Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Government News

DDoS Attacks Traced to UCSB, Stanford 307

michael.creasy writes, "BBC Online reports that the DDoS attacks have been traced to California." The article says there is no evidence that employees or students at Stanford or the University of California at Santa Barbara [UCSB] were connected with the attacks - they were just "zombie" sites - but that the FBI is now zeroing in on California and Oregon as the region from which the attacks most likely originated.
This discussion has been archived. No new comments can be posted.

DDoS Attacks Traced to UCSB, Stanford

Comments Filter:
  • by Anonymous Coward
    You are wrong. These attacks were coming from various IP addresses (many spoofed) and were a mix of syn floods and ICMP. Rate limiting and router dropping isn't going to do anything when they take down your entire link.

    The only thing you can do to stop this is setup spoofed packet filters at every gateway/router connected to the internet and then easily track down the sources because we can't spoof out of a certain range anymore.

    The problem? It would cost tons of money and lots of time.

    What you mention in that previous post is completely invalid, especially when the attack is so massive and when it is randomly spoofed. About the only thing large ISP's can do now is block certain IANA reserved and local ranges so that they can block maybe 1/4 of all randomly spoofed packets.

  • Stanford is one of the top CS schools around, they oughta know better.

    Well, I'm at Stanford, and I can tell you that the univeristy sysadmins and CS people don't run all the systems in campus. In fact, there's many people running insecure linux systems in their offices/rooms which Stanford does not administer.

    ---

  • One thing I haven't seen in any news stories or most of the commentaries posted is what specific hosts and operating systems are being compromised. There was the withdrawn story to Computer Currents yesterday which claimed only Linux and Solaris were involved. I find this hard to believe. I've heard anectdotal evidence that Windows machines are the most frequently compromised hosts, via viruses.

    If the truth is lurking somewhere in earshot, could it please make itself heard?

    What part of "Gestalt" don't you understand?

  • by KMSelf ( 361 )

    The idea of an RBL type system is something I've thought of independently. It seems attractive. Like the UDP and real RBL, it could be a loose affiliation, decentralized, and advisory in nature. No need to bring the government in -- little that it could likely do anyway.

    Realistically, what would be required is for a given network gateway to monitor its peer and child connections. Portscanning might not be necessary, depending on the signatures of an attack. A particular peer/child which exhibited behavior indicative of compromised host(s) could be blocked off, with appropriate messages sent to administrative contacts.

    At the ISP level, this would include monitoring both individual dialup/fixed IP hosts, and connections to other IP aggregators. A sufficient level of filtering/blocking would act like a circuit breaker -- portions of the net might be slowed or cut off, but global abuses of the sort experienced in the past few weeks would be avoided.

    What part of "Gestalt" don't you understand?

  • ...on finding actual crackers? What will it accomplish? They already seen machines that were broken into, so they know (and the rest of people can make educated guess, and most likely would be right), which holes were exploited, and what DoS tools were used. At this point the only thing that can improve the situation is writing short HOWTO about anti-spoof routing and security updates, and using media to make sure that even the most pointy-haired PHB of all PHBs, and laziest head of department in university will get the idea that he should demand it from local sysadmin and ISP that he uses ("Hey, remember that I asked you last year about Y2K updates? Now make sure that spoof-protection is in place, too.").

    Even if they will find someone, no one will believe them that they got the right people (=> bad publicity for FBI), and no one who would want to repeat this attack would be stopped by that. They can't lock in the cell the knowledge about bugs and DoS tools -- it's already everywhere, and if it wasn't, it could be easily found again, so why waste the money, time and effort on finding some (bad) people if it can be spent by making things invulnerable to them?

  • Why would it be really silly to decrypt it first? Decrpyting it allows it to be distributed to anyone on any media that you choose. It allows it to be used in players that don't respect Region Enconding. Lastly, it allows you to compress it into another format with near perfect results.

    Because no other existing media can store this amount of information without either being extremely expensive (hard drives) or slow (tapes), and?

    With an encrypted DVD, your limited to making byte for byte copies to another DVD that only play in MPAA blessed DVD players.

    For the purpose of piracy it makes no sense because buyers have the same DVDCCA-blessed players -- and copying data for playing on other devices by legal owner of the copy is legitimate use under existing copyright law -- as legitimate as playing it.

  • Seems amazing that anyone at UCSB would have the brain power to do any hacking at all. They must have really cleaned up IV. The cost of living has risen so much you pretty much have to be a celebrity to go there anymore. Inflation? We're not having any inflation.
  • by jd ( 1658 ) <imipak&yahoo,com> on Saturday February 12, 2000 @11:19AM (#1280914) Homepage Journal
    So, we're all pretty much agreed that:

    a) The attackers aren't 100% stupid,

    b) That it'd be 100% stupid to launch an attack from a computer you're associated with, on paper,

    c) Therefore, the attackers aren't likely to be in Oregon or California.

    Where does that leave us? Well, 99.999% of the planet. Though I think we can rule out the oceans. (Not completely, as Navy ships have Internet access, and nobody's entirely certain what dolphins have been up to, given that the US won't sign any environmental acts to protect their food and migratory routes.)

