Forgot your password?
typodupeerror
The Internet

Security Expert Dave Dittrich on DDoS Attacks 139

Posted by Roblimo
from the straight-from-the-source dept.
We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!

Dave:

First off, I'd like to thank Slashdot for giving me an opportunity to spew my opinions. Since Slashdot readers look for "stuff that matters," I'll #include [std/disclaimer.h] and say that this is me talking, not my employer, and I'll be honest about what I think the issues are (and hopefully not ramble too much).

Is a network proof against DDoS possible?
by Paul Crowley

Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?

Dave:

There are flaws in anything created by humans. Sure, the TCP/IP protocols we are using today have some weaknesses, but they also work amazingly well, don't you think? And all things created by humans are improved over time as new ideas are developed and known problems are identified and solved. Its just a matter of how quickly these improvements can be implemented, and as we've seen with GOSIP, IPv6, etc. change can come very slowly. (A good book on this topic if you are interested is "Diffusion of Innovations", by Everett M. Rogers, The Free Press, ISBN 0-02-926650-5.)

Denial of service attacks are one of the easiest forms of attacking systems and networks; resources can easily be exhausted, programming flaws in network stacks and devices can be exploited to cause failures, covert channels can be created allowing hidden and practically unstoppable communication and control. In other words, there is no single "this problem" to be solved here, but rather a hole bunch of little "these problems".

In fact, the current DDoS tools implement UDP large packet floods, TCP SYN (session setup resource exhaustion) floods, ICMP "echo" floods and "Smurf" (directed broadcast ICMP "echo reply") floods, and other DoS techniques could easily be added (and many other exploits exist).

Yes, there are some proposed fixes that can address some of these problems. I'll get to them in a minute.

Other methods?
by Dr Caleb

There seems to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.

Would changing to IPv6 help eliminate these type of attacks? >From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

Dave:

I don't claim to be enough of an expert on IPv6 yet to say which of the current set of DoS attacks are eliminated by its features (better to ask the real experts like Steve Bellovin). Perhaps IPv6's Quality of Service features, IPSec authentication features, etc., *may* provide a means of defeating some packet flood attacks by rate limiting flows, allowing quicker discarding of "invalid" packets, etc., but I'm not sure if it will entirely eliminate DoS attacks.

There are other new proposals that have recently been put forward for consideration, such as Bob Moskowitz' "Host Identity Protocol" (which addresses some problems in TCP session establishment and identification of "valid" packets) and a proposed method of tracing packet flows (independent on ISP involvement) that uses a probabilistic packet marking technique developed (coincidentally) by researchers at the University of Washington. Documents describing both of these are available at:

http://staff.washington.edu/dittrich/misc/ddos/

Since IPv6 is *still* not widely implemented, and these other proposals are likely years from implementation as well, it is probably best to focus now on the fundamental issue in large scale DDoS attacks, and that is we need to put a MAJOR emphasis on minimizing the population of systems that can be trivially root compromised. (I didn't say it would be an *easy* solution, but it is one thing that can be started immediately.)

Stop Spoofing At The Backbone?
by Effugas

How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.

Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?

Dave:

Eliminating IP source address spoofing would eliminate attacks such as forged DNS query attacks and the MacOS 9 TCP/IP stack bug (both packet size/number amplification flood attacks), and would definitely make it easier to trace packets back to their source networks, greatly simplifying and speeding up the (still major) task of stopping the agents from sending out packets and doing forensic investigation. Add to that the elimination of incoming directed broadcast packets and you also get rid of "Smurf" amplification attacks.

Not only do I think this should be done at a site's border routers, but also on all routers within the network. Programs like stacheldraht attempt to determine if they can successfully send packets with forged source addresses, and both it and TFN2K have code to randomize packets on a per octet basis (not exactly CIDR compatible, but still pretty clever and effective.) This means that if you have a /16 network with several hundred subnets, the agents could forge the final two octets, looking like they are coming from hosts on all of a site's subnets at once. Depending on your network infrastructure and political organization and authority, this can either force you to have to sniff on *each* subnet, or do your own router-by-router debugging of packet flows to locate the actual host(s) sending the packets (links to various documents on packet tracing are found on the page I referenced above.) If no host can forge source addresses beyond its own subnet, the task is greatly simplified (and you only need to put filters on one router to stop the flow from one agent host.)

Practices like those described in RFC 2267 should, in my opinion, be a standard requirement under any network peering agreement and AUP, but what motivation do ISPs and NAPs have to enforce them? Its not common for a company to say to a customer, "Hey, I don't want to take your money!" It tends to be a matter of waiting for an attack to happen for upper management to start asking the techies how to react, but by then the damage is already done. More emphasis on prevention and preparation for possible attacks seems to me to be more prudent (some ways of mitigating DDoS attacks are also listed on the page referenced above). If it costs more, so be it. That is the price of betting our economy on the Internet as its fundamental infrastructure.

The bad news here is that this tactic of filtering does nothing to deal with bandwidth (or other resource, like half-open socket) consumption attacks -- e.g., large packet UDP or ICMP floods, or SYN floods to random ports -- so again we've only solved a subset of the problems (forged addresses and directed broadcast), not to mention this solution doesn't help at all with the initial compromises and installation of agents.

Firewalls for Dummies?
by hiendohar

With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?

Dave:

I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.

This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)

Not only that, but most broadband ISPs have user bases far larger than they have staffing to support, so even trying to contact them, find your way through the tier1/tier2/first line manager/Nth line manager hierarchy, and actually identify the owner of a compromised cable modem or DSL served system can take days. These customer's systems make excellent bases for scanning/attacking other sites, running eggdrop bots, or "bouncing" connections to make it harder to trace attack activity, and the intruders know this.

As for education, I am not quite sure what can be done there. Mandatory "driver's license" style tests before getting a DSL account? Forget it. "Tickets" handed out by the Net Police for allowing your system to be compromised and used to attack other sites? Not likely, and I don't think anyone wants that. Law suits by victims of attacks against the owners of compromised systems? That is already starting to happen, but do we really want people to learn as a result of law suits, to throw lawyers at the problem, diverting badly needed system admin funds to pay $200 an hour to the suits?

There probably will need to be some monetary incentive to securing systems (because people pay attention to money.) The federal government is passing laws about privacy of personal, medical, and credit information (and these can't be private if the systems that house them are not secure), and insurance companies will likely start charging higher rates for systems that are not managed well and become involved in security incidents with high dollar damages (but PLEASE, first raise the rates on anyone who drives a car while talking on a cell phone!)

Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.

"Personal firewall" software is also becoming popular, but I've wasted many an hour explaining to someone reporting an "attack" that what his program was reporting was either a false positive, or was mis-categorized, and not at all what they thought. Feature filled packet filtering programs allow users to shoot themselves in the foot and break TCP/IP applications, while overly simplified programs leave gaping holes or users turn off too much and only think they have security. A lot more work and education is needed in this area.

A fruitless exercise?
by john@iastate.edu

Isn't the intersection of the sets:

  • Clueless enough to allow massive DoS out of their network.
  • Yet likely to install this detector.
pretty darn small?

Dave:

Yes. Next question?

Seriously, the detection of agents/handlers on a system, and on the network, let alone doing forensic data gathering to assist in stopping a distributed attack and identifying the attacker, is not easy. There are too many ways for an intruder to disable logging and accounting, conceal programs and files using "root kits" and loadable kernel modules, and change the defaults for commands and packet contents that will defeat the file system and network scanners that have been developed to deal with these DDoS programs, and the learning curve is steep to counter the intruders' anti-detection measures.

