DDoS Attacks Traced to UCSB, Stanford 307
michael.creasy writes, "BBC Online reports that the DDoS attacks have been traced to California." The article says there is no evidence that employees or students at Stanford or the University of California at Santa Barbara [UCSB] were connected with the attacks - they were just "zombie" sites - but that the FBI is now zeroing in on California and Oregon as the region from which the attacks most likely originated.
Re:This problem is fixable (again) (Score:1)
The only thing you can do to stop this is setup spoofed packet filters at every gateway/router connected to the internet and then easily track down the sources because we can't spoof out of a certain range anymore.
The problem? It would cost tons of money and lots of time.
What you mention in that previous post is completely invalid, especially when the attack is so massive and when it is randomly spoofed. About the only thing large ISP's can do now is block certain IANA reserved and local ranges so that they can block maybe 1/4 of all randomly spoofed packets.
Re:The best and the brightest... (Score:1)
Stanford is one of the top CS schools around, they oughta know better.
Well, I'm at Stanford, and I can tell you that the univeristy sysadmins and CS people don't run all the systems in campus. In fact, there's many people running insecure linux systems in their offices/rooms which Stanford does not administer.
---
Compromised hosts -- what OSs? (Score:2)
One thing I haven't seen in any news stories or most of the commentaries posted is what specific hosts and operating systems are being compromised. There was the withdrawn story to Computer Currents yesterday which claimed only Linux and Solaris were involved. I find this hard to believe. I've heard anectdotal evidence that Windows machines are the most frequently compromised hosts, via viruses.
If the truth is lurking somewhere in earshot, could it please make itself heard?
What part of "Gestalt" don't you understand?
RBL (Score:2)
The idea of an RBL type system is something I've thought of independently. It seems attractive. Like the UDP and real RBL, it could be a loose affiliation, decentralized, and advisory in nature. No need to bring the government in -- little that it could likely do anyway.
Realistically, what would be required is for a given network gateway to monitor its peer and child connections. Portscanning might not be necessary, depending on the signatures of an attack. A particular peer/child which exhibited behavior indicative of compromised host(s) could be blocked off, with appropriate messages sent to administrative contacts.
At the ISP level, this would include monitoring both individual dialup/fixed IP hosts, and connections to other IP aggregators. A sufficient level of filtering/blocking would act like a circuit breaker -- portions of the net might be slowed or cut off, but global abuses of the sort experienced in the past few weeks would be avoided.
What part of "Gestalt" don't you understand?
Why should anyone waste time... (Score:2)
Even if they will find someone, no one will believe them that they got the right people (=> bad publicity for FBI), and no one who would want to repeat this attack would be stopped by that. They can't lock in the cell the knowledge about bugs and DoS tools -- it's already everywhere, and if it wasn't, it could be easily found again, so why waste the money, time and effort on finding some (bad) people if it can be spent by making things invulnerable to them?
Re:DeCSS? (Score:2)
Why would it be really silly to decrypt it first? Decrpyting it allows it to be distributed to anyone on any media that you choose. It allows it to be used in players that don't respect Region Enconding. Lastly, it allows you to compress it into another format with near perfect results.
Because no other existing media can store this amount of information without either being extremely expensive (hard drives) or slow (tapes), and?
With an encrypted DVD, your limited to making byte for byte copies to another DVD that only play in MPAA blessed DVD players.
For the purpose of piracy it makes no sense because buyers have the same DVDCCA-blessed players -- and copying data for playing on other devices by legal owner of the copy is legitimate use under existing copyright law -- as legitimate as playing it.
How can a UCSB student be smart enough to do that? (Score:1)
Let's get this sorted. (Score:3)
a) The attackers aren't 100% stupid,
b) That it'd be 100% stupid to launch an attack from a computer you're associated with, on paper,
c) Therefore, the attackers aren't likely to be in Oregon or California.
