Kuro5hin.org: technology and culture, from the trenches
What do we do?

By angelic in Internet
Thu Feb 20, 2003 at 05:04:10 PM EST
Tags: Help! (Ask Kuro5hin)

I thought I would be writing a post asking for help with our AUP; seems we're not going to get that far.

We are a small IRC network, managed by a small number of people who give a damn about the internet community and just wanted to give something back.


In a small amount of time we had built a community, our users felt at home, our principles and philosophies were different, it was never about status or power, our IRCops wanted to be there, to help users, to give something back.

Do you know what it's like to see something that you've put your heart and soul into creating grow and flourish and become one of those communities? What it feels like to give back to someone, someone just discovering the Internet, those same feelings of wonder and awe and warmth and community and friendship that you found? To receive, not the welcome random bit of thanks here and there, but the far deeper and more wonderful knowledge that you've built and maintained something that people are using and using to do things and see things and think things that they otherwise would never be able to do or would have no outlet for? -- Russ Allbery, "A Rant about Usenet"

That's what we were, are, about.

Like many networks we have been attacked. Two kiddiots came to our small network and "demanded respect". We were torn. They were trying to trick our users into giving them their passwords by asking them to carry out commands that would message the kiddiots passwords. We decided to protect our users, thinking most people use the same password for all things, and so we banned these kids. This was *disrespectful* to them, to two 14-year-old kids, and so they DDoS'ed us.

They have been attacking us most nights for over a week. This time they have given us a time scale, they kindly messaged us and told us the attack would last 27 hours.

We are volunteers, we fund almost everything ourselves and rely on one server kindly donated by our amazing sponsors, but as you know, sponsors have *real* customers to think about.

So, because we are not losing huge amounts of money, no one cares, the authorities aren't interested, the kids have access to so many compromised machines we aren't sure of their ISP, and so can't report them through that channel. They claim to have a BotNet consisting of 8000 machines. They goad us, they threaten us, they make demands and blackmail us.

They know we care, they win.

What do we do? A flourishing community brought down by two kids. Do we try to find more sponsors to try and secure a longer existence? Or do we give up? I don't want to give up. I don't fucking want to. But we have nowhere else to go, we have an awesome staff team, we have amazing users, we have a clueful sponsor, we were making a difference to people's online lives.

What do we do?

angelic liveharmony.org

What do we do? | 83 comments (80 topical, 3 editorial, 1 hidden)
This is how IRC networks get in trouble. (3.42 / 7) (#1)
by RyoCokey on Wed Feb 19, 2003 at 11:12:28 PM EST

We decided to protect our users, thinking most people use the same password for all things, and so we banned these kids.

This is always how these things happen. Don't mess with the script kiddiez. Yes, they are worthless, antisocial pieces of shit, but other than BS around and harass people, they don't do a whole lot unless provoked. Inevitably, some IRCop decides to smack one around, and the next thing you know the servers won't stay up for more than 10 minutes straight. Heck, DALnet, one of the biggest nets, had to stop allowing file sharing after their net was pretty much knocked off 24-7.

I'm afraid I can't offer you a whole lot of practical advice on what to do though. Considering they're doing this for "respect" you could always capitulate, apologize (Eck) and they'd probably spend the next year or so bragging about it. In the meantime, you'd still have your network, which all your legitimate users could use again.



Pacifism in this poor world in which we live -- this lost world -- means that we desert the people who need our greatest help.
-- Francis Schaeffer,
actually (4.00 / 2) (#3)
by martingale on Wed Feb 19, 2003 at 11:38:25 PM EST

Your comment might be more helpful than you think. Who's responsible for DALnet, what are the other big IRC networks, and more importantly, who among their staff/volunteers might have experience on this that they would be willing to share with the article's authors? As you might have guessed, I have zero experience with IRC myself, but pointing out knowledgeable people/irc addresses is perhaps the most useful thing we can offer these guys and girls on k5.

[ Parent ]
Coincidence (5.00 / 1) (#10)
by DarkZero on Thu Feb 20, 2003 at 12:47:46 AM EST

Heck, DALnet, one of the biggest nets, had to stop allowing file sharing after their net was pretty much knocked off 24-7.

The return of Dalnet and Dalnet's decision to stop file sharing was coincidental. As soon as Dalnet returned, one of the first things that they had to handle as a matter of standard operating procedure was a cease and desist letter from the MPAA. A similar letter had gone to Irc-Chat.net, a server that most of Dalnet's file swappers had gone to when Dalnet went down, around the same time.

[ Parent ]

I'm utterly amazed (1.00 / 1) (#17)
by pyramid termite on Thu Feb 20, 2003 at 05:35:31 AM EST

Considering their doing this for "respect" you could always capitulate, apologize (Eck) and they'd probably spend the next year or so bragging about it.

But let us not invade Iraq and it would be appeasement. There's a glaring inconsistency there.

On the Internet, anyone can accuse you of being a dog.
[ Parent ]
Not at all (none / 0) (#52)
by RyoCokey on Thu Feb 20, 2003 at 07:19:14 PM EST

Iraq isn't run by a bunch of neurotic little boys, it's run by a professional hitman with grand territorial ambitions. If we back away, he'll shrug his shoulders and continue building himself a force to annihilate Israel, Iran, and any of his neighbors who dare stand up to him.

Furthermore, while the person writing this question has little ability to attack the script kiddiez, we possess the ability to erase his nation from the face of the earth, or really any lesser amount of harm we wish to inflict.

Leave the trolling to seasoned professionals like psychologist, Noam and turmeric.



Pacifism in this poor world in which we live -- this lost world -- means that we desert the people who need our greatest help.
-- Francis Schaeffer,
[ Parent ]
The Better Analogy... (none / 0) (#54)
by Wah on Thu Feb 20, 2003 at 08:33:23 PM EST

...is the street punk. If you catch his eyes and try to meet his glare, then he is much more likely to pull his glock and aerate your intestines. Drop the bravado, avoid the confrontation and let the punk grow up. If you can't fight on their terms and have a lot more to lose, it's not worth the effort.
--
YAR
[ Parent ]
democratic (none / 0) (#30)
by turmeric on Thu Feb 20, 2003 at 11:07:27 AM EST

if ircops were not arbitrary, ie, if you had to be voted off via a ban, rather than reprimanded by one single asshole who was pissed off, it might work better. people would be less likely to be pissed.

[ Parent ]
That doesn't help at all (4.50 / 2) (#45)
by fluffy grue on Thu Feb 20, 2003 at 04:04:44 PM EST

The problem is that the skript kiddies want IRCop status as a power grab. They don't care about what other people want, they just want to masturbate over how much "power" they have.
--
"Is not orange" is not orange.
"Is not a quine" is not a quine.

Cats: Nature's entropy generators

[ Hug Your Trikuare ]
[ Parent ]

and in a democracy (none / 0) (#56)
by turmeric on Thu Feb 20, 2003 at 11:02:38 PM EST

.... who has power? there isnt as much to grab.

[ Parent ]
I don't think you understand the issue here (4.00 / 1) (#57)
by fluffy grue on Thu Feb 20, 2003 at 11:04:39 PM EST

Even if it were totally democratic, that doesn't stop skript kiddies from trying to grab everyone else's power away. That's what they're going for... that rush of power, of keeping everyone else begging at their mercy.

They don't want to maintain the existing power structure, they want to overthrow it and instill their own pathetic little dictatorship.
--
"Is not orange" is not orange.
"Is not a quine" is not a quine.

Cats: Nature's entropy generators

[ Hug Your Trikuare ]
[ Parent ]

then why (2.66 / 3) (#68)
by turmeric on Fri Feb 21, 2003 at 10:22:19 AM EST

does k5 have less trolls than slashdot

[ Parent ]
Because the K5 system is robust (5.00 / 1) (#73)
by fluffy grue on Fri Feb 21, 2003 at 01:52:15 PM EST

For starters, it's easy for the majority of the users here to "censor" a troll. Then, it's a lot more difficult for someone to launch a DDoS against K5 for a variety of protocol-level reasons; all comment posting is authenticated (anon posting used to be allowed but it's not anymore, because it was used in a large DDoS), it's throttled (you can't script-spam to the point of a DoS, at least not directly; there's still a few loopholes but the kiddies haven't figured them out yet), and so on.

Also, DDoSing/kiddie-hacking is different than trolling. You need to understand that the mentality of an IRC skript kiddie is totally different than the mentality of a /. troll. The trolls don't want to gain power of a site, they just want to have fun at other peoples' expenses. The IRC skript kiddies actually want to gain power of a site, and feel that if they can't have a server, then nobody can.

Also, every now and then, someone will be democratically "booted" from K5, and will go completely apeshit and try to ruin the site for everyone else, but it's a simple matter for an admin to block a subnet from creating new accounts, kill the user's existing accounts, and undo the damage, assuming it's even necessary to begin with.
--
"Is a hyperlink" is a hyperlink.
"Is not a quine" is not a quine.

Cats: Nature's entropy generators

[ Parent ]

No it isn't. (none / 0) (#76)
by pb on Fri Feb 21, 2003 at 03:35:21 PM EST

Both slashdot and kuro5hin have the same gaping hole--anyone can create and register multiple accounts.  Then these accounts can be used to systematically manipulate the system, especially the moderation system.

Slashdot allows anonymous posting, but other than that it has even more posting controls than K5 does, and it handles things like large numbers of comments much more readily (and has handy built-in features that help with this, like comment pagination).

You're right about the difference in motivation, though.  And it's generally much easier to block an angry idiot from kuro5hin than it is to block an angry skript kiddie.
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]

I meant more robust than IRC (5.00 / 1) (#77)
by fluffy grue on Fri Feb 21, 2003 at 03:52:55 PM EST

IRC, at a protocol level, typically has no controls over connections and so on. (Yes, I know that the protocol allows for password authentication, but open IRC networks don't use this.) And yeah, it's quite simple for a DDoS to happen on both K5 and /. as they are right now, but it'll take a lot of planning and is so easy for the admins to stop that it's just not worth the effort (and there's nothing to be gained from it, really).

Also, it's a lot easier to get upstreams to block specific sorts of connections to a web server (because the web is "important") than to an IRC server (because IRC isn't).


--
"Is a hyperlink" is a hyperlink.
"Is not a quine" is not a quine.

Cats: Nature's entropy generators

[ Parent ]

People are giving low scores to parent... (5.00 / 1) (#49)
by floydian on Thu Feb 20, 2003 at 06:19:59 PM EST

but ask Steve Gibson, and he'd say this is probably the best advice you're gonna hear.

[ Parent ]
treat script kiddiez like terrorists... (5.00 / 1) (#50)
by jonboy on Thu Feb 20, 2003 at 06:59:46 PM EST

Never negotiate with terrorists.

Same applies to script kiddies. Appeasing them will only lead to more script kiddies abusing the net for their own personal gain.
--
The above post is overrated.
[ Parent ]

You can avoid negotiating (none / 0) (#51)
by RyoCokey on Thu Feb 20, 2003 at 07:13:57 PM EST

...when you have a definitely superior force. These aren't really "terrorists" so much as "dictatorial nutjobs with large armies."



Pacifism in this poor world in which we live -- this lost world -- means that we desert the people who need our greatest help.
-- Francis Schaeffer,
[ Parent ]
not saying they're terrorists, (none / 0) (#53)
by jonboy on Thu Feb 20, 2003 at 08:14:16 PM EST

Just saying they should be treated the same way. If you don't have the resources to track them down, next best thing is probably to ignore them, and (quietly) encourage others to do the same. If no one reports the kiddies, the kiddies lose.
--
The above post is overrated.
[ Parent ]
huh? (none / 0) (#71)
by Danse on Fri Feb 21, 2003 at 12:34:56 PM EST

If no one reports them, they're still ddosing your network, aren't they? Your servers are still screwed, aren't they?






An honest debate between Bush and Kerry
[ Parent ]
yeah, but... (none / 0) (#72)
by jonboy on Fri Feb 21, 2003 at 01:02:37 PM EST

I think in most cases the goal of the attackers is attention, and not to take down your servers. And besides, if you *do* report them, your servers are still down, aren't they?
--
The above post is overrated.
[ Parent ]
well.. (none / 0) (#81)
by Danse on Fri Feb 21, 2003 at 06:55:06 PM EST

The fact that your servers are down lets them brag to their friends about what 1337 h4x0rz they are. That's often good enough for them. Higher standing among their peers.






An honest debate between Bush and Kerry
[ Parent ]
true (none / 0) (#82)
by jonboy on Fri Feb 21, 2003 at 09:32:47 PM EST

That's true, but it's even worse if they can also point and say "l@@k! 1 m4d3 kuro5hin!!! I'm so 1337!!!!!"
--
The above post is overrated.
[ Parent ]
I know almost nothing about IRC works, (4.00 / 1) (#2)
by stfrn on Wed Feb 19, 2003 at 11:22:57 PM EST

But is there any way for you to change how your network's set up? Change your name, change software, change permissions, do something so that your users can still access it, but the SK will not find it interesting? Barring that, you can humor them - tell them that you "respect" them and ignore them just as you would any other random person crying for attention.

Another possibility would be to monitor for an attack - and go offline. Nothing to attack. Wait five minutes - and go back online. Repeat as required. Either they will get bored of waiting for you to get back online so they can attack you for a few seconds, or they will realize they have no power over you.

Sorry your network is being disrupted tho.

"Man, I'm going to bed. I can't even insult people properly tonight." - Imperfect
What would you recommend to someone who doesn't like SPAM?

Absolutely nothing (4.00 / 1) (#41)
by X3nocide on Thu Feb 20, 2003 at 02:47:58 PM EST

It's impossible to stop the DDoS by changing the irc network once it's started. Making it less interesting for them would basically mean removing chanserv, nickserv, and other network wide service bots designed with stability in mind. Essentially rolling yourself back to EFnet. And don't get me wrong, there's tons of crap like that going on, but certain stupider kiddies can't take it and troll around mIRC's built in list.

What ends up happening is a manual pushback of filters. The zombies flooding your servers are generating crap packets; they have the right address but they make up the return address. You could change the ip as a temporary solution but it doesn't change the fact that your pipe is flooded. So instead you have a router filter the incoming packets to the server, then one admin talks to another company's admin and they set up another filter until the situation settles down.

During this process for most purposes your network is down. Any changes made would have to be revealed to users and therefore kiddies as well.

pwnguin.net
[ Parent ]

What about your ISP? (5.00 / 6) (#4)
by j1mmy on Wed Feb 19, 2003 at 11:40:37 PM EST

These attacks are taking up valuable bandwidth on your ISP's pipe. It's in your ISP's interests to pursue these kids. Work with them to set up filtering or some other protection against the unwanted traffic.

Another option is to hunt them down yourself.

Steve Gibson has dealt with such things before. You probably don't need to go as far as he did, but you can take some action.

Investigate the ip addresses of the machines attacking you. Even if they're just bots, notify the owner of those machines or the subnet they're on. If you're really lucky, one of these people might actually be able to trace the attack back to its source.


ISPs (4.50 / 2) (#8)
by DarkZero on Thu Feb 20, 2003 at 12:43:12 AM EST

These attacks are taking up valuable bandwidth on your ISP's pipe. It's in your ISP's interests to pursue these kids. Work with them to set up filtering or some other protection against the unwanted traffic.

The ISP essentially has three options here:

  1. Put up with the DDoS attack.
  2. Attempt to hunt down the script kiddies, wading through bots, zombies, and the various methods of hiding them.
  3. Drop a customer that's costing them money by attracting script kiddies and sucking up bandwidth.

If I were the ISP, I'd be going for number three. If a customer was a drain on my cash flow instead of a normal profit-bearing customer, I'd drop them for being a liability, not expend more time, money, and overall resources just to get their single account back. For all I know, the customer could just decide to leave my service anyway after I've gotten halfway toward catching the script kiddies and I would be even further in the hole than I was when they were nothing but an everyday cash-sucking DDoS bullseye because I wasted time on something that does not serve to bring me more money.

The ISP might see it as a moral obligation or as something that they just might want to do out of sheer hatred for script kiddies, but to say that taking the time to go after them is "in the ISP's interests" is pretty dubious. At best, it's a moderate risk, low return gamble.

[ Parent ]

dropping (none / 0) (#25)
by j1mmy on Thu Feb 20, 2003 at 10:03:43 AM EST

Dropping the customer doesn't mean the attack will stop. The attackers may well just continue flooding the address to prevent the site from coming back online. That's probably more work for the ISP's routers, which will have to bounce all those packets and waste upstream bandwidth as well.


[ Parent ]
In the real world... (none / 0) (#80)
by xL on Fri Feb 21, 2003 at 06:52:50 PM EST

...dropping the client makes the attack stop pretty soon. It is not implied, no, but it is usually what happens. Attacks sort of stop a couple of hours after the plug is pulled, most of the time. If you bring the site back up that instant, the next attack will likely last longer, but that's not the situation we're discussing here.

[ Parent ]
Public Whippings (2.80 / 5) (#5)
by bearclaw on Thu Feb 20, 2003 at 12:27:01 AM EST

Those sometimes work.

You could take the high road, but why bother? I say give them a taste of their own medicine.
-- bearclaw
You have to find the punks (3.00 / 1) (#35)
by CodeWright on Thu Feb 20, 2003 at 12:13:14 PM EST

before you can whip them. Good luck tracing their botnet.

--
"Humanity's combination of reckless stupidity and disrespect for the mistakes of others is, I think, what makes us great." --
[ Parent ]
There is one way, and only one way (5.00 / 7) (#7)
by Talez on Thu Feb 20, 2003 at 12:42:11 AM EST

First of all, start logging attacks. Start filtering those attacks to get the IP addresses and/or hostnames of the zombies on the botnet. Get your upstream provider to do this also as they can often call bigger shots than you. Try and get this logging going as far up the upstream as you can.

Secondly, start running through the logs with a script and start sorting them into ISP groups. You should start seeing a large amount of IPs coming from the bigger ISPs.

Thirdly, go after the biggest ISPs on that list via your upstream provider. Make sure you give them a list of who, what, where, when. Get the service of the users either cut or severely compromised.

If the ISPs refuse to co-operate then sue their asses off for negligence.

Remember the strength of the botnet is proportional to the script kiddie's power. If you knock off 1,000 out of 8,000 by going after the biggest ISP you've taken them down to 7/8ths strength. If you keep going after the ISPs in a methodical fashion you'll notice an exponential drop in the kiddie's power.

Also, you might want to start scouring for popular botnets that script kiddies might have available. See if any of them match up and then go in and disable it. Use a script in conjunction with the trojans and backdoors to delete themselves. This method might not be as useable as there may be passwords on the trojans to use them.

Si in Googlis non est, ergo non est
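
The log-sorting step described in the comment above, as an added example that is not part of the original thread: it groups logged source addresses by the network that owns them and drafts a who/what/when summary per owner, largest first. The log format, the prefix-to-owner table, the names and the abuse addresses are all constructed assumptions; a real table would come from whois or routing-registry lookups.

```python
import ipaddress
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <dest port> <packets>".
# Addresses are from documentation and private ranges, not real hosts.
SAMPLE_LOG = """\
2003-02-19T22:01:10 192.0.2.17 6667 4200
2003-02-19T22:01:12 192.0.2.93 6667 3900
2003-02-19T22:01:15 198.51.100.8 6667 5100
2003-02-19T22:03:40 192.0.2.17 6667 4800
2003-02-19T22:04:02 203.0.113.5 6667 700
2003-02-19T22:05:30 198.51.100.200 6667 2500
2003-02-19T22:06:11 192.0.2.140 6667 3100
not a log line
2003-02-19T22:07:00 10.9.8.7 6667 9000
"""

# Hypothetical prefix-to-owner table (placeholder names and contacts).
PREFIX_OWNERS = {
    "192.0.2.0/24": ("ExampleNet-A", "abuse@a.example"),
    "192.0.2.128/25": ("ExampleNet-A-DSL", "abuse@a.example"),
    "198.51.100.0/24": ("ExampleNet-B", "abuse@b.example"),
}


def parse_log(text):
    """Return (timestamp, ip, port, packets) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((datetime.fromisoformat(parts[0]),
                            ipaddress.ip_address(parts[1]),
                            int(parts[2]), int(parts[3])))
        except ValueError:
            continue
    return records


def owner_of(ip, owners=PREFIX_OWNERS):
    """Longest-prefix match of ip against the owner table; None if no match."""
    best = None
    for prefix, info in owners.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best


def build_reports(text, owners=PREFIX_OWNERS):
    """Group records by owner. Returns (reports sorted by packets, unattributed IPs)."""
    groups, unattributed = {}, set()
    for ts, ip, port, packets in parse_log(text):
        match = owner_of(ip, owners)
        if match is None:
            # No known owner: private, unallocated or spoofed source.
            unattributed.add(str(ip))
            continue
        name, contact = match[1]
        g = groups.setdefault(name, {"owner": name, "contact": contact,
                                     "hosts": set(), "ports": set(),
                                     "packets": 0, "first": ts, "last": ts})
        g["hosts"].add(str(ip))
        g["ports"].add(port)
        g["packets"] += packets
        g["first"] = min(g["first"], ts)
        g["last"] = max(g["last"], ts)
    reports = sorted(groups.values(), key=lambda g: g["packets"], reverse=True)
    return reports, sorted(unattributed)


def format_report(group):
    """Draft the who/what/when summary for one network owner's abuse desk."""
    ports = ", ".join(str(p) for p in sorted(group["ports"]))
    hosts = sorted(group["hosts"], key=ipaddress.ip_address)
    lines = [
        f"To: {group['contact']} ({group['owner']})",
        f"When: {group['first'].isoformat()} to {group['last'].isoformat()}",
        f"What: {group['packets']} packets to TCP port(s) {ports}",
        "Who:",
    ] + [f"  {h}" for h in hosts]
    return "\n".join(lines)


if __name__ == "__main__":
    reports, unattributed = build_reports(SAMPLE_LOG)
    for group in reports:
        print(format_report(group), end="\n\n")
    print("No owner found (possibly spoofed):", ", ".join(unattributed))
```

Sources with no matching owner are listed separately instead of being reported, since other comments in this thread note that flood sources are often spoofed.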

Less sensible answer (3.66 / 12) (#19)
by gazbo on Thu Feb 20, 2003 at 07:21:22 AM EST

Physical violence.

Kiddies are just pathetic geeks with no social life who take it out in the one medium where they have power. At the risk of getting obsessed, do whatever you can to track them down, then spend however much it takes to go see them, and beat their fucking skulls in. It'll make you feel better, stop the attacks, make them think twice about attacking anyone, and maybe - just maybe - they'll grow the fuck up and realise that they should try sorting out their pathetic life rather than DDoSing for 'respect'.

Physical violence - always a good solution, especially against kids.

-----
Topless, revealing, nude pics and vids of Zora Suleman! Upskirt and down blouse! Cleavage!
Hardcore ZORA SULEMAN pics!

[ Parent ]

pyscho (2.16 / 12) (#28)
by turmeric on Thu Feb 20, 2003 at 11:04:55 AM EST

idiot

[ Parent ]
Nope (4.00 / 1) (#75)
by ph317 on Fri Feb 21, 2003 at 03:07:44 PM EST


He's not an idiot, he's completely correct. The DDoSer is the idiot. The whole logical loop of "don't beat sense into the guy who's beating on someone else because then you're just as bad" is stupid. There is a good reason children must be disciplined by parents - it teaches them boundaries. Lots of modern parents are too liberal or just don't give a damn. They don't discipline their kids sufficiently, and they suffer in their adult lives for it. I imagine many of the DDoSers suffer from this tragic fate, or something similar. These lessons can be re-taught later in life, but it's much harder to teach than when they were younger. I assure you a few trips from angry sysadmins with rubber hoses will get the message through and help them on their way to sociological enlightenment.

[ Parent ]
Violence vs. DDoS (3.00 / 1) (#83)
by trane on Sun Feb 23, 2003 at 09:19:36 PM EST

DDoS does not physically harm anyone, at least not anything like beating someone up does.

Hurting someone does not make me feel better. Does that mean I'm not human? Or maybe just more advanced...

Beating people up will not ultimately solve the problem. Taking away motivation will.

"Violence is the last resort of the incompetent" - Asimov

[ Parent ]

Do you listen to yourself when you talk? (2.60 / 5) (#43)
by Emissary on Thu Feb 20, 2003 at 03:14:54 PM EST

"This beating ought to teach you respect for other people!"

"Be instead like Gamera -- mighty, a friend to children, and always, always screaming." - eSolutions
[ Parent ]
well... (3.00 / 1) (#70)
by Danse on Fri Feb 21, 2003 at 12:29:16 PM EST

At least the kid would see what real lack of respect is like. Sometimes you can't make people understand something without showing them first-hand. Whether it would have the desired effect or not is hard to know.






An honest debate between Bush and Kerry
[ Parent ]
Make them IRCops (4.75 / 1) (#9)
by Zapata on Thu Feb 20, 2003 at 12:44:50 AM EST

Give them total control over your network.

When they stop by to claim their prize, start tracking them down. Don't stop searching until you find them. Take it personally.

Compile all the evidence into a nice little binder that you can give to the State Police in their home state.  The State guys will probably love the chance to score. The Feds could care less.

Once you've got all your ducks in a row, lock them out again. When they attack, the cops will have everything they need.

I'm not just pulling this out of my ass. I contract to a state agency and the website we built got cracked. My partner took it very personally. No one cared until he handed the state trooper in the computer crime division a binder with a trail of evidence that led all the way to the little bastard's 10th grade social studies classroom (my partner was really anal about it).

He spent a month in juvenile detention and his father is still making payments on a lesson in parenting skills.

Umm..  not my partner, the cracker :)

"If you ain't got a camel, you ain't Shiite."


What was the damage dollar estimate? (5.00 / 1) (#16)
by ti dave on Thu Feb 20, 2003 at 04:59:00 AM EST

I'm guessing your jurisdiction has no minimum amount set for Law Enforcement to get involved.

Many states do and I doubt you could build a serious claim over a small IRC network.

Endorsed by the American Taliban Association
[ Parent ]

Good point. (5.00 / 1) (#22)
by Zapata on Thu Feb 20, 2003 at 09:08:17 AM EST

The actual damage to the web server was nil, but the cost to have the security contractor scan the network and certify it as secure came to something like $15,000.

I'm not sure what kind of damages you can claim against an IRC server.

"If you ain't got a camel, you ain't Shiite."


[ Parent ]
The Network (5.00 / 4) (#34)
by PhillipW on Thu Feb 20, 2003 at 11:56:44 AM EST

The IRC server is hosted on a network with more than just an IRC server. DoS attacks can and do affect network connectivity for the entire network. Since this server is hosted at an ISP, degraded performance and damage to the business could probably be claimed, as well as the possibility of higher bills from upstream providers.

-Phil
[ Parent ]
Good point, also (nt) (3.00 / 1) (#23)
by Zapata on Thu Feb 20, 2003 at 09:09:17 AM EST


"If you ain't got a camel, you ain't Shiite."


[ Parent ]
Get the parents involved (5.00 / 1) (#11)
by FlipFlop on Thu Feb 20, 2003 at 12:53:04 AM EST

Like other people, I have rather limited knowledge of IRC. How exactly do you ban these kids? You must have some way to identify them. If you can identify them, I presume you can track them down.

Once you've tracked them down, you can contact their ISP, and send a letter to their parents. Let the parents know which laws their kids have violated. Offer to settle the matter out of court for $x and a public apology. Hopefully the parents will get the picture.

AdTI - The think tank that didn't

Identification (4.66 / 3) (#12)
by DarkZero on Thu Feb 20, 2003 at 01:05:06 AM EST

The entire idea behind a Distributed Denial of Service (DDoS) attack is that it's distributed. Script kiddies are sort of like necromancers. Their zombie servants (the computers that they've installed trojans on) do most of their work for them. All they have to do is order their zombie PCs around and the zombies will attack their target for them, without any need for the script kiddie to come anywhere near the target. If the script kiddie is smart, their actual IP address will never appear in the logs of their target, leaving absolutely no evidence as to who set up the attack.

Handling the attacker is the easy part. You just give your information to their local authorities and it's handled by someone else from there on. The hard part is identifying who your attacker is so that they can then be handled.

[ Parent ]

Banning (5.00 / 2) (#20)
by Lacero on Thu Feb 20, 2003 at 08:02:14 AM EST

To ban someone from an IRC network requires some way of identifying them when they log on. Either by user name, nick name or IP address. If they have the IP address they're sorted, a letter to the ISP of the offenders should be enough.

However proving a link between the attacks and these people will require evidence too, if they brag a lot then this may be easy.

[ Parent ]

DDOS (5.00 / 2) (#29)
by ender81b on Thu Feb 20, 2003 at 11:05:41 AM EST

Admittedly maybe not the wisest course of action but... I have some friends that run 2 irc servers. Lot of people hang out there, many have been friends for years, very nice environment, etc. We don't have a problem with script kiddiez.

This is mainly due to the fact that one of the op's happens to work at a Large Backbone Provider as a network engineer. The last time we had a DDOS attack on our servers he grabbed their original IP (somewhere in netherlands, iirc) and tried contacting their abuse department. After that failed (24 hours no response) he flooded 154megabits/sec at them. That rapidly solved one part of the problem as their ISP went tumbling down hill. The ISP eventually contacted him and shut off the script kiddiez internet service.

The second part, the DDOS, was solved by the other op who happens to be sysadmin of a local ISP. He just logged onto his router, analyzed where the packets were coming from, and dropped em at the router. It was interesting that this, and most according to him, DDOS's by script kiddiez only use 10-20 machines. The problem is they tend to spoof their IP's so it can be a pain to hunt them down.

Obviously not everybody has access to these same resources and they are borderline legal. But it keeps our little corner of IRC nice and friendly.

[ Parent ]

Ethics and more (none / 0) (#66)
by xL on Fri Feb 21, 2003 at 06:15:50 AM EST

A counter-DoS, for most network engineers, is just Not Done. There are other ways, though. A known piece of Undernet lore is the story of a Romanian cracker that had the main ISPs in .ro by the balls. Their abuse departments were reluctant to yank him, against an orgy of evidence. After a lot of attempts to get the situation fixed, one undernet administrator finally took the decision to announce blackhole routes for effectively all of the romanian IP space on a major US route exchange. It took the romanians less than a day after that to kick the abuser off.

As to analyzing and filtering: Your friends have been lucky. I've seen many attacks come by, most of them can not be effectively filtered. Any sane admin of an irc server on a major network will have access-lists like this:

access-list irc permit tcp any host $ircd range 6666 6669
access-list irc deny ip any any

Provided the ISP already does proper martian filtering at the border (ie don't allow packets from rfc1918-addresses or from addresses within your own AS to come from the outside), that is about all the filtering you can do. And since it is possible to use perfectly valid tcp packets to fill the pipe towards the irc server, on higher profile networks they help exactly jack shit.

[ Parent ]
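
What that filtering does and does not remove, as an added example that is not part of the original comment: a first-match model of the two access-list lines plus the border martian filter, run over constructed packets. The server address standing in for $ircd, the own-AS prefix and every packet record are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

IRCD = ipaddress.ip_address("192.0.2.10")          # stand-in for $ircd (assumed)
OWN_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumed prefix of our own AS

# Sources that must never arrive from outside: RFC 1918 space and our own prefix.
MARTIANS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")] + [OWN_PREFIX]

# First-match rules mirroring the two access-list lines quoted above:
# (action, protocol or None for "ip", destination host or None for "any", ports)
ACL_IRC = [
    ("permit", "tcp", IRCD, (6666, 6669)),
    ("deny", None, None, None),
]

# Constructed inbound packets, all addressed to the IRC server.
SAMPLE_PACKETS = [
    {"src": "198.51.100.23", "dst": "192.0.2.10", "proto": "udp", "dport": 53, "size": 512},
    {"src": "203.0.113.40", "dst": "192.0.2.10", "proto": "icmp", "size": 1400},
    {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 6667, "size": 60},
    {"src": "192.0.2.77", "dst": "192.0.2.10", "proto": "tcp", "dport": 6667, "size": 60},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "size": 60},
    {"src": "198.51.100.23", "dst": "192.0.2.10", "proto": "tcp", "dport": 6667, "size": 60},
    {"src": "203.0.113.99", "dst": "192.0.2.10", "proto": "tcp", "dport": 6669, "size": 60},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 6667, "size": 1500},
]


def passes_border(pkt):
    """Martian filter at the border: reject sources that cannot be external."""
    src = ipaddress.ip_address(pkt["src"])
    return not any(src in net for net in MARTIANS)


def acl_action(pkt, acl=ACL_IRC):
    """Return the action of the first matching rule (implicit deny if none)."""
    dst = ipaddress.ip_address(pkt["dst"])
    for action, proto, host, ports in acl:
        if proto is not None and pkt["proto"] != proto:
            continue
        if host is not None and dst != host:
            continue
        if ports is not None and not ports[0] <= pkt.get("dport", -1) <= ports[1]:
            continue
        return action
    return "deny"


def classify(pkt):
    """Say where a packet ends up: dropped at the border, by the ACL, or delivered."""
    if not passes_border(pkt):
        return "dropped: martian source"
    if acl_action(pkt) == "deny":
        return "dropped: acl"
    return "delivered"


def summarize(packets):
    """Count packets and bytes per verdict."""
    counts, sizes = Counter(), Counter()
    for pkt in packets:
        verdict = classify(pkt)
        counts[verdict] += 1
        sizes[verdict] += pkt["size"]
    return counts, sizes


if __name__ == "__main__":
    counts, sizes = summarize(SAMPLE_PACKETS)
    for verdict in sorted(counts):
        print(f"{verdict}: {counts[verdict]} packets, {sizes[verdict]} bytes")
```

Every packet that ends up "delivered" is TCP from a routable source to ports 6666-6669, so these rules alone cannot tell a user's connection from flood traffic, which is the limitation the comment describes.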

Alternately (3.83 / 6) (#40)
by jabber on Thu Feb 20, 2003 at 02:47:23 PM EST

Once you have them identified, locate them, wait for everyone to leave the houses, and set fire to them.

Idealy, you should do this from inside the house, from the kids rooms if that's where their computers are located. It would also be helpful to put kiddie pr0n in the father's sock drawer, a crack pipe in the mother's lingere, and a few pregnancy tests under the sister's bed.

That will teach the little bastards, and their little dogs too!

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"
[ Parent ]

Deception always helps! (4.00 / 1) (#13)
by tang gnat on Thu Feb 20, 2003 at 02:31:50 AM EST

Tell them that you are in the process of collecting their personal information. If they wish to not be punished they should stop immediately.

If they call your bluff, then start to actually investigate - perhaps when they were originally on your servers, they used their own IP, or maybe you can grab their email address somehow. If they use a hotmail address, I'm sure Microsoft would be glad to help stop a DDoSer, and tell you the IP they use to access their mail.

The other option (as has been mentioned) is to pretend to give in, then stab them in the back later on.

no (none / 0) (#31)
by tps12 on Thu Feb 20, 2003 at 11:23:26 AM EST

That never works.

[ Parent ]
Ignore them (4.50 / 2) (#15)
by the77x42 on Thu Feb 20, 2003 at 02:46:04 AM EST

Script kiddies will only do something that gives them a reaction. I remember the days. Don't do anything and they'll stop. I'd even pull this from the queue. Ignore your problems; if you stoke the fires that started the attacks, more will definitely follow.




"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

I would suggest (3.00 / 4) (#18)
by psychologist on Thu Feb 20, 2003 at 05:55:31 AM EST

That you send me an email with the info about these kids. I'll take care of them...real good. They won't be disturbing anybody for a very very long time to come...

he has to find them first (3.66 / 3) (#36)
by CodeWright on Thu Feb 20, 2003 at 12:19:16 PM EST

and i question how having you regale them with delusional tales will have any effect other than loosening their already tenuous grasp on reality.

--
"Humanity's combination of reckless stupidity and disrespect for the mistakes of others is, I think, what makes us great." --
[ Parent ]
What say we *do* loosen that grip? (1.00 / 1) (#48)
by rasmoh on Thu Feb 20, 2003 at 06:13:33 PM EST

Loosen 'em up reeeel good.

'Twas the pride of the peaches.
[ Parent ]
Good ideas, but... (5.00 / 1) (#21)
by coutcin on Thu Feb 20, 2003 at 08:29:23 AM EST

You have given good ideas, but most of these won't work for us.  Notifying each bot owner is a great idea, but someone mentioned that these kids had over 8000 bots, that'd take more time than it would to physically track them down.  :)

Shutting down the server to play with them as they attack would be fun as well as possibly work, but some of our users are already mad from the downtimes.

I do like the suggestion about the email, except they probably used fake email addresses when they registered their nicks.

Ross

Trace Them (5.00 / 1) (#39)
by The Turd Report on Thu Feb 20, 2003 at 02:34:17 PM EST

Your backbone could trace them back. If they are using spoofed IPs, they can still be traced, but it is hard to do. If they are coming from real IPs, someone would have to monitor the traffic/packets coming in and out of that machine.

[ Parent ]
If only (5.00 / 1) (#65)
by xL on Fri Feb 21, 2003 at 06:05:31 AM EST

Carriers are generally apathetic towards DDoS attacks. If their own infrastructure doesn't suffer, why would they be inclined otherwise? It's bytes passing their pipes. Someone is paying for them. I've never had any luck going upstream with DDoS situations, usually a day goes by before you get past the clueless dumbwits at the callcenter to explain the situation to a person with a mild understanding of networks. This person then has the choice of either doing a lot of hard work (the attack could be coming in from hundreds of peers and customers) or just setting a routing blackhole for the attack target. Carriers are VBCs with VBC politics and work ethics, so in 99% of all cases he will go for door number two.

[ Parent ]
ok (4.50 / 2) (#24)
by auraslip on Thu Feb 20, 2003 at 09:18:01 AM EST

So, you're telling me that when these kids first came you don't have the logs for their IP?
Surely they wouldn't just hop on to random IRC nets through compromised machines? Unless they were looking for trouble?
If that's the case... try to find their original IP from their username. Find every time that user logged in. Ask people if they know that person under a different name, consult logs.
If they are using a compromised machine as a gateway to you, "uncompromise" it with the help of the machine controller, and set a trap for the next time the hacker tries to log in, you got his IP.

If you know who the person is...well
thanks to the web, anything with a large enough user base can substantially fuck up a person's life.
That's right...a hate webpage, with phone numbers of friends and relatives.
124

Unfortunately... (5.00 / 1) (#64)
by xL on Fri Feb 21, 2003 at 06:00:54 AM EST

...they are logging in from compromised machines and they are looking for trouble. It is my careful estimate that there are approximately 25,000 open proxies and 15,000 compromised machines in the world used for irc-related abuse at any given time.

[ Parent ]
Give up (3.00 / 1) (#26)
by dmt on Thu Feb 20, 2003 at 10:05:07 AM EST

If you can't think of adequate ways of dealing with them there is not much point in continuing.

Although, surely getting in contact with other IRC network admins and asking them how they deal with it would be a good first step, before quitting?

Packet filtering? (5.00 / 2) (#27)
by catseye on Thu Feb 20, 2003 at 10:25:22 AM EST

Are you doing any kind of filtering to help prevent attacks from spoofed IP addresses? I'm assuming the IPs are spoofed because if they were valid, you'd know the source and be able to contact the ISP.

These documents might help:
http://www.landfield.com/rfcs/rfc2267.html
http://www.cert.org/incident_notes/IN-99-07.html
http://www.sans.org/dosstep/index.php

And, if you find it's coming from valid IP addresses, you really do have the responsibility to log the traffic and report the behavior to the ISP of the offending addy. If you can identify the bots, report the compromises to the owners/ISPs.

Good luck.

----------
How can we fight Islamic Fundamentalism abroad if we do not fight Christian Fundamentalism at home?

No use (5.00 / 1) (#63)
by xL on Fri Feb 21, 2003 at 05:57:48 AM EST

On ingress, you cannot see if a packet is spoofed. If it's tcp, comes from a valid ip-address and is aimed at the irc port, there is no way to stop it without closing the service. Carrier networks don't have the interest or capacity to block spoofs as they come in, so generally you cannot draw any more conclusions than "they are coming in over our level 3 link", if you're lucky the upstream will investigate but most likely they will nullroute your irc-server if anything.

Then there are DDoS drones and open proxies. Good luck getting a high school in North Korea and 1500 similar sites interested in removing a drone bot.

Finally, even if you do perfect filtering, the volume of today's DDoS attacks is in the Gigabit range. Sure you can drop packets, but what use is it if your pipe is so stuffed legitimate packets can't get through anyway? Even if there is spare capacity, have you ever had the privilege of trying to log in to a cisco router that is suddenly handling 2500% of its normal packet load? Access-lists only add to the already tremendous burden it has to carry.

[ Parent ]

jay and silent bob it. (3.00 / 3) (#32)
by Work on Thu Feb 20, 2003 at 11:27:53 AM EST

Find out where they live, send a guy named Guido to give them a little talking to.

Otherwise there ain't shit you can do.

Get one bot, get them all. (4.62 / 8) (#33)
by dark on Thu Feb 20, 2003 at 11:36:10 AM EST

Kiddies tend not to use very smart bots. The thing to do is track down one of the hosts they're using, and get the owner of that host to send you a copy of their bot.

Then wander over to the Honeynet Project, who are experts at decoding such things. They can figure out how the bots work and shut them all down. Alternately, you can use your new-found knowledge to play with their minds and scare them off. Steve Gibson had some success with that, but note that he eventually surrendered.

Temporary relief (none / 0) (#62)
by xL on Fri Feb 21, 2003 at 05:50:34 AM EST

I give you a good chance that you can pull this off. But, once this has been done a couple of times the kids will smarten up and you'll be in another arms race. Undernet thought they would gain the upper hand on drone bots with their user registration scheme. It turned out, that the registration system is still vulnerable to robotic subscription. It's impossible to tell whether an email-address used to send a password to is actually legit and not just some subdomain of scriptkiddies.org, so it's back to the drawing board.

The Undernet server I run has had its share of DDoS problems. The tactic to keep the impact within bounds that I developed over time works fairly well but takes discipline: Make it perfectly clear that you don't care. You must be able to communicate this with a straight face, so the knack to it is that in part this has to be true. Be prepared to flick the switch, enjoy your weekend and see if the tide's turned a couple of days later.

On the occasions that people from the l33t channels threatened with DDoS, I have always made the point that there were 20 DVDs I still wanted to watch and 40 books that I wanted to read and the fact that I just flipped the off-switch on an irc server would have no negative impact on my enjoyment of either offline activity. For two years I have irc'ed as an operator on a 28k8 leased line with my ip-address visible for the entire world and I never got attacked, I was no fun as a target,



[ Parent ]

Talk to them (4.71 / 7) (#37)
by egg troll on Thu Feb 20, 2003 at 02:02:03 PM EST

Another comment suggested making them IRCops long enough to find out who they are. I fully concur with this. The company I worked for had a lot of its clients hacked by French haquers. When I found one of them on a PC, I started talking to him, singing his praises ("Oh you must be very smart!" "No, I'm not interested in finding out who you are to punish you, just to learn how you did it." Etc...) Sure enough, we eventually got all his info.

I'm not certain what stage the legal proceedings are in this matter, as I've left the company. However I know that the attacks stopped once he found out he was caught. I'd suggest appealing to their sense of power, find out who they are and then pursue legal action.

Good luck, sorry to hear about the troubles.

He's a bondage fan, a gastronome, a sensualist
Unparalleled for sinister lasciviousness.

Seconded (5.00 / 1) (#60)
by NFW on Fri Feb 21, 2003 at 03:41:14 AM EST

Someone cracked into a friend's box, which was coincidentally running an IRC server, and logged into the IRC server for reasons unknown. We started BSing with him while a couple of us figured out who his ISP was, and got his account yanked.

We had it easy because he only had a couple other accounts to play with, which we blocked one-by-one over the next few minutes. Blocked at the IP level on our own ISP's router, I might add (we have friends there), so the impact on us and our ISP was negligible.

In your case, with many hosts to deal with, it would be worth luring them into comfort (the IRCop idea is interesting) to make up a list of the hosts they come in from, then have those shut down by talking to their ISPs one by one. Every action they take while they're logged in has to begin at home, so if you can track down their home ISP there's a fair chance you can keep them away for a while. If they're minors, it might even keep them away for a long while, as they'll probably have to explain to mom and dad why the internet connection doesn't work anymore.

Bait them and trap them sounds to me like the best suggestion so far.


--
Got birds?


[ Parent ]

Script kiddies would stop doing this sort of thing (4.00 / 11) (#38)
by qster on Thu Feb 20, 2003 at 02:11:58 PM EST

If companies began hiring hit-men to remove them from circulation once they discover who they are. Take a page from the World Wildlife Foundation, who hire snipers to deal with poachers in Africa.

OT: Snipers for poachers? (3.33 / 3) (#59)
by NFW on Fri Feb 21, 2003 at 03:27:37 AM EST

Take a page from the World Wildlife Foundation, who hire snipers to deal with poachers in Africa.

Fascinating. Got a link to a page with more info?


--
Got birds?


[ Parent ]

Three easy steps: (5.00 / 6) (#44)
by Alarmist on Thu Feb 20, 2003 at 04:03:03 PM EST

1. Join the DShield mailing list. A signup form is available here.

2. Post your question to the list. Include details and be sure to provide more details as necessary, because people will ask.

3. Read the responses and act appropriately.

The DShield list is read by a lot of people, some of whom put a fair number of letters after their names. Its real value lies in the fact that it is populated either by security professionals or by people who have an interest in network security. The information and suggestions are usually quite good and it never hurts to ask them.

Note: be thick-skinned. Some of the people on the list are not friendly.

There must be some way to find them. (4.50 / 2) (#47)
by nstenz on Thu Feb 20, 2003 at 06:11:51 PM EST

If they 'sent you a message', it must have come from somewhere. Just about every messaging system on the net can be traced one way or another. E-mail has headers. ISPs keep log files. There must be a way.

Assuming most of the compromised machines were hacked Windows boxes, you could try a NET SEND to each IP address. If it's Windows 2000 or XP and the port isn't blocked, the owner of the machine can get a nice little message explaining that his/her system has been compromised and how to contact you. Windows 9x can do the same, but it needs a client running that isn't started by default. :(

I feel your pain (2.50 / 2) (#55)
by hans on Thu Feb 20, 2003 at 09:48:00 PM EST

LiveJournal has been under attack for over 24 hours, leaving it unreachable for most users.  

If you ever do ID these kids, I'm sure there's enough unemployed geeks 'round here who would jump at the chance to flex.  Hell, just give me a street address.  Spring break is coming up and I need a road trip!

They're wimps (none / 0) (#58)
by gameprograma on Fri Feb 21, 2003 at 12:10:47 AM EST

This definitely isn't hacking. It's just being stupid. They're not gaining anything from this. Anyway, they're obviously going to give up very soon if you like get hooked up to more servers.

Good luck!
-> ae++ one level beyond

IRC is going to hell in a handbasket, film at 2300 (5.00 / 6) (#61)
by xL on Fri Feb 21, 2003 at 05:29:53 AM EST

Let me start off with saying that you have my sympathy. I am the administrator for an Undernet server and have briefly run a server on efnet, so I've seen my fair share of (D)DoS problems. What struck me is, although DoS-attacks against users and servers can be found on any irc network, the stated/perceived reasons behind attacks vary wildly.

In general, DoS-attacks against irc networks find their roots in one of the following:

  • Tactical Advantage - Depending on server code used on the network, disrupting one or more servers may offer the attacker options to take control of a channel or nickname.
  • "Respect" - In some situations, attackers are offended by the behaviour or attitude of the irc operators. Typically, the attacker feels challenged by the operator's confidence in having control over the network and sets out to "demonstrate" that they do not.
  • "Vengeance" - The attacker feels that stated rules for the network should not count for him. Attempts of irc operators to wield their "power" in banning the attacker give him the justification to wreak havoc.

In short, attacks are either a result of obvious technical malfunctions in the implementation of the irc protocol (this has been sort of an arms race for a while between ircd coders and crackers) or a direct consequence of culture.

I think that, in the end, the culture aspect is the most important one. IRC has a big cultural disadvantage that may be the root cause for all the chaos: Hierarchy. The system of ops, left entirely to the lunatics running the asylum, makes channels competitive social systems. Some networks complement the basic feudal division between Ops/Non-ops with channel services and "levels", bringing even more breeding ground for envy and competition.

If you go into established channels on any irc network, you will see that this hierarchy is for many people a very prominent aspect of their behaviour. I've seen many channels go to shit because of exactly this. Power struggles, op wars, the works. Because of the "power" derived from channel "ownership", the first wave of irc abuse was in the realm of channel "takeovers".

What makes things worse, is when this power hierarchy extends to the server operator level. Networks that have highly visible opers that actively involve themselves with the balance of power on channels catch a lot of DDoS attacks. It's even worse if the operators are "recruited" from within the general irc population. One person's rise to status is the other person's hideous envy. Things start rolling.

My recommendation for IRC networks: Really start thinking about the service you are offering. As a network, you are offering infrastructure that, as time has shown, lends itself best for virtual gang warfare. Part of this is the attraction of irc, but there is no way you can encourage people to be competitive and at the same time restrain them to your rules, especially not if the network itself is also a player in the "competition".

Think of ways to flatten the hierarchical model. As long as people can "kick" each other off channels, people will be offended by it and long for vindication. Take a look at other unmoderated platforms (like usenet or blogs) and see how they deal with control. Perhaps "ops" should not be set in stone; Why not let users decide whose judgement to trust for moderation? I can envision users giving other users (or a bot) ops, but being able to discard their moderation. So if user JQop666 on #channel gets the op and kicks Lamer1335 off, only users that selected to listen to JQop will see him disappear.



Changes need to be thought through. (5.00 / 1) (#67)
by zipper on Fri Feb 21, 2003 at 09:27:35 AM EST

It's key to make sure that the changes you make either to services or ircd code are thought through.

After the trouble with linuxsex, ssc and some romanians, in come the HEAD_IN_SAND patches. coder-com thought the modifications were short-sighted, and from what I hear, they were largely pushed through by admins such as yourself.

Now clearly, you're in a better position to judge what's an actual attack, and what's just an EU oper falling over drunk and hitting /squit, but from an end user perspective, undernet's stability hasn't improved significantly, and the ease of use has decreased.... since I can't see routing information with /map or /links, and since I can't see what server a user I'm talking with is on, I can't even guess where lag is when it comes, so I have to either hop servers randomly or wait while undernet splits on and off.

User registrations also must have seemed like a great idea... protecting users/opers from attacks is always desirable, but there are clear problems with it that SHOULD have come up in any debate. The minor problem is that everybody who uses it is on one base host (*!*@*.users.undernet.org) ... no matter, if someone causes problems, you can just ban the username, right? Well, uh, no.

Since there's nothing to ensure that each user only gets a single username, people can evade bans to their hearts content, secure in the knowledge that you can't ban *.undernet.org because there are legit users on it as well. Set +i or +k, and they win.

---
This account has been neutered by rusty and can no longer rate or post comments. Way to go fearless leader!
[ Parent ]
Good points (5.00 / 2) (#69)
by xL on Fri Feb 21, 2003 at 10:53:42 AM EST

A couple of things, though. If you perceived my post as relating to developments on Undernet, you misinterpreted. In my vision, irc is doomed unless it reshapes itself from the bottom up. A running network, like Undernet, is not the platform for such drastic changes.

The reason Undernet admins went for the whole "hiding stuff" operation has nothing to do with all that, but much more with economics. I think most admins who voted 'Yes' knew full well that this would lessen the quality of user experience, but a significant number of parties felt that their backs were against the wall and the choice was between either folding up or trying something to lower the level of abuse. The traffic volume of DoS attacks was rising to the level that even larger ISPs had trouble coping with them, which has an impact on paying customers.

As to host hiding, I agree that it has problems. In my opinion, these problems are not worse than they were before (evading bans has always been easy for the average kiddo) and at least there is now some chance to fight the abuse on an entirely different level. It may be whack-a-mole, but every time a double registration is noticed, there is at least a record to an email-address. Its domain can be blocked from further registrations. MX records can be traced and exempted. An email-address leaves a bigger audit-trail than an open proxy. Average abuse desks can grok what is going on, more than with vanilla irc abuse.

[ Parent ]

It's probably hopeless. (4.00 / 1) (#74)
by Mr.Surly on Fri Feb 21, 2003 at 02:24:04 PM EST

Our small company was under a DDOS attack also. We knew:
  • Who was doing it (full name)
  • Where they lived (a few miles from us)
  • Their phone number

Our upstream was willing to testify as to the origin of the attack. We contacted the local, state, and federal law enforcement.

Nothing happened. Law enforcement doesn't care, even if there are monetary damages.

Eventually, they got bored and stopped.

What happened? (5.00 / 1) (#78)
by NFW on Fri Feb 21, 2003 at 03:53:59 PM EST

It's been way more than 27 hours since this went into the queue. Are they still at it? Did you implement any of the ideas below? Did they help? What would you do next time?

What, if anything, would you do differently next time?


--
Got birds?


Update (5.00 / 5) (#79)
by angelic on Fri Feb 21, 2003 at 06:45:48 PM EST

I wanted to thank everyone for their support and words of advice, we have read all your posts and are so grateful to you for taking the time to help us.

I would also like to give you an update, explain a few things that were mentioned in the replies to my initial post and then explain what we decided to do and what the outcome has been so far (it may be long winded, i'm sorry).

This kid came to our network looking for trouble, he pushed and threatened the IRCops, and he was initially ignored, we felt that was the best way to deal with him, it wasn't until we *really* felt our users were at risk that we took action. That action was to remove him from our support channel (not the network) and this was followed by an explanation of the ban to him in private. This is when he demanded we lift the ban and show him some respect or he would attack us, catch 22? Do we lift the ban and allow him to do what ever he wants? or we maintain the ban and prepare to be attacked?

We've worked hard on our rules, we've trained our opers not just in commands, but in communicating with users, we looked for "people" people for our staff. Respect plays a huge part in our network, for each other and for our users, we work on an open and honest policy where we share feedback and we take it on the chin, we want to learn and grow and develop. Our user base respects that, and to allow someone to come along and blackmail us would make a mockery of our philosophies.

Please also note that he has access to thousands of compromised machines, we ban him and 20 seconds later he's back on a new proxy and so on. We do have his real ip, when he's using the bots for the attacks he can't use them to connect, and he likes to check if we are still around, so he uses his real ip :)

ok, so we tried a number of your suggestions;

We contacted the FBI, they asked us to contact our local Law Enforcement Agency. I'm a Brit, so that meant the Metropolitan Computer Crimes Unit. I spoke to a really great guy there, he gave us good advice, and asked us to forward any information we had to him. The problem here is, our server is in the states, so he is limited to what he can do, but just having someone take us seriously helped a lot.

We spoke to friends on other networks, some other IRCops and.. ta da.. one has a folder on this kid, he attacks other networks too, so we have a support network now, a few of us working together to gather and collate information.

At this point he was still attacking us heavily each night, he didn't come onto the network like usual to gloat about it, he just did it.

I think we wanted to believe that there was some good in this kid and that we could reason with him and make him understand what he was doing and how it affected people, not some big corporation, just normal users, 1600 people who called our Network home.

Last night he logged on, now please imagine, this guy has the ability to destroy something you feel sooooo strongly about, when we see him arrive everyone is tense, we can't help it.

Two of us talked to him, he listened, we *thought* he listened. 10 minutes later it all started again.

We rallied. Enough, we'd done enough now to try and appeal to his sense of right and wrong, we worked on contingency, brought up some other servers, secured them, did what we could to keep him out. We also updated our website, stating enough is enough, calling him a terrorist and explaining to our users (and him) that the next step was the authorities, we also indirectly implied we may call his parents, he didn't say another bad word after that.

Guess what he did? He came back onto our network a few hours later, into our main support channel and in front of fuming users and staff he apologised and promised not to do it again (i am almost tempted to paste the log!), he even said he would make it up to us. There was silence, no one quite knew what to do.

This hasn't stopped him attacking other networks, we have no idea if he really means he will stop attacking us, but, it doesn't matter now, we have pulled together as a community and as a team, we are not ready to give up.

Moving forward, we are still working on contingency servers, we have lost a lot of users. People used our network to host national help and advice channels along with other more general chat rooms, but, as much as webmasters want to support us (and we know they do from the emails and comments we have received), they need a stable network. So we are trying to host a few servers ourselves until we can find more sponsors.

We are obtaining isps from the IP's used in the attacks and we plan to e mail as many as possible, as well as trying to educate our users on security, running public training sessions that will include computer security.

Personally, i learnt you can't change everyone, that sometimes you have to make a stance, suffer the short term loss, use it as a learning experience and be more prepared for the next kiddiot that comes along, because, this is irc, and we really do have a kickass Network, an amazing community, and *someone* is always going to want to wreck that.

It's hard work doing this, but yanno what?, right now, sitting in a channel with users who are offering us support every step of the way, reading your comments on here, receiving email after email of support, watching our sponsor fight against this kid, listening to the network staff debating how we can make our network even better, not losing hope for one moment, watching them appease angry users, users who really want to scream at this kid, and keeping their cool when secretly, they want to do the same, makes it worth all this hassle and stress. If i have learnt anything from this, it's that there are a bloody lot of people out there that really give a damn.

angelic www.liveharmony.org

What do we do? | 83 comments (80 topical, 3 editorial, 1 hidden)