homepage Welcome to WebmasterWorld Guest from 54.234.74.85
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Local / Foo
Forum Library, Charter, Moderators: incrediBILL & lawman

Foo Forum

    
DDOS attack on internet root server system
It happened!
heini




msg:294068
 9:54 am on Oct 23, 2002 (gmt 0)

Washington Post [washingtonpost.com]

"This was the largest and most complex DDOS attack ever against the root server system", happening 5:00 p.m. EDT on Monday

Too much speculation on the who and how, possible consequences etc. at this point.
Investigations have started.

 

creative craig




msg:294069
 10:01 am on Oct 23, 2002 (gmt 0)

[theregister.co.uk...]

mack




msg:294070
 10:22 am on Oct 23, 2002 (gmt 0)

sounds like a warning!

creative craig




msg:294071
 10:24 am on Oct 23, 2002 (gmt 0)

Its been in the pipeline for along time, ever since the cult of the dead cow group claimed that they could bring the Internet to its knees with a DDOS against all of the NAP's (Network Access Points) through out America.

lorax




msg:294072
 2:40 pm on Oct 23, 2002 (gmt 0)

Yikes!

What can you do?

Turn off your Inet workstation when you're not using it. If you leave an unprotected workstation up and running and connected, your machine can be used in one of these attacks. Shut it off when it's not in use. This is primarily an issue with Windows based machines though Linux and MAC aren't totally invulnerable either.

creative craig




msg:294073
 2:47 pm on Oct 23, 2002 (gmt 0)

It can be done with out your knowledge when you are sitting at your work station happily replying to another false google update thread :)

Windows is an easy target, but dont be fooled as all operating systems are targets if they are connected to the net!

Tapolyai




msg:294074
 2:49 pm on Oct 23, 2002 (gmt 0)

From the articel creative craig pointed to in The Register:

The attack is believed to have been an ICMP (Internet Control Message Protocol) ping flood,

Uhhh... Are the admins complete #@!$%@#$% @#$%! What the !@#$@#$ they !@#$@# thought when they set the @#$@#$ firewalls up?! For G-d's sake, the default setting of most decent firewalls is just to drop pings.

You know what?! They DESERVED it. I cannot STAND listening to "security experts" moaning and groaning about how these bad, bad, nasty hackers attack them. That they don't play nice and hurt their feelings... GET A LIFE! FIX YOUR FIREWALL RULES! Dorks.

Ok, off my soap box. I am having a bad day - client calls "network is completely down" - turns out his monitor was off.

creative craig




msg:294075
 2:54 pm on Oct 23, 2002 (gmt 0)

I think that the firewalls for root servers that look after the DNS side of things wouldnt be set to default. But hey you never know :)

bird




msg:294076
 3:20 pm on Oct 23, 2002 (gmt 0)

Dropping certain packets still requires CPU time just for detecting their type. Given enough volume, that alone may overload a firewall, and the routers in front of the firewall need to process those packets as well.

Tapolyai




msg:294077
 3:26 pm on Oct 23, 2002 (gmt 0)

I would hope they have more then one router for root servers which can also be set to drop ICMP, and that they are not using default settings on firewalls or routers. Obviously not since they messed it up... ;)

bird




msg:294078
 3:40 pm on Oct 23, 2002 (gmt 0)

Obviously not since they messed it up...

Tapolyai, did you actually read the article referenced at the top of this thread?

...Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected,...

Just because a DDOS attack happened and was reported to the press doesn't necessarily mean that the administrators of the attacked systems messed anything up.

creative craig




msg:294079
 3:46 pm on Oct 23, 2002 (gmt 0)

Wasnt the English ISP Cloud 9 attacked internaly, they were having a few problems with DDOS but were gettting on top of things, when their own web server joined the attack and killed off a few of their own systmes.

They went bust cause of it, as the cost of upgrading and repairing their network came to more than they were worth.

lorax




msg:294080
 4:47 pm on Oct 23, 2002 (gmt 0)

client calls "network is completely down" - turns out his monitor was off.

ROFL! So I'm not the only one this happens to!

transistor




msg:294081
 4:48 pm on Oct 23, 2002 (gmt 0)

I believe this is a never-ending story...
But how would you know if your server was part of the attack?

creative craig




msg:294082
 4:56 pm on Oct 23, 2002 (gmt 0)

It would be best to use characterisatoin software that would tell you if there were any differences in any systems or log files, do a search on everyones favorite and you will come up with some good results.

Have a look around the CERT web site for some good tips as well.

Craig

Tapolyai




msg:294083
 8:05 pm on Oct 23, 2002 (gmt 0)

bird, appreciate the reminder to read articles before discussing them. Surprisingly I did read the article, although didn't have to because I was impacted.

Here is an even better quote from Internetnews.com, (an other article I did not read :o :)):
Attacks orchestrated with this kind of complexity and power generally can't be executed by your run-of-the-mill "Script kid." It would take a lot of firepower, to amass the servers capable of that kind of bandwidth," said a freelance security consultant, who declined to be named.

[internetnews.com...]

Let me see... Write ICQ script, trigger ICQ client, or Hack KaZaa, Gator, etc. to ping instead of sending private info... Or, load VBX from web site , that does the same, or send e-mail with nice attachement, etc. ad infinitum....

This is the type of "experts" I am nuts about. It's like me trying to tell the rest of you how to do SEO! :) Just because they call themselves experts that does not make them one...

(Ehh, forget it. It's a loosing battle to actually value people's real abilities, it is much more important now what "appears to be" the value...)

lorax




msg:294084
 7:16 pm on Oct 24, 2002 (gmt 0)

A follow up article for 2002.10.23

[internetnews.com...]

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Local / Foo
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved