash (the original is on the same page as iplog) which drops the connection if it's being executed as root and the terminal is not a (v)tty. Hoping to add functionality where it also sets up a -j DROP in ipmasq and mails me on it too.

    Finally, there are other security measures in place like md5summing critical parts of the system before the backup, not allowing telnet or root/empty password ssh and such and so forth.

    Paranoid? Yes. But then again that's what I'm paid to be.

  • I ran the fbi prog and sigQUITted it after less then a minute. It dumped a core file that would put netscape to shame.
    -rw------- 1 root root 58589184 Feb 10 17:07 core

    I'm currently straceing it, and if I find anything interesting, I'll post it here.
    #include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}
  • by Wah ( 30840 ) on Thursday February 10, 2000 @12:34PM (#1287547) Homepage Journal
    Did you see that Ruby Ridge/Waco double feature last week?
  • As has been pointed out by at least one person on this discussion, there are some good reasons to be mistrustful of an FBI-distributed binary as root on your Unix system, considering the FBI's track record in respecting the personal privacy of the citizens it was created to protect. It is a shame that its long and consistent track record has necessitated such caution on the part of practically everyone outside the agency, because this DDoS scanner really does need to be run as a binary. Here's why:

    Unlike CERN, the FBI can kick down doors and stop a DDoS by arresting its perpetrators and confiscating their computers. The best way to do this is to catch the perps in the act. The best way to do this is to identify and monitor a DDos the moment it begins. To do this, there must be detection software in place, and that detection software must notify the FBI instantly.

    Now, if the source code to the application is readily available, it will document not only the means of discovery but also the means of FBI notification. The perpetrators of the DDoS could use this knowledge to revise their DDoS. In all likelihood they could not get around the means of discovery. However, they could easily subvert the means of notification. All they have to do is launch a simultaneous attack against the FBI's machine--jamming it with bad packets, or overloading its mail server, or simply flooding it with false positives. If the fifty or so real DDoS-origin addresses are buried under a hundred thousand bogus addresses, the perps have created such an effective smoke screen that they will almost certainly get away yet again.

    Will a binary-only tool prevent this? No. But by using good obfuscation techniques they could delay decompilation for so long that the tool actually has a chance to work.

    Probably the best thing the FBI could do if they wanted to nail these jerks would be to find a couple of high-profile potential targets, give them the source code to a tool under an NDA, and give the site the opportunity to inspect, approve of, compile and install the tool themselves.

    --

  • I don't really need to. Essentially when I get the chance for some real power I will anything and everything that currently will allow for itself to be networked. I have seen too many cases where anal sysadmins just didn't want to
    let people do anything because they were idiots and wanted to stop people from using a small ammount of vast system resources. The mere fact that you have theories that suggest that people should not run various servers is
    indicative of that fact that they want total and compelte control over every facet of our lives. WHoa run that last sentence by me again! That's right, this DDOS detector is really a secret government plot to gain "complete control
    over every facet of our lives." So you better not run it. Terminal doesn't need to check security because he "doen't really need to." Well I think that's obvious because " Essentially when I [Terminal] get the chance for some real power
    I will anything and everything that currently will allow for itself to be networked. Whatever that means, anyone else confused besides me?


    *Sigh* sometimes I get a little carried away with myself.

    What I mean to say is that given the chance for some real insane bandwidth I would run all of the nice ammenities like an irc server, an http server, a cvs server, sendmail, web based interface for email (aks atdot), slashdot code, mangband, regularly pull html pages (slashdot's), gimp interface, ftp, ssh, etc. This is what I mean. Any person with any administrative ability could very easily to this and still be secure. All of these things are possible except hardly anyone does them because they are lame and foolish. I think that what we really need from the world is what we had back a few years ago when there were more free services.

