Security Incidents mailing list archives

DDoSed


From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Wed, 19 Jul 2000 01:26:44 -0700


Hi all -

I'm a security consultant with Fry's Electronics, a major electronics chain on
the west coast.  The DNS entry for our web site, www.frys.com, went up a few
weeks ago, and we had our first attack tonight.  At about 4:00 PM, a flurry of
what looks like ACK packets (still analyzing the sniffer logs) started hitting
our web server.  I didn't realize that we had been attacked, due to a
misconfiguration on the emergency notification system on our network flight
recorder, until about 8:00 PM, at which time I was investigating reports of an
internal host not being able to get outside to the Internet.  I was pretty
shocked when I saw our core switch and CSU/DSU with solid tx/rx lights.

Our upstream provider, AGIS/Telia, said that they were experiencing widespread
failure on most of their routers within their AS, and I'm still not sure
whether that problem is related to our attack.

The source addresses didn't appear to be spoofed, and were all within the same
4 subnets in the 64.0.0.0 network.  It appears that the attacker scanned for
vulnerable hosts within those four subnets, and then used those as a launch
platform for the attack against us.  The strange thing is that the packets
were all the same, and the destination port sequence was the same (five
sequential ports starting from a random base port, then again from another
random base port), which seemed to be coordinated, but the source hosts were
different platforms (NT and UNIX).  There was also some weak evidence that the attacks
were coordinated.  I've already contacted all the other ISPs and had them call
the same FBI office so we're all dealing with the same FBI agent.

Does anyone know of a cross-platform DDoS tool that would give results like
this?

Things I learned:

The FBI regional field office in our area may not be the office that the
Computer Crimes unit is in.  Get their number for your emergency procedures
binder.

Make sure that you have at least one host on each of your networks that is
accessible without the LAN interface up, such as with a modem.  If you can,
wire it up so that it can page you through that modem.  That's the mistake I
made when configuring our network management workstation.

Ethereal can import a 150MB sniffer dump a lot faster on an Ultra/5 than on a
PIII/600.  I'm buying a dedicated traffic analysis workstation.

It will probably help a lot if your provider has a DDoS policy and will
automatically filter out suspicious levels of traffic from a single host (or a
group of hosts).  It still doesn't protect you against spoofed addresses, but
it would have saved us in this case.

I think that posting to the Incidents mailing list and your local sysadmin
user group's mailing list should be a part of your post break-in procedures.
I'm sure other people are getting nailed by the same people that hit us, and I
don't see any trace of it on Incidents, LISA, or any other mailing lists I
subscribe to.  I really wish I knew other people made an effort to make these
things known so I don't have to think we're the only people getting hit.

 - Jason

PS: I'm going to milk all the educational value out of this attack as I can;
I'm owed that much for dealing with this mess.  Look forward to my analysis of
the sniffer logs.  Our web site isn't even up yet, and we get attacked :P
They told me when I took this assignment that people have issues with Fry's
return policy, but I had no idea how hard they took it :)
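An added example, not part of the original post or of any tool Jason mentions: a small Python script that looks for the traffic pattern he describes in sniffer-style summary lines, that is, bare ACK packets with no preceding handshake, arriving from a handful of source subnets, with each source walking runs of five sequential destination ports from a random base. The line format, the target host 10.0.0.5, the source addresses in 64.0.0.0/8 and the port numbers are all constructed for the example and are not taken from the post; the thresholds RUN_LEN and MIN_BARE_ACKS are assumptions.

```python
"""Added example, not part of the original post: flag the traffic pattern the
post describes (bare ACK packets, no handshake, from a few source subnets, each
source walking runs of five sequential destination ports) in sniffer-style
summary lines. All sample traffic below is constructed; the hosts and ports
are made up."""
from collections import defaultdict
import ipaddress
import re

# Assumed line format: "<time> <src>:<sport> > <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<flags>\S+)$"
)
RUN_LEN = 5        # post: five sequential ports from a random base
MIN_BARE_ACKS = 5  # assumed threshold; below this a source is just noise


def build_sample():
    """Constructed sniffer lines: three hosts in 64.0.0.0/8 sending bare ACKs in
    five-port runs, plus one legitimate client that completes a handshake."""
    lines = []
    t = 0

    def emit(src, dport, flags):
        nonlocal t
        t += 1
        lines.append(f"16:00:00.{t:03d} {src}:1025 > 10.0.0.5:{dport} {flags}")

    for src, bases in [("64.1.2.10", [3310, 8800]), ("64.1.3.22", [5000]),
                       ("64.1.2.77", [120])]:
        for base in bases:
            for p in range(base, base + RUN_LEN):
                emit(src, p, "A")
    emit("198.51.100.7", 80, "S")       # real client: SYN first ...
    for _ in range(6):
        emit("198.51.100.7", 80, "A")   # ... then ACKs inside a real session
    return lines


def parse(lines):
    """Yield (src, dport, flags) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["dport"]), m["flags"]


def sequential_runs(ports, run_len=RUN_LEN):
    """Return (base, length) for each maximal run of consecutive ports in the
    order they were seen, keeping only runs of at least run_len ports."""
    runs, start, prev = [], None, None
    for p in ports:
        if prev is not None and p == prev + 1:
            prev = p
            continue
        if start is not None and prev - start + 1 >= run_len:
            runs.append((start, prev - start + 1))
        start = prev = p
    if start is not None and prev - start + 1 >= run_len:
        runs.append((start, prev - start + 1))
    return runs


def analyze(lines):
    """Return (suspects, subnets): suspects maps a source to its evidence,
    subnets groups the suspect sources by /24 so concentration is visible."""
    acks = defaultdict(list)   # src -> dst ports of ACK-only packets
    handshakes = set()         # sources that sent a SYN, i.e. real clients
    for src, dport, flags in parse(lines):
        if "S" in flags:
            handshakes.add(src)
        elif flags == "A":
            acks[src].append(dport)
    suspects = {}
    for src, ports in acks.items():
        if src in handshakes or len(ports) < MIN_BARE_ACKS:
            continue
        suspects[src] = {"bare_acks": len(ports),
                         "port_runs": sequential_runs(ports)}
    subnets = defaultdict(list)
    for src in sorted(suspects):
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        subnets[str(net)].append(src)
    return suspects, dict(subnets)


if __name__ == "__main__":
    suspects, subnets = analyze(build_sample())
    for src, ev in suspects.items():
        print(src, ev)
    for net, hosts in subnets.items():
        print(net, "->", hosts)
```

The per-source port runs and the /24 grouping are the two pieces of evidence the post relies on (identical port walk across hosts, sources clustered in a few subnets), so they are what the report carries; the handshake check is what keeps a busy legitimate client, which also sends many ACKs, out of the suspect list.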