Where does that leave us? Well, 99.999% of the planet. Though I think we can rule out the oceans. (Not completely, as Navy ships have Internet access, and nobody's entirely certain what dolphins have been up to, given that the US won't sign any environmental acts to protect their food and migratory routes.)
Who are the list of suspects, oh Great and Wonderful Sherlock Holmes, Solver of a Thousand Cases, and Drinker of a Thousand More?
Well, Watson, this leaves the whole of China, Russia, Serbia, Chechnya, Greece, Iraq, Iran, France, Germany, Denmark, Cuba, virtually the entire European Union, every University on the planet, every dissatisfied citizen of the US, every bored cracker on the planet, the Luddite movement, the Internet 2 consortium, the DVD consortium, the RIAA, the MPAA, Microsoft, every company developing anti-DDOS tools, any newspaper in need of better circulation, the US Government (including the FBI), and a pack of crazed ferrits.
My goodness, Mr Holmes! How are the authorities going to work out who did it?
Elementary, my dear Watson! They're going to keep arresting people, without bail or charge, until the attacks stop. And then, so as to not look bad, they'll charge all the innocent people with something else, such as wasting police time and occupying cells without a permit.
Re:Oh, come on. (Score:1)
Some immigrants (e-commerce sitse) moved onto an island by the thousands and set up houses. The natives of the island don't like it, so they've set up baracades in front of a couple of the biggest houses.
Of course the people involved haven't given any manifesto or anything so this is still speculation. My guess is that they're bothering the big e-commerce sites simply because they're the big e-commerce sites, not because they're trying to prove something about security (such as leaving your door open). And they're certainly not lighting their houses on fire and/or nuking them. If they were to stop right now, things would carry on as if it had never happened (with the exception of the media reports).
Re:DeCSS? (Score:1)
DeCSS decrypts the movie (obviously), which can allow you to save it on a local file, and distribute it to anyone you'd like. That's the whole basis for the DeCSS trial. No one cares that it was created so people who own DVD Movies can watch it on their computer. They care that it could be used to help pirate movies.
DDOS still going on on Sat? (Score:1)
My money's on Eugene, OR. (Score:1)
For anarchists, they're pretty cool. They're just entirely too predictable.
Duh. (Score:1)
Re:FBI going to focus on Oregon... (Score:1)
If you're referring to Kip, I think the best evidence shows he was completely off his fscking nut. Not that that makes him a non-problem.
L0pht before the senate. (Score:1)
Fickle, aren't we.
Re:hmmm... (Score:1)
ST's list of Other Possible Scapegoats (Score:1)
Hizb'ollah
Russia
The Republican Party
Iran
Serbia
O.P.E.C.
North Korea
Network Solutions Inc.
Greece
France
The International Action Center
The Mousad
Iraq
Pakistan
India
Christmas Island
The WTO
The Democratic Party
Cuba
Guatemala
The Toronto Bluejays
Ayn Rand
Re:I work at UC Santa Barbara (Score:1)
"There wasn't a great effort to hide their presence.."
Which could mean that they were sloppy, or that they perhaps forged some logs for the FBI to find, knowing that the media would eat it up with a spoon. No way to tell at this point.
Re:Oh, come on. (Score:1)
If they were trying to protest, they should have at least suggested what they were protesting against.
Re:Two reasons (Score:1)
And FYI, Taiwan isn't really a country.
Re:DeCSS? (Score:1)
You're telling me that kludging together a system where I could watch a DVD on a screen not directly hooked up to that card (e.g. if I have multiple screens) would be illegal? Why? What's the difference?
www.eff.org (Score:1)
Bring on the conspiracy theories :-)
Seriously though, anybody know what's up with www.eff.org?