    Who are the list of suspects, oh Great and Wonderful Sherlock Holmes, Solver of a Thousand Cases, and Drinker of a Thousand More?

    Well, Watson, this leaves the whole of China, Russia, Serbia, Chechnya, Greece, Iraq, Iran, France, Germany, Denmark, Cuba, virtually the entire European Union, every University on the planet, every dissatisfied citizen of the US, every bored cracker on the planet, the Luddite movement, the Internet 2 consortium, the DVD consortium, the RIAA, the MPAA, Microsoft, every company developing anti-DDOS tools, any newspaper in need of better circulation, the US Government (including the FBI), and a pack of crazed ferrits.

    My goodness, Mr Holmes! How are the authorities going to work out who did it?

    Elementary, my dear Watson! They're going to keep arresting people, without bail or charge, until the attacks stop. And then, so as to not look bad, they'll charge all the innocent people with something else, such as wasting police time and occupying cells without a permit.

  • Um I think you carried the analogy pretty poorly. To try and use your analogy:

    Some immigrants (e-commerce sitse) moved onto an island by the thousands and set up houses. The natives of the island don't like it, so they've set up baracades in front of a couple of the biggest houses.

    Of course the people involved haven't given any manifesto or anything so this is still speculation. My guess is that they're bothering the big e-commerce sites simply because they're the big e-commerce sites, not because they're trying to prove something about security (such as leaving your door open). And they're certainly not lighting their houses on fire and/or nuking them. If they were to stop right now, things would carry on as if it had never happened (with the exception of the media reports).
  • I guess you missed that part.
    DeCSS decrypts the movie (obviously), which can allow you to save it on a local file, and distribute it to anyone you'd like. That's the whole basis for the DeCSS trial. No one cares that it was created so people who own DVD Movies can watch it on their computer. They care that it could be used to help pirate movies.
  • hnn [hackernews.com] says that there seems to have been an attack on excite this mornning.
  • Eugene is where the black-clad anarchists in the Seattle riots were from, its also the place where the people who tried to sever the power lines on the night of Jan. 1st were from.


    For anarchists, they're pretty cool. They're just entirely too predictable.

  • Why do people keep trying to implicate Microsoft and China in everything? It's really stupid.
  • child-killers that fake insanity...


    If you're referring to Kip, I think the best evidence shows he was completely off his fscking nut. Not that that makes him a non-problem.

  • Does anyone else recall the time that members of the L0pht testified before the senate, and Sn. Fred Thompson called them heroes for writing these programs that expose the vulnerability of America's computer infrastructure?


    Fickle, aren't we.

  • My suspicion is that anyone who knew enough about a *nix to crack it would suddenly be overqualified to work at Microsoft and go get a real job.
  • For purposes of future conclusion jumping, these countries/organizations are also unfriendly to the US:


    Hizb'ollah

    Russia

    The Republican Party

    Iran

    Serbia

    O.P.E.C.

    North Korea

    Network Solutions Inc.

    Greece

    France

    The International Action Center

    The Mousad

    Iraq

    Pakistan

    India

    Christmas Island

    The WTO

    The Democratic Party

    Cuba

    Guatemala

    The Toronto Bluejays

    Ayn Rand

  • Schmidt said the intruder was 'sloppy' in his work and failed to destroy all the logs monitoring activity on the server.
    "There wasn't a great effort to hide their presence.."


    Which could mean that they were sloppy, or that they perhaps forged some logs for the FBI to find, knowing that the media would eat it up with a spoon. No way to tell at this point.

  • True, but a protest without a message is really just mass loitering.
    If they were trying to protest, they should have at least suggested what they were protesting against.
  • They may be democratic today, but we were arming them to the teeth ever since they were the military dictatorship of General Chiang. The CCP won China fair and square from those corrupt and incompetent nationalists, and if Truman hadn't parked the 7th fleet in the Taiwan strait, China would be one today.


    And FYI, Taiwan isn't really a country.

  • Naw, I don't necessarily thing that fooling with the video is necessarily illegal. For instance, on my Mac, the ATI DVD decoder card sends output to the screen, but should you try to do a screen capture or whatnot you'd find that all the computer is aware of is a green region where the card inserts the video.

    You're telling me that kludging together a system where I could watch a DVD on a screen not directly hooked up to that card (e.g. if I have multiple screens) would be illegal? Why? What's the difference?
  • My reading of the The Hacker Crackdown was interrupted when an attempt to load the next chapter timed out. That was a few hours ago and www.eff.org is still down.

    Bring on the conspiracy theories :-)

    Seriously though, anybody know what's up with www.eff.org?
    --

  • Agreed. They could have been protesting was the size of their own dicks. (Yes, I am assuming GUYS were behind this). Leaving us to guess their motive is the ultimate in lameness. Jesus, flood infoseek or someone associated with _something_. EBay? They sell hardware for ridiculous low prices. CNN? Well, that is not bad. But SAY SO.

    It will be interesting if this happens again, say 5 days before Xmas.

    kabloie

  • Where is the trollflood originating from? AOL??
  • You know, the anarchists, no really they're anarchists, who started the WTO riots are based in Oregon.

