[theregister.co.uk...]

sounds like a warning!

Its been in the pipeline for along time, ever since the cult of the dead cow group claimed that they could bring the Internet to its knees with a DDOS against all of the NAP's (Network Access Points) through out America.

Yikes!

What can you do?

Turn off your Inet workstation when you're not using it. If you leave an unprotected workstation up and running and connected, your machine can be used in one of these attacks. Shut it off when it's not in use. This is primarily an issue with Windows based machines though Linux and MAC aren't totally invulnerable either.

It can be done with out your knowledge when you are sitting at your work station happily replying to another false google update thread :)

Windows is an easy target, but dont be fooled as all operating systems are targets if they are connected to the net!

From the articel creative craig pointed to in The Register:

The attack is believed to have been an ICMP (Internet Control Message Protocol) ping flood,

Uhhh... Are the admins complete #@!$%@#$% @#$%! What the !@#$@#$ they !@#$@# thought when they set the @#$@#$ firewalls up?! For G-d's sake, the default setting of most decent firewalls is just to drop pings.

You know what?! They DESERVED it. I cannot STAND listening to "security experts" moaning and groaning about how these bad, bad, nasty hackers attack them. That they don't play nice and hurt their feelings... GET A LIFE! FIX YOUR FIREWALL RULES! Dorks.

Ok, off my soap box. I am having a bad day - client calls "network is completely down" - turns out his monitor was off.

I think that the firewalls for root servers that look after the DNS side of things wouldnt be set to default. But hey you never know :)

Dropping certain packets still requires CPU time just for detecting their type. Given enough volume, that alone may overload a firewall, and the routers in front of the firewall need to process those packets as well.

I would hope they have more then one router for root servers which can also be set to drop ICMP, and that they are not using default settings on firewalls or routers. Obviously not since they messed it up... ;)

Obviously not since they messed it up...

Tapolyai, did you actually read the article referenced at the top of this thread?

...Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected,...

Just because a DDOS attack happened and was reported to the press doesn't necessarily mean that the administrators of the attacked systems messed anything up.

Wasnt the English ISP Cloud 9 attacked internaly, they were having a few problems with DDOS but were gettting on top of things, when their own web server joined the attack and killed off a few of their own systmes.

They went bust cause of it, as the cost of upgrading and repairing their network came to more than they were worth.

client calls "network is completely down" - turns out his monitor was off.

ROFL! So I'm not the only one this happens to!

I believe this is a never-ending story...
But how would you know if your server was part of the attack?

It would be best to use characterisatoin software that would tell you if there were any differences in any systems or log files, do a search on everyones favorite and you will come up with some good results.

Have a look around the CERT web site for some good tips as well.

Craig

bird, appreciate the reminder to read articles before discussing them. Surprisingly I did read the article, although didn't have to because I was impacted.

Here is an even better quote from Internetnews.com, (an other article I did not read :o :)):

Attacks orchestrated with this kind of complexity and power generally can't be executed by your run-of-the-mill "Script kid." It would take a lot of firepower, to amass the servers capable of that kind of bandwidth," said a freelance security consultant, who declined to be named.

[internetnews.com...]

Let me see... Write ICQ script, trigger ICQ client, or Hack KaZaa, Gator, etc. to ping instead of sending private info... Or, load VBX from web site , that does the same, or send e-mail with nice attachement, etc. ad infinitum....

This is the type of "experts" I am nuts about. It's like me trying to tell the rest of you how to do SEO! :) Just because they call themselves experts that does not make them one...

(Ehh, forget it. It's a loosing battle to actually value people's real abilities, it is much more important now what "appears to be" the value...

A follow up article for 2002.10.23

[internetnews.com...]