--
Re:Oh, come on. (Score:1)
It will be interesting if this happens again, say 5 days before Xmas.
kabloie
What about slashdot? (Score:1)
Oregon you say? (Score:1)
It would be interesting to see if they are the ones getting the FBI's attention. If they did it, then they have to be one of the coolest anarchist groups I've ever seen in the US. Then again, if they didn't, the FBI may use it as an opportunity to get the people they couldn't after the WTO riot.
be seeing you,
doc
Aha! (Score:1)
Misplaced effort? (Score:1)
The problem is in the architecture of the Internet. The FBI will say that they need more access to snoop on traffic, but what if the FBI gets cracked? (or heaven forbid, the US government turns out to be untrustworthy).
Strong authentication all along the data path is what we really need. That won't stop the attacks but it will help point the finger of blame and that can be an excellent incentive to strengthen an organizations security practices. Just imagine if UCSB and Stanford got blacklisted by their upstream provider until they could prove that they had fixed their security problems.
It's not the attackers' fault that 99.9% of the organizations on the Internet don't take security seriously. There's a problem with the system people and it needs fixin'.
Re:Oh, come on. (Score:2)
If we don't solve the underlying problem this will just keep happening and we'll all be dependent on the FBI to come and save our e-commerce asses.
If you build your house on a cliff made of silt, it is your fault if it slides into the ocean.
DDoS attacks are just one kind of the "forces of nature" you get on the Internet.
Maybe an individual is ultimately responsible for this attack but catching him won't make anyone significantly safer.
UCSB, Re:The best and the brightest... (Score:1)
In my opinion, the administrator responsible for this security breach on a University owned machine, should apologize not only to the businesses attacked, but also to the University and its students for making us all look like helpless newbies. If this person is unable or unwilling to installed pre made patches on the University owned machines on University's network, he might not be the best one for the job.
I also blame the IT suits, whose unwillingness to let select students take part in the network administration and maintenance, partially caused this very embarrassing situation. Thanks for thinking that it's better to hire incompetent, and/or lazy systems admins, than to let the students who use these machines the most take care of them.
And Kevin Schmidt, the great hero, who enjoys sniffing traffic and scanning student computers a bit too much, however unethical that is, claims that hackers were untrained.
They might be script kiddies, but they broke into University computers twice, and probably filled at least 100 Mbits/sec of our OC15 backbone for hours before they got stopped. Maybe you system administrators are untrained?
This whole thing makes _ME_ look bad too, and yes, I am pissed.
Re:Lax security at UCSB, Stanford != students' fau (Score:1)
OC12, not OC15 (No text) (Score:1)
Re:UCSB, Re:The best and the brightest... (Score:1)
Get a clue. (WAS: Re:UCSB . . . not a shocker) (Score:1)
If you are talking about Residental Network (ResNet), you can blame school for providing only 10 Mbits/sec connection to bunch of porn downloaders for free. I am on the Resnet, and if it too slow for you feel free to get a Cable modem or DSL.
Please do research before you post next time.
Re:UCSB, Re:The best and the brightest... (Score:1)
I am asking from them to let the students help.
Read my post again.
If your post is troll, please fell to ignore my response.
what I just don't understand... (Score:1)
... is why the fuck they are even doing this? It isn't for political reasons, it isn't for money, it isn't for fun. Packeting popular websites is worthless. I sometimes wonder why people do the things they do. Go out and get high or something, stop being a bunch of dumb fucks and do something productive.
</rant>
The trial lawyers will love you (Score:2)
Since no OS (even OpenBSD, as good as they are) is completely impervious to attack, your liability-based solution means everyone on the net has to buy hefty insurance, and the trial lawyers take 1/3 of the cash for every damage award. Sorry, it's the wrong approach.
And what about the Linux newbie with a DSL line and a static IP address? He downloads a distro and pushes the buttons, but the default is an insecure system. Who's liable? The distributor? (You can try to exempt the distributor and say that the newbie is responsible, but no jury's going to buy that -- and the law has to treat Microsoft and Linux vendors equally).