    It would be interesting to see if they are the ones getting the FBI's attention. If they did it, then they have to be one of the coolest anarchist groups I've ever seen in the US. Then again, if they didn't, the FBI may use it as an opportunity to get the people they couldn't after the WTO riot.

    be seeing you,
    doc
  • by JPelorat ( 5320 )
    Hehe, we know yas done it ya dirty rat, now come out wit yer hands up or we'll perforate yas!
  • We find the people responsible for this particular attack, so what?

    The problem is in the architecture of the Internet. The FBI will say that they need more access to snoop on traffic, but what if the FBI gets cracked? (or heaven forbid, the US government turns out to be untrustworthy).

    Strong authentication all along the data path is what we really need. That won't stop the attacks but it will help point the finger of blame and that can be an excellent incentive to strengthen an organizations security practices. Just imagine if UCSB and Stanford got blacklisted by their upstream provider until they could prove that they had fixed their security problems.

    It's not the attackers' fault that 99.9% of the organizations on the Internet don't take security seriously. There's a problem with the system people and it needs fixin'.
  • It's the FBI's job to hunt these guys down (maybe, do they have jurisdiction if the attack is launched from another country?) But the media has fixated on the cops and robbers aspect of this story.

    If we don't solve the underlying problem this will just keep happening and we'll all be dependent on the FBI to come and save our e-commerce asses.

    If you build your house on a cliff made of silt, it is your fault if it slides into the ocean.

    DDoS attacks are just one kind of the "forces of nature" you get on the Internet.

    Maybe an individual is ultimately responsible for this attack but catching him won't make anyone significantly safer.
  • I am a UCSB student.
    In my opinion, the administrator responsible for this security breach on a University owned machine, should apologize not only to the businesses attacked, but also to the University and its students for making us all look like helpless newbies. If this person is unable or unwilling to installed pre made patches on the University owned machines on University's network, he might not be the best one for the job.
    I also blame the IT suits, whose unwillingness to let select students take part in the network administration and maintenance, partially caused this very embarrassing situation. Thanks for thinking that it's better to hire incompetent, and/or lazy systems admins, than to let the students who use these machines the most take care of them.

    And Kevin Schmidt, the great hero, who enjoys sniffing traffic and scanning student computers a bit too much, however unethical that is, claims that hackers were untrained.
    They might be script kiddies, but they broke into University computers twice, and probably filled at least 100 Mbits/sec of our OC15 backbone for hours before they got stopped. Maybe you system administrators are untrained?

    This whole thing makes _ME_ look bad too, and yes, I am pissed.
  • The attack did not come from a student computer on UCSB Residential Network as far as I know. From what I've heard it was one of the UNIX boxes (either Solaris or HP/UX) in ECI lab. NFS was compromised.
  • even for a AC, you are a dumbass
  • You are absolutely clueless. UCSB is connected to the CalRen2 network by the fastest available connection in the whole area. From anywhere on University network you can get >1Mbyte/sec transfer speeds.
    If you are talking about Residental Network (ResNet), you can blame school for providing only 10 Mbits/sec connection to bunch of porn downloaders for free. I am on the Resnet, and if it too slow for you feel free to get a Cable modem or DSL.
    Please do research before you post next time.
  • Can you read?
    I am asking from them to let the students help.
    Read my post again.
    If your post is troll, please fell to ignore my response.
  • <rant>
    ... is why the fuck they are even doing this? It isn't for political reasons, it isn't for money, it isn't for fun. Packeting popular websites is worthless. I sometimes wonder why people do the things they do. Go out and get high or something, stop being a bunch of dumb fucks and do something productive.
    </rant>

  • Since no OS (even OpenBSD, as good as they are) is completely impervious to attack, your liability-based solution means everyone on the net has to buy hefty insurance, and the trial lawyers take 1/3 of the cash for every damage award. Sorry, it's the wrong approach.

    And what about the Linux newbie with a DSL line and a static IP address? He downloads a distro and pushes the buttons, but the default is an insecure system. Who's liable? The distributor? (You can try to exempt the distributor and say that the newbie is responsible, but no jury's going to buy that -- and the law has to treat Microsoft and Linux vendors equally).

    OK, Red Hat can afford it. But Debian has to disband. You've just killed them. The developers can work very hard to be sure they're secure, but can they bet their life savings on it?

    There is one thing that should be mandated, possibly by agreement but if that fails, by law. If you operate an ISP and you and your customers are assigned a given segment of IP space, it's trivial to configure your routers so that packets that lie about where they came from (giving a source IP address not in your IP space) can't escape to the rest of the net. It's negligence not to do this. You can make the filtering even tighter, by filtering packets coming from customers (except where there are peering agreements or other arrangements) so they can't spoof the other customers. This kind of filtering is probably going to have to be a legal requirement (or a contractual requirement imposed by the backbone folks on their customers).

  • actually, you might want to take a closer look at the injunction. EVEN if the only purpose of DeCSS was to watch movies under Linux (this is a paraphrase of part of the injunction) it is still illegal becasue it circumvents barriers to access, which is illegal under the DMCA.

    pity, ain't it?

    Lea
  • Eureka! I've got it!