This is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.

The fundamental requirement for securing (or breaking into) any system is knowing how the system works, how to take it apart and how to put it back together again. These DDoS attacks over the past six months have been made more costly to respond to because of things like "root kits", which exceed the average admins ability to get around. For more on why, see:

http://staff.washington.edu/dittrich/misc/faqs/roo tkits.faq

I think a big reason that Universities, K-12s, small businesses and non-profits, and home users with cable modem and DSL lines have their systems regularly compromised is because these systems are often deemed a necessity for research or business, but the only money that goes into them is the money it took to buy the hardware in the first place. They very often do not have tape drives, software upgrade licenses and regular patch application, sufficient manuals or books on system administration, and the person administering the system is usually the first person who can spell "U-N-I-X" and has a "real" job doing research, programming, or Web page design.

People need to start thinking about today's top of the line computers on gigabit networks as the equivalent of a BMW, a Range Rover, or an Audi A series. You would be an idiot to only put gas into it and never take it in for regular maintenance, instead trying to do the work yourself in the garage, and to leave a spare set of keys in plain view on the dashboard. No, you take your car in regularly to a trusted and trained mechanic (and pay $50 an hour for their skills), change the oil and rotate the tires regularly, and do your best to keep it from being stolen (including buying those annoying car alarms that nobody pays attention to when they go off.) But that is basically what too many people do with computers; don't take care of them, don't hire skilled people to regularly maintain them, don't adequately monitor them, and don't really care if someone else hijacks them.

I regularly hear people say, "I don't care about securing my system. I don't have anything important on it. What could they steal?" Well, there are gigabytes of disc space these days, REALLY fast CPUs that can spit out lots of packets, and high-speed network connections. It is when tens or hundreds of thousands of people think and act this same way that someone else suffers. This attitude HAS to change and people HAVE to learn about the risks and ways to address them.

Should security research be done in obscurity?
by crush

It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?

Dave:

Yes, I think the open research model is justified. There is a passage in the Bible (John 8:32, and on a plaque in CIA HQ), "And ye shall know the truth, and the truth shall set ye free." But that only works when everyone knows the truth (and uses that information wisely in their design and purchasing decisions). Until that balance is reached, those who wish to abuse this knowledge win out over those who have not yet attained it. It's that simple (and that hard - ooh, how Zen like.)

As you point out, there is a large percentage of system admins that don't have the same knowledge as those who break into their systems. If that percentage (of a very large, and growing number of powerful computers on fast networks) isn't reduced, the total number of systems that can be compromised and controlled by an attacker grows to the point where its now possible to build attack networks of two or three THOUSAND computers.

What I think needs to happen is to follow the advice of someone (I forget the source) who said, "There should be a hacker on every board of directors," and I would add on every development team. I don't think it helps to ignore weaknesses, or keep them quiet, because they will eventually cause problems. And it is not enough to identify the weaknesses if nobody learns from the mistakes of the past and actively tries to avoid them in the future. One reason that these changes occur so slowly, in my opinion, is that the people who really know the technical details of security are too far removed from the real decision makers, and the layers of managerial filtering inbetween often filter out the security voices in favor of the "lets please the masses" voices.

Engineers are not taught simply how to construct buildings, they are taught how to know when they will fail so they don't come crashing down and kill everyone. There are standards and codes that say how buildings should be constructed, and we (for the most part) don't have much trouble with buildings killing us in the U.S. But software and operating systems are designed for ease of installation and use by the largest number of (untrained) people possible and practically nobody complains. Where is this same sense of "we must build it so it doesn't break?"

I hear an ad for a new online bank and think, "Great. Now all my bank Web based business communication site and think, "Great. Now the people discussing business plans will have their discussions at risk." I hear a news story about a company that facilitates designing buildings online and think, "Great. Now the plans to unknown office buildings are at risk." I can just picture the CEOs and the stock analysts drooling at how cool and efficient these new web tools are, and how much money the company that produced them is going to make, but unless they are designed with security in mind from the start, they should all be considered very risky to use.

Somebody in a position of decision making authority for any e-business needs to understand these weaknesses that are discovered and publicized, and to make sure these weaknesses are acknowledged and addressed in ALL computer based system and application designs.

Recognizing DoS
by angst_ridden_hipster

I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.

The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30 p.m. in Los Angeles to be a DoS attack.

To solve these problems, you have to know what's causing them. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).

In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home e-mail and find out.

With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you forsee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the Web?

Dave:

Not necessarily. Sure, normal usage may exceed capacity. But a protest by thousands of people is not "normal usage;" that is a mass exercise of individual rights in a democracy to gather and express their opinions. [I live about four blocks from where the tear gas and concusive grenades were being lobbed at protesters, and I personally think the response was excessive and the protesters had a right to protest. They weren't damaging property in my neighborhood, they were chased into it, and traffic could simply go around it. Seattleites are used to backups, like you point out.]

I'm really don't know if I'd have a problem if 3,000 people decided to all individually use their browsers and click away at a major Web site as a form of protest, using their own computers and risking possible legal action as a price. (The JavaScript used to protest the WTO was a cool hack, and quite publicly known and used by individuals with their choice. That is less quesionable in my mind as a means of protest.) That's what it means to have freedom of assembly and freedom of speech; you protest in person, gathering with like minds. I marched against the Gulf War bombing, and was glad I could exercise that right when I felt it was important.

I *don't* think it is OK for a single individual (or small group) to take control of the resources of 3,000 *unknowing* individuals' resources and anonymously force them into that individual's service. That is not an exercise of democratic speech, that's theft of private resources. That's what DDoS attacks are.

If there is a problem with truly normal usage exceeding capacity, you could argue that capacity simply needs to be increased, and there is a cost associated with that increase. I start to question things when this increase in capacity is made on an insufficient budget, so there is nothing left for people and tools to protect the new "required" infrastructure. If the infrastructure is so vital, should its proper monitoring and administration be neglected? Is it wise to use this as the infrastructure for our record-setting-growth economy? If we build a fragile infrastructure for our economy just for the sake of growth and short term revenue (and pandering to customers demanding more and more services at lower and lower prices), and the result is that an individual can wage an anonymous protest and take parts of it down. I'd rather that the growth was a bit slower and infrastructure was more secure.

Antionline: True help?
by cswiii

I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?

Dave:

I have not seen any news reports that Antionline was enlisted to assist the FBI (and don't see anything searching CNN online.) I also read a Reuters article that claimed Mixter wrote stacheldraht (he did not), and that stacheldraht is used to break into systems (it has nothing to do with breaking in, just sending packets -- the break-ins are done using other tools, which usually implement buffer overflows in services like rpc.cmsd, rpc.ttdbserverd, amd, named, etc.)

Just because the media says something (or worse, one reporter quotes another reporter) that doesn't mean it is true. They make plenty of mistakes, especially when reporting on tight deadlines (I have published corrections to some articles in the DDoS page I referenced above.)

Government
by interiot

If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:

  • Understand the problem well enough
  • Spot good solutions if they come along
Slashdot generally seems to feel that the government doesn't have a clue about tech issues, but the NSA has had its moments of brilliance in the past.

DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.

Dave:

"The government" is a pretty big population, which includes federal law enforcement (as you point out), as well as a huge slew of departments and agencies, their state/local equivalents (including public schools and universities). In such a large population, you will find both skilled and unskilled members of that population (fitting a bell-shaped curve like most populations).

If we don't like it that all attacks are attributed to "hackers", we should likewise have some respect and not just jerk our knees and say anyone who works for the government is automatically clueless.