    Free services were the backbone of emerging internet factors back in the early days. This is what I mean. Instead of being afraid of your own shadow you should really allow more freedom.
  • There's been a ton of discussion on the NANOG [nanog.com] mailing list about these attacks and it seems to be the general consensus that these attacks didn't use source spoofing. It was just a huge amount of traffic from many different places around the net. The way most of these attacks work is the perp(s) crack a system to use as the home base of the attack and run scripts on that machine to find other machines to crack and park the dDoS daemons on. This way they just have tons of machines throwing traffic at the victim and since it all looks like real traffic (ie: it's not spoofed), it all gets through until they start blocking specific addresses at the edge of the network.

    This is not to say that disabling source spoofing on every router in the world wouldn't be a great great thing but it wouldn't have helped in these cases.
  • you can? you think if I broke into your machine and initiated a DoS attack, I wouldn't take the time to remove myself from your logs?

    in 1992 my machine at NYU was broken into and used as a stepping stone to break into some machines in Germany. *I* was the one who had to deal with the university coming down and unplugging my stuff and trying to kick me out of housing, and I'm the one with my name in some FBI file somewhere; in my situation, it was quite clear from the logs on my machine that it was being used by someone else to attack systems.

    I assure you that you don't want to deal with a situation like this, and if you're young and stupid (or perhaps just stupid) and you don't secure your machines at least enough so that Joe Skriptkiddie can't immediately root you up, you run a very considerable risk of gettign owned and used like I was.
  • The FBI programme brought down my system and it is currently fscking. At last check it was using over 80M of RAM. In a few minutes I'll see the strace log to see if it tells me anything. I do not recommend any one else runs this programme.

    End alert.
    #include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}
  • I'm pretty sure all the online brokerages also offer 1-800 numbers where you can place trades when you are away from the Internet. I know E*TRADE does.
  • Yeah but how many average people decide to stockpile guns and spout anti-government propaganda. Of course in any area when you tell people they such they are not going to be on your good side from the get go.
  • You're really deluded.

    The more services that you make available to everyone on the internet, the more likely you are to be compromised due to some bug in some software that you're running that noone knows about today, but that someone's goign to find out about and exploit tomorrow.

    You can't say that anyone with any administrative ability can put up all sorts of stuff and not get rooted. that's simply not true. you would have to be very very lucky to run a machine with that kind of availability and that much code accessible to the general public and not eventually get broken into.
  • Port scans. There are tools that people use to continuously probe for machines that run various operating systems. Especially if you are a student and don't have a strong firewall. Crackers will break into the network and scan for users
    with various operating systems. If they find one that they know how to break, they'll do so. It's a lot like leaving your car in a dark parking lot without having a good security system. Thieves can break in within a matter of seconds.
    The same is true with crackers.


    Tell me how do these people actually live and how do they earn a living if they spend all day running port scanners?

    Some crackers are just script kiddies trying out there new/old tools/toys. Others are professionals that are testing their skills. Either way, its good to be prepared if you are on the net. Win 95 has poor connections (no daemons and
    such) and probably will not have a problem. But if you use NT, you better be careful. The default settings of RedHat are not very secure, and should be turned off. Did you select "Everything" on your install?


    Suppose I am running a version of Red Hat or Debian that is extremely secure and everything is non exploitable (there are some distros out there that meet these requirements) what then? Is is still bad not to really care about security?

    The best thing to do with a Linux distribution, is to install without any services. Then go back and only install the ones you use. At least you will know what you do and don't have.

    One of my great dreams is to create a httpd server over a good modem link. Run the slash code and have a kick ass site without mucho buckos. The linux gazette in one of it's earlier issues discussed about taking a free page and then having your linux machine dynamically update a link on said page to your current IP number assigned and whamo instant slashdot clone!
  • I wrote a bit of a note to the NIPC suggesting that find_ddos be open-sourced, and pointing out some of the advantages which would accrue, including portability, expansion, and increased trust. I also asked that the license under which it is distributed be clarified, so that I could know if I can legally mirror it. Here's the answer I got back:

    "The NIPC has determined that it is important not to release the source code publicly. We do, however, have measures in place to help ensure that the executable on our website is not compromised. We will forward your comments to the appropriate personnel for consideration in this matter. Thank you for contacting us."

    How's that for null program?