    The dolphins have discovered crystals in the ruins of Atlantis that focus their sound waves into electromagnetic broadcasts. These interface with satellites orbiting the Earth. The satellites interprete these signals into packets than are then used to flood CNN.com, Yahoo, and others. This is their revenge for all the wrongs that mankind has done them over the years. The only course of action is to detonate the entire arsenal of all the militaries of the world into the oceans to end this threat once and for all!

    "Where do you get off thinking any OS is superior to DOS?"
  • I highly doubt an intelligent person or persons would attack from a local area. Who is to say this attack didn't start from say China. However, who says it wasn't script kiddies that did it.

    If I were in China and I wanted to hose some US sites...

    1. Break into serveral US .edu hosts.
    2. Route like hell from nation to nation.
    3. Log into the slowest speed school.
    4. Log into the next highest speed.
    5. Reapeat until all shells are open.
    6. DDoS

    It would be very hard to trace someone going through 3+ nations with 5+ levels of subnet changes per nation. In fact I'd say you couldn't without breaking the laws yourself. ( Not all nations would give info, or care about X attack. )

    Just my US coin dollar...
  • I remember NSA asking for more funds recently. Who knows they could've done it, lol. The point is someone had a motive, but until the motive is knowm we can't really know who it is... unless we trace and trace and read log after log.

    Unfortunately, we may never know for sure... I want to know, so I hope they trace and read over the logs. However, there is still a chance the last link in the chain was a setup. =/
  • "Yea, but the loss from doing all that back/forth wouldn't allow you to get the rates that these guys were moving at..."

    That's incorrect. You'd be attaching *from the remote machines, not from yours *via the machines. This is a common misconception about networking + shells/X. You can run code remotely on say machine A and have output on B, put simply...

    I hope you see how this works in the large now, AC.
  • Inconceivable!
  • In real life, do cops go to every house and search just to check if there're loads of crack lying around?
    Hmmm... But aren't there gated communities where rent-a-cops do wander 'round rattling the windows and checking the doors to make sure everything's secure? Are there any reliable virtual equivalents?
  • by Duke of URL ( 10219 ) on Saturday February 12, 2000 @11:15AM (#1280950)
    I work at UC Santa Barbara. For are you little orangutans out there saying the FBI is wasting its time trolling around here at UCSB, well go read the news a little more carefully. The intruder did a sloppy job and didn't clean up on his way out; therefore there may be information worth investigating.

    Kevin's qouted in the CNN article [cnn.com]:
    "Schmidt said the intruder was 'sloppy' in his work and failed to destroy all the logs monitoring activity on the server. "There wasn't a great effort to hide their presence.."

    Scroll down to the part that says "Method of attack at UCSB."

    It was really odd to see cameras and suits out and about though.

  • And it would be a really dumb platform to use too when there a bazillion NT machines hooked to the 'Net 24/7.

    My guess is that somebody has figured out that you can even attach a few bytes to a Ping packet,
    like a note to a carrier pigeon's leg (holding the 'victim' IP address and the date and time of the attack.) They even have Ping on Windows NT.

    Actually Ping would be the perfect program to infect. Its a system service so its always running. It has fast response to an incoming stream coming it on it has it sown socket and the machine is definitely hooked up to a network.

    If Ping can get a response to a ping of the 'victim,' it can participate in the attack. If not, it just waits for the next "carrier pigeon" ping.

    At the appointed date and time Ping it the ideal weapon to unleash a small stream of packets to the network.

    Ten thousand small streams from ten thousand sources makes for a flood on the 'victim' address.

    It doesn't even have to be spread by virus. It could have been done years ago by someone on the inside at Microsoft. As long as the code doers what its supposed to, nobody in QA ever seems to check what _else_ it can do. (There's a made-for-TV movie plot in there somewhere.)
  • Less then a t1 actually. My cable modem off campus is infinately faster then the dorms was

  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • Hasn't anyone actually learned anything from 'The Cuckoo's Egg'? If these people at least have some idea what they're doing, they aren't going to be anywhere near the computers that they used to carry out the attack.. why are law enforcement agents 'zeroing in' on California and Oregon, when these people could be anywhere in the world, and simply using computers in California and Oregon?

    Just my $2x10^-2 worth
    -KS

  • We were hacked at work early this morning. We run RedHat 6.1, and the attacker used the PAM exploit to create a root account for himself. He downloaded and compiled programs from port scanning and for coordinating DoS attacks.

    Fortunately our network admin was logged into the server at the time, so he watched the situation before pulling the plug on the machine. We investigated the logs this morning. We determined that he was coming from New York through a jump from a California IP, so he could definitely be a part of what's been going down.

    The account he created for himself was "TEK". Does anyone know of a cracker group that uses that name or initials?

  • Actually, the ucsb admin was doing some sluething, so the odds are if the hacker was sloppy, he's better moving on.

    SB Newspress: http://news.newspress.com/toplocal/computer.htm [newspress.com]

    And of course the unposted, slashdot brings ucsb network to it's knees
    "The unusual activity from the campus computer was noticed by UCSB's network programmer, Kevin Schmidt, around midnight Tuesday after he conducted a routine check of the system from his home. He spent the night running a check to see if there had been an intrusion, and found that a campus computer was involved in what is called a "distributed denial of service" attack.