The Government Accounting Office (GAO) has been auditing and analyzing many of the federal departments and agencies for years, and some of its reports (I have a number linked on my home page) are pretty critical, while others highlight agencies that have done a lot to secure their systems and provide "best practices" advice to improve the situation.

As for law enforcement, the FBI has been doing a lot recently to create a skilled central core of computer crime analysis and investigation resources, and in establishing training facilities and developing working relationships with their peer agencies in other countries (since the Internet is global, response must be global). Since they haven't been at this very long, of course this will be a bumpy and sometimes inconsistent process, and it will take time to build depth and breadth of computer forensics skills (and there is usually a LOT of forensic data to process and understand), but they are working very hard.

I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)

If you've read the National Plan -- subtitled "An Invitation to a Dialogue" -- you will see that a great deal of thought has gone into dealing with infrastructure protection, and that they are asking for cooperation and input from the private sector security experts, which means us. (Now is the time to make your opinions known, and that doesn't just mean ranting on the dc-stuff list, where you are preaching to the choir. Of course, people there will agree with you, but does that change anything? You need to write your Congressional representatives, the President's Council, and vote.)

I, too, question the amount of emphasis in the current budget being placed on surveillance, but I'm really happy to see money being allocated to programs like better forensic analysis capabilities and identifying talented high-school students and helping them to study computer security in college, rather than ignoring their talent (a form of disrespect or a result of fear) and risking losing them to a life of attacking systems instead of securing them.

For example, I know at least one admin (who was 15 at the time I met him) who knows more about securing Unix systems than many admins I encounter on a daily basis. Sure, he was 15 and had some issues with judgment that 15-year-olds have that caused friction with his employers, but he was just 15! Give him a break, and respect his talents! If he was managed more closely, his obvious skills would *still* be an asset to his former employers. I don't want to see someone like this get frustrated at not finding a place to get paid for what he loves to do, and land in jail for following his curiosity and passion in his own way (which usually involves making an eventual mistake in judgment that draws the attention of law enforcement). I already pointed out there is a lack of skilled system administrators, and I'd rather see young talent be put to use to solve these problems, and the National Plan addresses this.

Internet Worm
by Ex Machina

What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?

Dave:

Given what I've seen as far as these particular tools go (including the scanner used by one group), I have no reason to believe the current attacks are automated and worm-like.

That said, I think it won't be long before someone *tries* to take that next step and further automate the process of scanning & intrusion to constitute DDoS networks.

Think about it, though, for a moment. Using the current DDoS tools, the intruders need to create a large network, without losing agents due to attrition as system/network admins notice the initial "setup" intrusions, and they would have to control the growth of this network so that the handlers are not crushed under the weight of an overly large network (or exposed because the agent "Hi mom!" traffic gets too noisy), hope that clocks are synchronized well enough to not expose the attack too early, and to control the resulting network during an attack, all without being detected. There are some tricky issues of coordination and communication that must be dealt with to prevent such a worm from running wild and disclosing itself. Whoever wants to try this should probably ask rtm about what it feels like to make that kind of mistake.

The alternative is to not use a coordinated/distributed model, but instead use the more standard model of propagating uncontrolled attack agents using a combination of social engineering and trojan horse programs. This has already happened.

In early February, 1999, a message faked to look like it came from Microsoft, claiming to be an upgrade to Internet Explorer (with an attached program named "ie0199.exe") was sent to many thousands of users on the Internet. Those who ran this program got what appeared to be an innocuous error message about a missing DLL, and most just gave up and deleted the message. What they didn't realize was that they had just unwittingly installed a program on their system that set itself up to run on boot the *next* time the system came back up. At next system startup, the program then started sending packets (as a self-described act of revenge) to random hosts on the Bulgarian Telecommunications Company network, causing them significant problems for who knows how long.

Worms also seem to work best against a single, self similar operating system/architecture/service combination, which means the attackers would have to do the same recon scanning they do now to get a list of these hosts, so why not just stick with what they know works and infect systems on the list in parallel, instead of by some non-deterministic spreading behavior?

This discussion has been archived. No new comments can be posted.

Security Expert Dave Dittrich on DDoS Attacks

Comments Filter:
  • by Anonymous Coward
    What's the difference between DDos and a strike? One hopes that in a picket line, the picketers have not had control-units implanted in their wetware, but are actually expressing their own views.

    In a DDos attack, the attackers are "pods" - Watch "invasion of the body snatchers" to get the picture...
  • by Anonymous Coward
    The Linksys and other router/firewall/hub systems are a better solution than buying an old PC and making one. Here's why:

    1. You have to remember the full cost of the old PC. Monitor. 2 NICs. Software. Shipping. Usually will work out to more than $150

    2. The Linksys and other small hardware router/firewall products use less power, take up less space, create less noise, generate less heat.

    3. The hardware solutions are simple, quick, and reliable. The PC solution takes time / effort / and can break easier.

    4. With the hardware solutions (the Linksys at least) a 10/100 switched hub with the firewall/router. Which you would have to buy on top of the old computer as well.

    With my linksys setup, I have 3 computers on a switched 100Mbps lan, and a Cable modem providing IP to all of them. It does DHCP, and firewalls my LAN.

    And there are new products competeing with the Linksys:
    http://www.timhiggins.com

    At $130 - $170 a pop, they are a MUST for home LANs and a good idea for home broadband access in general.

    Also check out the links for "Securing your System" at the above tim higgins site. The "Shields Up" site is a great resource!
  • by Anonymous Coward
    Linksys makes a cheap (~$170) 4-port 10/100 switch that connects to DSL/Cable. Includes NAT/DHCP and a firewall. Once I get my DSL hooked up I plan on getting one, so the SO and I can both be connected
  • by Anonymous Coward
    Whoa whoa whoa wait a sec!! Since when does a ninja use a katana? A katana is a sword used by samurai not a ninja. There are DISTINCT differences in armory of both. I think your girlfriend must be a Ronin that once was Samurai, now posing as a ninja... Its the only plausible awnser! (pssst... aim for the ribs, it always gets 'em ;) )
  • Then you have a problem for services such as ICQ. If you block incoming packets, how are you supposed to recieve messages?
    I'm sure there are other examples, ICQ is just the obvious one that springs to mind.....

    Nick
  • SonicWall makes a nice little personal firewall starting at about $400. Easy to setup and use, works great, doesn't care what kind of OS you're using because it's a stand-alone box.
  • Fantastic, man!

    I was just about done putting up a page about DDoS at my web site and I just *had* to add this!

    You've really put the whole deal in perspective!

    t_t_b
    --

  • ftp passwords are always sent plaintext, so yes, the NORMAL operation of an ftp server on any server on the Internet is on shakey ground. This is particularly true with a home DSL connection, as the box hosting the ftp server tends to be used for many different things (and thus, is more important to the user, and is more distructive when it is compromised.).

    If you still want to use an ftp server, I suggest creating specific accounts for ftp usage only, who's shells are /bin/false (can't log in with those accounts, except via ftp - no shell access). Set up your ftp server in a chroot jail. Configure the ftp server to log every connection. While none of these things will prevent your box from being compromised, they all make things much more difficult for the 90% of crackers out there; those running canned scripts, with very little brains.

    Remember: The ip addresses of DSL and cable modems are well known to crackers. I monitor my home office (connected via DSL) with all sorts of various and sundry software ;-). My systems are port scanned an average of once every ten to twenty minutes, with stealth scan attempts almost as often. Every time I read about a new unix exploit on Bugtraq, I see crackers attempting it sever dozen times in my logs. If you have DSL, this is happening to you as well.