  • by Foz ( 17040 ) on Thursday February 10, 2000 @01:06PM (#1287570)
    I believe in paranoia... I think it's a good thing. However, I do not think the FBI is stupid enough to trojan something like this. It would be found, and they know that...

    I ran it on my DSL connected firewall box, as root... I also trussed and sotrussed it and monitored for network traffic. It looks to me like it's doing exactly what it claims to do. I don't claim to be an expert, but it's good enough for me.

    Come on, people... if you honestly think the Feds are stupid enough to try and trojan this you need to take off the tinfoil hats and get out in the sun a little more. And if you don't think it's worth your time to ensure security of your machine you really should think a little harder. It goes way beyond just a recursive rm or two... if your box is compromised it allows someone to then use your box to stage other attacks, to spam people from your system, etc. etc. etc. And if you think you're secure just because you're obscure you are, quite simply, a fool.

    I believe that just about any system can be owned given the time and resources and attention of the right people. The same goes with locks on your front doors. It won't keep the dedicated criminals at bay, but it filters out 99% of the riff raff and lets you focus on detection of the other 1%. I run a firewall on my system not because I think I'm a stud or anything, but to try and keep out the truly lame as well as to try and prevent someone from using my resources to bring down YOUR machine or spam YOUR email account or otherwise be nasty to all my internet neighbors.

    I won't tell you to run the FBI binaries because I also believe they should have released source... but I will tell you to CHECK your damned systems to make sure you're not compromised and stay vigilant. If you're running a host on the internet you have a responsibility to all the other people on the internet to try and keep your box clean. If you don't want to keep your box clean, go back to AOL and reformat and reinstall windows every 3 months.

    The internet was built on the theory of COOPERATION... remember? It's the same thing you all whine about day after day after day... "oh, but why is the internet going to hell... it's all these AOL lusers" everyone says. But I've got news for you, it's not the AOL lusers, it's the lusers who don't take the initiative and personal responsibility to keep their own systems clean and allow the shitheads out there to run rampant.

    -- Gary F.
  • Here is a situation in which you might wish to report the transgression to the FBI:

    I'm a user on a network of 12000 computers. I run this program, and discover that 150 have DDoS programs running. I manage to contact 100 of these users, who remove their computers from the network (I have a lot of free time, don't I.) However, 50 of the rest are unknown to me. I've contacted the network administrator, but they are uninterested in doing anything about the issue. They feel that the increased traffic will not affect our network, which is circuit-switched OC3.

    At this point, I'm concerned because I cannot get the last 50 DDoS computers off the network. So, I give in an contact the FBI. I give them the ip's, and the network admin contact number. This is why.

    The other reason is if you find something that might point to the originating culprit. That way justice can be served. A final reason is so that the charges against the hooligans can be increased because the FBI now has record of another 150 computers afflicted and 'damaged' and 'tresspassed' upon.

    I find the last reason most convincing.

    -B
  • The more services that you make available to everyone on the internet, the more likely you are to be compromised due to some bug in some software that you're running that noone knows about today, but that someone's goign to
    find out about and exploit tomorrow.


    What about Red Hat 5.2 right *looks at time on watch now!!!* or perhaps Debian 2.0? How about slackware release 3.0? I think these things are plenty old to get out all the bugs.

    You can't say that anyone with any administrative ability can put up all sorts of stuff and not get rooted. that's simply not true. you would have to be very very lucky to run a machine with that kind of availability and that much code
    accessible to the general public and not eventually get broken into.


    What if I do something like this *sly grin*.

    Any connections that originate from anywhere outside of the "approved" range and that do not originate from usage of the login program or any other apporved command and do not contain a proper exit code will drop into a restricted shell where each and every command is logged and perhaps access is not given to net enabled commands?
  • The real danger is that these punks (or punk, co ordinated attacks could be one guppy with a pile o passwords and a little time on their hands) are forcing the PTB to take action. With or without government conspiracy the PTB will
    march forth with constricting and stiltifying regulations that will hinder and shackle the rest of us, and not being able to get online or search Yahoo will make Joe newbie their ally in doing so. Sayyyy... when did that Mitnick feller
    get sprung ;-)


    What is a PTB? government?
  • Why would one want to bugger a serial port? Unless your equipment is miniscule, it's going to lack a certain amount of... I/O , if you know what I mean. I mean, if you want to hump your box, that's what fufme.com is for!
  • My system ground to a standstill. I couldn't even check out the running processes. I have 96MB ram/130MB swap on a K6-400.