    "We were a victim," Schmidt said. "And our computer network system was abused."
    After detecting the problem, Schmidt contacted CNN and then the FBI.
    Whoever broke into the system attempted to cover his tracks by rotating the origination addresses, but was "sloppy" and left some information intact. Still, computer experts said Friday that finding the culprit or culprits will be difficult because numerous layers of connections may be involved."

    And of course the worthless press release:
    HACKERS BREAK INTO UC SANTA BARBARA COMPUTERS; HIT CNN [ucsb.edu]
  • The machine cracked was a research lab machine.

    If it's stable, and running, most people don't like admins fucking with thier machines. The machine works, it runs the software needed, and it gets the job done. Let an admin screw with it. No way.
    Would you let people fuck with your linux box?

    Now that a machine on campus has been cracked, the poor admins will be saying, "we patch or you get no network connection", Before the crack, no admin had any weight to toss around. "Damn alarmist administrator" With the attack, the admins have a bit of weight to toss around for a month or two.
  • Like we don't have enough trouble with our child-killers that fake insanity, cops harassing our potheads when they should be out looking for murderers, the government trying to kill our assisted-suicide laws, our cabbies being killed for pocket change...
  • well,maybe i should have rephrased that. he IS off his fscking nut, but the insanity defense, at least to me, means that his lawyers can claim he didn't know wrong from right. That is bs.
  • Schmidt said the intruder was 'sloppy'

    Whoa, whoa, let's not name names just yet...


    ---
  • Why not ban pens? Who cared what they were made for, they can be used to copy books for sale on the black market.

    If pens were just now hitting the market, they wouldn't hesitate a moment to have them banned under DMCA.

    Too many people already use pens, though, so attacking them at this point would go against the whole 'divide and conquer' approach.


    ---
  • My thoughts exactly. I heard this news item on friggin radio two or three days ago.

    Slashdot ain't what it used to be, thats for sure.

    (Sorry, Rob. Its just my own observation.)



    Bowie J. Poag
    Project Manager, PROPAGANDA For Linux (http://propaganda.themes.org [themes.org])
  • I believe thats the Mossad..
  • by Wanker ( 17907 ) on Saturday February 12, 2000 @12:12PM (#1280967)

    Talk about a complete lack of research-- these guys just made up something that sounded good. According to Kirk McKusick, current copyright holder of the BSD Daemon [mckusick.com], the term 'daemon' comes directly from the mythological creatures of the same name responsible for taking care of mundane tasks.

    For more detail, see Webster's dictionary [m-w.com], in this case we are looking at variant 2, "an attendant power or spirit". Whether daemons are evil as in "demon" variant 1 depends on whether they are working or not. Some days sendmail definately qualifies as the latter.

  • Eat more fiber.

    (Ask a stupid question...)
  • Hmmmm....yes. Portscanning. Then place the results on a PUBLIC, NON-ENCRYPTED, high-profile Web site that port monkeys and script kiddies visit a lot (Slashdot sounds good :) and then allow the 1337 D00DZ HAVE AT EM!!!

    Yeah, let's do it! :)

  • by mTor ( 18585 )
    I was under an impression that spooks did this ;) They are the only ones who will profit from this (security companies as well).

    There's no way that "script kiddies" did this.

    This reminds me of the virii... who makes them? Anti virii companies of course =)

    nick


    --
    GroundAndPound.com [groundandpound.com] News and info for martial artists of all styles.
  • ...the FBI is now zeroing in on California and Oregon as the region from which the attacks most likely originated

    Only a couple of hours ago (around 10pm CET) CNN Text was featuring a story that said that the attacks were originating from Germany and were done by a program called "barbed wire" (yah, that's a translated term, I forgot the German).

    Apparently everyone's pointing at something in such a hurry that no-one is really trying to figure out who *really* did it. Maybe the FBI should work a bit more coordinated both on their research and their press-releases.

  • Is there anything wrong/funny about that? It is a much used rationalisation for the term daemon, though afaik the original reason for choosing the name is that it lurks, with the perpetrator of an act not knowing it is there. (ie, I drop something in the print spool, the daemon does its thing with it).
  • You obviously have not been in this business very long. All the major OS's have had expoits that comprimised them at one time or another - including Linux.
  • Of course using DeCSS as part of the process of playing a movie that was sold and purchased for that purpose might not amount to "circumventing".
  • The article states, "A university spokesman confirmed that a flood of hacker messages had been sent to CNN's site via one of the servers at the campus."

    To the hackers, wherever you are, whoever you are:

    Please stop sending 'hacker messages' -- do it for the children.

