Kuro5hin.org: technology and culture, from the trenches
The FBI Called Again

By simul in Technology
Wed Feb 04, 2004 at 04:34:09 PM EST
Tags: Freedom

Our network was shut down by DDOS attacks for 4 hours a day, three days in a row. Today we got a message from the FBI. Apparently they are investigating:

My name is [snip] and I'm an FBI Agent in [snip] investigating a distributed denial of service attack affecting several different companies around the U.S. and in some foreign countries. I'm writing to ask for your help. Please call me at your earliest opportunity. Thanks!


My response to the FBI's request:

Yes, we were hit with a DDOS attack that shut down hundreds of websites for several hours. This attack cost us over $2000 in bandwidth fees. As a partner, that money comes right out of my meager salary.

Although I was hurt, I'm looking at this rationally.

Ultimately, the problem with DDOS attacks is that ISPs don't implement egress filtering (also known as RPF), and O/S vendors ship systems without adequate security. In other words, it's trivial for ISPs to stop these attacks. Perhaps it is because ISPs make extra money in bandwidth fees when these attacks occur that they fail to implement these rudimentary measures. Perhaps it's simply Microsoft's laziness in executing every program without a security context.

If I were the FBI, I'd investigate why AOL, Comcast, Cisco and others have not implemented egress filters as standard on their networks. Or why Microsoft insists on shipping operating systems without default security settings appropriate to the Internet.

We can't arrest every curious 16-year-old kid. We need to, instead, stop the irresponsibility of the billion-dollar corporations that are wasting your time and mine.

More information on this issue can be found here: http://www.ddos-ca.org/

NOTE: The networks affected were managed by [snip] and [snip]. They will be able to provide you with details. If you need any more information, we will provide it as required by law.

I hope they don't take my response as antagonistic.

DDOS attacks have cost me over $17,000 over the last 3 years. I have no sympathy for the attackers. But I have less sympathy for lazy billion-dollar corporations.

A friend of mine came up with this analogy: "When an ISP charges a victim of a DDOS attack, that's like a waiter at a restaurant dropping your dish on the floor, making you wait 2 hours for your food, and then putting the dropped meal on the bill."

So why haven't ISPs implemented endpoint egress filters? The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them?

The answer may have to be government and legal pressure. If ISPs were responsible for damages caused by the attacks originating from their networks, then that would provide sufficient pressure to secure the endpoints.

I'd be interested to know what Kuro5hin readers feel about these issues.

Poll
Who should the government be investigating?
o Microsoft - for willful negligence in producing an O/S that sucks 26%
o Router vendors - for failing to enable RPF by default on endpoint routers 4%
o ISPs - for allowing these attacks to persist, and then charging their customers for them 53%
o Script kiddies - they are the real problem 15%

Votes: 165
The FBI Called Again | 210 comments (202 topical, 8 editorial, 4 hidden)
Remember in Die Hard when (1.92 / 27) (#1)
by Tex Bigballs on Wed Feb 04, 2004 at 10:27:19 AM EST

the FBI cut the power to the Nakatomi building even though that's exactly what Hans Gruber wanted? You would think they would learn from their mistakes.

I don't know (none / 1) (#78)
by etherdeath on Thu Feb 05, 2004 at 08:30:44 AM EST

why you and Michael Moore are buddies... you are like 500x funnier than he is.

[ Parent ]
Yeah (none / 1) (#94)
by Michael Moore on Thu Feb 05, 2004 at 11:22:24 AM EST

I admit, in retrospect, that being arrested by the FBI is no joking matter.

--
"My life was more improved by a single use of [ecstasy] than someone's life is made worse by becoming a heroin addict." -- aphrael
[ Parent ]
no.. (none / 0) (#186)
by etherdeath on Sun Feb 08, 2004 at 10:56:08 AM EST

the concept could be funny, if it had been delivered with any sort of style.

[ Parent ]
In the same way that.. (none / 0) (#104)
by Protagonist on Thu Feb 05, 2004 at 02:04:20 PM EST

..one micrometer is 500x longer than two nanometers?

----
Hahah! Your ferris-wheel attack is as pathetic and ineffective as your system of government!
[ Parent ]
Well... (1.47 / 23) (#2)
by Michael Moore on Wed Feb 04, 2004 at 10:27:35 AM EST

I'm pretty sure you're going to be arrested.

--
"My life was more improved by a single use of [ecstasy] than someone's life is made worse by becoming a heroin addict." -- aphrael
I'd leave the country if I were you (1.09 / 22) (#3)
by fritz the cat on Wed Feb 04, 2004 at 10:40:28 AM EST

while you still have the chance

DOING NOTHING FUCKING SOMETHING

This is one very good article. (1.80 / 10) (#7)
by megid on Wed Feb 04, 2004 at 11:02:47 AM EST

Interesting, concise, realworld. +1 FP.

What I think about this issue is: Either government enforces security (in the same way that e.g. construction companies are forced to adhere to material stability standards), or the customers need to require it. The latter is unlikely to happen, so I recommend the former.

Btw, isn't the surest way to break off a DDOS to unplug your network? At least you wouldn't be billed the full 4 hours, then.

--
"think first, write second, speak third."

Real world? (none / 1) (#89)
by mindstrm on Thu Feb 05, 2004 at 10:29:07 AM EST

The FBI asks for your assistance in a case.

So you go on a big useless rant about how it's really Microsoft's fault?

Then say you will provide "Any help required by law" which means to an FBI guy "I will give you any information you show up with a proper warrant for, but nothing else"

That is not called helping.
That's being a self-righteous dink.


[ Parent ]

Exactly. (none / 0) (#107)
by megid on Thu Feb 05, 2004 at 04:04:37 PM EST

That is what realworld is about, isn't it? Being a self-righteous dink, I mean ;-)

--
"think first, write second, speak third."
[ Parent ]
We've been DDOS'ed before. (2.75 / 16) (#8)
by Mr.Surly on Wed Feb 04, 2004 at 11:03:49 AM EST

It was someone known to an employee here, doing it as revenge.

He said he was going to do it.

We worked with our ISP, and his ISP.  NOC employees were willing to testify that it was in fact coming from his account.

We knew his name, address, and phone number.

No law enforcement (local, state, FBI, etc) would give us the time of day, despite all of this, and despite the fact that it was costing us thousands.

So please tell me, how the fuck did you get the FBI to call you?

What about a civil suit? (2.00 / 5) (#9)
by Michael Moore on Wed Feb 04, 2004 at 11:05:06 AM EST

How significant were the damages?

--
"My life was more improved by a single use of [ecstasy] than someone's life is made worse by becoming a heroin addict." -- aphrael
[ Parent ]
Probably in the range of $5000 (2.00 / 5) (#10)
by Mr.Surly on Wed Feb 04, 2004 at 11:18:56 AM EST

But for a (then) 3-man company, that's significant.  And civil suits against minors don't usually pan out, money-wise.  

[ Parent ]
Needs to be $50k+ (1.66 / 6) (#15)
by The Turd Report on Wed Feb 04, 2004 at 12:47:20 PM EST

Or the FBI doesn't give a flying fuck.

[ Parent ]
Not sure why (2.57 / 7) (#19)
by simul on Wed Feb 04, 2004 at 01:16:02 PM EST

They've called in the past as well.

We're a pretty big ISP, with about 600,000 sites.

Over the past few years, I've been on the phone with the FBI, secret service, various local police. I've literally discussed everything from Elvis Presley's estate to child pornography to Al-Qaeda.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

[nitpick] distributed? (none / 0) (#117)
by vnsnes on Thu Feb 05, 2004 at 06:33:18 PM EST

NOC employees were willing to testify that it was in fact coming from his account.

Does it mean it was not distributed? If it weren't, it may not have shown up on the FBI's radar because only (don't mean to sound trivial here) two ISPs were involved.

[ Parent ]

OS nitpicks (2.10 / 10) (#11)
by Mr.Surly on Wed Feb 04, 2004 at 11:23:47 AM EST

Assuming you're referring to a source IP spoofing DDOS, while it seems like it would eliminate script-kiddies, it would just mean that the scripts would get better (be run as a privileged user), and determined DDOS perpetrators would be able to bypass.  I would doubt that MS (or any vendor) would remove source address spoofing entirely, as it probably has its uses in network testing.

In any case, there are still other DDOS techniques such as zombie machines, which attack from multiple networks, and are often difficult to track back because the attacker doesn't need to send data DURING the attacks.

Source address spoofing... (3.00 / 4) (#42)
by Znork on Wed Feb 04, 2004 at 05:21:48 PM EST

... is exactly the reason why ISPs need to stop passing packets originating within their networks with source addresses outside their networks.

It's not that hard to do. It's not that expensive to do. And it should affect no legitimate traffic.

There are legitimate reasons for the functionality to be in OSes and it should be there. There are, however, few reasons to pass such traffic on the internet.

[ Parent ]

Agreed. (none / 2) (#44)
by Mr.Surly on Wed Feb 04, 2004 at 05:54:15 PM EST



[ Parent ]
poll option missing (2.13 / 15) (#13)
by Arkady on Wed Feb 04, 2004 at 12:41:36 PM EST

You left out the most important option:  End-Users.

Yes, many OSs ship with badly chosen defaults but as the end-user you _can_ actually change those.  You can also choose not to use an OS which has so many easily-exploitable vulnerabilities.

The ISP-as-nanny approach is no more desirable than a government-as-nanny approach is.  It's the end-user's box, and the end-user's responsibility.

As an ISP I'm certainly willing to help my users work their way through cleaning and securing their systems but, ultimately, it's their responsibility to do so.  It's only reasonable that they also bear the costs associated with their failures.  I have to pay other networks for the bandwidth my users use, and the only way to do that is for the users to pay for their own use.

Why should the ISP pay the price of one of their users failing to act responsibly?

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


Product liability law (2.50 / 6) (#20)
by simul on Wed Feb 04, 2004 at 01:18:39 PM EST

End users are actually not entirely responsible under product liability law. It's more likely that an ISP, as the "vendor", would be liable if their product (internet connection) was dangerous (unmonitored, no egress filtering).

It's like saying people should be responsible for installing seat belts in their cars. Maybe they should.... but our legal system doesn't work that way.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

flawed analogy? (none / 3) (#22)
by Arkady on Wed Feb 04, 2004 at 01:27:57 PM EST

Wouldn't it be more correct to make the analogy with securing one's box to _using_ seatbelts in a car rather than to installing them?

At a minimum it's more appropriate if you're only considering whether the user has a responsibility to modify the machine's configuration from insecure defaults and to avoid stupid mistakes (like opening an executable attachment).  In this case, all the materials necessary are already present and it's only a question of whether they're being used.

In a broader sense, your analogy is also much more applicable to software vendors than ISPs in that the software vendor supplies the car, whereas the ISP supplies only the road.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
I was talking about the precedent (none / 3) (#24)
by simul on Wed Feb 04, 2004 at 01:35:02 PM EST

Manufacturers were not always required to put seat belts and antilock brakes in cars.

They were sold separately before.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

point (none / 1) (#26)
by Arkady on Wed Feb 04, 2004 at 01:44:21 PM EST

Viewed that way, however, I still think it's most apt as an analogy to software vendors.  They do not, in general, include all the equipment necessary to safely use their products on the "road" provided by an ISP (or, in cases such as Outlook, include extremely defective equipment).

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
True (none / 2) (#39)
by simul on Wed Feb 04, 2004 at 04:09:19 PM EST

But even private road-builders are subject to safety regulations....

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
For a better analogy: (2.50 / 3) (#29)
by Kwil on Wed Feb 04, 2004 at 02:25:37 PM EST

A store where someone has broken a bottle of vegetable oil in one of the aisles, and another person slips and injures themselves.  If the store has been previously informed that there was a slippery portion in the aisle and did nothing to prevent the slip and fall, they're liable. The customer has a reasonable expectation of good traction.

ISPs are similar to the store in this respect. They know there is a problem that they can easily fix. They know that problem is affecting other people and causing damages. They are doing nothing about it.

Part of the problem is that ISPs do bandwidth charges backward. They charge their user for content uploaded. They should be charging the other ISPs for that, (we gave you this much data.. you give us this much money) and charging their own users for content downloaded (you took this much data from someone else, we need this much money to pay them for it.)

Then, rather than a DDOS being expensive for the victim, it'd be expensive for those who allowed it to happen.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Learn What 'Peering' Is (none / 3) (#31)
by The Turd Report on Wed Feb 04, 2004 at 02:48:12 PM EST

Part of the problem is that ISPs do bandwidth charges backward. They charge their user for content uploaded. They should be charging the other ISPs for that, (we gave you this much data.. you give us this much money) and charging their own users for content downloaded (you took this much data from someone else, we need this much money to pay them for it.)

Everyone already pays someone for sending and receiving traffic. The only ones that don't are the ones that have peering agreements with each other and even then there is some $$$ exchanged for that.

[ Parent ]

yeah sure (3.00 / 5) (#52)
by axel on Wed Feb 04, 2004 at 07:01:53 PM EST

That is an obvious case of geek-centric view of the world. Assuming that any computer user can install an operating system himself is obviously wrong. Try to look at normal, non-tech people in a realistic way. Many people who use computers can barely log into Windows XP and start Word or Excel, and perhaps play some games. Some of them are curious about the computer and learn more about it, most of the others simply don't give a damn. The security and privacy of their computer is not a matter of pride or technical challenge for them (unlike slashdot readers and geeks worldwide): it's a matter of losing their (real) work, mail, pictures of their relatives and friends, their music. They don't even expect that the software works perfectly: they've grown to accept that 'computers crash now and then' and are not surprised when the Blue Screen Of Death shows up. And why? Because they think that's the only way stuff works. They don't even know what the hell Linux is. And they don't care anyway. If my brother, my mom or my girlfriend suddenly decided to install Linux by themselves, I bet they could spend a whole year sitting in front of the computer and not figuring it out. So it's not their responsibility to make their boxes 'secure': operating systems _should_ be secure with stock configuration. So hell yeah it's the vendors' fault and not the user's fault. It's not the driver's fault if he kills someone because the brake didn't work in his brand new car. Is it?

[ Parent ]
Ignorance is no excuse (none / 1) (#93)
by werner on Thu Feb 05, 2004 at 11:17:50 AM EST

Sure, a driver may not be responsible if the car's brakes fail (unless he neglected to service them), but he is responsible if he kills someone because he is a crap driver.

[ Parent ]
As the Internet becomes increasingly mainstream... (none / 1) (#118)
by skyknight on Thu Feb 05, 2004 at 08:02:49 PM EST

we can expect a continued drop-off in the technical ability of the average user. Demanding that the Internet be hardened via improved security at end hosts is consequently impractical.

How would you feel if someone's microwave oven was apt to do thousands of dollars worth of damage to someone living on the other side of the world, simply because they weren't an electrical engineer? I won't presume to speak for you, but I plug mine into the wall, punch in a time, press start, and expect my food to get cooked. I don't know anything of its electromagnetic radiation properties or power consumption characteristics. If my microwave were capable of causing such catastrophes, would you tend to blame me, or the manufacturer?

Furthermore, placing all security at the end hosts presumes that even perfectly reasonable computing practices will invariably prevent computer hijacking. Sometimes application or system code has security flaws that can be exploited by third parties without any mistake made by users, and this information does not always get to legitimate users in time to patch a system before an attack is launched.

Also, even if you are diligent, and there are no accidental security flaws in code, some Trojan attacks are remarkably obscure, and for all intents and purposes impossible to stop. Do you install only source based packages on your system? Do you actually read all source code before compiling and installing it? Did you hand assemble your own compiler so that you know that it doesn't furtively compile Trojan horses into your code? Did you write your assembler in machine code yourself? Have you built all of your own hardware, so that you can rest peacefully at night, knowing that the microcode does not contain back doors?

There is a very good reason that the real security experts preach defense in depth.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
+1 FP (1.91 / 12) (#14)
by SkArcher on Wed Feb 04, 2004 at 12:43:51 PM EST

Good article on a serious problem.

Without getting too far into anti-MS and anti-AOL territory, it is the responsibility of those entities to protect the rest of the internet from their users as it is for them to protect their users from the rest of the internet.

Not that they will do anything of the sort, as they are too busy cutting corners in the name of Profit.

If God didn't want us to eat people, why did he make them out of MEAT?
Have You Contacted Your ISP? (2.12 / 8) (#18)
by The Turd Report on Wed Feb 04, 2004 at 12:57:16 PM EST

They should be able to track down the attack or at least stop it. If you have a burstable circuit and don't alert them that you are getting DoS'd, you will get the burst charges. Do you have any sort of plan of action for these DoS attacks?

Our ISP is a victim too (2.25 / 3) (#21)
by simul on Wed Feb 04, 2004 at 01:25:00 PM EST

Only one of our ISPs billed us. The other one took the high road, and is busy working with us to monitor the traffic and getting the virus/bots shut down.

Once we got tipped off by someone, we used the IRC channel to "hack back in" to the source machines. I was tempted to wipe them... but we instead spent 20 hours popping open VNC terminals, installing Windows Update on people's boxes without their permission, and deleting the trojans from over 200 machines. I couldn't find a way to automate it.

Ultimately it's the distributed network of source ISPs and O/S vendors that's at fault.... any one of which contributes less than 1% to the overall problem.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

How Far Removed From the 'Backbone'? (none / 3) (#25)
by The Turd Report on Wed Feb 04, 2004 at 01:37:19 PM EST

Attacks can be traced if you get a tier1 provider to start looking. I know the one I work for will trace attacks for customers, if they are going to press charges, and will trace attacks that originate from our network if another tier1 calls and has traced a live attack to us.

[ Parent ]
Which one? (none / 2) (#38)
by simul on Wed Feb 04, 2004 at 04:07:43 PM EST

Ok to name names? We're definitely moving off of ours.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
MCI (nt) (none / 2) (#49)
by The Turd Report on Wed Feb 04, 2004 at 06:29:21 PM EST



[ Parent ]
vigilantes? (3.00 / 5) (#32)
by /dev/trash on Wed Feb 04, 2004 at 03:26:30 PM EST

Once we got tipped off by someone, we used the IRC channel to "hack back in" to the source machines. I was tempted to wipe them... but we instead spent 20 hours popping open VNC terminals, installing Windows Update on people's boxes without their permission, and deleting the trojans from over 200 machines. I couldn't find a way to automate it.

Isn't that just as illegal?

---
Updated NEW 10/15/2003!!
New Site, More Parks
[ Parent ]

Yep [nt] (3.00 / 6) (#37)
by simul on Wed Feb 04, 2004 at 04:07:03 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Missing Poll Option (2.75 / 3) (#27)
by CENGEL3 on Wed Feb 04, 2004 at 02:05:42 PM EST

(IMO) You should include an "All of the Above" poll option. While I think you are right about vendors being responsible for the security of their products as a big part of the problem, any system which is designed to be used can also be misused by someone bright enough. Ultimately that person should be held responsible for the consequences of their own actions.

The script-kiddies who perform DDoS attacks or compromise and deface websites really aren't all that different from punk kids who break into people's homes and shops and vandalize them. They should be treated accordingly which does mean criminal charges (though not more serious than if they had physically vandalized property).

Leaving the shop door open (none / 1) (#36)
by simul on Wed Feb 04, 2004 at 04:06:16 PM EST

To what extent are Microsoft's poor O/S security and unfiltered ISPs analogous to leaving the shop door open? Does that modify the crime?

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Depends (none / 1) (#40)
by CENGEL3 on Wed Feb 04, 2004 at 04:36:27 PM EST

I'd say it was more analogous to having a really shitty lock. It's one thing to have something which no one has made any attempt to secure (i.e. public share, full control everyone, no indication access is meant to be restricted)... it's another to actually make an attempt to secure something and have it overcome, even if it was a poor attempt (i.e. a buffer overrun exploit).

The script kiddies know that they are violating someone's space without permission and in most cases they are actively doing something to defeat security measures... even if it is only downloading and running an automated exploit kit.

Yes, the lock manufacturers (i.e. Microsoft) are guilty of producing a bad lock but that does nothing to excuse the person who breaks the bad lock, busts in and vandalizes someone else's property (i.e. script kiddies). They are just as guilty as if the shop had been secured with the best lock in the world.

[ Parent ]

I agree (none / 1) (#41)
by Cro Magnon on Wed Feb 04, 2004 at 05:06:48 PM EST

but the guy making the crappy lock needs to pay some kind of penalty that will encourage them to build better locks. Or more people need to use a different lockmaker.
Information wants to be beer.
[ Parent ]
The Penalty (none / 2) (#45)
by moondrop on Wed Feb 04, 2004 at 05:57:45 PM EST

You're spot on about people using a different lockmaker. If one lockmaker is producing crappy locks, then his penalty will be potential users and repeat customers going to someone else.

[ Parent ]
Vendor lock-in (3.00 / 4) (#68)
by swr on Thu Feb 05, 2004 at 12:05:45 AM EST

Except the lock (security function) is integrated with the door (operating system), so you have to replace the whole door. But only one company produces doors with those dimensions (ABI), and they sell more than 90% of all doors, so most houses (software applications) are built to fit their doors. So in order to replace your lock, you're going to have to replace your house too.

Of course, the lack of government interference makes it all worth it. Right?



[ Parent ]
Nope! (none / 0) (#164)
by simul on Fri Feb 06, 2004 at 10:55:33 PM EST

the problem is that the people with the shitty locks don't get hurt by the silent and unobtrusive intruder... so they have no incentive to buy new ones

their homes are instead used to plan and house terrorists that attack others... in well-defended homes ... without their knowledge.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Cisco (2.83 / 6) (#30)
by b1t r0t on Wed Feb 04, 2004 at 02:27:28 PM EST

If I were the FBI, I'd investigate why AOL, Comcast, Cisco and others have not implemented egress filters as standard on their networks.

Like the Sesame Street song says, "One of these things is not like the others, one of these things is not the same..." Ummmmm, Cisco is an equipment manufacturer. They can't do anything about the intelligence level (or lack thereof) of the management of access providers, nor can they affect their management decisions, any more than you can.

-- Indymedia: the fanfiction.net of journalism.

Tragedy of the Commons (none / 3) (#35)
by simul on Wed Feb 04, 2004 at 03:47:07 PM EST

If you understand this: http://dieoff.com/page95.htm ... then you'll understand why Cisco - who has the ability to fix the problem - should.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Cisco (none / 3) (#46)
by bobthejanitor on Wed Feb 04, 2004 at 06:10:31 PM EST

Even if they did include it by default, it is still up to the admin to enable filtering. ISPs have the ability to do this, but as you said choose not to. It is still a problem of O/S makers not securing their products, and if that can be fixed that will eliminate the problem at its source. I agree with saying that providers should do more to stop these kinds of attacks on their networks. They claim protection against most other kinds of attack, why not these?

[ Parent ]
ISPs leave the default settings (none / 2) (#50)
by simul on Wed Feb 04, 2004 at 06:31:24 PM EST

When Verizon mails you a DSL kit.... it doesn't come with egress filtering and basic firewalling enabled by default.

And they don't even give you the password to it. So it's definitely Verizon's fault, and possibly the router vendor's fault for having bad defaults.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

egress filtering is not done on end-user equipment (none / 2) (#54)
by The Turd Report on Wed Feb 04, 2004 at 07:26:25 PM EST

ISPs that do egress filtering do it on their connections to their upstream. Plus, using a router as a firewall isn't a good idea.

[ Parent ]
errrr? (none / 1) (#59)
by 0x29a on Wed Feb 04, 2004 at 07:42:48 PM EST

I know that it would be more beneficial to have a full firewall that can support complex stateful inspection, rather than a simple network layer based ACL at the route point.

But, since we are talking end-user it is really just a simple matter of select packets out / no packets in (stateful return packets only).

Maybe I am missing your point, but an ACL at the route point can do that pretty well for the end-user. No need for complex firewalls.

[ Parent ]
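The rule 0x29a sketches above ("select packets out / no packets in (stateful return packets only)") is easy to state and easy to get wrong, so here is an added example of it as a toy connection tracker. This is illustrative code written for this page, not anything posted in the thread or shipped by any router vendor; the LAN prefix, addresses and port numbers are constructed, and the 5-tuple state table stands in for what a real customer-edge router's conntrack would keep.

```python
"""Toy stateful end-user ACL: packets out, stateful return packets in.

Constructed example, not code from the thread. A tiny connection tracker
models the rule a customer-edge router can apply: anything the LAN initiates
goes out (after a source-address sanity check), and the only traffic let back
in is the reverse direction of a flow the LAN itself started.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str      # "tcp" or "udp"
    direction: str  # "out": LAN -> Internet, "in": Internet -> LAN


class StatefulAcl:
    def __init__(self, lan_prefix: str):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.flows: Set[FlowKey] = set()   # flows the LAN has initiated

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            # Egress sanity check: only addresses from our own LAN may leave.
            if ipaddress.ip_address(p.src) not in self.lan:
                return "drop-spoofed-source"
            self.flows.add(self._key(p))
            return "accept-outbound"
        # Inbound: accepted only as the return half of a LAN-initiated flow.
        if self._reverse(p) in self.flows:
            return "accept-established"
        return "drop-unsolicited"


# Constructed traffic for a home LAN of 192.168.1.0/24; outside hosts use
# RFC 5737 documentation ranges.
SAMPLE = [
    Packet("192.168.1.10", "192.0.2.10", 40000, 80, "tcp", "out"),   # web request
    Packet("192.0.2.10", "192.168.1.10", 80, 40000, "tcp", "in"),    # its reply
    Packet("198.51.100.3", "192.168.1.10", 4444, 135, "tcp", "in"),  # unsolicited probe
    Packet("192.0.2.10", "192.168.1.10", 80, 40001, "tcp", "in"),    # wrong port: no state
    Packet("203.0.113.7", "192.0.2.10", 1234, 80, "udp", "out"),     # spoofed source leaving
]


def run_sample(lan_prefix: str = "192.168.1.0/24") -> List[str]:
    """Feed the constructed packets through a fresh ACL and return verdicts."""
    acl = StatefulAcl(lan_prefix)
    return [acl.decide(p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f" {pkt.proto}  {verdict}")
```

What the toy leaves out is exactly what makes real conntrack heavier than a plain ACL: TCP state transitions, per-flow timeouts, UDP pseudo-state and ICMP errors related to an existing flow. The Turd Report's point in the reply below about CPU load comes from that bookkeeping, not from the per-packet lookup itself.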

ACLs == Increased CPU Load (none / 1) (#60)
by The Turd Report on Wed Feb 04, 2004 at 07:45:51 PM EST

blocking spoofed traffic is better/easier at the upstream anyway.

[ Parent ]
smarter at the end user (none / 0) (#162)
by simul on Fri Feb 06, 2004 at 10:50:18 PM EST

End-user routers are typically overspecced anyway for DSL traffic, and end users don't have the password for them. RPF filtering (symmetric) would work fine on them .... it's not like my dad needs to do asymmetric routing from his living room. If he did.. he'd be better off with a Linux box running ZEBRA.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
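The article equates egress filtering with RPF, Znork's comment (#42) states the rule as "stop passing packets originating within their networks with source addresses outside their networks", and simul's reply just above argues that symmetric RPF is enough on an end-user DSL router. The following added example shows what that check actually computes; it is written for this page and is not code from the thread, from Cisco or from any ISP. The routing table, interface names ("dsl0", "dsl1", "uplink0") and sample packets are constructed, and the "dsl" prefix convention for customer-facing interfaces is an assumption of the example. It implements strict-mode unicast RPF: a packet is forwarded only if the best route back to its source address exits through the interface it arrived on, which on a single-homed customer port is the egress filter the thread is asking for. The uplink is deliberately exempt, since strict RPF there would discard legitimate asymmetric traffic.

```python
"""Strict reverse-path-forwarding (uRPF) check on customer-facing interfaces.

Constructed example: a toy router holds a static routing table and, for each
packet arriving on a customer (DSL) interface, asks whether the best route
back to the packet's source address leaves through that same interface. If
not, the source is not one this customer legitimately holds, and the packet
is dropped here rather than forwarded upstream to flood someone else.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Hypothetical routing table (prefix -> egress interface), built from RFC 5737
# documentation ranges. A real router would consult its forwarding table.
ROUTES: List[Route] = [
    (ipaddress.ip_network("198.51.100.0/24"), "dsl0"),   # customer pool A
    (ipaddress.ip_network("203.0.113.0/26"), "dsl1"),    # customer pool B
    (ipaddress.ip_network("0.0.0.0/0"), "uplink0"),      # default route
]


def lookup_egress(addr: str, routes: List[Route] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_rpf_allows(src: str, in_iface: str,
                      routes: List[Route] = ROUTES) -> bool:
    """Strict uRPF: accept only if the route back to src exits via in_iface.

    This is the symmetric-routing assumption the thread relies on: a DSL
    customer's traffic must carry a source from the prefix routed down that
    DSL line.
    """
    return lookup_egress(src, routes) == in_iface


def filter_customer_traffic(packets: List[Dict[str, str]],
                            routes: List[Route] = ROUTES):
    """Split packets into (forwarded, dropped).

    Only customer-facing interfaces (names starting with "dsl" in this
    example) are checked. The uplink is exempt on purpose: strict RPF on a
    multi-homed upstream link would discard legitimate asymmetric traffic.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        on_customer_port = pkt["in_iface"].startswith("dsl")
        if on_customer_port and not strict_rpf_allows(pkt["src"], pkt["in_iface"], routes):
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic. 192.0.2.0/24 stands in for a victim elsewhere.
SAMPLE_PACKETS: List[Dict[str, str]] = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "in_iface": "dsl0"},    # legitimate
    {"src": "192.0.2.99", "dst": "192.0.2.10", "in_iface": "dsl0"},      # spoofed source
    {"src": "203.0.113.5", "dst": "192.0.2.10", "in_iface": "dsl0"},     # other customer's address
    {"src": "203.0.113.5", "dst": "192.0.2.10", "in_iface": "dsl1"},     # legitimate
    {"src": "192.0.2.1", "dst": "198.51.100.7", "in_iface": "uplink0"},  # inbound, not checked
]

if __name__ == "__main__":
    fwd, drop = filter_customer_traffic(SAMPLE_PACKETS)
    for p in drop:
        print(f"DROP {p['in_iface']:8} src={p['src']}"
              f"  (route back is via {lookup_egress(p['src'])})")
    for p in fwd:
        print(f"FWD  {p['in_iface']:8} src={p['src']}")
```

The second and third sample packets are the ones the thread cares about: one carries a source outside the ISP entirely, the other carries a neighbouring customer's address. Both fail the reverse-path test and never reach the uplink, so the victim's bandwidth bill is never incurred and the attack is attributable to the port it came in on. Note that this only works because the customer port is single-homed; the same check on the upstream interface needs loose mode (source merely present in the table) or it breaks legitimate traffic.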
Question (1.28 / 7) (#43)
by CaptainSuperBoy on Wed Feb 04, 2004 at 05:52:39 PM EST

How in the world could Microsoft stop e-mail trojans from propagating? Nothing they do requires administrative access to the machine. They don't exploit any specific security holes in Windows.

Also, do you work for SCO?

--
jimmysquid.com - I take pictures.

What? (2.83 / 6) (#48)
by simul on Wed Feb 04, 2004 at 06:26:59 PM EST

Attachments should be run with "guest" or "anonymous" or "chrooted" access by default.

An email trojan roots through your address books, installs itself on your hard drive with execute permissions, typically accesses the registry, then emails itself out to others.

That's a lot of "default" access to hand out to executable attachments.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Again (2.66 / 6) (#53)
by CaptainSuperBoy on Wed Feb 04, 2004 at 07:06:59 PM EST

In any modern operating system, any program you run, runs as you by default. So it has access to your address book, can save itself to the hard drive, and can add itself to your startup. Of course it can access the Internet.

I hate to bring up the Linux thing, but it's exactly the same in Linux. Any program you run can look through all files in your home dir including your address book (chroot or not), save itself in your home dir, and add itself to your login script. The only thing preventing a worm of this scale on Linux is that Linux desktops aren't at critical mass yet.

And don't tell me OE makes it too easy to run executables. Users have to completely IGNORE a big fucking warning before they save or run any attachment. We're not talking about buffer overflows in the preview pane, which were inexcusable. This problem doesn't belong to Microsoft, it belongs to administrators who allow their networks and users to abuse the Internet.

One solution I see is to not allow users to run their own executables, at all. This is totally feasible today, and more admins should do this. Most users have no need to install software. Another solution is to implement firewalls, either centrally or on each PC. Windows XP SP2 will have a firewall that alerts the user (and hopefully an admin) if a program tries to make an unauthorized connection.

None of what the worm does is traditionally considered privileged activity, in either OS circle. Not even the DDOS - it's just a simple fetch of SCO's, or whoever's, webpage.

--
jimmysquid.com - I take pictures.
[ Parent ]

Executable content (none / 2) (#70)
by swr on Thu Feb 05, 2004 at 12:51:24 AM EST

I'll agree about the OS not being responsible for email viruses. The OS could provide a sandbox for running untrusted executables, but that can and is handled just fine at the app level with things like Javascript, Flash, Java, and (I think) the .NET runtime.

I disagree about Outlook though. Users are conditioned to click in agreement to whatever dialogs pop up. I think most users, when they don't hit OK, and it doesn't run the executable, they just assume they were supposed to hit OK and go back and do just that.

Most other MUAs will completely refuse to execute. You have to save it to disk (the only option) and then find where you saved it and run it manually.

Running untrusted executables should be a pain in the ass, actively user-hostile, to discourage people from doing it. Really, there are better ways to receive executable content, for example a trusted repository like Windows Update (though preferably something that would work with more than just one vendor's software; Debian's apt-get for example).



[ Parent ]
IAWTP (none / 1) (#85)
by CaptainSuperBoy on Thu Feb 05, 2004 at 09:32:15 AM EST

I agree with you, we can't trust users to listen to Outlook. But we also can't fault Microsoft - what should they do next, make it two dialog boxes in a row? Three? Big flashing lights? It's easy to disguise an exe in a zip file, so we can't just say "don't allow exe's in the mail."

What we need is trusted computing. I hate that there are all these privacy and DRM concerns, because trusted computing is really just about restricting software that isn't trusted by the admin. Which is a good thing.

--
jimmysquid.com - I take pictures.
[ Parent ]

Not what he's meaning (none / 1) (#72)
by ishark on Thu Feb 05, 2004 at 03:15:17 AM EST

In any modern operating system, any program you run, runs as you by default. So it has access to your address book, can save itself to the hard drive, and can add itself to your startup. Of course it can access the Internet.

This is not a requirement when executing an attachment. What I think the poster is suggesting is (for example) that whatever is received is not dumped in one of your directories and run, but placed in a specific sub-tree (part of your tree) and executed chrooted in there, without any access to any part of the system.

Of course it'll still be possible to write something which pops up a window saying "move me outside and run me again", but a solution like this would allow people to exchange "legitimate" executables, and make executing worms much more long and annoying (which means a lot less people will do it).

[ Parent ]

Chroot != Security (none / 1) (#74)
by warrax on Thu Feb 05, 2004 at 04:18:37 AM EST

placed in a specific sub-tree (part of your tree) and executed chrooted in there, without any access to any part of the system.

Chrooting is a very weak form of security. Even if the executable is not allowed any access to the filesystem it can still do lots of evil things, like signal other processes, scan for local (kernel-level or otherwise) exploits, spawn a zombie process with network access, etc.

What you want is to completely isolate the attachment from anything else. But at that point the attachment cannot do anything vaguely interesting, so what's the point of it? There is none.

The solution is simple: DO NOT, EVER, UNDER ANY CIRCUMSTANCES RUN EXECUTABLE ATTACHMENTS. Force the user to save them somewhere manually and run them manually. That will at least alleviate the problem for those idiots who happily click on anything in their inbox and completely ignore any and all warnings that pop up.

-- "Guns don't kill people. I kill people."
[ Parent ]

No it's not (none / 0) (#87)
by ZorbaTHut on Thu Feb 05, 2004 at 09:47:18 AM EST

That's a lousy solution. All that'll do is make someone write software without that limitation, and it'll become more popular than yours.

Removing features that users want is a ghastly idea, especially when you're trying to crack a monopoly. Come on, think about this logically - even on the chance that Linux manages to become the dominant OS, can you really believe that *someone* won't market "Linux For Users" that contains all those features that are a bad idea in terms of security, and a good idea in terms of usability?

And it'll become the standard Linux distribution, too.

[ Parent ]

"Subject" (none / 0) (#141)
by warrax on Fri Feb 06, 2004 at 06:15:57 AM EST

That's a lousy solution. All that'll do is make someone write software without that limitation, and it'll become more popular than yours.

Which distribution do you think companies will install on their desktops? The secure one or the "usable" (and I use the term loosely) one? I think the techies will have a very easy time arguing that secure=good in this case. (Why would employees be running executable attachments in the first place? It's almost certainly not needed for the day-to-day running of the business)

The problem with arguing about these things is that there is no real-life scenario where you can actually test what users (and businesses) want. If they need Windows on your desktop (or Outlook or whatever), then they need Windows. You don't get a choice between a "secure" Windows and a "usable" Windows/Outlook/whatever. If there was such a choice my money would be on companies installing the "secure" version. And for now, I don't think anyone's written an e-mail client for Unix that will run attachments automatically (or even at a click); maybe that says something, maybe it doesn't. It could mean that developers on Unix are conditioned to think that security is more important than "usability". It could also just be a manifestation of the fact that one Unix distribution is not necessarily binary compatible with another Unix distribution. That means that binary executable attachments are basically useless on Unix.

Oh, and a final note: There is no such thing as a "standard" Linux distribution, never will be. People's tastes differ too much for that to ever happen. We have seen some convergence, what with the LSB and some distributions using the same package management systems, but I don't think there will ever be "one" distribution.

-- "Guns don't kill people. I kill people."
[ Parent ]

Random executables ... (none / 2) (#75)
by EphraimT on Thu Feb 05, 2004 at 04:23:00 AM EST

... run as you by default can be cured on a linux box in the time it takes to type "/usr/sbin/deluser dumbass" with no harm to the operating system or other users. What is the command for this operation on a Microsoft based box?

Linux worms to date are almost exclusively buffer overrun exploits rather than social engineering projects as with MS products. Why is this?

Standard linux users can install only a limited range of executable files with very limited access to the file system and "dangerous" commands. Standard Microsoft users are root with every access that entails. Is this the user's fault? Should the user be punished because the system is insecure by design?

There are important differences between MS and linux based systems. Many are technical, but the really important ones are philosophical.

[ Parent ]
For the last time (none / 2) (#79)
by CaptainSuperBoy on Thu Feb 05, 2004 at 08:45:08 AM EST

Standard MS users are NOT root, at least in a corporate setting. And these worms don't even REQUIRE root. Not one of you zealots can explain to me how "the system is insecure by design," because it works exactly the same as Linux.

--
jimmysquid.com - I take pictures.
[ Parent ]
not quite true (none / 1) (#91)
by werner on Thu Feb 05, 2004 at 10:52:25 AM EST

it works exactly the same as Linux

No it doesn't. You can't just click on an attachment in Linux and run it. You have to save it, you have to set the executable bit, then you can run it. That's a real, conscious effort. Windows requires a slip of the finger. At any rate, doesn't the fact almost all viruses spread through Windows users clicking "Run" suggest that MS should do something about it, regardless of how other operating systems behave?

You are quite right to say that corporate Windows users are not normally administrators, but home users are. Still, I think this is a moot point: who gives a toss about the operating system? It only takes at most a few hours to repair. I think most users would be much more distraught to lose the contents of ~/ or wherever they saved their stuff on Windows.

I'm not sure that Windows is "insecure by design", but you cannot argue that the design of Windows, coupled with their abominable track record for programming errors and some pretty stupid default settings makes for an eminently exploitable platform.

[ Parent ]

Linux (none / 0) (#96)
by CaptainSuperBoy on Thu Feb 05, 2004 at 11:50:48 AM EST

I'll admit to not being familiar with the latest and greatest on Linux. The Linux fans here don't seem to want to admit that they're behind the times on Windows, but that doesn't really matter.

First let's control for the fact that a Linux user will be MUCH more proficient than a Windows user, and less likely to run a worm. This is because of Windows' desktop dominance. I'm assuming Evolution or Mozilla or whatever, gives you a pretty interface to save an attachment. Then the user goes in with KDE, which I know opens TGZ files natively, extracts the binary, and double clicks to run it. I believe tar preserves the executable bit.

In Outlook for Windows, you'd double click on the attachment (a zip file), then Outlook shows a dialog box with a pretty explicit safety warning. You'd click open, which brings up the contents of the zip in a window. Then you'd double click on the exe.

I say Windows makes it a little bit easier, but not by much. It's certainly not a "slip of the finger." You're right that root is a moot point - none of what we did requires admin, and the machine is easy to fix up.

--
jimmysquid.com - I take pictures.
[ Parent ]

Windows makes it easier ... (none / 0) (#127)
by EphraimT on Thu Feb 05, 2004 at 11:59:24 PM EST

... by a bunch. Too easy, least common denominator easy. You need know absolutely nothing about the tool you are using other than what sends and receives email, where to find the web browser, how to type, and how to point and click. This has been a huge selling point for MS machines for the last 10 years.

Thought is not a requisite part of the process with a MS box. This is in large part the problem. This isn't the user's problem so much as it is Microsoft's. It was Bill Gates & Co. who foisted badly broken software with a corrupt concept of the average person's intelligence onto the world to make a buck ... and another buck ... and another ... and another ...

Now Microsoft is pointing to script kiddies and crackers and mafia worm writers and blaming them for all the ills of the internet ... ills which their corporate greed and poorly thought out values made not only possible, but inevitable.

Nope, I'm quite happy with my dual boot laptop. I have XP Pro for the portion of the world that knows no better and linux (SuSE Pro 9.x) for everything else. YMMV

[ Parent ]
Look (none / 0) (#129)
by CaptainSuperBoy on Fri Feb 06, 2004 at 12:13:41 AM EST

I don't like to be mean, but sometimes it's called for. You're a crazy-ass zealot. You just told me, possibly with a straight face, that we should make our operating systems HARDER to use. So that users have a harder time using them, and possibly that will cause some of them to give up before they figure out how to run the virus.

This is the dumbest thing I've heard all day, and I sat through an entire Accounting I lecture today.

--
jimmysquid.com - I take pictures.
[ Parent ]

that seems to be their entire argument (none / 0) (#151)
by no carrier on Fri Feb 06, 2004 at 11:00:53 AM EST

as far as I can tell, all linux zealots think that by making it difficult to use something it will prevent idiots from hurting themselves.

I don't get this either. I mean if someone is using linux and they receive email attachments that they need for work, something like really_important_account.exe, then they will need to figure out how to actually execute the file. Now, the next day when they receive nude_pics_ofyour_mom.exe they will do the same thing and execute it. It makes no difference how many hoops you make them jump through. If a user wants to run something they will. Now, in a corporate setting you can prevent much of this, but it will make for some pretty useless home systems if users can't execute programs.

The next argument is that linux is more secure because of user permissions. But what happens when a linux virus says you have to be root to execute it. Well, most admins aren't gonna be that stupid. But we're not talking about experienced admins. We're talking about Joe Random on his home system. All he's gotta know is how to use 'su' and it's game over.

bottom line is, computers are made to be used. If you can use one, you can screw it up.

And just so you know I'm not biased. I have two machines on my desk, one running Win2k and the other running RedHat 9 (well, technically my laptop is here too, it is currently running Debian).


I stab people.
[ Parent ]
pay attention (none / 0) (#188)
by werner on Sun Feb 08, 2004 at 01:43:47 PM EST

we should make our operating systems HARDER to use

That's not what he said, is it? He said MS makes it too easy to execute attachments, which seems to be a fair comment when you consider the trouble email-borne viruses have caused in recent years.

You seem to be seeing Linux zealots everywhere. Or you just aren't paying close enough attention, which as everyone seems to agree, is why there is such a problem with viruses.

[ Parent ]

Fair comment (none / 0) (#190)
by CaptainSuperBoy on Sun Feb 08, 2004 at 06:24:25 PM EST

There's a flaw in your logic there, you can't just look at the volume of e-mail viruses and conclude that "MS makes it too easy to execute attachments." What I say is, the fact that people use computers is the cause of e-mail viruses. After all, if nobody used computers there'd be no viruses. You see? Causes and effects aren't simple, and my cause is at least as valid as yours.

I am paying attention, and all I see are people who are unable to come up with workable solutions, but they're completely sure that "It just has to be Microsoft's fault, somehow!"

--
jimmysquid.com - I take pictures.
[ Parent ]

random insults (none / 0) (#187)
by werner on Sun Feb 08, 2004 at 01:35:32 PM EST

The Linux fans here don't seem to want to admit that they're behind the times on Windows

Care to back this one up?

[ Parent ]

Sure (none / 0) (#191)
by CaptainSuperBoy on Sun Feb 08, 2004 at 06:29:43 PM EST

You said: "Windows requires a slip of the finger"

As I mentioned, this just isn't true.

--
jimmysquid.com - I take pictures.
[ Parent ]

there's a dialog (none / 0) (#205)
by werner on Sat Feb 14, 2004 at 06:46:59 AM EST

and you click on it. Never clicked the wrong button on a dialog by accident? I know I have.

[ Parent ]
Yes, yes, yes - link attached (none / 0) (#128)
by EphraimT on Fri Feb 06, 2004 at 12:08:11 AM EST

Spot on to the subject we are discussing -

http://www.eweek.com/article2/0,4149,1505008,00.asp

[ Parent ]
Link (none / 0) (#131)
by CaptainSuperBoy on Fri Feb 06, 2004 at 12:15:23 AM EST

Your superior operating system sure makes it easy for you to post a link in a comment on the web. Because that can be very tricky if you don't have the right tool for the job.

--
jimmysquid.com - I take pictures.
[ Parent ]
WTF, over? (none / 0) (#134)
by EphraimT on Fri Feb 06, 2004 at 12:34:11 AM EST

???

[ Parent ]
The system is insecure by design because ... (none / 1) (#125)
by EphraimT on Thu Feb 05, 2004 at 11:45:33 PM EST

... there are millions and millions of users out there who are not in corporate settings. These people run their machines solo user as root.

Microsoft makes no distinctions as to who buys their computers or for why - they just sell stuff to make as much money as possible from the greatest mass of sources possible. Thus, the system has to be open to all users at all levels of skill. Thus the default - MS systems are set up from the factory at the least common denominator level of skill. And there they usually stay unless some fascist autocrat from IT gets involved. Linux systems are generally, but not always, set up just the reverse ... the user account is totally restricted until he/she learns to loosen things up.

[ Parent ]
As you just pointed out, (none / 1) (#133)
by CaptainSuperBoy on Fri Feb 06, 2004 at 12:23:24 AM EST

It's not Microsoft's fault. Thanks for agreeing with me.

--
jimmysquid.com - I take pictures.
[ Parent ]
Hahahahahahahahahaha ... (none / 2) (#135)
by EphraimT on Fri Feb 06, 2004 at 12:38:47 AM EST

... hahahahahahahahahahahahaha ... Bill? Bill Gates? Is that really you Bill, or is it Darl McBride masquerading as Bill Gates? nah, can't be. Must be some sort of flame baiter or maybe a really ugly troll.

[ Parent ]
OK (none / 2) (#144)
by CaptainSuperBoy on Fri Feb 06, 2004 at 08:53:01 AM EST

I'm not getting into an OS pissing contest with an obvious child. Go back to Slashdot - scratch that, go back to OSNews.

--
jimmysquid.com - I take pictures.
[ Parent ]
Ooooooo ... I'm so hurt (none / 1) (#183)
by EphraimT on Sat Feb 07, 2004 at 11:19:19 PM EST

Your last comment pretty much defines you as the child. However, charity demands that you be forgiven. Its obvious that you're either an idiot or a troll, but I repeat myself.

[ Parent ]
A lot of the security issues with Windows... (none / 1) (#130)
by skyknight on Fri Feb 06, 2004 at 12:14:56 AM EST

are not directly the fault of MS, so much as the fault of the Windows development community. This is the result of the fact that a great many applications are stupid about where they write out to disk, and thus have to be run as Administrator to function properly. As such, most home users, myself included, are de facto compelled to run as Administrator all the time.

For example, when I play Half-Life and download the server list from WON, the damn thing tries to write the server list to a file in C:/Program Files/Halflife, which absolutely will not work if I'm not running as Administrator. If the program were smart, it would write the list out to the appropriate Documents And Settings directory, but it doesn't and so I am forced to run as Administrator. Unix programs, on the other hand, are almost invariably written with the understanding that you're working with a multi-user system. Windows woes are largely the result of the Win9x mentality getting ported to Win2k/XP. Win2k and XP could be much more secure, if it weren't for all the broken software that people need to run on them.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Agree (none / 1) (#132)
by CaptainSuperBoy on Fri Feb 06, 2004 at 12:20:51 AM EST

You're right about that. It's just a part of the development culture that's been there since DOS. I don't think Microsoft can be blamed at all for that one, after all the concepts of HKEY_CURRENT_USER and the user profile have been around for over 10 years. It wasn't until Terminal Server Edition that this concept really sunk in. Luckily Windows Logo program members must adhere to these design guidelines.

--
jimmysquid.com - I take pictures.
[ Parent ]
Corporate users aren't standard (none / 1) (#163)
by simul on Fri Feb 06, 2004 at 10:53:12 PM EST

MyDoom spreads from the kids bedroom to the living room with nary a corporate sysadmin in sight.

Linux desktop O/S's all ship with default access as "user". You type your root password in every time you pop open a control panel or install software.... without having to log out and log in again.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Reminder (none / 0) (#192)
by CaptainSuperBoy on Sun Feb 08, 2004 at 06:30:55 PM EST

You have yet to explain how this worm would require root on a Linux machine.

--
jimmysquid.com - I take pictures.
[ Parent ]
The worm doesn't work on Linux (none / 0) (#195)
by simul on Mon Feb 09, 2004 at 02:55:32 PM EST

Mail readers on Linux don't execute scripts, and even if you run an attachment, they run attachments in chroot jails and with alternate users, etc. by default. Also, users in linux typically log on as a "user" and not as an "admin"

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Eh? (none / 2) (#86)
by ZorbaTHut on Thu Feb 05, 2004 at 09:44:09 AM EST

"Standard linux users can install only a limited range of executable files . . ."

Really? I thought they could install arbitrary code in their own directories. Of course they can't access the file system as root, but they can do quite a bit of damage otherwise. For example, it's pretty trivial to - as mentioned - browse the user's address book and spam users. Or, alternatively, just spam users to begin with. Or, alternatively, start DDoS'ing sites - I don't know if it's possible to spoof addresses, but it's certainly possible to scan for open exploits and use those.

At school I had to deal with an insane admin who decided to remove just about every useful program from the Linux box, or otherwise lock it off so users couldn't use it. One by one I redownloaded them and used local copies. Worked fine. Admin never figured out what I was doing, either.

I thought one of the strengths of Linux was that you could do just about anything as user, but you couldn't do anything to damage the system or other people's files on your system directly?

[ Parent ]

that's spot on (none / 1) (#92)
by werner on Thu Feb 05, 2004 at 10:59:17 AM EST

You can install just about ANYTHING you want under your home directory. Apart from binding to privileged ports, maybe mounting drives and tinkering with the rest of the system, I can't think of much you would want to do that you can't do as a user.

If there's no compiler already on the system, that might slow you down a bit, but not much.

[ Parent ]

Aargh. (none / 1) (#97)
by abracadada on Thu Feb 05, 2004 at 12:22:53 PM EST

You asked what Microsoft could do to prevent email-based worms. The reply suggested that email attachments should run under a restricted user account.  You replied that they don't.  This is not an argument.

Ideally, each user on the system would be assigned their own TMP directory (you should already be doing this) and a "companion" account (say, with a naming convention like username-sandbox).  This second account might have a restricted shell, something like /bin/rbash.  It would not be allowed to change directories or read files belonging to the user.

Software such as browsers or email clients would use this secondary account by default for running programs (things from Web pages or attachments).

I think that if this and easy to use PGP software were implemented and effectively marketed, it would go a long way towards improving the current state of email.
WMBC online freeform/independent radio.
[ Parent ]

I said what? (none / 1) (#98)
by CaptainSuperBoy on Thu Feb 05, 2004 at 12:35:43 PM EST

What part of "One solution I see is to not allow users to run their own executables, at all" did you not understand? As I said, "guest" or "chroot" accounts can still read files and connect to the Internet.

Problems with your solution include: It's hard to detect if a user is receiving an executable or something else. MyDoom spreads in a zip file. It's inconsistent to treat executables through e-mail in one way, and executables through, say, kazaa, in another way.

I also wonder how useful this hypothetical attached exe is if it can't read your files or connect to the internet.

Also - easy to use PGP software? Try, every version of Outlook for the past several years has included good public key cryptography. Approximate number of people using it: Zero. Trusted e-mail is a good thing, but it's not here yet.

--
jimmysquid.com - I take pictures.
[ Parent ]

Hmm (none / 1) (#153)
by abracadada on Fri Feb 06, 2004 at 11:34:44 AM EST

It is possible that you and I have differing concepts of "good", "easy", and "several".  Additionally, I did specify that it would have to be better marketed (whether commercial or not).  There's great pop-up blocking software for Windows too, which most people want.  But they don't know about it.

Since everyone's so gung-ho about Windows having high-level standard interfaces, it should add a standard interface for "remotely received files".  These could go into a special type of directory which would act as a sandbox where things could be safely run (at least, more safely than usual.)  The OS would attempt to warn the user if suspicious behaviour were observed, and any files deemed to be "safe" could be moved wherever the user really wanted them to go.

In a business setting, of course, you would have a virus gateway intelligent enough to open archive formats and inspect them.  I've looked at several with that feature.  You would also probably disallow attached executables altogether.
WMBC online freeform/independent radio.
[ Parent ]

more visible under linux (none / 1) (#166)
by cronian on Sat Feb 07, 2004 at 03:58:29 AM EST

Under linux the software is generally only installed by root. So, the only way for the worm to keep alive would be to place itself in the home directory, and in the user script or user cron job. However, it would probably be more visible than under windows, since there are fewer trivial uses for these things. However, linux users don't generally execute anything they receive via email. Windows users usually shouldn't either, except that outlook makes it confusing. Outlook should not allow executing stuff.

We perfect it; Congress kills it; They make it; We Import it; It must be anti-Americanism
[ Parent ]
Tough to do (none / 0) (#193)
by CaptainSuperBoy on Sun Feb 08, 2004 at 06:33:05 PM EST

It's easy to disguise an exe in a zip file, so we can't just say "don't allow exe's in the mail."

The solution is more radical, don't allow users to install any unsigned EXE's.

--
jimmysquid.com - I take pictures.
[ Parent ]

Just Make It Harder (none / 0) (#194)
by cronian on Mon Feb 09, 2004 at 06:32:18 AM EST

Force the user to type a confirmation with a long warning. The user then must type "I understand the risks and still want to execute," and enter a password, if it isn't signed. People will click real easily, but if they actually have to type they will get lazy, and be much less likely to open it.

We perfect it; Congress kills it; They make it; We Import it; It must be anti-Americanism
[ Parent ]
Hey (2.75 / 3) (#63)
by CaptainSuperBoy on Wed Feb 04, 2004 at 10:07:48 PM EST

I knew I explained this MyDoom mess before. Turns out, I told you. If you ask me, the FBI shouldn't listen to what you have to say. After all, you're very good at ignoring what people say to you.

--
jimmysquid.com - I take pictures.
[ Parent ]
Simple. (none / 3) (#71)
by Znork on Thu Feb 05, 2004 at 03:04:36 AM EST

Don't allow clicking on attachments to open them. Only allow save-attachment-as and force the user to open it in the appropriate program. Click-to-read attachments is a horrible misfeature, largely responsible for trojans being a problem at all.

[ Parent ]
Appropriate program (none / 2) (#84)
by CaptainSuperBoy on Thu Feb 05, 2004 at 09:28:01 AM EST

MyDoom distributes itself as a zip file, and you can stuff anything in a zip file. I think if it looks like an important attachment, users will go to the trouble of saving it and then opening it. What you suggest is a good first step, but what we really need is for corporate admins to not allow end-users to install software. And home users should have outgoing port 25 blocked, and virus filtering by their ISP.

--
jimmysquid.com - I take pictures.
[ Parent ]
Zip files... (none / 1) (#102)
by Znork on Thu Feb 05, 2004 at 01:37:28 PM EST

Still, zip files are another non-executable format. Or should be. It should not be allowed to execute by default.

I don't think it's necessary to forbid end user installation to solve the trojan mail virus problem really. It merely needs to be impossible to execute content by mistake. Anything coming from an untrusted source like a webpage or a mail should require you to explicitly set execute permissions on the file before it's possible to execute it.

Most end users are smart enough not to run such content if they realize they are about to actually execute a file rather than open it. And the ones who aren't smart enough to avoid that probably won't be setting the file to be executable anyway.

These trojans are so effective simply because they trick people into running things by mistake, a point that is made pretty clear by the spread of MyDoom.

Sure, we'd still get a few thousand people who run it anyway, but that wouldn't be a real problem.

[ Parent ]

Well... (3.00 / 5) (#47)
by Apuleius on Wed Feb 04, 2004 at 06:18:28 PM EST

While the lack of egress filtering is the best way to stop DDOSen, it's not the FBI's department, because at most it's negligence, a matter for the civil courts, or communications policy, a matter for Congress and the FCC. If the FBI wants to find the guy who aimed his zombies at you, that may or may not be a wise use of an agent's time, but I don't see any reason for you not to chat with him.


There is a time and a place for everything, and it's called college. (The South Park chef)
Inter-state commerce... (none / 0) (#114)
by skyknight on Thu Feb 05, 2004 at 06:04:55 PM EST

when interpreted broadly enough, is a catch-all term for pretty much everything under the sun.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Yes, but... (none / 0) (#159)
by Apuleius on Fri Feb 06, 2004 at 08:21:02 PM EST

That makes it a Federal matter, but not necessarily a Federal criminal matter.


There is a time and a place for everything, and it's called college. (The South Park chef)
[ Parent ]
DDOS bypasses egress (2.63 / 11) (#51)
by pyro9 on Wed Feb 04, 2004 at 06:39:00 PM EST

The problem is, a widespread DDOS won't have any problem at all with getting past an egress filter. 1000 hosts sending at 50Kb (in other words, dialup modem speed) will add up to a 50Mb DDOS (In other words, you're screwed).

Ingress filtering OTOH could be helpful.


The future isn't what it used to be
Egress still useful (2.75 / 4) (#69)
by swr on Thu Feb 05, 2004 at 12:19:09 AM EST

1000 hosts can do a lot of harm, but in that case at least the victim only needs to get their upstream provider to block 1,000 IP addresses (or address blocks, if the zombies are spoofing within their allowed range). If the addresses can be arbitrarily spoofed, the victim would have to block all four billion or so IP addresses, which would be equivalent to a self-inflicted DoS.

Egress filtering would also make it easier (read: possible) to contact the numerous ISPs where the zombies are located to have them shut the zombies down. A lot of work, but it would leave the attacker with fewer zombies for future attacks.



[ Parent ]
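The two comments above argue about what an egress filter at the zombie's ISP actually buys the victim: it does not reduce the volume, but it makes the source addresses truthful, so the victim's upstream can block a finite list instead of the whole address space. The following is an added example, not code from the original thread: a strict reverse-path check of the kind an access ISP applies on customer-facing interfaces. The topology (three customer interfaces, the prefixes behind them, the victim address and the packet sample) is constructed for the example.

```python
"""Strict-mode reverse-path (egress) filtering at a customer edge.

Constructed example: an access router with three customer-facing
interfaces, each with one prefix routed behind it. A packet arriving on an
interface whose source address is not routed back out that same interface
is spoofed or misrouted and is dropped at the edge, so the victim never
sees the forged source.
"""
import ipaddress

# Constructed routing table: prefix -> interface that prefix lives behind.
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "cust-a",
    ipaddress.ip_network("203.0.113.0/25"): "cust-b",
    ipaddress.ip_network("203.0.113.128/25"): "cust-c",
}


def reverse_path_interface(src):
    """Longest-prefix match of the source address against ROUTES;
    None if no route covers it."""
    best = None
    for prefix, ifname in ROUTES.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def strict_urpf_permit(src_ip, ingress_if):
    """Strict reverse-path check: permit only if the best route back to the
    source points out the interface the packet arrived on."""
    return reverse_path_interface(ipaddress.ip_address(src_ip)) == ingress_if


def filter_flood(packets):
    """Apply the check to (src_ip, ingress_if, dst_ip) tuples.
    Returns (permitted, dropped)."""
    permitted, dropped = [], []
    for src, ifname, dst in packets:
        bucket = permitted if strict_urpf_permit(src, ifname) else dropped
        bucket.append((src, ifname, dst))
    return permitted, dropped


def distinct_sources(packets):
    """How many source addresses the victim's upstream would have to block."""
    return len({p[0] for p in packets})


# Constructed flood toward one victim: some zombies use their real
# addresses, others forge sources (including a neighbour's range and the
# victim's own address).
VICTIM = "192.0.2.10"
SAMPLE_FLOOD = [
    ("198.51.100.7", "cust-a", VICTIM),    # real zombie address, passes
    ("198.51.100.9", "cust-a", VICTIM),    # real zombie address, passes
    ("10.44.1.2", "cust-a", VICTIM),       # forged, no route: dropped
    ("172.16.200.3", "cust-a", VICTIM),    # forged, no route: dropped
    ("203.0.113.5", "cust-a", VICTIM),     # forged neighbour range: dropped
    ("203.0.113.5", "cust-b", VICTIM),     # same address from its real port, passes
    ("192.0.2.10", "cust-c", VICTIM),      # forged victim address: dropped
]

if __name__ == "__main__":
    ok, bad = filter_flood(SAMPLE_FLOOD)
    print(f"permitted {len(ok)}, dropped {len(bad)}")
    print(f"sources to block without the filter: {distinct_sources(SAMPLE_FLOOD)}")
    print(f"sources to block with the filter:    {distinct_sources(ok)}")
```

Two practical caveats. Strict mode assumes symmetric routing, which holds at a single-homed customer edge but not in a transit core; there the usual compromise is a loose check (does any route to the source exist at all), which still stops the unroutable forgeries above but not the neighbour-range one. And the filter only changes who the packets appear to come from, not how many arrive: the 1000-host point stands, but after the filter those 1000 addresses are real and can be handed to the upstream or to the zombies' ISPs.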
Agree (none / 0) (#156)
by pyro9 on Fri Feb 06, 2004 at 02:48:08 PM EST

Agreed, egress filtering would at least help.

What's really needed is a way to authenticate as the owner of an IP block with the source ISP so the process of cutting off a DDOS could be automated.

Essentially propagating an ingress filter rule up stream until it becomes an egress filter at the source.

The nice thing about that is that you don't have to play whack-a-mole with small DDOS zombies all over the place (get 1000 killed, 1000 more pop up).

Propagating ingress filtering would also help with the bandwidth bills. With quick detection, you could get a DDOS killed off before the burst affects the 95th percentile. There'd still be some cost, but not nearly as bad as it would be otherwise.


The future isn't what it used to be
[ Parent ]
Pushback (none / 0) (#171)
by dachshund on Sat Feb 07, 2004 at 12:13:00 PM EST

Essentially propagating an ingress filter rule upstream until it becomes an egress filter at the source.

There are schemes that do this sort of thing. It's called "pushback". The problem is in identifying malicious traffic; if you're receiving millions of packets, each with a different spoofed address, how the hell are you going to run this process for each one?

Most pushback schemes resort to handwaving about aggregates and "traffic flows" at this point. Essentially, you need to find something recognizable (ie filterable) about all of the malicious packets, then instruct the upstream routers to block them. Problem is, a clever attacker can work around this.

Egress filtering is probably the only ideal solution all around, as it's relatively inexpensive and makes filtering significantly easier.

[ Parent ]

It depends on the server (none / 0) (#176)
by pyro9 on Sat Feb 07, 2004 at 01:48:12 PM EST

Current routers are much too wimpy to handle it properly. Ideally, you could always push a filter to block all that is (!dport 80 && !dport22) for example to protect your web server and allow users to ssh in but nothing else. Or you could say (!saddr 192.168.2.2). The latter would require decent egress filtering by the ISP, but if they are supporting the pushed rules, they'll likely have that covered already. Once you block all traffic that isn't to a public service, you can then block addresses that are making repeated or nonsense requests (such as SYN floods or repeated GET /).

The big problem with that is that there are already too many routers that will crap out if there is too much route flap, much less dealing with filter tables as well.

A more dedicated ISP could also use the filter rules to look for traffic patterns. For example, is there a single IP that is contacting all of the machines being filtered by someone but not the others (with fuzz to try to avoid red herrings and false negatives). While that would be no silver bullet, it could yield useful results in aggregate.


The future isn't what it used to be
[ Parent ]
Your comment doesn't make any sense... (none / 0) (#116)
by skyknight on Thu Feb 05, 2004 at 06:14:02 PM EST

An egress filter is something that every ISP would be running, and it would completely nip DDoS attacks in the bud, if only all ISPs would run them. It stops source forgery right at the source, because the ISP for the attacking machine never lets the packet leave their network. It doesn't matter how many attackers there are, if they are all getting their phony packets dropped right away by their own ISPs.

Ingress filtering would be basically useless. The only thing that it would accomplish would be to stop flooders from using addresses internal to his network as the forged source addresses, which they almost certainly aren't doing anyway. The purpose of ingress filtering is not to defend against DoS attacks, but to prevent fraudulent claims of a privileged location in the network topology.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Somebody knows what they are (none / 0) (#124)
by simul on Thu Feb 05, 2004 at 11:24:49 PM EST

I think like 9 out of 10 people reading this don't even know what they do.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Your article... (none / 0) (#126)
by skyknight on Thu Feb 05, 2004 at 11:48:06 PM EST

is just littered with attached comments by people who have no idea how the Internet works, and many of these comments got several high comment ratings, further illustrating that most people have little or no comprehension of these issues. I slapped as many people as I could bear, but it got tedious and repetitive pretty quickly. We'll just have to hope that these people aren't the network engineers of the future.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Myself included (none / 0) (#168)
by squigly on Sat Feb 07, 2004 at 05:52:39 AM EST

Although a little internet research tells me that they're filters to remove malevolent upstream packets, and therefore the responsibility of the ISP whose customers are causing the DDOS.

Strange that this got voted to the front page then, and nobody made an editorial comment asking for you to explain.  

[ Parent ]

why not... (2.80 / 10) (#57)
by CAIMLAS on Wed Feb 04, 2004 at 07:38:05 PM EST

If your ISP is responsible for such wanton negligence that drastically impacts your livelihood by $17,000, then I'd recommend one thing:

Sue them. Seriously. People sue for some of the most piddly things. The FBI won't do anything about their negligence, more than likely. Laws will likely not do anything either; you've got to hurt them where they care to get results.

Impact one company, the rest would be sure to follow over time (particularly if you come away with a significant amount of money).
--

Socialism and communism better explained by a psychologist than a political theorist.

It's other people's ISP's (none / 1) (#95)
by John Asscroft on Thu Feb 05, 2004 at 11:33:17 AM EST

And the problem is tracking them down, because the packets are hitting you without a valid return address (i.e., the IP address has been spoofed). Once a packet hits the backbone, it's too late to do egress filtering.

Which points to another issue: egress filtering wouldn't help with the source of most of the attacks, which is Korea and China (or, specifically, fleets of Korean and Chinese "zombies" which are 0wnz3d). It wouldn't help with zombies that don't spoof their source IP either, and most zombies nowadays don't bother spoofing their source IP 'cause what's the point, really? The whole point of a fleet of zombies is that you're stealing their bandwidth, why not steal their IP addresses too?

The only real solution is to end anonymity altogether. Junk IPV4 and IPV6 and go to IPV7, where each packet must be cryptographically signed with a private key registered with the FBI or your country's equivalent via a key escrow agent, or else it just gets dropped at the router. That would also end the nastiness of anonymous criticism of our Great Leader -- we could just revoke the critic's key and voila! Bwah hah ha ha ha!
We must destroy freedom to save it from the terrorists who want to destroy freedom. Else the terrorists have won.
[ Parent ]

How does RPF help? (2.71 / 7) (#58)
by m a r c on Wed Feb 04, 2004 at 07:40:32 PM EST

In your response you commented on how ISPs should implement RPF to stop DDOS attacks. My understanding of RPF is that it will check the source IP address in the IP packet against the routing table. This will ensure that the packet was sent from a valid destination.

My question is how does the ISP know that traffic from a valid IP address is legitimate or DDOS traffic? Certainly if they are doing SYN flooding or the like it would be easy to detect but if they are just doing page lookups then you can't distinguish between a real user and a DDOS.
I got a dog and named him "Stay". Now, I go "Come here, Stay!". After a while, the dog went insane and wouldn't move at all.

One IP that hits your page 10 x / sec? (2.50 / 4) (#64)
by simul on Wed Feb 04, 2004 at 10:17:39 PM EST

DDOS attacks typically use the "distributed" aspect to commandeer enough bandwidth. It's very rare for an attack to mimic a real user's behavior to the point where a smart sysadmin can't block the attack by filtering out IP's.

Attackers learn this, so spoofed attacks are used on sites instead.

Without spoofing, attackers would have to break in to 100's of times as many machines, and write complex scripts that mimic user behavior (cookies, etc.) in order to fool defenses.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

No ... (3.00 / 6) (#65)
by wobblie on Wed Feb 04, 2004 at 10:26:30 PM EST

This will ensure that the packet was sent from a valid destination.

No, it guarantees that the packet was sent from a valid source address.

It's quite simple, and almost no ISP does it. Most DDOS attacks are essentially this:

Attacker (or "zombie") sends traffic with a spoofed source address (the host they wish to attack), with a destination address of some vulnerable host. The vulnerable host responds to the spoofed source address. Multiply by 100,000; you have a DDOS.

If ISP made sure that traffic coming out of their network had valid source addresses (egress filtering), this would be nearly impossible (the host you would want to attack would have to be on your network, which is not the case 99.9% of the time). They simply won't do it.

Rate limiting is another issue. they won't do that either.

[ Parent ]

Yeah, I'm sure the agent appreciated the lecture (2.48 / 29) (#61)
by brettd on Wed Feb 04, 2004 at 09:23:36 PM EST

I hope they don't take my response as antagonistic.

Nah. You only complained to the FBI agent about Microsoft(which is NOT most of the problem- it's lazy customers who don't patch systems; MyDoom is a perfect example, using a 4-year-old vulnerability), ISPs, both yours and the big evil corporate ones.

I think a simple "yes, we'd like to help, what do you need to know?" would have been a lot more to the point, instead of giving the guy a 10 minute speech about How Evil Microsoft Is. Among other things, it's insulting; the agent probably works in their computer crimes unit...and judging from your misunderstanding of how the MyDoom virus spreads- knows more about the problem than you do.

When a problem arises, there are three types of people. Those who do nothing. Those who point the finger and whine. And lastly, the guy who realizes that the other two people in the room aren't doing anything to fix the problem, and gets down to brass tacks.

You, my friend, are whining(I've lost $17k whine whine whine) and complaining(you pretty much blame the FBI for not looking in the right places)- only until the very end, after you'd lectured the guy 5 times over about how evil it is that big networks don't egress-filter...do you then say "f you need any more information, we will provide it as required by law".

Let me translate the last two sentences of your message into Real World Speak. "Our networks are run by these people, so fuck off and bother them. If you need anything from us, you'll need to get a court order even though we're a victim and we should be helping you however possible". I guarantee you're not going to hear from the agent again, because you've been marked as not only hostile, but irrational and incompetent as well. Congratulations, you just shot yourself in the foot. You probably won't be involved in any court action should the perp(s) get arrested, there won't be any evidence your company was part of the attack(no, a bandwidth bill doesn't count, nor do logs you've saved), so there won't be any compensation.

The Man beat you as a child and take your lunch money or something? I know K5 tends to be liberal and all, but this is ridiculous...

MyDoom (2.75 / 4) (#62)
by CaptainSuperBoy on Wed Feb 04, 2004 at 10:00:31 PM EST

MyDoom doesn't use any vulnerability to infect systems, it's just another generic mass-mailing worm.

--
jimmysquid.com - I take pictures.
[ Parent ]
Not sure I agree (none / 1) (#81)
by mcherm on Thu Feb 05, 2004 at 09:06:02 AM EST

I've always thought that designing an email program so that simply "clicking" on an attachment results in executing code without even a reliable way to tell that this will happen, is itself a security vulnerability. Admittedly, it's a feature which was INTENTIONALLY included, but I still consider it a form of vulnerability.

-- Michael Chermside
[ Parent ]
Except (none / 2) (#83)
by CaptainSuperBoy on Thu Feb 05, 2004 at 09:25:32 AM EST

Except that's not what happens. Outlook and Outlook Express have always given pretty explicit warnings before you are allowed to save or execute any attachments. Of course there's a reliable way to tell what will happen, it gives you two choices: save, and open. They do what they say.

--
jimmysquid.com - I take pictures.
[ Parent ]
I find (none / 0) (#149)
by CENGEL3 on Fri Feb 06, 2004 at 10:39:11 AM EST

Almost all of the security problems in Outlook and Outlook Express relate to its support for graphical E-mail.... and the functionality borrowed from that steaming piece of crap that is I.E.

I find that by turning off HTML functionality in Outlook and looking at everything in ASCII only, along with exercising a little common sense about which attachments to open eliminates nearly all vulnerability as far as the e-mail client vector goes.

I'm not really missing too much with the graphical e-mails anyway... the only people who seem to send them are spammers ....and I really don't want to see the pretty pictures in their advertisements anyway.

[ Parent ]

What the fuck's this got to do with liberalism? (none / 1) (#80)
by nebbish on Thu Feb 05, 2004 at 08:59:10 AM EST

Maybe you've got a point, whatever, but I don't see how liberal politics come into it.

---------
Kicking someone in the head is like punching them in the foot - Bruce Lee
[ Parent ]

re:What the fuck's this got to do with liberalism? (none / 1) (#100)
by cymon on Thu Feb 05, 2004 at 12:50:27 PM EST

answer: it doesn't have anything to do with liberalism (of any description)

This is a standard type of throw-away comment from people who either won't or can't think carefully about what they are saying.  It goes like this

  1. Identify a behaviour you don't like
  2. Blame the behaviour on people with politics you don't like .... without bothering to find out if it is indeed even correlated.


[ Parent ]
tendency toward government solution (none / 1) (#106)
by emmons on Thu Feb 05, 2004 at 02:39:22 PM EST

Liberals tend to prefer government action vs. market pressure. In this case, the story's author proposes government regulation to solve a problem that could be largely solved by market pressure. If he were to take his business to a different colo or bandwidth provider that does what he asks for, the problem would be solved. Sure, he may have to pay a bit more for it, but the cost of government regulation wouldn't be any cheaper; just hidden.

The wrench thrown into this is Microsoft's de facto monopoly power and software makers' lack of liability for allowing their systems to be used for DDOS attacks. Changing that would allow the private sector to fix the security problem on the client end, but nobody in the software industry seems interested.

That being said, his comment was a needless cheap shot. Pity; he was doing pretty well up until the "liberal" bit, which will offend many readers and in some minds serve to discredit the rest of what he wrote.

brettd: always remember your audience. You'll never convince anyone of anything if you insult them in the process.

---
In the beginning the universe was created. This has made a lot of people angry and been widely regarded as a bad move.
-Douglas Adams

[ Parent ]

In this case, market regulation is necessary (none / 0) (#177)
by scruffyMark on Sat Feb 07, 2004 at 02:06:08 PM EST

I think you've missed one thing - ISPs putting these filters in place prevents their customers from attacking other ISPs' customers (or at least, it makes it harder for them to get away with it). So, moving to an ISP that uses egress filtering doesn't help you. It only helps you if the bad guys can't find an ISP that doesn't use it. So, it costs an ISP money to apply egress filtering, but it benefits them only if most other ISPs apply it. If everyone does it, you get a better situation for everyone, but any one ISP not applying it saves themselves money by costing everyone else money. Tragedy of the commons, right?

That's where government intervention in the market can start making sense. Note we're not talking about government legislating specific measures. If they did that, (a) the ISPs would put their efforts into finding the most minimal, ineffective way of satisfying the rules, and (b) the next generation of DDoS tools would work around such measures within months, and it would be probably four or five years until regulation caught up.

What we're talking about is changing the balance of financial responsibility in such a way that the free action of the market (which responds to the entire financial environment, including liabilities imposed by law) causes ISPs to seek out and use the most effective available measures. So, you say ISPs are liable for X percent of damages for DoS attacks originating from their networks, where it can be shown that proper diligence would have permitted them to block those attacks (or to have allowed the perps to be caught the first time, if this is a repeat attack). All of a sudden, instead of dragging their feet, ISPs will look for technical solutions, and the market will produce the most effective ones.

Here's an interesting example of this: in Beyond Fear Bruce Schneier refers to security against bank ATM fraud in the US and the UK. In the US, if a customer complains of fraudulent withdrawals on their card, the onus is on the bank to prove there wasn't a fraud. If they can't prove it one way or another, the bank has to refund the customer's money. Result: the banks implemented countermeasures against ATM card fraud, because the fraud cost them money, and the fraud was drastically reduced.

In the UK, the onus is on the customer to prove they're not lying. So, in most cases, if a customer complains of ATM fraud, the (default) conclusion is they're trying to scam the bank, and they'll often get sent to jail for fraud themselves. Therefore it becomes most cost-effective for UK banks to ignore ATM fraud, because they can just charge customers for it, and if they protest, have them thrown in jail. Result: lots of ATM fraud, and customers mostly just silently accept the damages.

Bit of a digression now, but - it seems to me, most people who claim to be against government intervention in the markets, aren't really when you look at it closely. Bankruptcy protection is a perfect example of government interfering in the markets - poof! that debt doesn't exist! - but I think almost everyone thinks it's a good idea, most especially the "free market" fanatics. But if you really want to be consistent about the government staying out of the market, you'd have to be opposed to bankruptcy protection, as just another government interference.

So, if you (or a company in which your pension fund has invested your savings) go deep into debt, then you would stay on the hook for the debt; no state intervention to bail you out. And you (and maybe your children to the n-th generation till the debt is gone) would have to have your wages garnisheed, or, if you're not earning enough, just go into indentured servitude till it's paid off. Of course that's patently ridiculous. Everyone favours state intervention in the market, because in this case a truly free market doesn't favour human well-being, or even the long-term health of the economy as a whole.

[ Parent ]

Yes (none / 0) (#182)
by emmons on Sat Feb 07, 2004 at 10:47:44 PM EST

Thank you for that well thought out reply. I agree with you entirely. I am not a fan of direct government involvement and regulation- it often ends up creating a bigger mess than it sought to fix in the first place. Allowing an industry to be liable for such actions is a much better impetus for improvement. Granted, the amount and scope of the liability must be carefully measured so as to restrict the creation of situations such as today's medical malpractice and personal injury liability messes.

---
In the beginning the universe was created. This has made a lot of people angry and been widely regarded as a bad move.
-Douglas Adams

[ Parent ]
I think you were a little harsh. (2.66 / 9) (#66)
by mindstrm on Wed Feb 04, 2004 at 11:45:30 PM EST

First, you need to realize that it's NOT just 16 year old kids screwing around anymore.

There are fairly organized groups of people, in and outside the US, who are extorting money out of online business, both in and outside the US, and many of them are organisationally related. What might be some 16 year old kids goofing around with one botnet quickly becomes a group of kids hired to DDOS a legitimate business for extortion money.

I'm not saying we should put kids in jail for doing nothing, but at the point where extortion is the name of the game... and it IS rapidly becoming a more serious problem, law enforcement should do something, that's what we pay them for, right?

And in order to do something, they need the cooperation of all those involved... we should all agree that cooperation is better than, say, what law enforcement would really like, carte-blanche access to everything.

ISPs need to cooperate with law enforcement in order to track down and punish those responsible.

When someone threatens a business with a DDOS that is going to cost them $100,000 in REAL money, Microsoft is not to blame, nor are ISPs with no filters.. those who are doing the extortion are.

MS is partly responsible, so are ISPs, so is every computer owner who doesn't give a shit about what their computer does, so are parents who don't care what their kids do... but in the end, it's those actually consciously initiating illegal acts that are responsible for their own actions.

In some cases (none / 2) (#77)
by Golden Hawk on Thu Feb 05, 2004 at 04:49:15 AM EST

Both the software companies "consciously" ignore security flaws in order to push a product out the door, and script-kiddies "consciously" produce a destructive weapon.

Much like the creator of ANY product, there are basic safety standards which must be met.
-- Daniel Benoy
[ Parent ]

Not the same thing. (none / 0) (#88)
by mindstrm on Thu Feb 05, 2004 at 10:20:18 AM EST

Real-world things, like the quality of your gas line installation, or the safety of your vehicle, things that lead directly to injury and death, yes, there are standards that must be met. If someone lights a match in a gas filled room, sure it's the gas company's fault if their installation was not to code (because that's the law already). It's ALSO clearly the direct fault of the guy who said "Cool! A room full of gas! Let me light this match." You can look at many factors that would enable DDOS to be less of a problem, and call it 'blame' if you want... but the person responsible is the person doing it, and nobody else.

[ Parent ]
Laws aren't from another reality (none / 0) (#90)
by Golden Hawk on Thu Feb 05, 2004 at 10:41:39 AM EST

The system is supposed to work in such a way that we decide what's morally wrong, and then we create applicable laws.

(I'm quoting here) "because that's the law already" doesn't seal the question of moral responsibility.

Now, back to the genuine issue, forsaking this shameless sidestep; clearly anyone who intentionally causes problems like lighting a match in the gassy room bears responsibility. However, does not someone who (also intentionally) ignores flaws in software when they have a duty to make quality code bear responsibility too?
-- Daniel Benoy
[ Parent ]

law != morality (none / 0) (#197)
by leftfrog on Tue Feb 10, 2004 at 07:17:39 AM EST

I wouldn't say law and morality are entirely unrelated, but they're certainly not tightly coupled. And, I can't recall ever reading a good argument that they should be tightly coupled.

[ Parent ]
They're related... (none / 0) (#198)
by Golden Hawk on Wed Feb 11, 2004 at 11:41:32 AM EST

Morality is the source of law, and law isn't the source of morality.

Some people believe that it's ones moral duty to obey the law.  This doesn't make sense, because if someone is obeying their moral duty, they're obeying the law anyway in all cases except when the law is immoral.  And if their morality says they should do immoral things if it's a law, how is it morality at all?
-- Daniel Benoy
[ Parent ]

The Flaw in your Statement... (none / 0) (#101)
by virg on Thu Feb 05, 2004 at 01:30:29 PM EST

> You can look at many factors that would enable DDOS to be less of a problem, and call it 'blame" if you want... but the person responsible is the person doing it, and nobody else.

This is the fatal flaw in your argument. You seem to be arguing that there's only enough blame for one entity, when his comment is that it's the fault of all of the perpetrator, the ISP and the company making the software. His comment further puts forward that it's much easier to enforce compliance from the ISP or the OS maker than the perpetrator, and that doing so will minimize the effect the perpetrator can have, and frankly I agree with him. If more end-users held their ISPs to the wall for this sort of thing, it would be much less effective, and much less costly.

If a lockmaker knowingly sold defective locks, and someone used that knowledge to break into my house and steal my stuff, I'd have recourse against both the thief and the lockmaker. I fail to see any difference here.

Virg
"Imagine (it won't be hard) that most people would prefer seeing Carrot Top beaten to death with a bag of walnuts." - Jmzero
[ Parent ]
It is easy. (2.00 / 5) (#67)
by Maljin Jolt on Wed Feb 04, 2004 at 11:48:55 PM EST

Just ask your ISP for a guaranteed bandwidth you will pay for. And with a penalty paid to you if not delivered.


I agree to some extent (2.57 / 7) (#73)
by Golden Hawk on Thu Feb 05, 2004 at 04:01:53 AM EST

If someone lights a match in a gas filled room, is it the fault of the guy who lit the match, or the responsibility of the people who left the gas line unpatched?

It's a tough ethical question, and the answer probably lies 'somewhere in between', but I think no matter who's to blame (or who we want to punish), resorting to government pressure is not the answer.

As in all instances of businesses cutting corners and gouging consumers, we should seek a technical solution, and failing that simply vote with our wallets and take our business elsewhere.

For example, if your ISP charges you for DDoS floods, get one that doesn't. If none of them will accommodate you, find another way to make money.

Your dollars created this whole situation in the first place by patronizing a broken system.  Yes it's nigh impossible to fight against it, but life isn't all roses and candy.  You have to fight for what you want, not just sit around on k5 complaining that the FBI has the wrong attitude.

Some people seek the cheap and lazy way out of 'let's get the government to solve our problems for us.' This is not the right answer. For three reasons.
1) It's not right to trample people's rights to operate their business as they see fit. As long as they remain within the bounds of overt morality (i.e. they don't kill people or steal) they can charge whatever they wish for whatever they wish. It's up to the consumer to decide whether they want it or not.
2) All of this crap causes unnecessary bureaucracy. We'll end up spending way more than $2000 just for the paperwork and enforcement officers required to ensure compliance. And even then it may not work anyway.
3) One of these days, we may be on the other side of this situation, where we are the ones who irritate someone else, and they seek to dominate us through government control. If we go down that slippery slope (as it seems we are) we will spiral into a litigious culture from which there is no escape except the wealth to hire a thousand accountants and lawyers, and where those with power can bend the system to harass innocent people.

Hopefully we can understand that there are no quick fixes in life, and actually make waves ourselves rather than stagnating in a pool of our own complaints.
-- Daniel Benoy

Already There (none / 0) (#123)
by skavookie on Thu Feb 05, 2004 at 10:20:25 PM EST

If we go down that slippery slope (as it seems we are) we will spiral into a litigious culture from which there is no escape except the wealth to hire a thousand accountants and lawyers, and where those with power can bend the system to harass innocent people. Boy am I glad you pointed out that danger before it's too late!

[ Parent ]
Yep (none / 0) (#185)
by Golden Hawk on Sun Feb 08, 2004 at 05:36:02 AM EST

Boy am I glad you pointed out that danger before it's too late!

Heh, I was trying to be satirical :p
-- Daniel Benoy
[ Parent ]

disagree with point #1 (none / 0) (#196)
by leftfrog on Tue Feb 10, 2004 at 07:13:30 AM EST

1) It's not right to trample people's rights to operate their business as they see fit. As long as they remain within the bounds of overt morality (i.e. they don't kill people or steal) they can charge whatever they wish for whatever they wish. It's up to the consumer to decide whether they want it or not.

Broadly, I agree that it's best to find a non-governmental solution. But, there are a lot of problems that aren't easily dealt with via your test of violating standards of overt morality. For example, overfishing particular commercial fish stocks has been a problem resistant to anything short of intense government oversight, and even then has been difficult to conquer.

I think one can argue that DDOS attacks aren't a problem best solved by government, but it's not convincing to argue that no problem short of murder/theft justifies government intervention.

[ Parent ]

RPF is ingress filtering (none / 3) (#82)
by Kebinu on Thu Feb 05, 2004 at 09:15:04 AM EST

RPF checks traffic as it comes into the network edge, not leaving the network. Thus RPF is really ingress filtering. RPF is quite useful because it makes it virtually impossible for addresses to be spoofed, thus it is fairly easy to track and isolate the source of such attacks. There are also many carriers that offer Dynamic blackholing services through BGP peering. If I advertise a route to my upstream carriers with a specific community attribute, my carrier will blackhole the traffic for that IP/Network. While I am in effect denying service to the affected customer, it allows me to preserve my upstream for the rest of our customer base.

Um, no... (none / 0) (#112)
by skyknight on Thu Feb 05, 2004 at 05:51:10 PM EST

RPF is really ingress filtering. RPF is quite useful because it makes it virtually impossible for addresses to be spoofed, thus it is fairly easy to track and isolate the source of such attacks.

Ingress filtering does not unequivocally stop people from spoofing source addresses. It does stop outsiders from spoofing internal network traffic, but it does nothing to stop outsiders from spoofing where outside your network they are located.

Ingress filtering is basically a firewall rule that says simply this: "for any packet coming into my network, drop it if the source address is an address that is internal to my network". This prevents, for example, me from sending IP traffic to amazon.com's database machine, pretending to be amazon.com's web server. It does not prevent me from sending traffic to amazon.com's web server, claiming to be from an RCN address when really my cable modem service is through Comcast. The only (practical) way for me to be stopped from doing the latter is for Comcast to do egress filtering, noting that there is no way that a packet could have an RCN source address on it if it were originating from their network.

How exactly you think ingress filtering makes it "fairly easy to track and isolate the source of such attacks" is beyond me. By the time the packet gets to your network, there is no information associated with it that will tell you from whence it came. The only way you're going to locate the attacker is with mechanisms such as Pushback and Traceback, and this requires the cooperation of upstream routers.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
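The distinction the two comments above argue over (an ingress rule at the victim's edge versus an egress rule at the attacker's ISP), as an added example that is not part of the original thread. It follows one packet from the attacker's network to the victim's edge with the source address (a) genuine, (b) forged as one of the victim's own addresses, (c) forged as an unrelated third network. The prefixes are RFC 5737 documentation ranges chosen for the example; nothing here is a real network.

```python
"""Ingress vs. egress source-address filtering (added example).

Stand-in networks, all RFC 5737 documentation prefixes:
    ATTACKER_ISP  192.0.2.0/24     where the attacker really sits
    VICTIM        198.51.100.0/24  the network being flooded
    (203.0.113.0/24 plays the unrelated third network, "RCN" in the post)
"""
import ipaddress

ATTACKER_ISP = [ipaddress.ip_network("192.0.2.0/24")]
VICTIM = [ipaddress.ip_network("198.51.100.0/24")]


def in_prefixes(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def ingress_ok(src: str, my_prefixes) -> bool:
    """Ingress rule at a network edge: a packet arriving from outside may not
    claim one of *my* addresses as its source."""
    return not in_prefixes(src, my_prefixes)


def egress_ok(src: str, my_prefixes) -> bool:
    """Egress rule at an ISP edge: a packet leaving toward the upstream must
    carry one of the ISP's own addresses as its source. (uRPF generalises
    this by checking the source against the routing table instead of a
    fixed prefix list.)"""
    return in_prefixes(src, my_prefixes)


def trace(src: str, attacker_isp_prefixes, victim_prefixes,
          attacker_isp_does_egress: bool) -> str:
    """Follow one packet from the attacker's ISP to the victim's edge and
    report where, if anywhere, it is dropped."""
    if attacker_isp_does_egress and not egress_ok(src, attacker_isp_prefixes):
        return "dropped: attacker ISP egress filter"
    if not ingress_ok(src, victim_prefixes):
        return "dropped: victim ingress filter"
    return "delivered"


if __name__ == "__main__":
    for src in ("192.0.2.7",        # genuine source
                "198.51.100.10",    # forged: the victim's own address
                "203.0.113.5"):     # forged: an unrelated network
        for egress in (False, True):
            print(f"src={src:<14} attacker-ISP egress={egress!s:<5} -> "
                  f"{trace(src, ATTACKER_ISP, VICTIM, egress)}")
```

Only case (b) is caught by the victim's ingress rule. Case (c), the one that matters for a flood, reaches the victim unless the attacker's ISP filters it on the way out, which is why the recipient cannot fix this alone.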
Why the hell does the FBI care how to stop this? (2.50 / 6) (#99)
by gte910h on Thu Feb 05, 2004 at 12:45:46 PM EST

The FBI's job is NOT to solve society's problems; it is to apprehend criminals working with a domestic component that have resources that are too much for local law enforcement.

Why would you tell him what company can really solve this? He doesn't care. His job is to find who did this specific incident. It's YOUR option to sue companies, but I doubt you'd get anywhere looking at the size of their legal teams and the lack of case law.

This is an annoying rant that also shows that you frankly were a twerp in dealing with this incident.

a bit harsh but true (none / 1) (#103)
by debonair on Thu Feb 05, 2004 at 01:38:52 PM EST

I'd have to agree with this. I wouldn't go so far as calling him a twerp, coz he's obviously upset about the whole incident.

I would have to say that he didn't look at it rationally despite what he said in the email.

I really do like the analogy though :)

[ Parent ]

What Kind of DDOS (none / 2) (#105)
by niku on Thu Feb 05, 2004 at 02:12:32 PM EST

What kind of packets are they sending you? In all probability, they're of one type, and you could put a snort or tcpdump outside your firewall, and be able to create a firewall rule and custom snort rule for the packet you capture. At that point, you take a snort box, strip it down to only that rule, and run it outside your firewall. Filter for unique ip links and you can generate a pretty quick blacklist. Work with your Firewall vendor, or person responsible for your firewall to have this list generated every two hours or so, and have the firewall block packets from the hosts sending the packets for the two hour duration. At the same time, talk to your upstream provider; ask them to do some filtering, and offer them an example of the packet and offer to do any research they need to have rules put in place. In addition, take the scripts that you are generating from the snort box, and keep a master list of all hosts that have targeted you, do a whois on them and send out an email to abuse@blah; also send that list to the FBI.

DDOSs are a hassle. They can interrupt business, and like in your case, cost thousands of dollars. There are small steps you can take though, and all together, they may not completely eliminate the DDOS attack, but they can help incrementally decrease the power of your attack. It is also worth noting that you may want to consider calling an information security company; mine would certainly be willing to help you. There are a bunch of bad infosec companies out there, so if you don't go with us, use @stake; they're frightfully expensive, but do a good job, unlike guardant, or IIS.

Hope that helps

PS:
forgive the spelling, I rushed through this.
--
Nicholas Bernstein, Technologist, artist, etc.
http://nicholasbernstein.com
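The procedure in the comment above (capture outside the firewall, find the one packet shape, list its senders, block them for two hours, report them), as an added example that is not code from the original post. The capture is a constructed sample in the shape of `tcpdump -n -l` output; the timestamps, addresses and the two-hour window are assumptions for the example, and the whois/abuse mail step is left as a grouping by /24 since it needs the network. The caveat skyknight raises applies in full: this only produces something blockable when the sources are the bots' real addresses.

```python
"""From a tcpdump capture of a flood to a time-limited blocklist (added example).

Finds the packet shape that dominates the capture, lists the sources sending
it, builds a blocklist whose entries expire after TTL, and groups the sources
by /24 for abuse reports. Only useful when sources are not forged.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of `tcpdump -n -l` output; not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000220 IP 203.0.113.77.40002 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000330 IP 192.0.2.9.40003 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000440 IP 203.0.113.5.40004 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000550 IP 198.18.0.4.52100 > 198.51.100.10.80: Flags [P.], seq 1:121, ack 1, win 65535, length 120
12:00:01.000660 IP 203.0.113.77.40005 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000770 IP 192.0.2.9.40006 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000880 IP 198.18.0.4.52100 > 198.51.100.10.80: Flags [.], ack 300, win 65535, length 0
12:00:01.000990 IP 203.0.113.200.40007 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
"""

NOW = datetime(2004, 2, 5, 12, 0, 0)   # "current time" for the example run (assumed)
TTL = timedelta(hours=2)               # lifetime of a blocklist entry, per the post

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].* length (?P<length>\d+)$"
)


def parse_capture(text: str) -> list:
    """One dict per TCP line; lines this regex does not model (ARP, ICMP, ...) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def signature(p: dict) -> tuple:
    """The shape of a packet: destination port, TCP flags, payload length.
    Flood tools tend to emit one shape over and over."""
    return (p["dport"], p["flags"], p["length"])


def dominant_signature(pkts) -> tuple:
    return Counter(signature(p) for p in pkts).most_common(1)[0][0]


def build_blocklist(pkts, sig, now=NOW, min_packets=2, ttl=TTL) -> dict:
    """source IP -> expiry, for sources that sent at least min_packets of shape sig."""
    hits = Counter(p["src"] for p in pkts if signature(p) == sig)
    return {src: now + ttl for src, n in hits.items() if n >= min_packets}


def expire(blocklist: dict, now) -> dict:
    """Drop entries whose window has passed; run before each refresh."""
    return {src: exp for src, exp in blocklist.items() if exp > now}


def group_for_abuse(sources) -> dict:
    """Group sources by /24, the granularity at which one would whois the
    block and mail abuse@ (the lookups themselves are not done here)."""
    groups = defaultdict(list)
    for src in sources:
        groups[str(ipaddress.ip_network(f"{src}/24", strict=False))].append(src)
    return {net: sorted(v, key=ipaddress.ip_address) for net, v in groups.items()}


def iptables_rules(blocklist: dict) -> list:
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src in sorted(blocklist, key=ipaddress.ip_address)]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    sig = dominant_signature(pkts)
    blocklist = build_blocklist(pkts, sig)
    print("dominant shape (dport, flags, len):", sig)
    for rule in iptables_rules(blocklist):
        print(rule)
    for net, srcs in group_for_abuse(blocklist).items():
        print(f"whois {net}  ->  abuse report for {', '.join(srcs)}")
```

Note what the threshold buys: the single-packet sender 203.0.113.200 and the legitimate client 198.18.0.4 (whose packets have a different shape) stay off the list, so an over-eager rule does not cut off real traffic.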

Against a proper DDoS attack... (none / 0) (#113)
by skyknight on Thu Feb 05, 2004 at 06:01:11 PM EST

there can be no host based defense. The source addresses will be forged randomly, and the destination port will be for a service that you are actually trying to provide. What can you, at the end-point of the attack, do about this? The answer, unfortunately, is nothing. Your only hope is to get an upstream router to clamp off the flow, but if the attack is properly distributed, such that there is no single and well defined choke point, then even this won't work.

Apart from a total attitude change from ISPs, users of the Internet are largely at the mercy of attackers. We desperately need ISPs to start enforcing egress filtering, but as rational individual entities, they logically conclude that their taking such steps will only help others, so they don't bother. I don't know what it will take to get all ISPs to act responsibly in concert. There will have to be some kind of financial or legal pressure, though I'm not sure what would be best.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Tier 1 Providers Can Stop/Track It (none / 0) (#122)
by The Turd Report on Thu Feb 05, 2004 at 10:09:27 PM EST

It is a PITA, but they can be tracked. It is only done when the attackee is going to be pressing charges.

[ Parent ]
No, they really can't (none / 0) (#180)
by simul on Sat Feb 07, 2004 at 04:22:47 PM EST

The attack was timed so as not to last more than 4-5 hours at a time. They did it 5 days in a row before they stopped (not sure why they stopped....maybe this article?).

They used spoofed packets each time, and each time our ISP tried to isolate the interface and coordinate with the upstreams, it just appeared that the attack was coming from thousands if not hundreds of thousands of places at once.

No way to get it down to a "per machine granularity". If more ISP's supported egress filtering, we'd have a list of IP's to block within an hour.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

re: Against a proper.... (none / 0) (#207)
by niku on Thu Feb 19, 2004 at 07:59:41 PM EST

I think it really depends on your situation, and what kind of DDOS you're experiencing. You may have large pipes, but a service is being knocked out. In that case, you could use some traffic shaping like that described in: The advanced linux routing howto.
Also, your upstream providers aren't going to do anything unless you get them good information. That's the purpose of dropping a snort sensor onto the net, or tcpdump, or whatnot.
In addition, the randomness of the IPs may not actually be that random; by having a sensor on the net, you may find that many of the IPs are being created in a similar manner, especially if they are using large numbers of hosts using the same algorithm to generate them. You may also be able to put together a whitelist depending on the type of service you are providing, and how easy it is to determine legitimate clients. If your clients are mostly repeat, you can write a script to parse their IPs from existing log files and perhaps be able to provide service to your existing clients.
Again, the aim is to mitigate the damage, not completely solve the problem in one fell swoop.
--
Nicholas Bernstein, Technologist, artist, etc.
http://nicholasbernstein.com
[ Parent ]
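The two ideas in the comment above, as an added example that is not code from the original post: first, checking whether "random" source addresses collapse into a few prefixes because the attacker's generator only varies the low bits; second, building an allow list of repeat clients from existing web logs and using both during the attack. The attack sources and log lines are constructed for the example (deterministic formulas over RFC 5737 and benchmark ranges), and the three-way allow/drop/ratelimit policy is one assumed arrangement, not something the post specifies.

```python
"""Are the flood's sources really random, and who are our regular clients? (added example)

  narrow_sources: longest prefix length at which all attack sources fit into a
                  few networks; a generator that only randomises the low bits
                  is exposed here however many distinct addresses it produces.
  repeat_clients: clients seen on several distinct days in the existing logs,
                  i.e. the customers to keep serving while shedding the rest.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed attack sources. STRUCTURED mimics a generator that varies only the
# low 9 bits of the address; RANDOM varies every octet.
STRUCTURED = [f"203.0.{113 + i % 2}.{i * 37 % 251 + 1}" for i in range(60)]
RANDOM = [f"{i * 97 % 223 + 1}.{i * 53 % 256}.{i * 31 % 256}.{i * 17 % 256}" for i in range(60)]

# Constructed access log lines (Apache common log format).
ACCESS_LOG = """\
192.0.2.7 - - [03/Feb/2004:10:00:01 -0500] "GET / HTTP/1.0" 200 512
198.51.100.3 - - [02/Feb/2004:09:12:44 -0500] "GET /index.html HTTP/1.0" 200 2048
192.0.2.8 - - [04/Feb/2004:11:30:09 -0500] "GET / HTTP/1.0" 200 512
198.51.100.3 - - [03/Feb/2004:09:15:02 -0500] "GET /news HTTP/1.0" 200 1024
192.0.2.7 - - [04/Feb/2004:10:02:17 -0500] "GET /about HTTP/1.0" 200 700
198.51.100.3 - - [04/Feb/2004:09:11:58 -0500] "GET / HTTP/1.0" 200 2048
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<day>\d\d/\w{3}/\d{4}):')


def octet_profile(ips) -> list:
    """Number of distinct values each of the four octets takes across ips."""
    cols = [set(), set(), set(), set()]
    for ip in ips:
        for col, octet in zip(cols, ip.split(".")):
            col.add(int(octet))
    return [len(c) for c in cols]


def narrow_sources(ips, max_prefixes=4):
    """Longest prefix length (24, 16 or 8) at which all sources fit into at most
    max_prefixes networks. (0, set()) means they cannot be narrowed."""
    for plen in (24, 16, 8):
        nets = {str(ipaddress.ip_network(f"{ip}/{plen}", strict=False)) for ip in ips}
        if len(nets) <= max_prefixes:
            return plen, nets
    return 0, set()


def repeat_clients(log_lines, min_days=2) -> set:
    """Clients that appear in the logs on at least min_days distinct days."""
    days = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            days[m["ip"]].add(m["day"])
    return {ip for ip, d in days.items() if len(d) >= min_days}


def admit(src: str, allow_list, attack_prefixes) -> str:
    """Per-source decision while under attack: known clients pass, sources inside
    the narrowed attack prefixes are dropped, everything else is rate-limited."""
    if src in allow_list:
        return "allow"
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(p) for p in attack_prefixes):
        return "drop"
    return "ratelimit"


if __name__ == "__main__":
    print("structured:", octet_profile(STRUCTURED), narrow_sources(STRUCTURED))
    print("random:    ", octet_profile(RANDOM), narrow_sources(RANDOM))
    allow = repeat_clients(ACCESS_LOG)
    _, prefixes = narrow_sources(STRUCTURED)
    for src in ("192.0.2.7", "203.0.113.77", "198.18.5.5"):
        print(src, admit(src, allow, prefixes))
```

For the structured set the profile comes out as one value in each of the first two octets, two in the third and sixty in the fourth, and the sixty addresses reduce to two /24s; for the fully random set nothing can be narrowed, which is the case the rest of the thread is about.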
And if the charges were for bandwidth? (none / 0) (#119)
by KrispyKringle on Thu Feb 05, 2004 at 08:11:37 PM EST

What was he to do? Sure, if he's not replying, it saves his upstream, but we can assume he already took this measure. Point is, he claims to have lost thousands on bandwidth charges. Without the cooperation of his ISP (and he claims they won't help because they make money off the attack, which they do), there's not a lot he can do on his end.

[ Parent ]
He Can Move (none / 0) (#121)
by The Turd Report on Thu Feb 05, 2004 at 10:02:27 PM EST

How long is he going to let his ISP nail him in the pooper? Move. When shopping for a new ISP, ask how they handle DoS attacks. Find out what you need to do to contact them about a DoS.

[ Parent ]
His entire corporate LAN? (none / 0) (#138)
by KrispyKringle on Fri Feb 06, 2004 at 02:28:03 AM EST

Let's say he's got a fairly typical corporate setup. They've got a handful of external IPs, or maybe even a full subnet. Web and mail servers on the DMZ, PCs behind a NAT box. So, to change to a new external IP/subnet, he has to do a number of things. Let's draw up a quick checklist:

Buy new static IP or subnet from ISP: pricey, but ISP doesn't mind 'cause they get paid.

Change root DNS servers to point to his new DNS server location and wait for propagation: free, but slow.

Change settings on firewalls and servers to reflect new external IP address: not all that difficult, but tedious and time-consuming.

Point is, it's doable, sure. But this wasn't like he's on a cable modem with a 6 month DHCP lease. In comparison, the ISP could simply filter higher upstream and charge him nothing (and perhaps lose a minuscule amount in their own bandwidth charges, unless they wrangle with their backbone provider or the ISP the traffic is originating from, WHICH WOULD BE GOOD FOR EVERYONE).

[ Parent ]
Wha...? (none / 0) (#143)
by The Turd Report on Fri Feb 06, 2004 at 08:16:02 AM EST

Are the costs you mentioned greater than getting DoS'd every day (and losing $$$) and getting reamed on bandwidth charges by an ISP that doesn't do squat to help you out?

If you are careless enough to put your corporate network on "Ma and Pa Kettle's ISP" don't be shocked when any script kiddie can blow you off the internet.

[ Parent ]

This is a 1st Tier top ISP (none / 0) (#147)
by simul on Fri Feb 06, 2004 at 10:11:43 AM EST

They are one of the top 10 largest managed server centers in the world.

You clearly know nothing about the issue. There is NO victim-based defense against a DDOS attack. None. Period. Just get that past your head. I don't care who you are or how much money you have. It's technically impossible to have a victim based defense.

http://www.sans.org/y2k/egress.htm

The only defense is if the entire internet implements egress filters (at a minimum), and endpoint firewalls (best).

That's why legislation may be the only way to go. How e

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Tier 1 == Backbone (none / 0) (#155)
by The Turd Report on Fri Feb 06, 2004 at 12:38:03 PM EST

They are one of the top 10 largest managed server centers in the world.
And they can't stop a DoS and then they charge you for bandwidth? You are kidding, right?

You clearly know nothing about the issue.
LOL If only you knew... :p

There is NO victim-based defense against a DDOS attack. None. Period. Just get that past your head. I don't care who you are or how much money you have. It's technically impossible to have a victim based defense.

But it is possible to have your upstream defend you. If you buy cheap-assed bandwidth/hosting, you will get shitty service. Get that 'past your head'.

That's why legislation may be the only way to go.
Oh, yeah, the government will take care of it... Now who clearly knows nothing? lol.



[ Parent ]

Trying to keep it civil... (none / 2) (#157)
by KrispyKringle on Fri Feb 06, 2004 at 05:07:58 PM EST

First off, if his company is being deliberately targeted, changing his IP won't do shit. Look at MyDoom; by targeting the DNS record instead of the IP address, the only way to avoid the attack is to move to a different DNS lookup, which has obvious costs that probably outweigh the benefits (SCO did this for attention; MS simply spent enough on bandwidth and distributed hosting that they probably can't be knocked down without taking the whole Internet with them).

So, yes. He could move his whole corporate subnet. Change the URL of the domain. Wait a few weeks and do it again. And again. And again. There's no cheap solution to this problem.

The reason the other replier contends that legislation is the only way is that, technically speaking, the only real solution requires cooperation of the ISPs. If the upstream provider who the DoS is coming from won't cooperate, then blocking it ANYWHERE else farther along will cost SOMEONE lots of bandwidth and, presumably, money. I presumably don't need to elaborate on the technical specifics of this, because you claim to have a good foundation in network security.

So, as I said, the only way is to have the upstream DoS blocked on its way out of the attacker's ISP(s)'s network. And apparently, the only way to incentivise this blocking is legislation (essentially setting a reasonable care standard of blocking these attacks and putting financial burden for failure to do so on the ISP).

You could sue for negligence, if you contend that the business relationship between you and that ISP requires this behavior already, but I would suspect such technical arguments would be a toss-up in court. And the reasonable-person standard, as is, indicates that most ISP's do NOT do this filtering, and that, therefore, it probably is not to be expected. Hence the need to legislate this as negligence nonetheless.

[ Parent ]
Keeping It Civil (none / 0) (#158)
by The Turd Report on Fri Feb 06, 2004 at 06:17:12 PM EST

First off, if his company is being deliberately targeted, changing his IP won't do shit. Look at MyDoom; by targeting the DNS record instead of the IP address, the only way to avoid the attack is to move to a different DNS lookup, which has obvious costs that probably outweigh the benefits (SCO did this for attention; MS simply spent enough on bandwidth and distributed hosting that they probably can't be knocked down without taking the whole Internet with them).
So, yes. He could move his whole corporate subnet. Change the URL of the domain. Wait a few weeks and do it again. And again. And again. There's no cheap solution to this problem.

For this guy's current problem, there are two solutions it seems: 1) move to an ISP that can mitigate the DoS and get it traced or 2) Wait for *every* ISP to implement the anti-DoS filters either by the goodness of their hearts, or by all countries passing laws forcing them to. While I would pee myself with happiness if these filters were put in place, I have a feeling I'd be waiting with all the people waiting for all open relays to be fixed, or open proxies, or unpatched Windows boxes.

The reason the other replier contends that legislation is the only way is that, technically speaking, the only real solution requires cooperation of the ISPs. If the upstream provider who the DoS is coming from won't cooperate, then blocking it ANYWHERE else farther along will cost SOMEONE lots of bandwidth and, presumably, money. I presumably don't need to elaborate on the technical specifics of this, because you claim to have a good foundation in network security.

If your provider can't "eat the traffic", then they are feeling the effects of the DoS as well, I'd guess. In this case they might be contacting their upstream and might be able to get the DoS traced for you. Trying to legislate this is just going to be silly. Even if all US ISPs automagically enabled the filters when this law was passed, ISPs outside of the US won't be as compelled.



[ Parent ]

Yes, but... (none / 0) (#208)
by KrispyKringle on Wed Apr 07, 2004 at 10:06:52 PM EST

I think when two people argue a point from positions not too separate, they converge. That said, I don't fully agree with your argument here.

Even if the provider can handle the traffic, it costs them something, which they in turn want to hand off to his company, apparently. If they can't, then it costs them even more, and they really want to charge him now (though you are right, he should move to a different provider). But it doesn't really matter if the provider can, as you say, ``eat the traffic'', since so doing doesn't particularly mitigate the cost for the provider. So what he needs, then, is a contract that does not hold him financially responsible for DOS traffic. Something he contends legislation is necessary for. :)

The point of this would not be to legislate behavior. That's far too messy and inefficient, as you clearly feel as well. Instead, the point is to legislate liability; make it negligent for an ISP to not take reasonable measures to protect clients against being charged for DOS traffic. If there is a financial burden, the ISPs will come to a solution far faster and more effectively than if that solution were itself legislated, I suspect.

[ Parent ]

"The upstream".... (none / 0) (#160)
by simul on Fri Feb 06, 2004 at 10:46:44 PM EST

Big DDOS'es are really a lot harder to defend against than you think. 1M machines generate enough bandwidth to shut down most big ISP's. And most ISP's have no recourse but to nullroute.

Everyone nullrouted our IP address because they were getting hit way too hard. Our ISP wants to sue us now for their outage and effort defending us.

What about a blacklist of all ISP's that don't have egress filters?

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

1M? Wow.... (none / 0) (#172)
by The Turd Report on Sat Feb 07, 2004 at 12:31:48 PM EST

Big DDOS'es are really a lot harder to defend against then you think.
I deal with (D)DoS'es all day at work and have for the past 6 years.

1M machines generate enough bandwidth to shut down most big ISP's.
Well, *duh*. How do you know it is 1M machines hitting you? And, if it is 1M, who the HELL did you guys piss off? :) It doesn't sound like your standard IRC/Shell server getting flooded.

What about a blacklist of all ISP's that don't have egress filters?
I am not sure how easy it would be to determine if an ISP had egress filters or not. This would make adding and removing ISPs kind of hard. If it was widely used and if ISPs knew why their traffic was being dropped, it might be useful in getting ISPs to make the change (but they say that about spam blacklists). Even then, I don't think it will solve the problem 100%.

[ Parent ]

Two Contradictions (none / 1) (#108)
by lvogel on Thu Feb 05, 2004 at 04:58:37 PM EST

  1. "Although I was hurt, I'm looking at this rationally."
  2. "I hope they don't take my response as antagonistic."
Three if you count:
"I'd be interested to know what Kuro5hin readers feel about these issues."

The internet performs best when unregulated. If you are having problems, you have software and hardware tools and technologies to help you get around the problem. The more people that run, screaming and crying, to Uncle Sam, the more likely the bureaucracy will get involved and start imposing rules that adversely affect us all.

Maybe they've already just begun...
-- ----------------------
"When you're on the internet, nobody knows you're a dog!"

-a dog

This comment shows a lack of understanding... (none / 0) (#111)
by skyknight on Thu Feb 05, 2004 at 05:34:26 PM EST

for how the Internet works. There is positively no host based defense against denial of service attacks. You can't have a tool that stops it. The only defenses against denials of service attacks are router based, and unfortunately the incentives are not in place to get people to act responsibly. The most practical defense against DoS attacks is egress filtering, and yet, an ISP performing egress filtering only benefits other networks, not its own. To have a functional situation, everyone needs to implement it.

There is substantial "regulation" already in place on the Internet, though you may not know it. Take a look at how the TCP protocol works. It does not try to maximize throughput for a given connection, but rather the Internet as a whole. We have standards for how well behaved flows are to act, and this makes the Internet usable.

There is a world of difference between traffic regulations and content regulations. Nobody here is proposing that restrictions be placed on content, just that ISPs ought to collaborate, one way or another, to defend against a tragedy of the commons.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Hmm. Coincidence? (none / 1) (#109)
by aphasia on Thu Feb 05, 2004 at 05:05:18 PM EST

http://forums.somethingawful.com/showthread.php?s=&threadid=905014

"You have *huge* brass balls. Tex would be jealous." --ti dave

I mean (none / 0) (#110)
by aphasia on Thu Feb 05, 2004 at 05:05:59 PM EST

hmm

"You have *huge* brass balls. Tex would be jealous." --ti dave
[ Parent ]

Hardcore vigilantes (none / 0) (#136)
by TheOnlyCoolTim on Fri Feb 06, 2004 at 12:39:51 AM EST

That is a very interesting thread.

Tim
"We are trapped in the belly of this horrible machine, and the machine is bleeding to death."
[ Parent ]

OK?? (none / 0) (#200)
by Klom Dark on Wed Feb 11, 2004 at 02:12:19 PM EST

All I get is a page begging for money before I can do anything. Sorry, don't think so...

[ Parent ]
That just proves (none / 0) (#204)
by aphasia on Fri Feb 13, 2004 at 04:04:52 PM EST

your lack of coolness, for not already having an SA account, like the rest of us.

"You have *huge* brass balls. Tex would be jealous." --ti dave
[ Parent ]

Not smart, and possibly incorrect tech (none / 2) (#120)
by redelm on Thu Feb 05, 2004 at 09:20:31 PM EST

First, it is unwise to be anything less than co-operative with police when a true crime has been committed. Police tend to see things in black-and-white. Occupational requirement to wade through very gray laws. If you're not a civilian (innocent), then you are a perp (guilty).

Second, I'm not sure you're factually correct. DDoS involves lots of machines infected by a relaying/bombardment trojan/worm. I'm not sure ISPs can simply implement egress controls, and they would certainly need hardware upgrades.

Yes, MS Outlook is egregious, verging on criminal negligence. So sue them.



Re: Not smart, and possibly incorrect tech (none / 1) (#139)
by Kuwanger on Fri Feb 06, 2004 at 03:13:23 AM EST

Second, I'm not sure you're factually correct. DDoS involves lots of machines infected by a relaying/bombardment trojan/worma. I'm not sure ISPs can simply implement egress controls, and they would certainly need hardware upgrades.

Actually, they can thanks to the ideas of traffic shaping and policing. Traffic shaping can prevent a web server from using up too much outward bandwidth, while traffic policing can drop packets to prevent web servers from becoming overloaded. Admittedly, the actual connection from the web hosting site to the backbone might become saturated for the inbound direction, which can greatly reduce the ability to serve content outwardly. And if a hosting company is charged for inbound traffic, it is likely to cause a significant penalty in payment. But, this should be covered under a contract which doesn't hold a site responsible for the traffic generated to a site.

The truth is as more and more DoS attacks occur, client ISPs should be encouraged to set up squid caches and the like and redirect most if not all web traffic there. For broadband, this would be especially advantageous since the distance from ISP to local loop is relatively small and would allow near LAN saturation speeds. This does mean ISPs are likely to invest more in HDs, CPUs, etc, but in reality HD sizes and CPU power are both growing at a much larger rate than bandwidth is expanding. Overall, this means that smart ISPs should begin to realize that good caching policies and buying the extra hardware is *cheaper* than paying for the extra bandwidth.

But back to the actual web server. Traffic shaping would prevent a DoS attack from saturating the outbound direction, entirely. In fact, bandwidth usage could be monitored with the largest used web sites being limited to some set minimum (say 2KBps) and the least used given higher priority (Linux 2.4+ easily supports this configuration). Given this setup, a T1 could be shared with ~91 web sites without any of the clients worrying about being charged extra. Given this, I'd say it's very likely that web hosts are *trying* to not use such services to get that $2000. My advice is to either find another web hosting company or to start your own doing the above. The idea of a universal flat rate worked on the client end. I don't see why you couldn't push it on the server end too.



[ Parent ]
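The outbound shaping arrangement described in the comment above (the heaviest sites pinned to a small fixed rate, the rest sharing the remainder at higher priority), as an added example that is not code from the original post. It generates the iproute2 `tc` commands for a Linux HTB setup rather than running them; the interface name, the per-site addresses, the usage figures and the 100+n class numbering are assumptions for the example. In tc's units `kbit` is kilobits per second, so the post's 2 KB/s floor is written as 16kbit.

```python
"""Sharing one uplink between many hosted sites with Linux HTB shaping (added example).

Emits `tc` commands; nothing is executed. Review the output, then run it as
root on the box that owns the uplink interface.

Assumptions: `dev` is the outbound interface, each site has one IPv4 address,
and `usage` (bytes sent per site in the last interval) comes from whatever
accounting the host already keeps.
"""
T1_KBIT = 1544          # nominal T1 rate, kilobits/s
FLOOR_KBIT = 16         # 2 KB/s, the floor the post suggests for heavy sites


def max_sites_at_floor(link_kbit: int, floor_kbit: int = FLOOR_KBIT) -> int:
    """How many sites this link can guarantee floor_kbit each (no overhead accounted)."""
    return link_kbit // floor_kbit


def pick_heavy(usage: dict, top_n: int) -> list:
    """Sites to pin, heaviest first (ties broken by address for determinism)."""
    ranked = sorted(usage.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:top_n]]


def htb_commands(dev: str, link_kbit: int, heavy: list, floor_kbit: int = FLOOR_KBIT) -> list:
    """tc commands: root HTB, one default class for unpinned sites, and one
    pinned class plus a u32 filter per heavy site (matched on source address,
    i.e. the site's own outbound packets)."""
    default = 20
    reserved = floor_kbit * len(heavy)
    if reserved >= link_kbit:
        raise ValueError("pinned sites would consume the whole link")
    cmds = [
        f"tc qdisc add dev {dev} root handle 1: htb default {default}",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_kbit}kbit ceil {link_kbit}kbit",
        # Unpinned sites: guaranteed the remainder, may borrow up to the whole
        # link when the pinned classes are idle, and win ties (prio 1).
        f"tc class add dev {dev} parent 1:1 classid 1:{default} htb "
        f"rate {link_kbit - reserved}kbit ceil {link_kbit}kbit prio 1",
    ]
    for i, ip in enumerate(heavy, start=1):
        cid = 100 + i
        # rate == ceil: the pinned site can never borrow above its floor.
        cmds.append(f"tc class add dev {dev} parent 1:1 classid 1:{cid} htb "
                    f"rate {floor_kbit}kbit ceil {floor_kbit}kbit prio 2")
        cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio 1 u32 "
                    f"match ip src {ip}/32 flowid 1:{cid}")
    return cmds


if __name__ == "__main__":
    # Constructed usage figures (bytes sent last interval) for three hosted sites.
    usage = {"198.51.100.10": 5_000_000, "198.51.100.11": 120_000, "198.51.100.12": 9_000_000}
    print(f"# a T1 can guarantee {max_sites_at_floor(T1_KBIT)} sites {FLOOR_KBIT}kbit each")
    for cmd in htb_commands("eth0", T1_KBIT, pick_heavy(usage, 2)):
        print(cmd)
```

Shaping is applied to what the server sends; it caps the hosted site's outbound share of the pipe, which is the part the hosting company controls. Inbound saturation of the link by a flood still has to be handled upstream, as the comment itself notes.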
Egress filtering (none / 1) (#146)
by simul on Fri Feb 06, 2004 at 09:53:39 AM EST

"Egress filtering is a measure to prevent an attacker from being able to use forged packets which makes the attack extremely difficult to track down and stop. It does nothing to prevent an attack for the victim. For it to be successful, most, if not all, Internet connected networks worldwide must implement it. Anti-smurf configurations similarly must be implemented in the majority of Internet connected networks to prevent them from being used as attack amplifiers." How to get the whole world to implement egress filters without government supervision?

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Why must it be w/o government supervision? (nt) (none / 0) (#174)
by scruffyMark on Sat Feb 07, 2004 at 12:56:21 PM EST



[ Parent ]
Government supervision is fine AFAIC (none / 0) (#179)
by simul on Sat Feb 07, 2004 at 04:17:07 PM EST

Just there's always a mosh-pit of "libertopians" on Kuro5hin that panic any time someone appeals for a government solution to a growing problem.... so I always pose a nongovernment one. Not that there's an effective difference. Punishment for bad behavior, from wherever it comes, is punishment.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
whadda good reply! (none / 1) (#137)
by zedumfore on Fri Feb 06, 2004 at 12:50:05 AM EST

i think your response was right on,
but have my doubts that Agent Snip will get it.
~Johnny J. Zedumfore
Your own problem, to a large extent (none / 1) (#140)
by grahamlee on Fri Feb 06, 2004 at 04:38:25 AM EST

Or why Microsoft insists on shipping operating systems without default security settings appropriate to the Internet.

There's nothing to stop Microsoft doing whatever the crud they want with the security settings on their systems. However, there's no reason you need to use their software, if it's inappropriate for you. There's also no reason why Windows traffic couldn't be dropped from your network at the earliest opportunit{y,ies} if this is what poses the security threat. Your letter seems more like an exercise in scapegoating than anything else; you know that you could prevent/limit the efficacy of [D]DoS, you also know that the scriptkiddies from l0pht who perpetrated them will never be caught so you think "who else may be blamed"? Happens that the big companies are quite effective targets, because the government like taking money out of them and letting them do whatever tf it was that they were sued for in the first place.



I don't use their software (none / 0) (#145)
by simul on Fri Feb 06, 2004 at 09:50:16 AM EST

Other people do, and that's screwing up the internet for the rest of us.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
I just can't agree with you (none / 1) (#152)
by no carrier on Fri Feb 06, 2004 at 11:17:32 AM EST

You do make some good points about ISP's needing to be more responsible, but I don't want to see gov't regulation. And your MS argument is weak. You don't expect Ford to make Nerf cars do you?

I think we will see more ISP's implement policies like egress filtering in the future. Look at AOL 9, they have virus protection and all sorts of little helper apps built in. They will warn users about messenger and shut down that service and all sorts of other good things. Plus they are working to stem the flow of spam. But it takes time.

We are still in the wild west of internet times and there are a bunch of gunslingers out there looking to make a name for themselves. Eventually order will be restored, but I don't want to see it come from gov't regulation. I believe there are technological answers for all the problems we have.

I happen to think ISP's have more responsibility for these things than software makers do, that's just my opinion. I also think that any corp hit by one of these virus/worms should fire the entire IT dept and find someone capable of doing their job. My users can barely move icons on the desktop, much less run executables in email. And yes, we use Lookout (albeit heavily modified with Norton corp edition running on the email server and the clients and tons of GPO's to prevent user idiocy).


I stab people.
[ Parent ]
Ford is required to put seatbelts in (none / 1) (#161)
by simul on Fri Feb 06, 2004 at 10:48:11 PM EST

Ford is required to put seatbelts in, and antilock brakes. O/S vendors could be required to ship with an application-level firewall with defaults appropriate to a typical internet user.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Ok, I concede that my analogy was bad (none / 1) (#199)
by no carrier on Wed Feb 11, 2004 at 12:35:36 PM EST

But, I'm still against regulation in regards to software. From what I hear MS is going to turn on the XP firewall by default in the next service pack, plus future OS's from MS will have this turned on by default. So that should make us both happy.

Of course, there will be many people that say MS is evil and putting 3rd party firewall vendors out of business, but that's not our argument.

I just don't see any way that regulation could be enforced on software. There are too many OS vendors outside the US law system and getting everyone to agree on something is next to impossible (as much as I'm against regulation in the US I'm 100 times more against it as a worldwide effort). I just think that trying to regulate something like this is going to create a huge mess and have side effects that we would never imagine.

Really I think you were just angry when you wrote this article and wanted someone tangible to blame. You are likely to never find the person who ddos'd you and you know it. So why not strike out at someone you can see? But the problem with that is you are fighting the symptoms and not the problem. Just because I know how to ddos you off the net doesn't mean I'm going to and I shouldn't be forced to do something because someone somewhere might do something bad. It all comes down to individual freedom and individual responsibility. I also don't stop at gas stations that make me pay before I pump, because they assume I'm a criminal.


I stab people.
[ Parent ]
Windows traffic? (none / 1) (#169)
by skyknight on Sat Feb 07, 2004 at 09:44:09 AM EST

For cripes sakes... There are so many people making comments in this article that are just patently false. IP traffic is IP traffic, regardless of the OS. There is absolutely no guarantee that there will be any information that identifies the originating OS. Certainly there is no such information at the transport level, i.e. TCP or UDP, and while this information may be present at the application level, e.g. in HTTP headers, there is typically no requirement that it be present, and it can be forged trivially.

Despite what myriad people commenting on this article say, there is positively no end-host based defense against DDoS attacks. The only defenses against such attacks are at routers, and that means that one way or another the heat has to be turned on the ISPs who allow blatantly forged packets to come out of their network. The attacks that happen are possible because ISPs are letting people do the equivalent of the post office letting people send letters with a return address in France when they live in the US. In this situation, the post office would hopefully not forward along such a letter, and ISPs shouldn't either, but they do. Simply put, if such a fraudulent send operation is allowed, then there is absolutely no technical defense that the recipient can deploy. He can either buy a bigger pipe, so he doesn't feel the drain on his resources, or he can bitch to his ISP or the government. Once the attack packet arrives at his machine, it is apt to have absolutely no incriminating evidence in it, unless the attacker has done something cosmically stupid.

I know practically nothing about how cars work, so when someone's car breaks down, I don't dispense advice on how they should go about fixing it. If you don't know how the Internet works, then don't condescendingly lecture others about it, as if you were some kind of expert. You just end up looking foolish.

Go read some books.



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Hey, good idea (none / 0) (#173)
by scruffyMark on Sat Feb 07, 2004 at 12:54:26 PM EST

I like that postal analogy - get cheap shipping to France by swapping the destination and source address, then when you get the parcel, just write "not at this address" and drop it back in the mailbox!

return postage, the attacks start going away on their own. Swat the old invisible hand of the market with a ruler whenever it tries anything indecent, and maybe one day it'll learn not to behave like a pervert...

[ Parent ]

talkin' back to the fed? (1.75 / 4) (#142)
by My Dupe Account on Fri Feb 06, 2004 at 07:36:18 AM EST

Enjoy your trip to Gitmo, Mohammad.

--

"Very funny, Scotty. Now beam up my clothes."
Bad move (none / 1) (#148)
by tmenezes on Fri Feb 06, 2004 at 10:14:13 AM EST

If you help the FBI catch the people behind the attack and put them in jail, you will help reduce the likelihood of future attacks.

As said before, the FBI's job is to catch criminals, not deal with technical issues. You may be right in your claims, but this is very bad timing to make your point.

You are free to prosecute your ISP, and then maybe you can get the FBI to investigate them. This is how the system works.

Fed's Job To Regulate Interstate Commerce Too (none / 0) (#150)
by EXTomar on Fri Feb 06, 2004 at 10:47:28 AM EST

Constitutionally, the Federal Government regulates interstate commerce, and, believe it or not, the Internet falls squarely under this. Now if any business pertaining to interstate commerce is being slipshod or substandard, and especially if it involves large sums of money, you bet your J. Edgar Hoover they will do something.

So how are ISP ignoring attacks because they can make money off of bandwidth any good? It would be as if a bank just kind of kept the books and balances straight using the float in their favor for profit. The feds would be all over this bank.

If the market won't correct the situation itself, then the government has no recourse but to step in. Conservatives might hate this, but the system has had plenty of chances to fix this and failed to do so. At the moment, market forces keep many ISPs from filtering this kind of attack because it is more profitable for them to ignore it and blame some hacker.



[ Parent ]
possible fix (none / 0) (#165)
by simul on Fri Feb 06, 2004 at 10:57:37 PM EST

we could make a blacklist with all the isp's that ignore egress filtering rules. publishing this list might make ISP's squeal enough to implement them.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Except (none / 0) (#167)
by joto on Sat Feb 07, 2004 at 04:14:47 AM EST

Except of course, that the list would include almost every major ISP. Essentially, you would no longer communicate with anyone else. Blacklists don't work when everyone is the bad guy. It would be somewhat like public humiliation of people taken by the police for speeding.

[ Parent ]
Really? (none / 0) (#170)
by simul on Sat Feb 07, 2004 at 11:34:45 AM EST

I know Time Warner does a good job.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Really. (none / 0) (#175)
by The Turd Report on Sat Feb 07, 2004 at 01:22:35 PM EST

Getting all ISPs to put up egress filters is going to be impossible. Look at how long people have been trying to close open relays. Not that you shouldn't try, but be prepared for a long struggle.

[ Parent ]
obviously you aren't paying attention (none / 1) (#154)
by ph0rk on Fri Feb 06, 2004 at 12:25:29 PM EST

That is more or less how the system has worked since the giant DDoS's of 1999 and 2000, but the point of the article is it is BROKEN.

As someone who used to do network security at a Large Phone Company, I can tell you egress filtering would almost take the extra D out of DDoS.

Relying on the current system to 'fix' the problem by attempting to nab each and every DOSser is akin to calling the police every time you get a crank call (from a payphone!).

.
[ f o r k . s c h i z o i d . c o m ]
[ Parent ]

Of course it will. (none / 0) (#184)
by Zerotime on Sun Feb 08, 2004 at 01:12:03 AM EST

And when all of J. Random Scriptkiddie's friends get caught and handed large fines, they'll accept that they've done something wrong, and won't launch further DDOS attacks as revenge. Nope.

---
"You don't even have to drink it. You just rub it on your hips and it eats its way through to your liver."
[ Parent ]
Of course it won't. (none / 0) (#201)
by Foetus on Thu Feb 12, 2004 at 08:14:04 AM EST

If it was that easy, there would be no murderers anymore, since they all know they might get killed in return.

No, higher fines will hardly stop DDoS.

[ Parent ]

interesting (none / 3) (#178)
by dh003i on Sat Feb 07, 2004 at 03:19:58 PM EST

This can be looked at from a solely property rights standpoint. Let's say that I live next to you, and I throw a party every week. I invite a bunch of college kids from the sorority and it's a weekly ritual for them to smash beer bottles and throw them into your yard. I do nothing about this. Now, as the owner of the property on which this vandalism of my neighbor's yard is taking place, as someone who is allowing this and not throwing out those who do it, I arguably bear partial responsibility.

Social Security is a pyramid scam.

The analogy breaks down... (none / 2) (#181)
by bhtek on Sat Feb 07, 2004 at 08:19:19 PM EST

because the ISP didn't invite the script kiddies to use their network. They are like vandalising kids who jumped into your yard and threw beer cans into your neighbour's yard while you were not looking. Should you be punished for not having a stronger/higher fence?
Super Crazy Ninja Sh*t Coder
[ Parent ]
good point (none / 1) (#189)
by dh003i on Sun Feb 08, 2004 at 04:29:00 PM EST

I agree. Considering that, the ISPs should face no liability at all (unless the attack was perpetrated by their customers).

Social Security is a pyramid scam.
[ Parent ]

No the analogy is OK (none / 0) (#210)
by simul on Wed Apr 14, 2004 at 12:16:55 PM EST

Because you've left your house unlocked in a neighborhood that has problems (poor security). What's more, you've left a supply of food and beer bottles for whoever wants to use it.

A person is required to actively protect against the misuse of his assets. A gun owner cannot leave a loaded gun on his porch, for example.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Egress Filtering != RPF (none / 1) (#202)
by qtp on Thu Feb 12, 2004 at 02:16:51 PM EST

(but RPF does = Egress Filtering)

While I do agree with the crux of your letter, especially in that it is better that networks be well managed in order to prevent IP spoofing and DDOS attacks, you made a small error in equating RPF with Egress filtering.

RPF is Reverse Path Filtering, which is a method of egress filtering in which you eliminate packets which obviously do not belong on your network by checking the packet's route against what is known about the network's topology.  The simplest form of this is blocking all packets that claim to have originated from within your network that are arriving from outside your network (and vice-versa).  This is an effective method of eliminating many of the methods used to disguise the origin of malevolent packets, but it cannot be used in many cases.  In more complicated networks RPF is used to assure that packets are arriving on the same routes that packets going to the originating IP would follow, but that limits its usefulness a bit as well.

If your network is part of a larger shared network (such as the internet) and you have multiple gateways to that network, you are likely to be using the Border Gateway Protocol for at least a portion of your network (those areas that include your gateways and the routes in between).  In that case you may have routing tables that are changing dynamically in response to conditions outside your network, or you may have packets that are following different paths depending on the direction of flow (ingress at one gateway, return path through another).

That said, it should still be possible for the larger network providers you mention to implement RPF for the larger portion of their networks, as well as other forms of egress filtering (simply dropping all packets that claim to originate from outside your network before they leave your network), which you mention. I would hope that network admins would see this as a minimum measure to be taken in any case where it can be implemented but full RPF cannot.  Unfortunately the obedient drones are the ones who get the jobs these days, and managers do not often like measures that they do not fully understand (or did not request themselves) on "their" networks.

+++

Visit the National Security Archives today!
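The comment above describes three distinct checks: a plain edge filter at the customer/upstream boundary, strict reverse-path filtering (accept only if the route back to the source points at the arriving interface), and the asymmetric-routing case where strict RPF misfires. The following simulation, added here as an illustration and not code from the original thread or any vendor, runs all three against a constructed forwarding table. The prefixes (documentation and private space), interface names, packets, and the rule that a default route does not satisfy an RPF check are all assumptions of the example; real routers differ in the details.

```python
"""Constructed example: edge (BCP 38 style) filtering vs. strict and loose
reverse-path filtering, simulated against a toy forwarding table (FIB)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical ISP: two customer prefixes behind cust0/cust1 and two upstream
# links up0/up1.  All addresses are documentation (RFC 5737) or private space.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# (prefix, next-hop interface); longest prefix wins.  The /0 is the default.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"),    "cust0"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust1"),
    (ipaddress.ip_network("203.0.113.0/25"),  "up0"),   # peer best reached via up0
    (ipaddress.ip_network("0.0.0.0/0"),       "up1"),   # default route via up1
]

# Assumption: a match on the default route alone does not satisfy an RPF
# check (many routers behave this way unless explicitly told otherwise).
ALLOW_DEFAULT = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # interface the packet arrived on


def lookup(addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def _usable_route(addr):
    route = lookup(addr)
    if route is None:
        return None
    if route[0].prefixlen == 0 and not ALLOW_DEFAULT:
        return None
    return route


def edge_filter(pkt):
    """Boundary check needing no routing knowledge: traffic from customers must
    carry one of our source addresses; traffic from upstream must not."""
    src = ipaddress.ip_address(pkt.src)
    ours = any(src in n for n in OUR_PREFIXES)
    from_customer = pkt.in_iface.startswith("cust")
    if from_customer and not ours:
        return "drop: spoofed source leaving our network"
    if not from_customer and ours:
        return "drop: our own address arriving from outside"
    return "forward"


def strict_rpf(pkt):
    """Forward only if the best route back to the source uses the arriving
    interface.  Breaks on asymmetric paths (ingress via one gateway while the
    return route prefers another)."""
    route = _usable_route(pkt.src)
    if route is None or route[1] != pkt.in_iface:
        return "drop: strict uRPF"
    return "forward"


def loose_rpf(pkt):
    """Forward if any non-default route to the source exists; tolerates
    asymmetry but only catches unroutable sources."""
    return "forward" if _usable_route(pkt.src) else "drop: loose uRPF"


def classify(pkt):
    return {"edge": edge_filter(pkt),
            "strict": strict_rpf(pkt),
            "loose": loose_rpf(pkt)}


# Constructed sample traffic.
LEGIT_OUT = Packet("192.0.2.7", "203.0.113.9", "cust0")     # customer, real source
SPOOF_OUT = Packet("10.9.9.9", "203.0.113.9", "cust0")      # customer, forged source
SPOOF_IN = Packet("192.0.2.7", "198.51.100.3", "up1")       # our address from outside
ASYM_IN = Packet("203.0.113.5", "192.0.2.7", "up1")         # peer via unexpected link
SYM_IN = Packet("203.0.113.5", "192.0.2.7", "up0")          # peer via expected link

if __name__ == "__main__":
    for name, pkt in [("legit out", LEGIT_OUT), ("spoof out", SPOOF_OUT),
                      ("spoof in", SPOOF_IN), ("asym in", ASYM_IN),
                      ("sym in", SYM_IN)]:
        print(f"{name:10s} {classify(pkt)}")
```

The asymmetric case is the one the comment warns about: the peer's packet arrives on up1 while the FIB says 203.0.113.0/25 is reached via up0, so strict RPF drops legitimate traffic and only the edge filter and loose RPF let it through. That is why the edge filter, which needs no routing knowledge at all, is the minimum worth deploying everywhere, with strict RPF reserved for single-homed customer ports.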

Don't reply!!! (none / 2) (#203)
by A55M0NKEY on Fri Feb 13, 2004 at 11:42:28 AM EST

Don't reply. Messages purporting to be from the FBI, or from the IRS are known for being SPAM. If you reply to a message claiming to be from the FBI, then they will know the address they sent the message to is real, and will sell it to hordes of other SPAMMERS. They will sell your email address even if you reply saying you do not want to be on their mailing list. Ignore, and certainly do not reply to any snail mail purporting to be from any law enforcement, tax collecting, or any government agency such as the Department of Motor Vehicles. Any snail mail purporting to be from these sources is fraudulently LYING to you and is nothing but SPAM JUNK MAIL. Trash it and mourn the dead trees. Claiming to be from the government is the latest SPAM technique. Beware, and avoid their viruses and worms! Let me reiterate: Government correspondence = SPAM!

No need to worry (none / 0) (#209)
by simul on Wed Apr 14, 2004 at 12:13:50 PM EST

We're a large ISP and have worked with the FBI on a number of issues in the past. This was a well-known contact and we verified with phone calls to the local agency's main number.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
http://www.ddos-ca.org/ (none / 0) (#206)
by FatHed on Sun Feb 15, 2004 at 03:33:57 AM EST

That site has not been updated since some point in September of last year.

Which is good, I would hate to see a class action lawsuit go through. I'd rather see people actually file complaints with the BBB and other agencies. A class action lawsuit would result in the consumers paying for a lawsuit against monopolies that they work for and consume from.

Intelligence is a matter of opinion.
The FBI Called Again | 210 comments (202 topical, 8 editorial, 4 hidden)