OK, Red Hat can afford it. But Debian has to disband. You've just killed them. The developers can work very hard to be sure they're secure, but can they bet their life savings on it?
There is one thing that should be mandated, possibly by agreement but if that fails, by law. If you operate an ISP and you and your customers are assigned a given segment of IP space, it's trivial to configure your routers so that packets that lie about where they came from (giving a source IP address not in your IP space) can't escape to the rest of the net. It's negligence not to do this. You can make the filtering even tighter, by filtering packets coming from customers (except where there are peering agreements or other arrangements) so they can't spoof the other customers. This kind of filtering is probably going to have to be a legal requirement (or a contractual requirement imposed by the backbone folks on their customers).
Re:DeCSS? (Score:2)
pity, ain't it?
Lea
Re:Let's get this sorted. (Score:1)
The dolphins have discovered crystals in the ruins of Atlantis that focus their sound waves into electromagnetic broadcasts. These interface with satellites orbiting the Earth. The satellites interprete these signals into packets than are then used to flood CNN.com, Yahoo, and others. This is their revenge for all the wrongs that mankind has done them over the years. The only course of action is to detonate the entire arsenal of all the militaries of the world into the oceans to end this threat once and for all!
"Where do you get off thinking any OS is superior to DOS?"
Re:The best and the brightest... (Score:1)
If I were in China and I wanted to hose some US sites...
1. Break into serveral US
2. Route like hell from nation to nation.
3. Log into the slowest speed school.
4. Log into the next highest speed.
5. Reapeat until all shells are open.
6. DDoS
It would be very hard to trace someone going through 3+ nations with 5+ levels of subnet changes per nation. In fact I'd say you couldn't without breaking the laws yourself. ( Not all nations would give info, or care about X attack. )
Just my US coin dollar...
FBI/NSA plan? (Score:1)
Unfortunately, we may never know for sure... I want to know, so I hope they trace and read over the logs. However, there is still a chance the last link in the chain was a setup. =/
Re:The best and the brightest... (Score:1)
That's incorrect. You'd be attaching *from the remote machines, not from yours *via the machines. This is a common misconception about networking + shells/X. You can run code remotely on say machine A and have output on B, put simply...
I hope you see how this works in the large now, AC.
Re:FBI Stupidity (Score:1)
Re:Innocent until proven guilty, but then... (Score:2)
I work at UC Santa Barbara (Score:3)
Kevin's qouted in the CNN article [cnn.com]:
"Schmidt said the intruder was 'sloppy' in his work and failed to destroy all the logs monitoring activity on the server. "There wasn't a great effort to hide their presence.."
Scroll down to the part that says "Method of attack at UCSB."
It was really odd to see cameras and suits out and about though.
That would be a really dumb way to do it. (Score:1)
My guess is that somebody has figured out that you can even attach a few bytes to a Ping packet,
like a note to a carrier pigeon's leg (holding the 'victim' IP address and the date and time of the attack.) They even have Ping on Windows NT.
Actually Ping would be the perfect program to infect. Its a system service so its always running. It has fast response to an incoming stream coming it on it has it sown socket and the machine is definitely hooked up to a network.
If Ping can get a response to a ping of the 'victim,' it can participate in the attack. If not, it just waits for the next "carrier pigeon" ping.
At the appointed date and time Ping it the ideal weapon to unleash a small stream of packets to the network.
Ten thousand small streams from ten thousand sources makes for a flood on the 'victim' address.
It doesn't even have to be spread by virus. It could have been done years ago by someone on the inside at Microsoft. As long as the code doers what its supposed to, nobody in QA ever seems to check what _else_ it can do. (There's a made-for-TV movie plot in there somewhere.)
Re:UCSB's net connection (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Silly (Score:1)
Just my $2x10^-2 worth
-KS
Attacked at work, Attacker traced to California (Score:1)
Fortunately our network admin was logged into the server at the time, so he watched the situation before pulling the plug on the machine. We investigated the logs this morning. We determined that he was coming from New York through a jump from a California IP, so he could definitely be a part of what's been going down.