  • Why would china want to exspose all of its shells by DoSing a couple of 'dot-com' companies for a few hours? If they were really interested in info-war, I'm sure they'd keep it secret, untill they could actualy use the advantage

    [ c h a d o k e r e ] [dhs.org]
  • >FBI is now zeroing in on California and Oregon as >the region from which the attacks most likely
    > originated

    If the FBI is going to be using logic like there is no chance of ever finding the packet monkeys.
    The Internet is a global network. If I am going to launch an attack, I would just as soon use a university 1000 miles away, rather than the one down the street.
    Ping times, not driving times. ;-)
  • It's a play on words from vaxen as a clutch of vaxes. Boxes is too sterile a term.
  • I'd be surprised if stanford and ucsb were the only computers involved. :^|
    It sounds more like they were the only ones who noticed. That's a pretty important distinction, if you're going to blame the sysadmins for security holes... at least they turned in their machines and whatever logs still exist on them. Perhaps they (like exodus/global center) were running network monitoring tools to detect and respond to this kind of thing.

    One example of these would be netscout [slashdot.org], though they actually get their hardware from cisco.

    Now _unfortunately_, these tools also make scanning for plaintext passwords over a WAN trivial so they should probably be banned as well, but that's just another problem for the fbi. :^)
  • UCSB Local Press/Press release

    by just someone on 04:15 PM February 12th, 2000 EST
    (#49 [slashdot.org])

    (just someone User Info [slashdot.org])
    "Actually, the ucsb admin was doing some sluething..."

    check out his summary of an actually informative article:

    SB Newspress: http://news.newspress.com/toplocal/computer.htm [newspress.com]
  • hmmm, i guess it was overrated mr. moderator. But then again, you don't have much time to be creative when you're trying to get...

    FIRST POST !!!!

    hahahahahaha... relax, its Saturday, the snow is falling, and for some strange reason my head hurts.
  • Rdiculous moderation in action... A first post is marked redundant, while a four page AC post of a WWF sex fantasy is left untouched. Classic.
  • so does that point the finger back at the gov't again? No sorry, what was I thinking, a government agency lying for political gain, I must be on crack again. Thank god for the CIA! [usdoj.gov]

    (google's got the Valentines feeling, how sweet)
  • USAToday (dead tree) had quotes from our hero JohnV as well as quotes from /. and some AOL chatrooms. Looks like we're in good company....
  • Depends on what you mean by "has faulty brakes". Most vehicles don't leave the factory with faulty breaks, so if your particular car has faulty brakes and you could "prove" it in court, you'd also have to prove that they had just went out, otherwise you'd probably be looking at a reckless driving situation as well as a red light.
  • No DDoS attacks are not a kind of force of nature. A force of nature is something that happens on it's own, not something that is initiated by a person.

    By the logic you used in the parent to this thread, it would be your fault if somebody was to shoot you dead, because "you could have been wearing a bullet proof vest."

    Even though there are problems with the net, act of senseless stupidity are not to be excused because they can be done.
  • As someone else who was "there" when all this started, I can state the major problem with your theory: the NSF stopped funding the backbone. Sure you'd have the occasional techy running some kind of site across his isdn line or modem, but you would definitely not see the kind of bandwidth that exists today without all the ecommerce to fund it.
  • And so, Dear Reader, the trail eventually led up to a little backwoods town in Washington named Redmond, the last place anyone would have thought to look for an evil computer nerd trying to destroy the Internet...
  • This is true, but just because a very risk-averse person should have used far-off computers does not mean that this is the case. What is familiar and convenient often trumps what is rather more sensible, especially in the mind of someone who believes that he's already been so clever that he could never be caught in any case. And the Chinese army probably would've been a bit more subtle. Maybe.
  • Moderator points come in sets of five, not magic moderation rings with an infinite number of wishes. (Unlike the ability of trolls to post.)

    Some moderators try to use them mainly for moderating interesting stuff UP, rather than moderating trolls down. If they burn them all on the latter, they don't get to call your attention to important stuff.

    Later comments are seen by fewer moderators, and thus less likely to be dinged.

    Moderation is done by readers of the already-posted items - not by a hypothetical staff approving or disapproving of postings before they're made. So items following-up an item already moderated down are less likely to be looked at and disapproved, even if the moderator is willing to waste his points on the Nth followup on an off-topic thread.

    And moderators can't moderate responses to articles where they've already posted a response. (I, for instance, currently have three moderator points left, and am blowing my ability to use them anywhere in this article by posting this reply.)

    So don't look for consistency in moderation. Be greatful you get any benefit from it at all.
  • Strong authentication all along the data path is what we really need. That won't stop the attacks but it will help point the finger of blame and that can be an excellent incentive to strengthen an organizations security practices.

    But strong authentication comes from strong crypto. And strong crypto in the US has been crippled by the US Government's export controls, which remove most of the financial reward for work on it by US programmers. (They can't export their products, so such products can't become a world standard, so they can't become a US standard, so they can't be sold. So the programmers find something else to do, where they CAN make some money.)

    And who are the biggest lobbiests against removing those export controls?

    The FBI and the NSA.

    And why did they want the controls to remain?

    So they can read everybody's wiretapped communications (NSA, FBI) and confiscated or copied disks (FBI, NSA).

    And maybe so they can install their OWN intrusionware, so they can read it when the traffic hasn't been in the US (NSA, FBI drug warriors) or without having to sieze the computers and tip off those observed (FBI, NSA).

    And maybe so they can plant things, disrupt targeted organizations' operations, or play damaging and often fatal "dirty tricks" on those they don't like (as both the FBI and the spook agencies are known to have done in every decade since their inception).

