Stop Microsoft

Operating Systems => Linux and UNIX => Topic started by: cloudstrife on 19 December 2002, 06:07

Title: Slackware is the target of DoS attacks.
Post by: cloudstrife on 19 December 2002, 06:07
I don't know how many of you guys noticed, but www.slackware.com was down for a while... turns out they were the target of DoS attacks.

The Slackware homepage (http://www.slackware.com) has more about it.
Title: Slackware is the target of DoS attacks.
Post by: preacher on 19 December 2002, 12:24
I've had enough of these skript kiddies. Why would anyone want to take down a website that offers free software as a service to the community? That would be like someone robbing the Red Cross. Only a deranged loser piece of shit would do this. Fuck all DDoS'ing skript kiddie bastards.
Title: Slackware is the target of DoS attacks.
Post by: Calum on 19 December 2002, 13:28
yes, i hope they hunt down those responsible and allow something unfortunate to happen to them.

Why don't those DDoSing morons go and target microsoft or nestle or somebody who deserves to be DDoSd?
Title: Slackware is the target of DoS attacks.
Post by: Calum on 19 December 2002, 14:53
quote:
Originally posted by Xfree86 Release 11:
We need to start a website, but I'll post this on Websites considering usually the people on this board who have enough bandwidth are too friggen selfish. So I won't even ask about it here, but I will go to Slashdot.


what?

was that a joke? or was it a real insult?

i am having a lot of trouble understanding what you're on about, i'm sorry to say...
Title: Slackware is the target of DoS attacks.
Post by: lazygamer on 19 December 2002, 14:56
I see why people hate kiddies so. However, how do you know someone didn't have a hidden agenda against Linux? Of course there is the possibility of script kiddies thinking MS is great and Linux s|_|><0rz, but why Slackware? Why not linux.com or linux.org, something far more symbolic? Maybe I'm just reading into this too much, and it is just a random website attack...
Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 19 December 2002, 22:46
quote:
Originally posted by Xfree86 Release 11:
We need to start a website, but I'll post this on Websites considering usually the people on this board who have enough bandwidth are too friggen selfish. So I won't even ask about it here, but I will go to Slashdot.


Huh???
Title: Slackware is the target of DoS attacks.
Post by: Calum on 19 December 2002, 22:54
what he is saying, after careful consideration of his post, is that someone should start up a website where people can go to find out the details of any script kiddie action that is going on. basically you can go there and find out what sites are down, why, who did it and how to retaliate and sort it out quickly. EG if a DDoS happens, all the people who can't access the site would think 'aha! i'll just go to that website about script kiddies', then they'd go there and the info on which ip addresses were responsible and so on would be posted there and those people could then go into action.

X11 then goes on to say that he would willingly admin such a site however he does not have the capability to host it, due to lack of bandwidth. he then goes on to say that many forum members could do this as they do have the bandwidth but that he is not even going to ask them to as he believes that they would refuse to host this site.

ah! (deep breath out)...

well that's what i think X11 is saying anyway!
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 19 December 2002, 23:06
quote:
Originally posted by Xfree86 Release 11:
You can rest assured it was not at you. I have no interest in starting a flame war so I will not name the people, but some people here are all for themselves. But I will not mention; there is one who might do it, but I'm not mentioning who that is because I'm sure Slashdot has more people.



I believe he is talking about me. I will not let him have any space on my machine on my Cable connection for a web site. Are you talking about me?

Back on the topic of DDoS. You know, if all the ISPs in the world had their routers properly configured, DDoS attacks would no longer exist. Cisco has written papers about how to properly filter the type of traffic used in DDoS which will not affect normal activity. I recall reading these articles 2 or 3 years ago.

[ December 19, 2002: Message edited by: void main ]

Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 20 December 2002, 04:23
Wouldn't the site have to be VERY widely adopted by everyone? And wouldn't that give another reason for script kiddies to do this? "Check it out homie G wigga, I made the top list on i-really-dislike-script-kiddies-that-do-ddos-attacks.com!"
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 20 December 2002, 05:26
Here's one article from a couple of years ago but I don't believe it was the exact one I read:

http://www.cisco.com/warp/public/707/newsflash.html

But of course this requires ISPs and businesses to actually configure their router rather than just taking it out of the box and plugging in T1 lines. It's so sad...

[ December 19, 2002: Message edited by: void main ]

Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 20 December 2002, 08:13
True, but I only got it because the other guy didn't know anything about Linux and wanted someone to help. I was bored, up for a challenge, and ready to improve my Linux skills (it's always so much easier when you need to know something but you don't know it, so you end up searching Google frantically). Edit: also, because I'm not charging money.

I could actually host something like that without a problem on belg88.com. Although, I doubt anyone would submit DDoS attacks, and I really won't have any time to maintain it. . .

Void: I haven't read the article, but I know that a router could handle a giant DoS attack without crashing - so why won't companies like Cisco configure things like "packet filtering" automatically? I mean, it's not hard to realize you're being attacked when the same packets are sent at a trillion megabits a second. . .

[ December 19, 2002: Message edited by: Y12 ]

Title: Slackware is the target of DoS attacks.
Post by: choasforages on 20 December 2002, 08:27
too bad you can't find out where those assholes live. slackware is volunteer based. lamerz anybody got any ip's, or know who hosts them? because DoSing their hosts /*well, aiming it at them and dragging the hosts network down after each of lamerz DoS attacks, might get them and us banned*/
Title: Slackware is the target of DoS attacks.
Post by: Bazoukas on 20 December 2002, 08:27
Hey now, if the comment was directed to Voidmain, it's wrong.
He helps A LOT of people here. From basic "what is GNU" questions, to complex technical questions on how to set up a web server, firewalls, shell scripts, C++ questions, Samba, hardware troubleshooting.
No matter how stupid a question is, he will answer it. So back off.
And no, I am not kissing his ass. I have no reason to do that.

Anyway, I have a cable connection but I was way over my head these last three months.
I already have made my home page. The site will deal with only Linux things.
I will be leaving for NYC on Monday, for the holidays; when I come back, I will have time for my small project, and if someone wants to host something on my web server (that of my computer or that of my ISP) just send me a PM.
I will be MORE than happy to do so, and give back something to the Linux community that helped/helps me a lot, in more than one way.
Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 20 December 2002, 08:32
quote:
Originally posted by X11:
Yes indeed, but for example people in Quirk's position, and others (there are many more) would just plug things in and watch em work!


If you mean that I just stick things in and hope they work, then you're wrong. . . I usually read up a lot before installing anything critical, I'm signed up with every security newsletter that has to do with me, and make sure to have everything updated. In fact, I'm about to update Ensim right now.
Title: Slackware is the target of DoS attacks.
Post by: choasforages on 20 December 2002, 08:32
X11, they get done being DDoSd and you try to get it slashdotted?  :D
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 20 December 2002, 08:58
quote:
Originally posted by Y12:
Void: I haven't read the article, but I know that a router could handle a giant DoS attack without crashing - so why won't companies like Cisco configure things like "packet filtering" automatically? I mean, it's not hard to realize you're being attacked when the same packets are sent at a trillion megabits a second. . .



Actually you have it backwards. In order to stop DDoS attacks it has to be taken care of at the source, not the destination. For instance, DDoS is accomplished by rooting many computers over many different networks. At some point they are told to gang up and attack one or two specific targets. The targets are basically helpless and bandwidth is consumed over many networks.

The way to properly stop it is to have all routers configured properly at all ISPs for "outgoing" traffic. Stop them at the source and not the destination. You can't really set them up by default because you have to define specific IP ranges and access-lists. They could put it into the menu configs so that when you do the "setup" command in the router it will prompt you to configure this.

Of course *everyone* must do this for it to be effective. By everyone I mean all businesses and ISPs should have their perimeter router(s) configured to block this sort of traffic coming from their networks. It won't prevent hackers/crackers from rooting their boxes if they are poorly set up, but those boxes, once rooted, will not be able to participate in a DDoS attack on someone else.

[ December 20, 2002: Message edited by: void main ]

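The source-side filtering voidmain describes, modelled as an added example (not code from the thread or from Cisco's paper): it assumes the access-list is a source-address anti-spoofing filter over the ISP's own address blocks, so an outbound packet is forwarded only if its source lies inside one of them. The prefixes, sample packets and the ACL name `EGRESS-ANTISPOOF` are constructed.

```python
"""Egress (source-address) filter at an ISP border, as voidmain describes it.

Added example, not from the thread or from Cisco's paper. Assumption: the
access-list permits outbound packets only when the source address belongs to
the ISP's own prefixes, so a rooted host inside can still flood but cannot
forge its source, and the flood stays attributable to this network.
"""
import ipaddress

# Constructed: the address blocks this hypothetical ISP is assigned.
ISP_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]


def build_egress_filter(prefixes):
    """Return permit(src) -> bool for the given list of CIDR prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]

    def permit(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return permit


def filter_outbound(packets, prefixes=ISP_PREFIXES):
    """Split (src, dst) packets into forwarded and dropped-as-spoofed lists."""
    permit = build_egress_filter(prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt[0]) else dropped).append(pkt)
    return forwarded, dropped


def render_ios_acl(prefixes, name="EGRESS-ANTISPOOF"):
    """Emit the equivalent Cisco IOS extended ACL (wildcard-mask syntax).

    Applied inbound on the customer-facing interface (`ip access-group NAME in`)
    so forged-source traffic is dropped before it leaves the ISP's network.
    """
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    # Constructed outbound packets: two legitimate, one with a forged source.
    sample = [("198.51.100.7", "192.0.2.1"), ("10.9.9.9", "192.0.2.1"),
              ("203.0.113.250", "192.0.2.1")]
    fwd, drop = filter_outbound(sample)
    print("forwarded:", fwd)
    print("dropped as spoofed:", drop)
    print("\n".join(render_ios_acl(ISP_PREFIXES)))
```

The `deny ... log` line is what makes the filter useful for detection as well as prevention: a burst of denies on one customer port points at the rooted host.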
Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 20 December 2002, 21:03
quote:
Originally posted by void main:
The way to properly stop it is to have all routers configured properly at all ISPs for "outgoing" traffic. Stop them at the source and not the destination. You can't really set them up by default because you have to define specific IP ranges and access-lists. They could put it into the menu configs so that when you do the "setup" command in the router it will prompt you to configure this.

[ December 20, 2002: Message edited by: void main ]


If it's that easy, why the hell aren't people doing it?
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 20 December 2002, 21:09
Good question. I first read the Cisco articles right after Yahoo got blasted a couple of years ago. I think part of the reason is that most people that install routers really struggle just to get them configured to work at all, let alone add access lists. That might also explain why their servers weren't up to date and got rooted.

A lot of companies can't afford a CCIE to come in and configure their routers. And most CCIEs probably don't add these protections. They do just enough to get the routers configured to route traffic and hopefully set up secure passwords, but don't account for preventing outbound DDoS attacks.

[ December 20, 2002: Message edited by: void main ]

Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 20 December 2002, 21:17
Maybe you should write a little paper on that and submit it to various IT websites (and maybe even /.)
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 20 December 2002, 21:37
quote:
Originally posted by TheQuirk:
Maybe you should write a little paper on that and submit it to various IT websites (and maybe even /.)


Bah, I quit reading /. a long time ago. It's full of M$ dweebs now. It used to be a pretty good site.
Title: Slackware is the target of DoS attacks.
Post by: TheQuirk on 20 December 2002, 21:43
quote:
Originally posted by void main:


Bah, I quit reading /. a long time ago. It's full of M$ dweebs now. It used to be a pretty good site.



Oh? There are lots of Linux guys on /. - of course, I heard the router-packet-filtering thing _on_ Slashdot, so there _might_ be a _little_ inaccurate info there.

It's pretty interesting to read all the trolls, and some good response, countered by better responses, countered by fresh new jamin replies such as "u all sux lol lol lol" with a +5 score on "funny."

I still like Slashdot. What do you read, anyway? I'm quite partial to everything2.com, but it's not news. (Owned by the same guys that made Slashdot, but not by OSDN).
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 20 December 2002, 21:56
I don't like the sites that have *tons* of replies, like /.. Just too time consuming to filter through all the crap. The thing I don't like, and I've seen it a lot on the few times I have been back there browsing around, is there will be a pro-M$ post that is left in full where there will be equally good or better Linux posts that are modded down.

Lately I've only been checking 3 sites daily, which only consumes about 15 minutes of my day. Those would be www.theregister.co.uk, linuxtoday.com, and newsforge.com. You have to make sure you have your ad filter turned on to view NewsForge though, as they have a lot of M$ ads. I like them because you can keep up to date on everything they have fairly quickly. Not a lot of traffic. And of course I spend the rest of my day here.
Title: Slackware is the target of DoS attacks.
Post by: Calum on 20 December 2002, 15:31
i like the register and will try the other two as well upon your recommendation...

the DDoS info site is a bad idea as people would not submit the info in time, plus the point about it being another incentive for morons to do these DDoS attacks is another good reason this DDoS index site shouldn't exist. finally, if you host a site of this nature, yes it would need to be the definitive one where everybody goes. like google is for search engines, or like i imagine netcraft is for finding out what software a host is running, or like sourceforge is the first stop for finding some piece of source code and rpmfind is the first stop for finding an rpm.

The promotion alone would make this a ridiculous venture, and at the end of the day, this site would be the number one target for DDoS attacks itself and nobody would probably ever be able to access it as a result.

[ December 20, 2002: Message edited by: Calum ]

Title: Slackware is the target of DoS attacks.
Post by: lazygamer on 20 December 2002, 15:32
I have theregister set up as my homepage. I wonder though, what happened to www.theregus.com?

Ok here is a n00b question about this DoS/DDoS stuff. Script kiddies are dumbasses who don't realize how big a trail they leave. So can professional crackers do this sort of thing, and be able to cover their tracks?
Title: Slackware is the target of DoS attacks.
Post by: Calum on 20 December 2002, 15:43
not entirely, but the tracks they leave are all on private server and router logs, so you need to actually ring up the admins of each of the computers involved and ask them to go through their logs and so on.

am i right, people-who-know-these-things?
Title: Slackware is the target of DoS attacks.
Post by: voidmain on 20 December 2002, 23:31
But these sites already exist. There are many security sites. The de facto standard unbiased site is: http://www.cert.org/

The problem is, the ISPs and primarily businesses just plain don't give a fuck. You can even go so far as to offer to go in and fix their routers for them and they will probably ignore you or think you are a hacker.

One other minor correction. I have cleaned up machines that have been exploited and I don't believe "virus" is the correct term to use in how they are exploited and set up to participate in a DDoS. It could have been an automated process to install the root kit and start the scanning process but on the machines I have cleaned up they were not set up to exploit other machines so I would certainly not consider it a virus.

Usually a scan is done for a specific vulnerability on a block of IP addresses. If the exploit is detected a root kit is installed via the exploited security hole. Usually these root kits contain a password sniffer that monitors the local network the machine is on for clear text passwords (grabbed from telnet or ftp sessions since they are not encrypted). At regular intervals the passwords that have been collected are emailed to a collection email address. They also have a DDoS process running that is waiting on commands from headquarters to attack.

They install these programs in a directory that they create in some obscure location like "/dev/.hardrive". Then as part of the root kit are modified copies of "ps", "top", "ls", "netstat", etc. When these replacement commands are run they will hide the bad processes, directories, and network ports so it would appear that everything that should be running is running and nothing more. At least to someone who doesn't run tripwire and other intrusion detection utilities.

I once had someone call me because they said they noticed a minor difference in their "top" command. They said a few days previous when they ran it, it showed both processors in the CPU stats (it was a dual processor box) and now it only showed one processor. I logged in and looked at it and initially said they were crazy. They assured me that this was so. So I did a "rpm -V procps" and sure enough it was not the original top and I knew immediately this machine had been rooted.

The first thing I did was to copy some known good copies of "ls", "ps", "find", etc to a separate directory and adjusted my PATH to look in that directory first. After figuring out some dates and running the "find" command based on those dates I found most of the root kit and I could see what sniffer and DDoS processes were running etc. Once you find part of it, finding the rest isn't very hard by analyzing what you have found. And of course "rpm -V" every package on the system to check for any other things that have changed. You also want to check over your /etc/passwd file for any users they may have added and changing all passwords is a must for any users that have login capability. It's almost easier to restore the entire system from a backup. Or copy all configuration files and data and reinstall from scratch.

And lastly of course, update the system and close the holes. And tripwire is a good tool, but it's sad how few people use it. It's good to have as many security utilities running as you can so if they check for and defeat one you may get them with the others. Of course if you are that security conscious from the start you likely never would have been rooted, because you would have been keeping up with the CERT advisories and fixed any known exploits.
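The triage steps in voidmain's rooted-box story (verify packages with `rpm -V`, look for a swapped `top`, check /etc/passwd for added accounts), as an added example that is not code from the thread: it parses constructed `rpm -Va` output and compares a constructed known-good passwd excerpt against a constructed current one. The sample file contents and the `toor` account are made up for the demonstration.

```python
"""Triage checks along the lines of voidmain's rooted-box story: an added
example, not from the thread. Input is constructed text standing in for
`rpm -Va` output and for a known-good and a current /etc/passwd."""

# rpm -V attribute columns; rpm 4.x appends a ninth (P, capabilities).
RPM_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
             "U": "owner", "G": "group", "T": "mtime", "P": "caps"}

# Constructed `rpm -Va` output: trojaned top and ps, plus noise (an mtime-only
# change, an edited config file, a missing man page) that should not alarm.
SAMPLE_RPM_V = """\
S.5....T.    /usr/bin/top
S.5....T.    /bin/ps
.......T.    /usr/bin/uptime
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/share/man/man1/top.1.gz
"""

def parse_rpm_verify(text):
    """Yield (path, changed_attributes, is_config_file) per rpm -V line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "missing":
            yield parts[-1], {"missing"}, False
            continue
        is_config = len(parts) == 3 and parts[1] == "c"
        changed = {RPM_FLAGS.get(ch, ch) for ch in parts[0] if ch not in ".?"}
        yield parts[-1], changed, is_config

def suspicious_binaries(text):
    """Non-config files whose size or digest differs from the package: edited
    configs and mtime-only drift are expected, a swapped `top` is not. Only
    meaningful while the rpm binary and its database are still trustworthy."""
    return sorted(path for path, changed, cfg in parse_rpm_verify(text)
                  if not cfg and changed & {"size", "digest"})

# Constructed passwd excerpts: the current file has gained a second UID 0
# account and a login shell on a previously locked system user.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
toor:x:0:0::/dev/.hardrive:/bin/sh
"""

def passwd_anomalies(baseline, current):
    """Report added accounts, changed entries and every UID 0 account."""
    def entries(text):
        return {l.split(":")[0]: l for l in text.splitlines() if l.strip()}
    base, cur = entries(baseline), entries(current)
    return {
        "added": sorted(set(cur) - set(base)),
        "changed": sorted(u for u in cur if u in base and cur[u] != base[u]),
        "uid0": sorted(u for u, l in cur.items() if l.split(":")[2] == "0"),
    }
```

Run the real thing with `rpm -Va` piped in from trusted media, since a root kit that replaced `ps` and `top` may equally have replaced `rpm`.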
Title: Slackware is the target of DoS attacks.
Post by: KernelPanic on 20 December 2002, 23:34
Bravo!