The account he created for himself was "TEK". Does anyone know of a cracker group that uses that name or initials?
UCSB Local Press/Press release (Score:1)
SB Newspress: http://news.newspress.com/toplocal/computer.htm [newspress.com]
And of course the unposted, slashdot brings ucsb network to it's knees
"The unusual activity from the campus computer was noticed by UCSB's network programmer, Kevin Schmidt, around midnight Tuesday after he conducted a routine check of the system from his home. He spent the night running a check to see if there had been an intrusion, and found that a campus computer was involved in what is called a "distributed denial of service" attack.
"We were a victim," Schmidt said. "And our computer network system was abused."
After detecting the problem, Schmidt contacted CNN and then the FBI.
Whoever broke into the system attempted to cover his tracks by rotating the origination addresses, but was "sloppy" and left some information intact. Still, computer experts said Friday that finding the culprit or culprits will be difficult because numerous layers of connections may be involved."
And of course the worthless press release:
HACKERS BREAK INTO UC SANTA BARBARA COMPUTERS; HIT CNN [ucsb.edu]
Would you let someone admin your linux box? (Score:1)
If it's stable, and running, most people don't like admins fucking with thier machines. The machine works, it runs the software needed, and it gets the job done. Let an admin screw with it. No way.
Would you let people fuck with your linux box?
Now that a machine on campus has been cracked, the poor admins will be saying, "we patch or you get no network connection", Before the crack, no admin had any weight to toss around. "Damn alarmist administrator" With the attack, the admins have a bit of weight to toss around for a month or two.
FBI going to focus on Oregon... (Score:1)
Re:FBI going to focus on Oregon... (Score:1)
Re:I work at UC Santa Barbara (Score:1)
Whoa, whoa, let's not name names just yet...
---
Re:DeCSS? (Score:1)
If pens were just now hitting the market, they wouldn't hesitate a moment to have them banned under DMCA.
Too many people already use pens, though, so attacking them at this point would go against the whole 'divide and conquer' approach.
---
Re:Slashdot == local news? (Score:1)
Slashdot ain't what it used to be, thats for sure.
(Sorry, Rob. Its just my own observation.)
Bowie J. Poag
Project Manager, PROPAGANDA For Linux (http://propaganda.themes.org [themes.org])
Re:ST's list of Other Possible Scapegoats (Score:1)
"Disk and Execution Monitor" (Score:3)
Talk about a complete lack of research-- these guys just made up something that sounded good. According to Kirk McKusick, current copyright holder of the BSD Daemon [mckusick.com], the term 'daemon' comes directly from the mythological creatures of the same name responsible for taking care of mundane tasks.
For more detail, see Webster's dictionary [m-w.com], in this case we are looking at variant 2, "an attendant power or spirit". Whether daemons are evil as in "demon" variant 1 depends on whether they are working or not. Some days sendmail definately qualifies as the latter.
Re:DOS and my butt (Score:2)
(Ask a stupid question...)
Re:If the government decides to "do" something (Score:2)
Yeah, let's do it!
Spooks (Score:1)
There's no way that "script kiddies" did this.
This reminds me of the virii... who makes them? Anti virii companies of course =)
nick
--
GroundAndPound.com [groundandpound.com] News and info for martial artists of all styles.
Does FBI or media actually have *ANY* clue? (Score:1)
Only a couple of hours ago (around 10pm CET) CNN Text was featuring a story that said that the attacks were originating from Germany and were done by a program called "barbed wire" (yah, that's a translated term, I forgot the German).
Apparently everyone's pointing at something in such a hurry that no-one is really trying to figure out who *really* did it. Maybe the FBI should work a bit more coordinated both on their research and their press-releases.
