Security Incidents mailing list archives

Re: DDoSed


From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Wed, 26 Jul 2000 12:46:14 -0000

Hi all -

I'm a security consultant with Fry's Electronics, a major electronics chain on the west coast.  The DNS entry for our web site, www.frys.com, went up a few weeks ago, and we had our first attack tonight.  At about 4:00 PM, a flurry of what looks like ACK packets (still analyzing the sniffer logs) started hitting our web server.  I didn't realize that we had been attacked, due to a misconfiguration on the emergency notification system on our network flight recorder, until about 8:00 PM, at which time I was investigating reports of an internal host not being able to get outside to the Internet.  I was pretty shocked when I saw our core switch and CSU/DSU with solid tx/rx lights.

Our upstream provider, AGIS/Telia, said that they were experiencing widespread failure on most of their routers within their AS, and I'm still not sure whether that problem is related to our attack.

The source addresses didn't appear to be spoofed, and were all within the same 4 subnets in the 64.0.0.0 network.  It appears that the attacker scanned for vulnerable hosts within those four subnets, and then used those as a launch platform for the attack against us.  The strange thing is that the packets were all the same, and the destination port sequence was the same (five sequential ports starting from a random base port, then again from another random base port) be coordinated, but the source hosts were different platforms (NT and UNIX).  There was also some weak evidence that the attacks were coordinated.  I've already contacted all the other ISPs and had them call the same FBI office so we're all dealing with the same FBI agent.

Does anyone know of a cross-platform DDoS tool that would give results like this?

Things I learned:

The FBI regional field office in our area may not be the office that the Computer Crimes unit is in.  Get their number for your emergency procedures binder.

Make sure that you have at least one host on each of your networks that is accessible without the LAN interface up, such as with a modem.  If you can, wire it up so that it can page you through that modem.  That's the mistake I made when configuring our network management workstation.

Ethereal can import a 150MB sniffer dump a lot faster on an Ultra/5 than on a PIII/600.  I'm buying a dedicated traffic analysis workstation.

It will probably help a lot if your provider has a DDoS policy and will automatically filter out suspicious levels of traffic from a single host (or a group of hosts).  It still doesn't protect you against spoofed addresses, but it would have saved us in this case.

I think that posting to the Incidents mailing list and your local sysadmin user group's mailing list should be a part of your post break-in procedures.  I'm sure other people are getting nailed by the same people that hit us, and I don't see any trace of it on Incidents, LISA, or any other mailing lists I subscribe to.  I really wish I knew other people made an effort to make these things known so I don't have to think we're the only people getting hit.

 - Jason

PS: I'm going to milk all the educational value out of this attack as I can; I'm owed that much for dealing with this mess.  Look forward to my analysis of the sniffer logs.  Our web site isn't even up yet, and we get attacked :P  They told me when I took this assignment that people have issues with Fry's return policy, but I had no idea how hard they took it :)

Well, I will only comment on the spoofed part because I didn't read the FBI part and the rest. Common DDoS tools such as stacheldraht always spoof their source IPs, but IF the client is running on a Solaris/Sun machine, it will only spoof the class C IPs. For example, if the stacheldraht client is running on Solaris on 64.1.1.X it will only spoof source IPs like: 64.1.1.1-255. On Linux it spoofs all IPs, then you could get like: 1.1.1.1 or 32.2.2.2.

/ Fredrik. 
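The two observations in this thread, Jason's (packets all alike, five sequential destination ports from a random base, sources clustered in a few 64.0.0.0 subnets) and Fredrik's (a tool that spoofs only within the sender's class C on Solaris, so sources that sit in one /24 may still be spoofed), can both be checked mechanically against a capture. The script below is an added example written for this archive page, not code from either poster or from any tool they name. It parses constructed packet-summary lines in a made-up tshark-like text layout (the `SAMPLE` records and the 192.0.2.80 / 64.x.x.x / 198.51.100.9 addresses are invented for the example), groups sources by /24, counts runs of sequential destination ports per source, and lists the distinct flag/length shapes seen; the assumed line format and the `triage` helper names are the example's own.

```python
"""Triage of an ACK-flood capture (added example, constructed input).

Line format assumed here (not a real tool's output):
  <time> <src>:<sport> > <dst>:<dport> <flags> len=<bytes>
"""
import re
from collections import defaultdict
from ipaddress import ip_network

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[A-Z.]+)\s+len=(?P<len>\d+)$"
)


def parse(lines):
    """Turn capture lines into dicts; lines that do not match the format are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({"ts": float(d["ts"]), "src": d["src"], "dst": d["dst"],
                     "dport": int(d["dport"]), "flags": d["flags"], "len": int(d["len"])})
    return pkts


def sources_by_subnet(pkts, prefix=24):
    """Map each covering /prefix to the distinct source hosts seen in it.

    Few subnets with many hosts each fits Jason's picture of compromised launch
    hosts; per Fredrik's remark, a tool spoofing within its own class C would
    look the same, so this clustering alone does not prove the sources are real.
    """
    nets = defaultdict(set)
    for p in pkts:
        nets[str(ip_network(f"{p['src']}/{prefix}", strict=False))].add(p["src"])
    return dict(nets)


def sequential_port_runs(pkts, run_len=5):
    """Per source, count runs of run_len consecutive destination ports in arrival order."""
    per_src = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p["ts"]):
        per_src[p["src"]].append(p["dport"])
    runs = {}
    for src, ports in per_src.items():
        count, i = 0, 0
        while i + run_len <= len(ports):
            window = ports[i:i + run_len]
            if all(window[j + 1] == window[j] + 1 for j in range(run_len - 1)):
                count += 1
                i += run_len          # a complete run; look for the next base port
            else:
                i += 1
        runs[src] = count
    return runs


def uniformity(pkts):
    """Distinct (flags, length) shapes; a flood generator tends to produce very few."""
    return sorted({(p["flags"], p["len"]) for p in pkts})


def triage(lines):
    """Run all three checks and return one summary dict."""
    pkts = parse(lines)
    return {"packets": len(pkts), "subnets": sources_by_subnet(pkts),
            "port_runs": sequential_port_runs(pkts), "shapes": uniformity(pkts)}


# Constructed sample: two hosts in one /24 plus one in another, each walking
# five sequential ports from a base, one unrelated SYN, and one junk line.
SAMPLE = """
0.001 64.1.1.10:1025 > 192.0.2.80:30120 A len=40
0.002 64.1.1.10:1025 > 192.0.2.80:30121 A len=40
0.003 64.1.1.10:1025 > 192.0.2.80:30122 A len=40
0.004 64.1.1.10:1025 > 192.0.2.80:30123 A len=40
0.005 64.1.1.10:1025 > 192.0.2.80:30124 A len=40
0.006 64.1.1.10:1025 > 192.0.2.80:4410 A len=40
0.007 64.1.1.10:1025 > 192.0.2.80:4411 A len=40
0.008 64.1.1.10:1025 > 192.0.2.80:4412 A len=40
0.009 64.1.1.10:1025 > 192.0.2.80:4413 A len=40
0.010 64.1.1.10:1025 > 192.0.2.80:4414 A len=40
0.011 64.1.1.200:1025 > 192.0.2.80:5000 A len=40
0.012 64.1.1.200:1025 > 192.0.2.80:5001 A len=40
0.013 64.1.1.200:1025 > 192.0.2.80:5002 A len=40
0.014 64.1.1.200:1025 > 192.0.2.80:5003 A len=40
0.015 64.1.1.200:1025 > 192.0.2.80:5004 A len=40
0.016 64.2.5.7:1025 > 192.0.2.80:17000 A len=40
0.017 64.2.5.7:1025 > 192.0.2.80:17001 A len=40
0.018 64.2.5.7:1025 > 192.0.2.80:17002 A len=40
0.019 198.51.100.9:52100 > 192.0.2.80:80 S len=60
this line is not a packet record
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample, 64.1.1.10 shows two complete five-port runs and 64.1.1.200 one, while 64.2.5.7 (only three ports) shows none; the sources collapse into three /24s and the flood packets share a single (ACK, 40-byte) shape against one unrelated SYN. Against a real capture, feed it the equivalent one-line-per-packet export from your analyzer, then use the subnet list as the contact list for the owning ISPs and the port-run counts to separate launch hosts from background noise.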

