Author Topic: Slackware is the target of DoS attacks.  (Read 1339 times)

voidmain

« Reply #15 on: 20 December 2002, 08:58 »
quote:
Originally posted by Y12:
Void: I haven't read the article, but I know that a router could handle a giant DoS attack without crashing - so why won't companies like Cisco configure things like "packet filtering" automatically? I mean, it's not hard to realize you're being attacked when the same packets are sent at a trillion megabits a second. . .



Actually you have it backwards. In order to stop DDoS attacks it has to be taken care of at the source, not the destination. For instance, DDoS is accomplished by rooting many computers over many different networks. At some point they are told to gang up and attack one or two specific targets. The targets are basically helpless and bandwidth is consumed over many networks.

The way to properly stop it is to have all routers configured properly at all ISPs for "outgoing" traffic. Stop them at the source and not the destination. You can't really set them up by default because you have to define specific IP ranges and access-lists. They could put it into the menu configs so that when you do the "setup" command in the router it will prompt you to configure this.

Of course *everyone* must do this for it to be effective. By everyone I mean all businesses and ISPs should have their perimeter router(s) configured to block this sort of traffic coming from their networks. It won't prevent hackers/crackers from rooting their boxes if they are poorly set up but those boxes once rooted will not be able to participate in a DDoS attack on someone else.

[ December 20, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

TheQuirk

« Reply #16 on: 20 December 2002, 21:03 »
quote:
Originally posted by void main:
The way to properly stop it is to have all routers configured properly at all ISPs for "outgoing" traffic. Stop them at the source and not the destination. You can't really set them up by default because you have to define specific IP ranges and access-lists. They could put it into the menu configs so that when you do the "setup" command in the router it will prompt you to configure this.

[ December 20, 2002: Message edited by: void main ]


If it's that easy, why the hell aren't people doing it?

voidmain

« Reply #17 on: 20 December 2002, 21:09 »
Good question. I first read the Cisco articles right after YaHoo got blasted a couple of years ago. I think part of the reason is that most people that install routers really struggle just to get them configured to work at all, let alone add access lists. That might also explain why their servers weren't up to date and got rooted.

A lot of companies can't afford a CCIE to come in and configure their routers. And most CCIEs probably don't add these protections. They do just enough to get the routers configured to route traffic and hopefully set up secure passwords but don't account for preventing outbound DDoS attacks.

[ December 20, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

TheQuirk

« Reply #18 on: 20 December 2002, 21:17 »
Maybe you should write a little paper on that and submit it to various IT websites (and maybe even /.)

voidmain

« Reply #19 on: 20 December 2002, 21:37 »
quote:
Originally posted by TheQuirk:
Maybe you should write a little paper on that and submit it to various IT websites (and maybe even /.)


Bah, I quit reading /. a long time ago. It's full of M$ dweebs now. It used to be a pretty good site.
Someone please remove this account. Thanks...

TheQuirk

« Reply #20 on: 20 December 2002, 21:43 »
quote:
Originally posted by void main:


Bah, I quit reading /. a long time ago. It's full of M$ dweebs now. It used to be a pretty good site.



Oh? There are lots of Linux guys on /. - of course, I heard the router-packet-filtering thing _on_ slashdot, so there _might_ be a _little_ inaccurate info there

It's pretty interesting to read all the trolls, and some good response, countered by better responses, countered by fresh new jamin replies such as "u all sux lol lol lol" with a +5 score on "funny."

I still like Slashdot. What do you read, anyway? I'm quite partial to everything2.com, but it's not news. (Owned by the same guys that made Slashdot, but not by OSDN).

voidmain

« Reply #21 on: 20 December 2002, 21:56 »
I don't like the sites that have *tons* of replies, like /.. Just too time consuming to filter through all the crap. The thing I don't like and I've seen it a lot on the few times I have been back there browsing around is there will be a pro M$ post that is left in full where there will be equally or better Linux posts that are modded down.

Lately I've only been checking 3 sites daily which only consumes about 15 minutes of my day. That would be www.theregister.co.uk, linuxtoday.com, and newsforge.com. You have to make sure you have your ad filter turned on to view newsforge though as they have a lot of M$ ads. I like them because you can keep up to date on everything they have fairly quickly. Not a lot of traffic. And of course I spend the rest of my day here.  
Someone please remove this account. Thanks...

Calum

« Reply #22 on: 20 December 2002, 15:31 »
i like the register and will try the other two as well upon your recommendation...

the DDoS info site is a bad idea as people would not submit the info in time, plus the point about it being another incentive for morons to do these DDoS attacks is another good reason this DDoS index site shouldn't exist. finally, if you host a site of this nature, yes it would need to be the definitive one where everybody goes. like google is for search engines, or like i imagine netcraft is for finding out what software a host is running, or like sourceforge is the first stop for finding some piece of source code and rpmfind is the first stop for finding an rpm.

The promotion alone would make this a ridiculous venture, and at the end of the day, this site would be the number one target for DDoS attacks itself and nobody would probably ever be able to access it as a result.

[ December 20, 2002: Message edited by: Calum ]

visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

lazygamer

« Reply #23 on: 20 December 2002, 15:32 »
I have theregister set up as my homepage. I wonder though, what happened to the www.theregus.com?

Ok here is a n00b question about this DoS/DDoS stuff. Script kiddies are dumbasses who don't realize how big a trail they leave. So can professional crackers do this sort of thing, and be able to cover their tracks?
For every hot Lesbian you see in a porno video, there is a fat, butch-like, or just downright ugly lesbian beeyotch marching in a gay pride parade, or bitching about same sex marriages. -Lazygamer on homosexuality

Calum

« Reply #24 on: 20 December 2002, 15:43 »
not entirely, but the tracks they leave are all on private server and router logs, so you need to actually ring up the admins of each of the computers involved and ask them to go through their logs and so on.

am i right, people-who-know-these-things?
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

voidmain

« Reply #25 on: 20 December 2002, 23:31 »
But these sites already exist. There are many security sites. The de facto standard unbiased site is: http://www.cert.org/

The problem is, the ISPs and primarily businesses just plain don't give a fuck. You can even go so far as to offer to go in and fix their routers for them and they will probably ignore you or think you are a hacker.

One other minor correction. I have cleaned up machines that have been exploited and I don't believe "virus" is the correct term to use in how they are exploited and set up to participate in a DDoS. It could have been an automated process to install the root kit and start the scanning process but on the machines I have cleaned up they were not set up to exploit other machines so I would certainly not consider it a virus.

Usually a scan is done for a specific vulnerability on a block of IP addresses. If the exploit is detected a root kit is installed via the exploited security hole. Usually these root kits contain a password sniffer that monitors the local network the machine is on for clear text passwords (grabbed from telnet or ftp sessions since they are not encrypted). At regular intervals the passwords that have been collected are emailed to a collection email address. They also have a DDoS process running that is waiting on commands from headquarters to attack.

They install these programs in a directory that they create in some obscure location like "/dev/.hardrive". Then as part of the root kit are modified copies of "ps", "top", "ls", "netstat", etc. When these replacement commands are run they will hide the bad processes, directories, and network ports so it would appear that everything that should be running is running and nothing more. At least to someone who doesn't run tripwire and other intrusion detection utilities.

I once had someone call me because they said they noticed a minor difference in their "top" command. They said a few days previous when they ran it, it showed both processors in the CPU stats (was a dual processor box) and now it only showed one processor. I logged in and looked at it and initially said they were crazy. They assured me that this was so. So I did a "rpm -V procps" and sure enough it was not the original top and I knew immediately this machine had been rooted.

The first thing I did was to copy some known good copies of "ls", "ps", "find", etc to a separate directory and adjusted my PATH to look in that directory first. After figuring out some dates and running the "find" command based on those dates I found most of the root kit and I could see what sniffer and DDoS processes were running etc. Once you find part of it, finding the rest isn't very hard by analyzing what you have found. And of course "rpm -V" every package on the system to check for any other things that have changed. You also want to check over your /etc/passwd file for any users they may have added and changing all passwords is a must for any users that have login capability. It's almost easier to restore the entire system from a backup. Or copy all configuration files and data and reinstall from scratch.

And lastly of course, update the system and close the holes. And tripwire is a good tool but it's sad how few people use it. It's good to have as many security utilities running as you can so if they check for and defeat one you may get them with the others. Of course if you are that security conscious from the start you likely never would have been rooted because you would have been keeping up with the CERT advisories and fixed any known exploits.
Someone please remove this account. Thanks...
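
The checks described in Reply #25 (verifying packaged binaries with "rpm -V", reviewing /etc/passwd, and looking for hidden directories such as "/dev/.hardrive"), written as triage helpers. This is an added example, not code from the thread; the function names, the account name "adm1n" and all sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. All sample input below is constructed.

# Read `rpm -V` / `rpm -Va` output on stdin and report packaged files whose
# size (S), mode (M) or digest (5) changed, or that are missing.
# Files marked "c" (config) are skipped; paths containing spaces are not handled.
changed_binaries() {
  awk '
    $1 == "missing"      { print "MISSING " $NF; next }
    NF == 3 && $2 == "c" { next }
    length($1) >= 8 && (substr($1,1,1) == "S" || substr($1,2,1) == "M" || substr($1,3,1) == "5") {
      print "CHANGED " $NF
    }'
}

# List accounts other than root that have UID 0 in a passwd-format file.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# List dot-directories below a tree such as /dev, which is where the
# post's "/dev/.hardrive" example would show up.
hidden_dirs() {
  find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null | sort
}

# Demo on constructed input ("adm1n" is a hypothetical added account).
demo() {
  local t
  t=$(mktemp -d)
  printf '%s\n' 'S.5....T.    /usr/bin/top' 'S.5....T.  c /etc/hosts' \
                '.......T.    /bin/ls' 'missing     /bin/ps' | changed_binaries
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                'adm1n:x:0:0::/tmp:/bin/sh' > "$t/passwd"
  uid0_accounts "$t/passwd"
  mkdir -p "$t/dev/.hardrive" "$t/dev/pts"
  hidden_dirs "$t/dev"
  rm -rf "$t"
}
demo
```

On a live system the equivalents are `rpm -Va | changed_binaries`, `uid0_accounts /etc/passwd` and `hidden_dirs /dev`. As the post notes, run them with known good copies of the tools first in PATH, since a root kit's replacement "ls" or "find" will hide its own files.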

KernelPanic

« Reply #26 on: 20 December 2002, 23:34 »
Bravo!
Contains scenes of mild peril.