Re:Two Words: (Score:1)
re: Solaris responsible, Linux claims are false! (Score:1)
Re:DeCSS? (Score:1)
No more! (Score:2)
To the hackers, wherever you are, whoever you are:
Please stop sending 'hacker messages' -- do it for the children.
I don't think its china (Score:2)
[ c h a d o k e r e ] [dhs.org]
FBI Stupidity (Score:1)
> originated
If the FBI is going to be using logic like there is no chance of ever finding the packet monkeys.
The Internet is a global network. If I am going to launch an attack, I would just as soon use a university 1000 miles away, rather than the one down the street.
Ping times, not driving times.
boxen. (Score:1)
Only Stanford&UCSB noticed? (Score:1)
It sounds more like they were the only ones who noticed. That's a pretty important distinction, if you're going to blame the sysadmins for security holes... at least they turned in their machines and whatever logs still exist on them. Perhaps they (like exodus/global center) were running network monitoring tools to detect and respond to this kind of thing.
One example of these would be netscout [slashdot.org], though they actually get their hardware from cisco.
Now _unfortunately_, these tools also make scanning for plaintext passwords over a WAN trivial so they should probably be banned as well, but that's just another problem for the fbi.
or perhaps not... moderate _just_someone_ up! (Score:1)
by just someone on 04:15 PM February 12th, 2000 EST
(#49 [slashdot.org])
(just someone User Info [slashdot.org])
"Actually, the ucsb admin was doing some sluething..."
check out his summary of an actually informative article:
SB Newspress: http://news.newspress.com/toplocal/computer.htm [newspress.com]
Re:LL Hack J (Score:1)
FIRST POST !!!!
hahahahahaha... relax, its Saturday, the snow is falling, and for some strange reason my head hurts.
Re:LL Hack J (Score:1)
Re:They'll probably be made illegal (Score:2)
(google's got the Valentines feeling, how sweet)
Re:Red Herring for the press .... (Score:2)
Re:**you** are responsble for what your computer d (Score:1)
Re:Oh, come on. (Score:2)
By the logic you used in the parent to this thread, it would be your fault if somebody was to shoot you dead, because "you could have been wearing a bullet proof vest."
Even though there are problems with the net, act of senseless stupidity are not to be excused because they can be done.
Re:Oh, come on. (Score:2)
Re:LL Hack J (Score:1)
True, but... (Score:1)
Moderation in all things, including moderation. (Score:2)
Some moderators try to use them mainly for moderating interesting stuff UP, rather than moderating trolls down. If they burn them all on the latter, they don't get to call your attention to important stuff.
Later comments are seen by fewer moderators, and thus less likely to be dinged.
Moderation is done by readers of the already-posted items - not by a hypothetical staff approving or disapproving of postings before they're made. So items following-up an item already moderated down are less likely to be looked at and disapproved, even if the moderator is willing to waste his points on the Nth followup on an off-topic thread.
And moderators can't moderate responses to articles where they've already posted a response. (I, for instance, currently have three moderator points left, and am blowing my ability to use them anywhere in this article by posting this reply.)
So don't look for consistency in moderation. Be greatful you get any benefit from it at all.
So it IS the fault of the FBI and NSA? (Score:2)
But strong authentication comes from strong crypto. And strong crypto in the US has been crippled by the US Government's export controls, which remove most of the financial reward for work on it by US programmers. (They can't export their products, so such products can't become a world standard, so they can't become a US standard, so they can't be sold. So the programmers find something else to do, where they CAN make some money.)
And who are the biggest lobbiests against removing those export controls?
The FBI and the NSA.
And why did they want the controls to remain?
So they can read everybody's wiretapped communications (NSA, FBI) and confiscated or copied disks (FBI, NSA).
And maybe so they can install their OWN intrusionware, so they can read it when the traffic hasn't been in the US (NSA, FBI drug warriors) or without having to sieze the computers and tip off those observed (FBI, NSA).