    So now their interference with crypto has come home to roost - by leaving the US information infrastructure open to attack, until a large scale attack is under weigh.

    Don't they both have charters that say they're supposed to work toward preventing that sort of thing?
  • Granted what they pulled off was quite impressive, is it really "hacking" in the true sense of the word?

    Loath as I am to give psychopaths any reenforcement...

    The trinoo/TFN/stacheldraht tools do show there's some talent under a couple of the black hats.

    Some coboys ARE cattle rustlers. Some sailors ARE pirates. And some hackers ARE crackers and/or vandals.

    Talent and psychopathy aren't well correlated, so there are a small number of people who have both. About one in a hundred is a psychopath, and that applies to hackers as well as every other group. Some fraction of psychopaths don't learn enlightened self-interest, and so remain amoral and prone to doing great damage to others to obtain minor, short-term benefits to themselves.

    Of course, once the tools {and their install tools} are written, it doesn't take brains to install and use them. Just access to the tools and a lack of morals.
  • **you** are responsble for what your computer does

    Can't handle that? Then get your machine off of the net. This is no different than your kid or one of his friends finding your gun, unsecured laying loose in a drawer, and using it to blow someone away.


    It might be argued that having a bulldozer with a lock that can be picked with a hairpin makes you partly to blame when somebody steals it and uses it to knock down a department store. But if you accept that argument...

    Who is at fault for the loose security on the bulldozer when all the bulldozers come from each of the handfull of bulldozer factories with such locks, all identical? Must every customer install his own lock? Must every customer become a better locksmith than the experts working at the factories? Shouldn't there at least be something in the manual telling the customers that they need to change the lock?

    And who is at fault for the loose security on the bulldozer when the government bans locks that can't be picked with a hairpin?

    Let's stick to putting the blame where it belongs: on the criminal.

    And let's stick to solving the problem at its sources, which include the government's ban on strong cryptography.
  • I'd expect that China would hold off on actual use of its intrusionware until it could use it as part of a coordinated effort.

    Shooting at someone makes them tend to put on body armor. Making a series of attacks with intrusionware puts a lot of experts to work rendering that particular style of intrusionware unworkable - and making future intrusionware more difficult to write.
  • I think that these announcements are probably red herrings intended to keep the press happy - "look we're doing something ..." ... from the description on last night's news these were hacked machines which had been used as part of a tribe-attack - the report I heard really didn't explain well that these people were victims too.

    Even more disgusting was hearing the TV news quoting antionline as to where the crackers are located .... :-( I guess some people are making money from this

  • I don't think that they're looking for the actual packet monkeys in California/Oregon, but evidence that will lead them to the real location. By analyzing the logs of the machines used in the attacks they can help narrow down the location of the perps.

    However, I doubt they'll have much luck. As has been said, while the machines that were compromised no doubt hold clues to the origin of the attacks, the people involved probably did a good job of covering their tracks. I somehow doubt they just telnetted in from their houses and executed the attacks. Nevertheless, closing in on a point where we know there's been a break-in is simply the best way to start.

    I do blame the media for propagating the idea that the perps are in the California/Oregon area, though. This case has shoown just how difficult it is to describe the real way the Internet works to the average person on the street.
  • How 'bout if the GOVERNMENT goes around port-scanning the machines in the net for exploitable holes, and then requires that those people take their machines off the net until they've got the holes fixed up?

    (I know, I know, it would piss off a lot of people, who would complain about government interference - it would be an odd sort of backlash though: "The government wouldn't let me keep my system insecure!")

    Maybe you could do something like the RBL system, where you have people cooperatively portscanning the net, reporting machines that they find "open", then trying to get the owners to fix them up (providing advice where necessary), but RBLing them if they don't cooperate?
  • SO what about the 2nd part of my comment, about doing a "black-hole list"-type setup where many people through the net cooperate with each other to portscan the whole net, identify open systems, then help those systems to become secure or cooperatively block them if they won't?
  • A News.com article [cnet.com]says that the FBI is now looking for a German programmer named, "Mixter" who allegedly wrote the programs that were used in the DoS attacks.

    He vehemently denies any involvement with these incidents and does not condone people using his tools for such nefarious purposes. The article goes on to say, "Their[people who write these kind of tools] work is controversial, however, because the programs they write can fall into the wrong hands when posted on the Web." This brings up an interesting point. Since these tools have been written everybody needs to assume that they are already in the wrong hands, and anyone responsible for the security of their networks should be pounding themselves with DoS attempts using these tools, so that they can learn how to protect themselves.
  • I've seen DVDs copied. It would be really silly to decrypt it first. That would be like reading a text file off the screen, writing it to a piece of paper, then firing up vi and writing it to a new file on a floppy. It would be a little easier to copy it.