  • While this solves the problem for the ISP, it leaves Joe DSL without a way to run his own apache server, ftp server, telnet server, for hiw own low-volume stuff, even if he knows how to secure his machine.

    If Joe DSL is running telnet or ftp, he MOST CERTAINLY doesn't know how to secure his machine.
  • telnet and ftp send all data back and forth in plaintext, INCLUDING YOUR PASSWORD. Any network sniffer between you and your box now has captured that account's password. Account compromised. Game over.

    Your ignorance on this issue illustrated my point.
  • You have still COMPLELELY MISSED THE POINT.

    Haven't you read the analysis of the DDoS attacks? The TFN and TFN2000 clients and servers can be configured to run on a port greater than 1024. That means, ANY ACCOUNT ON YOUR SYSTEM CAN RUN THE DDOS ATTACK.

    Once one account is compromised, and shell access to the target system can be maintained, compromise of the root account is, in most cases, trivial.

    ssh is a secure replacement for telnet. scp is a secure replacement for ftp. There are ssh clients for all common operating systems (though I've never found a scp tool for a non-unix system). You can still offer shell access to your box; just use a service that is more secure.

    Your further ignorance, and hostility towards the correct solution further illustrates my point. Arrogance is no substitute for ability. The reason your box wasn't compromised (and it may very well have been, you could just be unaware of it) was pure luck. Nothing more.
  • I recently got another book that so far has been very informative and well written; the ones you cited are classics that should be mandatory reading. This new book is entitled "Linux System Security", written by Scott Mann and Ellen Mitchell. I haven't finished reading it but it covers all the pertinent topics, and it has a decidedly linux slant on things.

    Like all good security books it covers the usual suspects (ssh, inetd, tcp_wrappers, etc...), and also tries to pass on the proper mentality that one needs to have. It also has a good appendix section that has a bunch of good www sites, including slashdot (Linux and computing news). The URL is interesting, tho, http://www.slashdot.org.

    The only negative thing is that the book is a hardcover edition and is therefore a little bit more costly than a paperback version.

  • You havent read that fortune about how building something idiot-proof makes it only usable by idiots, have you?

    I agree 100% with making software more secure right out of the box (the current state, where you install an OS and it inmediatly opens all services know to man at the minimum level of security possible is awfully stupid), and to strive to make software easier to admin, but going from there to absolute no need of trained & skilled personnel, is too much.

    NO default will ever be good enough for everyone, NO "easy to use, no need to admin" system is going to be secure over time, no matter what. We have as big as a problem with "fool-proof", "intuitive" things that arent secure and/or flexible enough that with the complexity and absurdly difficult tasks of updating, configuring and understanding all that there is to know to be a good admin. Look at Windows for an example

    Keep it simple, but not THAT simple!

  • The vast majority of Slashdot-effect traffic is going to have Referrer fields pointing to the article in question. Simply grabbing any 10 requests and analyzing them will usually tell you where they're coming from...unless it's a DDoS attack, of course. ;-)
  • It's not uncommon for a cracker to:
    1. Compromise a machine.
    2. Install an IRC server and bot.
    3. Use the bot to distribute warez, mp3s, or whatever.

    That's why Dave is down on them.

  • I would have to say that ISPs, especially broadband, need to start taking some responsibility for educating their customers.

    I thoroughly agree. Not only do uneducated users know nothing of security resulting in things like DDoS attacks, they know nothing of what's out there and so get much less out of it, and more importantly they know nothing of the culture that has developed to allow the net to survive and so work to wreck it and with it the net.

    I know ISP's would claim expense, but when i opened my first account with a small town ISP they sent a guy to my house who expected to spend the lesser part of an hour or two setting up my system. The greater part he spent telling me the things i needed to know to understand the various things (the web, usenet, telneting to hosts, etc.) and a tiny bit of the culture. And this was with no setup fee. Now... they'll mail you a floppy to set things up. The last cable TV guy i saw did better than that; he come in and reprogrammed the TV himself.

    cheers,
    sklein

  • It may be pesimistic, but I can't see Average Joe ever understanding the issues and the tech to the point where they could adequately protect themselves.

    This section:

    Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.

    Gave me an idea... What if there were an OS (I'm talking Windows/Mac) option to not allow outsiders to initiate a socket? Such that all traffic in/out of Average Joe had to be initiated by Average Joe. For people on @home (or similar) this should not be a big limitation as they're not suppossed to be running servers anyway! (which is why I'm not a customer).

    The implementation of this is left as an exercise for the reader.

    GRH

  • There's nothing bad about eggdrop bots. Eggdrop is a well respected bot to manage an IRC channel and are quite popular on all the networks. I myself have run a few and they're quite fun to play with. While there are eggdrops scripts aimed at more malicious uses, the vast majority of eggdrops are just used to keep the peace and keep channels organized. eggdrop homepage [eggheads.org]
  • Yes, that may be true. I just wanted to point out that eggdrops are not necessarily used for cracking or warez or what-not, as people unfamiliar with eggdrop might have assumed having read Dave's response.
  • Linksys is already doing one, and it looks pretty sweet. It's called the "EtherFast Cable/DSL Router", and acts as a router, hub and switch with firewalling, NAT and IP masq abilities.

    It's right on their front page at www.linksys.com [linksys.com].

  • Damn. I knew she was lyin' to me. I should've guessed when she tried to stab me with the handle and cut all of her fingers off. Ninja's with no fingers don't make very efficient killers. Plus the blood drips down the wall when they try to blend in.
  • Why would you need to have amonitor hooked up ? I used my video card once to get my headless server running and all it is now is a pair of ethernet cards , memory and processor . $25 computer $50 for ethernet cards $0 download from linuxrouter.org & trinity OS firewall ruleset ( to start )
  • Folks, forget trying to correct the media when they call criminals 'hackers'. The term has stuck, and popular culture is going to keep using it in spite any attempts to educate them. I suggest that you pressure the media to call them 'criminal hackers', to distinguish them from the law-abiding people who prefer to wear the 'hacker' label.
  • If you're almost always at your computer when it's on, a neat trick is to trigger a sound effect whenever someone uses one of your services. For example, put something like this in /etc/hosts.allow (assuming you have TCP wrappers):

    in.telnetd: ALL: spawn (cat /usr/local/share/audio/telnet.au > /dev/audio) &

    A good way to make those sounds is the web text to speech converter [bell-labs.com].


    Broccolist

  • Of course, and free unix system for intel has all the 'firewall' tools you need built in. don't pay an 'ignorance tax' to these people.

  • Read bugtraq, visit packetstorm [securify.com] and Security Focus [securityfocus.com] regularly. Keep an eye out for weird utilization on your box, read your logs, and make sure you have as much locked down as possible. If you don't need a service, don't run it.

  • Not just universities! My ISP (att.net) pulled their pop server behind the firewall four days ago with absolutely no warning, making it impossible for me to get my e-mail without dialling in at 56k. Blech.

    And, typically, all the support people I talked to claimed that it was "always that way".
  • I have the same setup. We blew a fuse & the firewall was not shutdown gracefully. Unfortunately I don't have a spare keybpard or monitor lying around (both work stations are laptops)any suggestions for setting it up so it can recover from a reboot on its own or how I can set it up so I can console in & fsck?
  • LinuxPlanet has a step-by-step ipchains installation map at http://www.linuxplanet.com /linuxplanet/tutorials/1241/1/ [linuxplanet.com]. It's designed for those people who want multiple machines on a single internet connection, but it talks somewhat about securing the connection and using ip masquerading.
  • I think a big problem right now is the great deal of certifications available to anyone with the money. For $1000 and 3 days of class you too can become a system administrator. A person with a MCSE can get a job anywhere anytime, I have a friend with a 2-year accounting degree who spent 1
    week studying for the MCSE and tripled his salary
    in less than six months. Needless to say he doesn't have a clue but no one seems to notice. I think these quicky certifications are a big part of the problem.


