The Cellar  

Old 05-31-2001, 10:29 PM   #1
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
This page is a very long, comprehensive, often breathtaking account of a Denial of Service attack. It's written by a very smart admin who would not accept that a 13-year-old could take down his entire network at will. Call it a must-read:

http://grc.com/dos/grcdos.htm
Undertoad is offline   Reply With Quote
Old 06-01-2001, 03:21 AM   #2
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
Off slashdot?
Yes, 'tis a good one. As one of the comments on the Slashdot article said, if only there was some kind of financial incentive for ISPs to lok its possible compromised systems, particularly with cable internet, it's easy for someone to put together a sizeable amount of directable bandwidth.
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 08:28 AM   #3
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
I didn't remember them covering this one! But it's a natural for Slashdot.
Undertoad is offline   Reply With Quote
Old 06-01-2001, 08:32 AM   #4
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
http://slashdot.org/article.pl?sid=0...02&mode=thread

Posted by michael on Thursday May 31, @11:31PM

So yea =)
I assumed u got it from there =)
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 08:47 AM   #5
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Huh. Actually, I did just skim past it there, but picked it up on another weblog which probably got it from there.
Undertoad is offline   Reply With Quote
Old 06-01-2001, 08:53 AM   #6
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
Ah k , cool
this is like a real-time conversation lol...
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 08:56 AM   #7
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
Just out of curiosity, considering the bandwidth at your disposal (god I wish I had T1, not 56k) what kind of security stuff do you use? Do you run Windoze, Linux, XBSD?

__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 09:11 AM   #8
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
I have a few Linux boxes and a few Windows boxes. The Linux boxes are all patched with the latest stuff and only run the services that are needed. The Windows boxes are all running ZoneAlarm except one.

I was broken into once. Somebody rooted a server on the ISP's network where I live and installed a packet sniffer that basically watched the entire network for passwords. At that point they were able to root just about everyone.

Since then the ISP has tightened considerably. One time last year an employee of mine ran a portsniffer on our boxes just to see what we could find. But he screwed up and the sniffer sniffed addresses in other people's subnets. The next day I got a call from the ISP saying cut it out!

But we could be tracked, because we weren't spoofing our addresses. The scariest point in the article is that, if WinXP goes out in its current state, all these kiddies will be able to spoof to their hearts' content, hiding their own addresses and becoming untraceable.
Undertoad is offline   Reply With Quote
Old 06-01-2001, 09:15 AM   #9
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Oh and by the way

None of the systems I have is anywhere near state of the art. That's one great thing about Linux; the P3-500 is more than enough to satisfy all the hits the Cellar can generate, and in fact I even have a P-200 that still puts in service duty. Even 486s would more than handle the load of most websites!

Undertoad is offline   Reply With Quote
Old 06-01-2001, 09:17 AM   #10
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
OH yea i know.....scary stuff...
A guy I know hacked an e-commerce company that will remain nameless while sitting on their front lawn lol. Couldn't find him coz he fucked up the packets so bad, this stuff scares me...u run tripwire under linux?
I use ZoneAlarm under windoze and tripwire/latest patches under Linux. I've gotta learn FreeBSD one of these days......In between, social, school, homework, gaming, cellar posting....
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 09:19 AM   #11
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
*laughz yes true, I was surprised to find slashdot runs off 8 machines, sure they are beefy but....
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 09:42 AM   #12
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Actually I do run tripwire - and I started the day after I found that break-in (which happened about two years ago). It's a pain in the butt, but it makes me feel much better.

One other thing I do is to run top and other utilities that the simpler crackers can't reliably modify. The cracker that got me had a "root kit" that modified ps (which shows active processes), ls (file directories), and a few others. He left his root kit around for me to find and dissect. It was quite an education.
Undertoad is offline   Reply With Quote
Old 06-01-2001, 09:36 PM   #13
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
Hmm interesting...while I haven't had any personal experience of cracking under linux I spose that's the kind of places you'd put it, basic apps, particularly PS now I think of it.
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
jaguar is offline   Reply With Quote
Old 06-01-2001, 10:01 PM   #14
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Well, the reason they modify ps is so that the daemons they start won't be found through the usual methods. They also modify who and w for similar reasons. Most of the crackers I've found are looking to run irc bots of some sort. They want to start the daemon and leave and not be noticed for a while.
Undertoad is offline   Reply With Quote
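Added example (not part of any post in this thread): the cross-check described in posts #12 and #14, comparing what a possibly modified ps reports against the kernel's own process list in /proc. The function names and sample PIDs are constructed for illustration; it assumes Linux with a procps-style `ps`.

```python
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel lists as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output: one right-aligned PID per line."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def hidden_from_ps(proc_pids, ps_pids, still_alive=None):
    """Return PIDs present in /proc but absent from ps, sorted.

    Processes that exit between the two listings look hidden, so when a
    still_alive(pid) callback is given, only PIDs it confirms are kept.
    """
    suspects = set(proc_pids) - set(ps_pids)
    if still_alive is not None:
        suspects = {pid for pid in suspects if still_alive(pid)}
    return sorted(suspects)


def scan_live():
    """Run the comparison on this host (Linux only)."""
    before = pids_from_proc()
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    after = pids_from_proc()
    # Only PIDs seen both before and after ps ran are compared, which
    # filters out processes that started or exited during the scan.
    return hidden_from_ps(before & after, pids_from_ps_output(out),
                          still_alive=lambda pid: os.path.isdir(f"/proc/{pid}"))


# Constructed sample: PID 1337 exists in /proc but ps does not list it.
SAMPLE_PROC = {1, 412, 655, 1337, 2001}
SAMPLE_PS = "    1\n  412\n  655\n 2001\n"

if __name__ == "__main__":
    print("sample:", hidden_from_ps(SAMPLE_PROC, pids_from_ps_output(SAMPLE_PS)))
    print("live:  ", scan_live())
```

This only catches replaced userland binaries of the kind described in the posts; a rootkit that hides processes inside the kernel also hides them from /proc.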
Old 06-05-2001, 10:00 AM   #15
russotto
Professor
 
Join Date: Jan 2001
Posts: 1,788
Quote:
Originally posted by jaguar
OH yea i know.....scary stuff...
A guy I know hacked an e-commerce company that will remain nameless while sitting on their front lawn lol.
Insecure wireless?
russotto is offline   Reply With Quote
All times are GMT -5.