    I ran it on my desktop because I was a little wary of running it on my server without knowing anything about it. My mouse all but stopped. I moved it northeast about a centimeter and the pointer was still moving, a tiny bit at a time, with a huge interval, 5 minutes later. My HD light didn't stop. I gave up waiting and came back later to find the following output:

    checking /tmp...
    checking /...
    killed

    Strange. Needless to say I deleted the software and didn't bother running it on my server, which is less endowed than my desktop. That binary is way too large to do nothing but simple checks.

    Then I remembered, "hey, this is the US Government, they can't do anything right!"

    Never attribute to malevolence that which can be achieved through incompetence...
  • Read your first sentence again, then read the first two amendments [nara.gov] from here. BTW, how old are you? You've been very vocal today, and after reading quite a bit, I'm guessing 14.
  • a. using really old code is a way to get owned quicker. slack 3.0 probably has some ancient version of sendmail which is guaranteed rootable remotely, among other holes. your best bet is to get new everything, and keep updated regarding patches. but thats just the problem - bugs exist BEFORE patches, and eventually, someone will find a bug in somethign that youre runnign with privs, and then U R 0wn3d as they say. how long has sendmail been around? longer than slackware, and you can bet there are probably a few holes in it still that noone has been clever enough to find (or nice enough to distribute).

    b. your access restriction would be a great idea, as long as you can guarantee with absolute certainty that the programs you use to authenticate "legitimate users" are 100% bug free. if they aren't, theres a possibility of getting rooted, and once that happens, all these clever logs and tripwires of yours do you exactly 0 good. how do you think people running sshd with RSAREF felt when this "secure" shell daemon turned out to be remotely exploitable?

    dont trust the internet to connect to a computer that you dont want rooted. it's a losing bet in the long run.
  • ...this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105....

    Interestingly, this means that the GNU GPL is powerless to protect the work...


    Are there any strong arguments against modifying copyright law to allow the United States government to release information under copyright, but only under the GPL or a GPL-style license?

    --

  • by Animats ( 122034 ) on Thursday February 10, 2000 @03:05PM (#1287609) Homepage
    These vulnerabilities can be fixed. Here's how:
    • SYN flooding
      The basic problem is that protocol stacks derived from BSD commit substantial resources on the receipt of a SYN packet. That makes them vulnerable to TCP SYN packets with forged source IP addresses. The proper solution is to allocate only a small control block at the LISTEN -> SYN_RCVD transition, and allocate the full resources for a TCP connection only at the SYN_RCVD -> ESTAB transition. In a SYN flood, the connection never gets beyond SYN_RCVD, so this confines the attack to using up these small control blocks.

      The lookup used during SYN_RCVD should be hashed, so it doesn't slow down as the number of connections in that state increases, and the allowed number of connections in SYN_RCVD should be made very large (maybe as big as 100,000) in a large server. This allows for a huge SYN flooding overload without impacting real connections much.

      There's a commercial firewall [checkpoint.com] from Israel that does something like this, but it really should be part of the protocol stack.

    • ICMP broadcast floods
      Don't reply to ICMP packets sent to broadcast addresses. This is an out-and-out bug, known for over a decade, and should have been fixed everywhere by now. Vendors that haven't fixed it yet should be subjected to public embarassment, if not litigation.

    • HTTP request overload
      This is the tough one - being attacked by a large number of completely valid requests. One answer is to impose fairness by source IP address within the server, so that each source IP address gets equal responsiveness. This fix won't stop the problem, but it will slow it down substantially. It's going to take some new development, but the concept is conceptually similar to fair queuing [fh-koeln.de], which I invented long ago. Most of the same issues apply within a server as apply in a congested router.