  • Security should be the default.

    You should have to ASK your ISP to be allowed to set up a server. The vast majority of users never will, drastically reducing the number of unsecured machines, and reducing attacks such as DDoS.

    -Jeff

  • Dont tell a forum on slashdot which will be a magent to script kiddies that you are a sitting fat duck.

    If I had any clue about anything more than the technical side of cracking, then perhaps i would be enticed to your claim of being 'on a constant cable' & 'clueless newbie'

    For starters close off your ports, they're all open.

    A firewall is a great place to start
  • A lot of cable/dsl bridge group users raise issue specifically about others being able to see their computers in the windows Network Neighborhood, which is why your NetBIOS port is gone. The ISP hasn't really done anything to increase security; instead, they are responding to a general customer complaint in order to make everybody happy again. Since the majority of serious attacks and intrusions don't provide so obvious a sign as showing up in the Windows Network Neighborhood, chances are ISPs are still a long way off from providing any tighter security, since no one will be wise enough to complain...
  • A lot of DSL Routers/Modems have this functionality built into them. I just finished a consulting job where I set up a network for a small business. I got them a DSL Line, and the router that the provider gave us does DHCP, NAT and portmapping. This way they get their high speed access, but no one can come into the network since no portmapping is being done. Cheap simple security for a small company, and you can always set up portmapping if you want to add a Web Server, etc. Unfortunately to get a router like this you have to buy business class DSL which is considerably more expensive than home class. It's still pretty cheap on the grand scale of things, they pay about $300/mo for 1.1Mbit both ways.
    -
  • Dave skirted around the issue, but didn't really address what needs to be done: fix the problem. Making system administrators more 'clueful' isn't a reasonable solution, as truthfully, there aren't enough sysadmins with enough experience for all the positions available, and the problem is, as far as I can tell, getting worse. Moreover, the ie0199.exe demonstrates that unclueful users can be as bad as unclueful sysadmins. A majority of Dave's points about 'fixing' the problem deal with identifying the source of a packet. In the case of a smurf attack, for example, you know who's responding to the attack, you're just not certain who is sending the initiator of the attack. Finding smurf hosts is easy, so you could probably automate the process to find tens of thousands of them, which would be difficult to handle. Even if you get 'security' which ensures that the packets initiate at the source host in the IP header, if you can break into enough machines, there's still a problem, although not nearly as bad. Either I have to get my local ISP to install a filter on their end, or I have to contact the sysadmins for each of those cracked machines and get them to fix their machines. DDoS is a problem without a good solution at this point, and I'm not sure if they'll ever be a good solution. If I can get 50,000 users to install a program on their Windoze box that will, at my command, continually initiate web connections to a host, how can we distinguish this from 50,000 people really trying to talk to that web site (one could argue that posting a URL on /. is a DDoS for that web site :)
  • First of all, great interview. Definitely one that should go in the Good Stuff of Slashdot book.

    I think one point that is overlooked or underemphasized is the out of the box security. I am not a technical dude, just read my info. What I mean is that when I buy a car (to use that analogy) and I buy a good one like a Mercedes, it has features to keep me from f@cking up stuff. A standard Mercedes can only go 250km/h, has side impact protection, well you know the drill...

    With computers I have to install the airbag myself, seatbelts are an option. Yes for large sites we need better administrators, no doubt about it. But imagine that in 10 to 20 years everybody is lugging around a Tramsmeta powered screen, which interacts with their home-server, at school they get the sheets and the notes downloaded to it etc. and all that on *high* bandwith. They have no time to think about all the security. It should be taken care of allready in stead of implemented later on. Why can't a system be build with all the features turned off... instead of everything turned on and open wide?

  • It takes 9 million dollars to rent office space to set up a "command-center" for the use of the new "cyber-czar" which I guarantee will be nominated.
    My guesses for "cyber-czar":
    • Major campaign contributor
    • Al Gore, he invented the damned thing, you'd think he'd be #1 choice.
    • That Wen-Ho-Lee guy. He's an expert on computer security. Like letting his daughter play MUDs on a supercomputer.

    -=-=-=-=-=-=-
    This signature contains text from the worlds funniest signature.

  • I'll freely admit that I'm ignorant on many of these matters, particularly when it comes to the fine details. However, there are a lot of ftp servers on the web. Are you telling me that it's impossible to set up an ftp server that doesn't compromise your security? I'm currently awaiting the install of my DSL line. One of the things I want to do is set up a cheesy little family photo site. Everyone can scan in their old photos of grandma and grandpa and upload them for everyone else to share, etc. A lot of the people who will be using this are not highly computer literate. I don't want them to have to install a new program just to get to it. I can't do this safely?
  • Yes.. exactly what I have been saying all along. Why is everyone reporting them as "Hackers"? Flooders maybe.. but they sure aint hackers.


    I mean, if I went round saying I was an Emporer just because some moistened bint had lobbed a scimitar at me, they'd put me away!
  • I think one of the major problems now a days is the lax attitude taken towards mailicious events such as this. I understand that to the ignorant public, this is meaningless, but the knowing (nerds of the world) should help to stop some of these "attrosities".

    I am not talking about government interjection either. The last thing the intelligent internet public needs is more censorship by the government. The whole should not be punished for the actions of a few. The fact that they want to put $9M dollars into security is ridiculous. Leave security in the hands of the administrators. If they don't feel that security is important enough to look into, then they deserve to be taken down. We all know that security is an important issue. It should be dealt with on every machine; even going as low on the food chain as the average home user.

    The idea of security should not just be left to the computer junkies who know everything about everything. Security should be a concept that is driven home to more people than just SysAdmins and Webmasters. It is a net-wide problem that has to be dealt with at the core. And in this case, the core is the incompetent, otherwise known as average users.

    I think that if the government wants to spend $9M dollars on cyber security, they should spend it where it counts and drive the point home. It should be spent on educating the average Joe. They do it with every other major problem: drugs, pregnancy, smoking...so why not hit home with a problem that we can foresee getting worse rather than waiting to the real problem hits. Get the point out to the average user that they need to be careful. If they are not, they are then succeptablet o any number of possible problems. Of that this is just my opinion, but usually its right :). I know this is a strong viewpoint, but hell, we all have our own opinions.

  • I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues Seeing how they have been the ONLY administration since the Internet became what it is today, I think that quote is quite silly. Don't you?
  • Absolutely. There are valid reasons not to use OpenBSD. There are valid reasons not to use any OS.

    We could argue on the technical merits of Linux and OpenBSD until we are both blue in the face, and in the end the conclusion would be that OpenBSD is good for some things, and Linux is good for others. The thing that seems to get missed is that the two overlap in several areas. There are a lot of things in OpenBSD that will be familiar to a Linux user. You may find OpenBSD's tighter adherance to Unix standards to be favourable, or maybe not. But you won't know unless you try it. If you don't like OpenBSD, you might want to take a look at FreeBSD as well. The community is much more Linux-like than the OpenBSD community.

    Don't get caught up in blindly following Linux because it is the big one right now. Check out the whole slew of OSes available out there today. They've got some cool things going too. They just don't have as many 'blind advocates' getting the message out.