And maybe so they can plant things, disrupt targeted organizations' operations, or play damaging and often fatal "dirty tricks" on those they don't like (as both the FBI and the spook agencies are known to have done in every decade since their inception).
So now their interference with crypto has come home to roost - by leaving the US information infrastructure open to attack, until a large scale attack is under weigh.
Don't they both have charters that say they're supposed to work toward preventing that sort of thing?
Re:Finally someone got the name right! (Score:2)
Loath as I am to give psychopaths any reenforcement...
The trinoo/TFN/stacheldraht tools do show there's some talent under a couple of the black hats.
Some coboys ARE cattle rustlers. Some sailors ARE pirates. And some hackers ARE crackers and/or vandals.
Talent and psychopathy aren't well correlated, so there are a small number of people who have both. About one in a hundred is a psychopath, and that applies to hackers as well as every other group. Some fraction of psychopaths don't learn enlightened self-interest, and so remain amoral and prone to doing great damage to others to obtain minor, short-term benefits to themselves.
Of course, once the tools {and their install tools} are written, it doesn't take brains to install and use them. Just access to the tools and a lack of morals.
Lock bans. (Score:2)
Can't handle that? Then get your machine off of the net. This is no different than your kid or one of his friends finding your gun, unsecured laying loose in a drawer, and using it to blow someone away.
It might be argued that having a bulldozer with a lock that can be picked with a hairpin makes you partly to blame when somebody steals it and uses it to knock down a department store. But if you accept that argument...
Who is at fault for the loose security on the bulldozer when all the bulldozers come from each of the handfull of bulldozer factories with such locks, all identical? Must every customer install his own lock? Must every customer become a better locksmith than the experts working at the factories? Shouldn't there at least be something in the manual telling the customers that they need to change the lock?
And who is at fault for the loose security on the bulldozer when the government bans locks that can't be picked with a hairpin?
Let's stick to putting the blame where it belongs: on the criminal.
And let's stick to solving the problem at its sources, which include the government's ban on strong cryptography.
China isn't due yet. (Score:2)
Shooting at someone makes them tend to put on body armor. Making a series of attacks with intrusionware puts a lot of experts to work rendering that particular style of intrusionware unworkable - and making future intrusionware more difficult to write.
Red Herring for the press .... (Score:2)
Even more disgusting was hearing the TV news quoting antionline as to where the crackers are located .... :-( I guess some people are making money from this
Missing the point... (Score:2)
However, I doubt they'll have much luck. As has been said, while the machines that were compromised no doubt hold clues to the origin of the attacks, the people involved probably did a good job of covering their tracks. I somehow doubt they just telnetted in from their houses and executed the attacks. Nevertheless, closing in on a point where we know there's been a break-in is simply the best way to start.
I do blame the media for propagating the idea that the perps are in the California/Oregon area, though. This case has shoown just how difficult it is to describe the real way the Internet works to the average person on the street.
If the government decides to "do" something (Score:2)
(I know, I know, it would piss off a lot of people, who would complain about government interference - it would be an odd sort of backlash though: "The government wouldn't let me keep my system insecure!")
Maybe you could do something like the RBL system, where you have people cooperatively portscanning the net, reporting machines that they find "open", then trying to get the owners to fix them up (providing advice where necessary), but RBLing them if they don't cooperate?
Re:If the government decides to "do" something (Score:2)
FBI Seeking a German Programmer (Score:2)
He vehemently denies any involvement with these incidents and does not condone people using his tools for such nefarious purposes. The article goes on to say, "Their[people who write these kind of tools] work is controversial, however, because the programs they write can fall into the wrong hands when posted on the Web." This brings up an interesting point. Since these tools have been written everybody needs to assume that they are already in the wrong hands, and anyone responsible for the security of their networks should be pounding themselves with DoS attempts using these tools, so that they can learn how to protect themselves.