    Why would it be really silly to decrypt it first? Decrpyting it allows it to be distributed to anyone on any media that you choose. It allows it to be used in players that don't respect Region Enconding. Lastly, it allows you to compress it into another format with near perfect results. With an encrypted DVD, your limited to making byte for byte copies to another DVD that only play in MPAA blessed DVD players.
  • You could just play into a video capture card

    But the video would have to be digital to analog converted and than analog to digital converted. This would result in a substantial loss in quality. The movie industry is only concerned about perfect digital copies of their work being freely available.
  • The problem is in the architecture of the Internet. The FBI will say that they need more access to snoop on traffic, but what if the FBI gets cracked? (or heaven forbid, the US government turns out to be untrustworthy).

    Is this a joke??????

    Were you being facetious????

    How many times does our government have to prove they can't be trusted? Where have you been?

  • by Animats ( 122034 ) on Sunday February 13, 2000 @09:05AM (#1281058) Homepage
    Anonymous Coward writes: You are wrong. These attacks were coming from various IP addresses (many spoofed) and were a mix of syn floods and ICMP. Rate limiting and router dropping isn't going to do anything when they take down your entire link.

    It's hard to overload a major site with T3 or more bandwidth coming in just by sending junk packets that don't do anything. Web sites generally have equal bandwidth going in and out, but send far more than they receive. So there's lots of excess inbound capacity. Dropping an inbound packet is a cheap operation.

    The problem with SYN floods is that the server resources used are all out of proportion to the message sent. One TCP SYN message with a random IP address chews up a few K of server RAM for tens of seconds, maybe a minute. In some servers, each TCP SYN uses a slot in the pending-connection queue for the socket at which they're aimed, and worse, some servers have only a few such slots. Those servers can be locked up with a very modest attack bandwidth.

    There are a few other problems, such as machines dumb enough to reply to ICMP broadcast packets and, even dumber, those that will allow an outsider to get the UDP junk message generator service (which nobody needs turned on) talking to the UDP echo service (which isn't very useful either). But those are out-and-out bugs, for which fixes are known.

    Once you plug all the holes which allow small amounts of one-way attack data to use large amounts of server resources, the problem should become manageable.

    All this assumes that the number of attacking zombies is in the thousands, not the hundreds of thousands. I agree that if someone takes over enough machines, and aims them all at the same target, it creates more difficult problems. But that's a lot of zombies to run without somebody figuring out who's behind the attack.

    John Nagle
    Menlo Park, CA

  • by Animats ( 122034 ) on Saturday February 12, 2000 @05:18PM (#1281059) Homepage
    As I pointed out previously [slashdot.org], this problem is fixable, despite stupid press reports to the contrary. Protective measures [cert.org] against SYN flooding were developed back in 1997, but unfortunately, the two open-source patches developed, for BSD and Linux, weren't of good enough quality to deploy widely and leave on all the time. That could be easily fixed with a few days work by competent people. Presumably that work will get done now.

    Once you stop SYN flood attacks, and have the fixes in for stupid bugs like the "Ping of death" and IP broadcast packet expansion, everything else that can happen has a reachable IP address associated with it. Those attacks are traceable back at least one level, and you can make them ineffective by imposing some kind of quota system or block based on source IP address at various levels of the server. Web servers like Apache might need to be smartened up a bit so they don't choke when a huge number of requests come in from the same IP address (and that mechanism needs to know about major proxy servers like AOL), but that's not too tough.

    The key points to understand are this:

    • There are technical fixes to these vulnerabilities. We're talking weeks of work on a few specific pieces of software, not re-engineering the whole Internet.
    • We don't need a massive FBI presence, $2 billion, or Presidential involvement to fix the problem.
    • Journalistic coverage of this event has grossly overstated the problem.

    John Nagle / Menlo Park, CA

  • It's the FBI's job to hunt these guys down (maybe, do they have jurisdiction if the attack is launched from another country?) But the media has fixated on the cops and robbers aspect of this story.


    My understanding is that the FBI's Charter has changed in the last ~5 years, so that they are no longer prohibited from conducting international operations. At the same time, the CIA's Charter was changed, so that they are no longer prohibited from conducting domestic operations.

    Although Mongoose raised the point jokingly, it is not such an outlandish idea that NSA may have been involved in this as a fundraising effort. Anyone remember a little incident in Waco, Texas a few years ago...? You know, ATF, FBI, Army National Guard (Delta Force?). There have been, IMHO, credible claims that ATF's beef with Koresh started as a fundraiser. BTW - what in the HELL does the Bureau of Alcohol, Tobacco, and Firearms need OV-10 Broncos for!?

    Anyway, while I am all for the concept of 'LAW ENFORCEMENT' (as lbergstr said), I think it is important to ask what law was broken here, who should be enforcing that law, and what methods should they use? Frankly, I would be less concerned about NSA fundraising activities than media stunts aimed at increasing NSA/FBI/CIA's power to intrude into our lives.

    I predict Bill Clinton will propose to increase federal law enforcement agencies' power to crack down on 'Cyber-Terrorism' after next week's meeting [yahoo.com]. Then again, he may simply issue another "classified" executive order...

    Question Authority

  • Stanford is one of the top CS schools around, they oughta know better. On the other hand, they also probably have one of the best connections. As for UCSB, they were in one of the very first ARPAnet tests back in the 60s, so they should know what they're doing with this stuff, too.

Don't get suckered in by the comments -- they can be terribly misleading. Debug only code. -- Dave Storer

Working...