    Oh, and to return to my original point once more, if you're paranoid about security, check out OpenBSD.
  • What weight does your opinion carry in security matters, oh anonymous coward. Prove to us why it should be considered.

    I urge anyone reading this thread to go out and look into this yourself. As a five month old newbie of OpenBSD, I am not qualified to discuss the technical merits of security issues surrounding Linux and OpenBSD. However, I have read the opinions of those who are qualified to make the judgement call, and time and again I have read that OpenBSD is the champ. Not once, ever, have I seen a credible security expert state that Linux is as secure as OpenBSD, default install or otherwise. Pound for pound, hour for hour spent administering the firewall, I'd wager that OpenBSD is the best fighter in the world (not to mention faster at dealing with network traffic).

    And as far as exploits go, check out the turn around time on security patches to OpenBSD as compared to Linux. When a problem is discovered on OpenBSD it is patched NOW. Here's something Theo de Raadt (OpenBSD head developer) had to say about the timely addressing of security issues by various factions of the open source movement:

    "The various failed Linux and FreeBSD "security-auditing" mailing lists are living, er, I mean dead, proof that the distributed nature of `open source' isn't enough of an assist. Speaking about ALL of these lists, they have always just done nothing except chit-chat.

    For instance, about a month ago, someone on the FreeBSD auditing mailing list reported about 80 programs that were just 'crashing'. The list this happened on had just come to the conclusion (like we had 3 years earlier) that increasing quality in all areas is better, and leads to security improvements, by accident if you like. In my mind, seeing 80 bugs being reported just like that is really nice. So what did they do? They fixed about 7. Three days later, by the time they had fixed about 7, we'd fixed 79 of them. As far as I know, they've still not fixed the other 73. They were er, `distributed'... but we were APPLIED."

    Here is a link to the OpenBSD press page. This will lead to some qualified opinions on the subject of OpenBSD security. Perhaps a little one sided, but it should only be considered a start: http://www.openbsd.org/press.html [openbsd.org]

    I'll leave you with three quotes gleaned from Slashdot interviews of people qualified to comment on the security offered by OpenBSD:

    "In retrospect, I wish I /had/ chosen OpenBSD ;-)

    And I would certainly choose OpenBSD over GNU/Linux if I were building a firewall, or an intrusion detection system (based on say, Marcus Ranum's NFR) where packet capture at wire speed was important. (No - that tells you nothing about CCTA's network architecture....)"

    -Mick Morgan, CCTA

    "All of those operating systems are (resonably) securable, in theory, but if you want to make the job of securing a box easier, why not run OpenBSD?"

    -Tweety Fish, cDc

    "I -know- this is a Linux crowd, but I'm tellin' ya, take a look at OpenBSD for PROACTIVE security when it comes to that mission critical firewall box, network monitor, webserver, etc."

    -DilDog, cDc

  • Wouldn't a proper sysadmin also have reported this to someone like CERT?
  • When you break through all the hype that the press has put on this and boil it all down, it is just common sense. It's a shame that it takes events like this to have "the average Joe" . . . finally understand that a little caution and a little foresight go an awful long way.

    Unfortunately, I don't think the "average Joe" will make his system any more secure now than it was before. Most people don't even know how their systems might be compromised (by DoS or otherwise) let alone know how to make them more secure.

    While average citizens may now be more inclined to approve of allocating resources towards computer security issues, most still don't know (or refuse to know) enough to make it a more important issue than, say, taxes, or gun control, or things that affect their lives in a more obvious manner.

    -- Qirien, Academy of Defenestration

  • Which quite naturally, requires an SSH client on the other end. I'm not allowed to install software on my machine at work, it's a reprimand if I do.
    Mindterm SSH [mindbright.se] client. Many computers has a Java enabled webbrowser.
  • I'm just your average, leisure cable modem user. I admit to having only taken basic steps to protect my system. Ive shut off netbios and all the other useless things, I could probably still be nuked, but I dont keep anything critical on this computer, and I'd rather have the performance. I can replace just about everything on my drive in a day or two. But I like to think I'm reasonably secure against script kiddies trying to get control.

    Now, the other day, when running my not-so-regular port scan, I noticed that port 139 (netbios) wasnt just closed, but gone! I'm not running any kind of firewall, and my only explanation (remember, im not so good at this, though) is that @home has cut off incoming traffic to port 139 to their end users on my segment, at an unknown router/firewall somewhere.

    Its a tiny step in the right direction, I suppose.
  • by Anonymous Coward
    I'd like to secure my Linux PC. I've edited inetd and turned off everything I'm not using--finger, ftp, http. I've looked at the SysV editor and turned off a few more things--sendmail, identd, for example. I need Samba, I need telnet, but only on the local network--not the internet.

    I've set up a simple ipchains firewall. It allows local network (192.168.x.x) traffic and loopack traffice, but not over ppp. It lets eth0 (but not ppp0) packets access the NetBIOS port, which Samba seems to need. It rejects all packets sent to all of the ports I'm not using--especially port that NMAP finds interesting.

    I uses strong passwords and don't operate as root unless I really need to. I use a dial-up connection and don't leave it open when I'm not using it.

    What else should I be doing? I'm not a skilled SysAdmin, and my PC is unlikely to be the target of a determined attack, but I'd like keep the script kiddies at bay.
  • before it gets better.
    A large part of the problem WRT basing economic growth
    on a vulnerable system is a combination of greed and naivete
    on the part of those who are not fascinated
    by the technological details
    (read PHB's and J.Random Luser).

    I have to wonder what will happen if UCITA becomes the law of the land.
    Does anybody else see the irony of government
    on the one hand, spending money with an eye towards making things more robust,
    yet on the other hand removing the onus of liability
    from those who produce the engines on which
    the info economy is based?

    Great interview though...
    browsing comments at 2 it almost seemed like 1998 again....
  • I saw this report too. It took me longer to explain to my dad why they were wrong than they spent on their "report." I'm used to local newscasters not having even a hint of a clue but the inaccuracy of that ABCNews report was shocking.
  • . . . who read the blurb on the front page, saw the "33717 bytes in body" and read it as "31337 bytes in body"?

  • Last night I was watching ABC News. They were showing some websites affected by the DoS attacks. Then the showed what the "hacker sees" as he does it (their words). They cut to a machine compiling something! Vaguely looked like Linux kernel, but it was only a brief screenshot...

    Then they went on to say that even if people think they're smart, they're leaving their ID behind and showed what they called a "unique ID #" on every bit of network information. They displayed something like this:
    128.1.5.666 (yes they actually had 666 for the last 3 digits of the IP address). They also failed to point out IP spoofing, etc.

    Is it REALLY asking too much for journalists to know something about what they report on?

  • As a sysadmin that works exclusively with security issues, I can tell you that the "personal firewall" is a worse solution than having no firewall at all. Security is a process; it is never ending, and requires a great deal of time and effort. Joe DSL is going to install that firewall, and think it will protect him forever. It creates a false sence of security.

    Security cannot be left to people who don't constantly work to improve it. Joe DSL has neither the ability nor the desire to do this. Sadly, neither do most self-styled sysadmins.
  • Problem is....YOU CAN'T educate the average Joe for security. It is far too involved and can't be solved with some magic pill or simple patch. Networked systems are horribly complex, with interactions on many different levels. It is better to leave the security in the hands of the few who have a passion for it.

    Here's my solution: Have all ISP's providing DSL and cable service host the firewall for all their customers. Have them hire vigilant security minded sysadmins (there are few of them, but they are out there), who's only job is to keep the firewalled area secure. This way, Joe DSL doesn't have to worry about it all.
  • "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" should be sufficient.