    Implement all this, and the problem will go from being headline news to a minor nusance. Linux network hackers, get going.

    I'm not currently doing protocol implementations, but I'd be glad to talk to anybody working actively on the problem. I did substantial work on TCP/IP in its early days, before going on to other things, so I do know what I'm talking about here.

  • I'm missing your meaning here.

    I believe the original rationale for disallowing copyright in federal government works was to prevent the government from, say, passing a new law, but not providing legal right for anyone to publish the law. Think through the various wrinkles on that one. There are a number of avenues for abuse.

    Note that the prohibition applies only to the US Federal government. State governments may, if allowed under their own statutes, hold copyright in their own work. Other national goverments may also, if allowed under their own statutes, claim copyright in their own works. I believe there have been cases in which each of these mechanisms have been used, most recent on the international scope involving Australia and encryption policy, IIRC.

    Note also that the US government can hold copyright if it has been assigned the copyright by the former rights holder.

    Not sure what all the legal arguments are, but the case for allowing US Gov't claims to copyright for GPLd works of its own authorship are weak. In many cases, the government is in somewhat the same position as academics who created the BSD and X licenses -- reuse, either under free or proprietary terms, is to be encouraged.

    Once code has been authored (or modified) and released under the GPL by another party, the problem should be moot.

    What part of "Gestalt" don't you understand?

  • There's no need; I just 'strace'd the entire thing and it's kosher. It does scan every file on your hard drive, which is kind of annoying, but fair enough they tell you that's what it does in the docs. Of course, I've only used the Linux version, so YMMV on BSD and Solaris, and if you're a real conspiracy theorist then you've got to assume that I downloaded a tainted version as I have not MD5'd it :)

    --
  • Sorry to disappoint you all, conspiracy theorists, but this binary is kosher, despite what you may wish to the contrary. How about next time, instead of just slathering on the FUD to each post, try doing a little investigation, and you might just keep from sounding like another crazed anti-government wacko. That's what I did, and lo and behold, it doesn't phone home, beam the contents of your hard drive to a secret bunker on the moon, or anything else. Of course, I could just be a minion of the Ministry of Truth myself... in fact, I am! And we're after you, Wilson! But don't take my word for it - trace out the system calls and you'll see that you have nothing to worry about. Try it:

    strace -e trace=network ./find_ddos -p -y

    No system calls for networking are made. I bypassed the full hard drive scan for the sake of time, but I've done that too and you have nothing to fear. So either use the tool or don't - really, I don't care - but please refrain from polluting the message boards up with more anti-government FUD. As if there wasn't enough already.

    --
  • Hah.. I called him Wilson. Even I'm not so sci-fi illiterate as to forget it's WINSTON, and I'd prefer Conrad to Crichton any day of the week :)

    --
  • Update: somebody already tried that fix to SYN flooding [nasa.gov] and put it into some versions of BSD. This issue was worked on in 1997, and there are some solutions. I'm not totally in agreement with that fix (Dave Borman's), because it doesn't retransmit SYN ACKs, and that's a protocol violation which could affect legitimate connections.

    There's a patch for Linux, too, using something called a "SYN-cookie". [www.tao.ca] This is a marginal idea, and I don't know if it made it into any of the standard Linux distributions. But if you're under attack, you might want to turn it on.

  • I've downloaded the source mentioned in the update, but when I "make dds" I get...

    ld: cannot open -lsocket: No such file or directory

    It's been five years since I failed my programming course. I've never been the primary admin for a Un*x box before this job. I can keep the thing running, but my lack of knowledge of what our Linux box is doing at any given time is troublesome when there's a security scare going on. As far as I know, it's a fairly typical Red Hat distro, but our ISP guys set it up. What do I need to do to get it to compile?

    I'd much a Windows app that can monitor the network from one location (either our NT server or my portable). In that vain I've downloaded "Nuke Nabber" which has an option for "Syslogd" - which seems to be some sort of communications standard for Un*x boxen. How do I enable it, or more importantly, how do I check to make sure it's running.

