Re: NANOG meeting subject of attack? Hmmmm....

[Joe Shaw <jshaw () insync net>]

On Wed, 9 Feb 2000, Travis Pugh wrote:

> On the subject of cooperation, has anyone set out to catalog where these
> attacks are coming from, at least in terms of compromised networks,  and
> share said information?  

As far as I know (thank you C-SPAN), the FBI has logs of the hosts used to
originate the traffic, and are now going through them to find the
"innocent third parties."  At this time, since it's part of a current
criminal investigation, this information will not be made available to
"the public," though they are saying this is going to be a joint venture
between the FBI and the Internet Community

> I know similar catalogs sprang up in response to
> smurfs ... is it time to start listing offending networks?  Even better,
> does anyone know if the attacks are using something like TFN2K and using
> dummy  addresses to obfuscate real attacking hosts?

Not sure, since it seems the discovered DDoS programs don't seem to have
the capability to forge the traffic, though it's not too terribly
difficult to modify existing exploits to do so.

> I see a lot of talk of attacked sites putting up router filters to
> stop attacks.  Can anyone who knows let the rest of us in on what was
> filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, 
> SYN floods, or what?  If this is a DDoS, the attack could probably be
> fingerprinted  ... this would be very useful information if we are going
> to see more tomorrow.  Do we know if the source addys are spoofed, and if
> an attacker could turn off spoofing, revealing the source of the traffic
> but getting around some filtering?

I have a feeling you're going to see many more in the next couple of days,
and certainly some periferal meltdown as an after effect.  While no
official details regarding the attacks have been announced that I've read,
there are a few advisories on some of the known DDoS attacks.  Dave
Dittrich has posted some excellent material on the DDoS's that have been
found and you can view them at his homepage located at
http://www.washington.edu/People/dad/.

He also has links to scanners (written by NFR President Marcus Ranum,
Dittrich, and others) that can help look for the known DDoS daemons on
servers.

> I am making the assumption that the last three days' attacks  were caused
> by the same person or persons.  But the intent is the same regardless
> ... we can all go back and forth on NANOG about what might be happening,
> and wait for the feds to chase down the attacker(s), or people who have
> been attacked or might be attacked can compare notes and try to get an
> idea of where the attacks are coming from and exactly what they are.

Well, to quote a Wired article, "A Yahoo source close to the problem told
Wired News that they hadn't contacted the Feds during their trouble
yesterday because it would do no good." 

> Any relevant info would be appreciated.  Nobody knows who is next.

Indeed...

--
Joseph W. Shaw - jshaw () insync net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."