    Anyway, if using ipchains, I prefer:

    "ipchains -A input -i ! -d -j DENY"

    where 'ifname' is each interface and 'ifaddr' is the corresponding address. That basically ignores all broadcast or multicast traffic; only point-to-point IP to _your_ host is accepted. Of course if you have a router or you actually need to receive broadcast traffic for some reason, you have to RTFM...
  • Well, you see, modern modems strip off the start and stop bits before sending data to the V.42bis compressor. That way, it's even faster, right? Well, the compromised systems were all running some type of Unix variant, and everyone knows Unix is old. Even older than 9600 baud modems. So those Unix longhair hackers, when they make a PPP connection to The Internet, have to use start and stop bits, making their bytes 10 bits long. Now, even though they pay a penalty in speed (it's 1.25 times slower), they get the side benefit of getting to use IP addresses like 257.1023.1.666. It's sort of a 31337 status symbol.

    I think we should all explain that to the journalists.


    ---
  • While it may not be intentioned this way, getting /.ed can result in the same effect as a DoS attack, the lack of service from the site in question. If the site is not aware of a mention on /., they could easily miscontrue the resulting lack of service as having resulted from a DoS attack. A link from any media source has this potential. Slashdot has just had it happen often enough to have given it a name.
  • My girlfriend is a ninja, and she will offer consulting services. And now that she's all set up with her DSL line and Linux, she's an expert on the subject.

    I'll approach her tonight about it if I can find her. She likes to blend into the wall and jump out behind me and try to lop my head off with her katana. You'll probably want to consult over email with her because it's pretty dangerous being in the same room with her. She goes by "Nuprin" (little, yellow, different...).
  • That's total crap! I had a cable modem before I moved, and setup a nice little FTP server for myself. *I* used it. When ever I was offsite somewhere, and needed something I could just ftp it from home. Why shouldn't I be able to do that?

    Hey Rob, Thanks for that tarball!
  • No you moron, it hasn't. This is EASILY taken care of by two simple things, (which I did do by the way)

    #1: Don't make anything available that you wouldn't allow anonymous users to get and,

    #2: Use an account that has NO access to anything except those files. Duh.

    Hey Rob, Thanks for that tarball!
  • Since or`ther posters have addressed the "where to find more information" question, i'll pass on it.

    But one thing about your post concerns me. You say that you don't trust Mediaone to protect you from script kiddies. I would take that a step further: It is not their job to protect you from script-kiddies, it's yours. MediaOne's job is to provide you with a fat pipe. What you do with it is up to you (within their acceptable-use policy).

    Unfortunately, most users expect their ISP to protect them, which is a nearly impossible task, (unless you WANT them to sniff all traffic going to your machine).
  • Excellent point... and you got me there.

    At the time, it looked like it was some annoying irc related product, and as you might know, sys admins are overworked. Hence I had to fix this, report the problem to the upstream, and make a report to my boss, along with the rest of my work.

    Hence, reporting a script kiddie didn't seem like a big deal to me. because it was definately a manufactured root kit, with no knowledge required, otherwise they would have gotten the ftp ls as well.

    If I had a dollar for every script kiddie....

    --
    Gonzo Granzeau

  • Isn't this a "hole in the market" for Cobalt?
    Low-price nifty looking boxes with 2 plugs: 1 for your DSL stuff, 1 for your pc.

    (and of course you can make it yourself using that old 386 lying around)
    _
    / /pyder.....
    \_\ sig under construction
  • A good starting point where I learned a great deal is the Trinity OS [csuchico.edu] document. Also try Unix Guru Universe [ugu.com] for all things *nix. The information is out there but don't expect to become an expert overnight. As a *nix user of 15 years I still feel like a newbie in a lot of situations. IMHO thats what makes it fun;-)
  • I advocated getting something in place now because I figure most people are like me and procrastinate the start of the job, prolong the course of the job in the name of perfection, and then just generally get sidetracked in the course of any home project. By the time I get around to 'scheduled' maint on many of my boxen, a month or more has passed since I was supposed to perform it.

    The problem with services is eliminated with a properly built ipchains firewall. Don't need people telnetting in? Reject requests from outside of the 'sandbox'. You should never have to deactivate a useful service if the firewall is configured properly.

    In the case of SuSE, I usually kill Apache and Sendmail, and finger, etc, are disabled by default.

    Besides, I would have mentioned service deactivation but I had to scoot off to a meeting and cut comment short... I appreciate you filling in the gap..

  • Hey now! I just played Rogue on a SGI Power Challenge 10000.. Theres absolutly nothing wrong with tying up a supercomputer for games, especially if you get to kill something!

    On a side note, it's the only box I have access to that has Rogue installed.. And I didn't even do it!
  • There's an excellent NetBSD/i386 Firewall setup available at www.dubbele.com [dubbele.com] that is meant for "Joe DSL" but has all the sources out in the open. Check it out.

    -John
  • Look at www.dubbele.com [dubbele.com]

    It comes close that what you want, in a way.

    -John
  • I've mentioned this elsewhere in the threads off this topic, but I guess it's worth repeating:

    It can be found at www.dubbele.com [dubbele.com]

    -John
  • Actually, I built my firewall/router/mail server using spare parts and a burnt Red Hat CD. It's not really that hard. I should actually write a howto about it.
  • Something I would like to see is ISP's block ALL incoming TCP/IP packets (incoming with the SYN bit set) unless the customer requests otherwise. It would seem to me that only servers need incoming TCP/IP connections. Am I missing something here?

  • 1. You can telnet or ssh or your preferred remote access method into a Linux/FreeBSD/your OS here box to perform about 99% of your maintenance... don't need a new monitor or keyboard...

    2. Can't argue there.

    3. Hardware solutions may be quicker and more reliable, but tend to get updated slower and less often when a security issue is discovered. Witness the many routers and switches which have known security loopholes that still have not yet had firmware upgrades issued.

    The biggest issue, though, is that if you're using a hardware solution because it's quick, easy, and most importantly because you don't have to learn anything to use it, then you aren't really doing much to secure yourself. Without active knowledge backing up your security measures, people WILL find ways around them.
  • Since schools started banning trench-coats and black clothing, do you think the government will start trying to ban computers and net access? Heal the foot by cutting off the leg; sounds like something politicians would pursue...
  • his is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.

    That is an idea that businesses (big business and corporations in particular) need to realize.

    A happy workforce (regardless of job) is a loyal workforce. Give them all good pay and good benefits and you'll have employees willing to work late and go the extra mile 10 out of 10 times.

    It never made sense to me that management would want an unhappy workforce.

  • One already exists for personal use... The problem with the hardware firewalls are they cost thousands of dollars. I saw a personal firewall in the news awhile back for LINUX at http://www.progressive-systems.com/
  • Experience, experience, experience. It's the best way.

    Mail me if you have any specific questions, and I'll try to answer them for you.


    If you can't figure out how to mail me, don't.
  • In reading the very well written questions and answers, one question came to my mind.

    It was mentioned that there aren't enough Good system adminitrators. I am a very small time SA, and I probably fall under the "not good" category right now. My question to the /. community is, where can I go to learn to be a good SA? What books are recommended, what HOW-To's? (I've got Trinity bookmarked, it seems very extensive, but is it "good"?) How does one start to become a good SA?