    Basically, the problem is that the Internet is one big dark alley - most people can't see what's going on around them in the "virtual world". If someone can help me setup some tools to turn the street lights on in my local neighbourhood, I'd be most grateful.

    (Actually, it'd be cool if anti-virus packages were expanded to cover ports and assorted network attacks...)

  • Thanks. That worked.

    Now, syslogd... I got it to work for a moment, but I can't workout where to add the "-r" so it always interacts with the network. Does anyone know which .conf file (or whatever) I need to edit to permanantly enable remote logging from syslogd?

  • Geez you have horrible spelling. No offense.
  • No offense at all but a good book is Linux for Dummies published by IDG. If you prefer you can pick up Unix for Dummies which has general Unix knowlege along with Linux commands that correspond to ones for say Solaris or FreeBSD. Both books are pretty good and written with a sense of humour. They talk more about using Linux rather than admining it, there are admin books though, I would imagine IDG publishes several of them.
  • this all rather entertaining. These people should be given a medal for exemplifying problems that needed solving. The first part of the problem is a bunch of Windows users on their spiffy new cable modems without following directions and leaving file sharing on and not installing a firewall of some sort. To aid the script kiddies' attacks most people with really high bandwidth connections don't take the proper precautions security wise and leave themselves very open to trojans that the kiddies can use for DoS attacks. The second problem is the fact that these supposedly high power high profile websites don't have adquate security and/or fault tolderant systems so a backup could be brought online if an attack was taking place.
  • The type of high-test geek networking knowledge about the Internet that these DoS attacks teaches is pretty much lost on Jane Q. Public.

    True, but it pressures every admin out there to make sure their network is secure, which is a good thing. It also raises a general awareness and encourages all users to get their updates, and helps to cut down on the number of machines available to the vandals.

    But it does get pretty tiresome hearing the same sanctimonious line of BS about freedom, privacy and online rights everytime a pack of delinquents pulls some stunt.

    That comes from an overreaction from a misinformed public. The more awareness is raised and the more information that is spread about the problem helps to minimize the Fear, Uncertainty, and Doubt that might lead people to support overly-restrictive legislation. Just another oppurtunity to educate.
  • I also have other cron jobs which page me if my 5min load is over 5, my disk space gets too low or if there are more than 6 people logged in.
    Can someone do me something like a cron job that sends me an e-mail every time anyone logs into our (Red Hat) Linux box? Something "For Dummies"-esque. Only me and our security maintence contractors should ever log in. (BTW: we use SSH, not Telnet, if that makes any difference). TIA,
  • This kinda neatly illustrates that the solution needs to be implemented before the packets hit the target. Obviously making sure your hardware can't be used in a DDoS attack is just as important, if not more so, than putting in filter rules to block sus packets.

    As for countries that don't care, it's easy enough to put an axe (or backhoe) through the connection of most of those.. ;)

  • Fine. No one trusts the US' FBI. So where can I find some decent ICE (intrusion countermeasure electronics) that's as easy to deploy as an anti-virus package? I don't mind turning my company's network into a data fortress as long as someone provides some reliable, trustworthy, off-the-shelf tools.
  • and/or it detects it's running under strace (or truss, as a local admin trussed it with the same results)...

    :-)

  • There's a patch for Linux, too, using something called a "SYN-cookie". This is a marginal idea, and I don't know if it made it into any of the standard Linux distributions. But if you're under attack, you might want to turn it on.

    It appears to be fairly standard in the major distributions (whether or not it is enabled by default is another matter -- and a question to which I don't know the answer). I have been using SYN cookies for nearly a year now (although the few SYN floods directed at me may have had little result anyway). I tend to make my machines look as much like black holes as possible... and I'm also not Yahoo. :->

  • Can someone do me something like a cron job that sends me an e-mail every time anyone logs into our (Red Hat) Linux box?

    The way I checked for > x users was just parsing the output of 'w' in a cron script. For your needs I would perhaps replace the login program with a wrapper which emails.

/earth: file system full.

Working...