Re:DeCSS? (Score:2)
Why would it be really silly to decrypt it first? Decrpyting it allows it to be distributed to anyone on any media that you choose. It allows it to be used in players that don't respect Region Enconding. Lastly, it allows you to compress it into another format with near perfect results. With an encrypted DVD, your limited to making byte for byte copies to another DVD that only play in MPAA blessed DVD players.
Re:DeCSS? (Score:2)
But the video would have to be digital to analog converted and than analog to digital converted. This would result in a substantial loss in quality. The movie industry is only concerned about perfect digital copies of their work being freely available.
Re:Misplaced effort? (Score:2)
Is this a joke??????
Were you being facetious????
How many times does our government have to prove they can't be trusted? Where have you been?
Re:This problem is fixable (again) (Score:3)
It's hard to overload a major site with T3 or more bandwidth coming in just by sending junk packets that don't do anything. Web sites generally have equal bandwidth going in and out, but send far more than they receive. So there's lots of excess inbound capacity. Dropping an inbound packet is a cheap operation.
The problem with SYN floods is that the server resources used are all out of proportion to the message sent. One TCP SYN message with a random IP address chews up a few K of server RAM for tens of seconds, maybe a minute. In some servers, each TCP SYN uses a slot in the pending-connection queue for the socket at which they're aimed, and worse, some servers have only a few such slots. Those servers can be locked up with a very modest attack bandwidth.
There are a few other problems, such as machines dumb enough to reply to ICMP broadcast packets and, even dumber, those that will allow an outsider to get the UDP junk message generator service (which nobody needs turned on) talking to the UDP echo service (which isn't very useful either). But those are out-and-out bugs, for which fixes are known.
Once you plug all the holes which allow small amounts of one-way attack data to use large amounts of server resources, the problem should become manageable.
All this assumes that the number of attacking zombies is in the thousands, not the hundreds of thousands. I agree that if someone takes over enough machines, and aims them all at the same target, it creates more difficult problems. But that's a lot of zombies to run without somebody figuring out who's behind the attack.
John Nagle
Menlo Park, CA
This problem is fixable (again) (Score:4)
Once you stop SYN flood attacks, and have the fixes in for stupid bugs like the "Ping of death" and IP broadcast packet expansion, everything else that can happen has a reachable IP address associated with it. Those attacks are traceable back at least one level, and you can make them ineffective by imposing some kind of quota system or block based on source IP address at various levels of the server. Web servers like Apache might need to be smartened up a bit so they don't choke when a huge number of requests come in from the same IP address (and that mechanism needs to know about major proxy servers like AOL), but that's not too tough.
The key points to understand are this:
John Nagle / Menlo Park, CA
Re:Oh, come on. (Score:2)
My understanding is that the FBI's Charter has changed in the last ~5 years, so that they are no longer prohibited from conducting international operations. At the same time, the CIA's Charter was changed, so that they are no longer prohibited from conducting domestic operations.
Although Mongoose raised the point jokingly, it is not such an outlandish idea that NSA may have been involved in this as a fundraising effort. Anyone remember a little incident in Waco, Texas a few years ago...? You know, ATF, FBI, Army National Guard (Delta Force?). There have been, IMHO, credible claims that ATF's beef with Koresh started as a fundraiser. BTW - what in the HELL does the Bureau of Alcohol, Tobacco, and Firearms need OV-10 Broncos for!?
Anyway, while I am all for the concept of 'LAW ENFORCEMENT' (as lbergstr said), I think it is important to ask what law was broken here, who should be enforcing that law, and what methods should they use? Frankly, I would be less concerned about NSA fundraising activities than media stunts aimed at increasing NSA/FBI/CIA's power to intrude into our lives.
I predict Bill Clinton will propose to increase federal law enforcement agencies' power to crack down on 'Cyber-Terrorism' after next week's meeting [yahoo.com]. Then again, he may simply issue another "classified" executive order...
Question Authority
The best and the brightest... (Score:2)