    Thanks!
    --Adam


    This is my .sig. It isn't very big.
  • Creating [jya.com] a more "secure" internet. The "Flexible Deployment Assistance Guide" basically points out that telecommunications companies should hand over "certain" information to the FBI apon request. Looks like they have an impressive list of supporters. Great.
  • I was astonished by the low price of this unit. Seems to me, with no margins, it isn't likely that an enormous amount of $$$ went into the development of the product. Besides, it's a closed security system, (aka security via obscurity). How is anyone to know just how secure it is? What about patches? And if it has a flash chip for the firmware, what then?

    These low end products, in addition to giving an unsuspecting home user a warm fuzzy, are also designed for the consultant or installer that wants to be able to say "I tried to protect your network" to their client, without taking the learning curve on firewalls. My experience is while I have offered the WebRamp or Linksys products as a lower cost alternative to a "real" firewall, my clients have taken the attitude that they would rather not fsck around when it comes to their firewall.

    Get the cheap 486 at home, put a good ipchains script on it, disable everything that listens, and keep it well patched. On most of your DENY's, put a -l (I don't log, but I do DENY packets rx'd for port 137/138 - it's mostly my neighboring broadband customers that have IP bound to their M$ client/server) and have a look at your logs every so often. You may be surprised by the results.

  • Quicky certifications are a symptom of the deeper "problem". The real issue is that there just ain't enough skilled folk to go around. I'm not sure it's a "problem", well, at least if you're a skilled folk, it's not a problem. It just means higher pay. Enjoy it while it lasts. The high school I do a bit of work for has been firing up the old C/C++ courses once again. In 5-10 years, academia will overproduce techies again, and we'll see programmer jobs for $35K/year again.
  • >First, get a working firewall in place.

    You are doing the last step first. Setting up a firewall isn't vital in many cases.

    First step is to close unnecessary open ports. For instance, The SuSE distrib installs telnet, ftp and Apache demons as default. Joe DSL doesn't need this. Consider what you really need on your system and keep this. The less stuff you got running on your box the less stuff you have to maintain. You don't need sendmail/procmail if you use a mail client that directly gets mails from a POP3 and sends to the upstream mail server. One port shut (tho this only makes sense if there is only one user on the system and it doesn't hurt too much to be online when mailing). Joe DSL doesn't need a webserver running. SuSE installs apache so you can search the online-doc they provide. That's overkill. Get rid of it. BTW I had to grin when I read about the increase of apache installations. I think SuSE et al had their share in this. Joe Avarage doesn't need an FTP server. Away with this one. Joe most likely doesn't need telnetd. Get rid of it. And if you do need it, there are secure alternatives(ssh). Finger demons, talk demons and assorted knick-knack isn't needed. Kick it. Feel free to check your system with Saint. It can be a real eye opener. The reason for this house cleaning is the more services you got running, the more potential security loops are inserted into your system. And maintenance complexity is rising exponentially. Less is more in this case.

    Second step has to be the installation of some means to monitor unauthorized changes in your system. There are several ways to install alarms like these. It's most of the time the only way to find out somebody breached your system integrity. And logs are there for reading. Or at least to grep through them.

    Third step is to set up the firewall.

    Fourth step is to keep up-to-date with security fixes for the stuff you got up&running on your system.

    It is important that you know what is actually happening in your 'puter. If you even are unsure wether you have telnet running or not then the main security problem is sitting in front of your keyboard.

  • by Anonymous Coward on Wednesday February 16, 2000 @11:03AM (#1267691)
    Related to this topic...Windows' TCP stack will not respond to a directed broadcast ping (this is optional, according to the relevant RFCs). Other operating systems will, however, respond to these pings, which, under certain circumstances, could pose a problem (envision attacks from within the network).

    My question is: has anyone found a way to emulate Windows' behavior under Linux? I would think you could do this with ipchains, but have not been successful thus far.

    ipchains -A input -s 0.0.0.0/0.0.0.0 0:0 -d <broadcast address>/255.255.255.255 -i eth0 -p 1 -j DENY -l

    does not work, although I thought it would.

  • by Ken Williams (28157) on Wednesday February 16, 2000 @03:43PM (#1267692) Homepage
    maybe you should just consider complying with the university policies (III,3.02,h and III,3.02,k [cameron.edu]) that implicitly forbid running personal web servers on school networks. i actually do empathize with you, but i have played both sides of the game you're in, and it is always a losing battle for the student. the more you fight for what you perceive to be your 'Net rights, the closer you'll come to permanently losing all of your university computer resource privileges.

    key word == privileges
  • by GoNINzo (32266) <GoNINzo@@@yahoo...com> on Wednesday February 16, 2000 @12:29PM (#1267693) Homepage Journal
    A very important key was put forth in this interview that should be pushed to the rest of the world.

    Nothing can replace proper Systems Administration.

    As a real world example of this, I busted a TFN client that appeared on two Suns we had 2 days after they appeared (These were non-used systems, I just noticed the network traffic). The traffic was high, I didn't believe the results that the rootkit were telling me, and found the kit and client (Thank you ftp's static ls!). And this was before TFN was out on BugTraQ and other security mailing lists! I didn't know what it was, so I just cleaned up the systems, and threw a P-90 Linux firewall in between. Also notified the uplink that they were the ones talking to the client. (Strange udp packets incoming are not to be trusted!) Now that's proper Systems Administration!

    Oh, and to sell people on my company, Collective Technologies [colltech.com], all we do is Systems Administration (and networks and DBA's now too). The best of the best sys admins out there... `8r)

    --
    Gonzo Granzeau

  • by 348 (124012) on Wednesday February 16, 2000 @10:14AM (#1267694) Homepage
    I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.

    When you break through all the hype that the press has put on this and boil it all down, it is just common sense. It's a shame that it takes events like this to have "the average Joe" and the PHB finally understand that a little caution and a little foresight go an awful long way. The three or however many of them they were, who pulled off the larger of the DdoS attacks really did the industry a favor in raising awareness, although I don't think this was the motive.

    I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)

    I think the administration is still lacking in some major areas and it will take years to catch up with all the red tape. On a side note I heard on the radio that Clinton has requested $9M for cyber security, White House officials and the Internet community say they will band together to make computer security a high-profile issue. Hee hee, what do they really expect to do with only $9M?

  • by Drailex Mauder (132894) on Wednesday February 16, 2000 @05:34PM (#1267695)
    OpenBSD is the most secure OS around today. You can make an excellent firewall with it. If you don't know much about your network security, you need to get working on it. DL the install disk, do an FTP install on an old machine, and get learning how to set it up.

    I've been using it for five months and it is awesome. Easy to install (newbies: be sure to read the directions), everything works without a lot of messing around (something I can't say about the other freenixes I've tried), and version 2.6 now has OpenSSH to allow you to securely administer your machine (not like it needs much once you have it up and running). Just check out ipnat (network address translation) and ipf (packet filtering) on the OpenBSD website (the man pages are the place to look) for more information

    It is definitely better to run a basic OpenBSD firewall than to have Linux, Windoze, Solaris, or whatever else hooked up directly to the pipe. Run it on as little as a 486 with 8MBs RAM and a 200MB HD (you could probably run it on less, but I have only used it with the above minimum hardware). And if you really wanna get funky, run it as your workstation. Lotsa of programs have been ported to it, and the rest you can run using Linux emulation.

    Check it out: http://www.openbsd.org/ [openbsd.org]

    Also, for those of you interested in OpenSSH outside of OpenBSD use: http://www.openssh.org/ [openssh.org]

    For those of you with lingering doubts about ease of installation: five months ago when I first put it up, I was virtually clueless about Unix. I had muddled around with several Linux distros (Red Hat, Mandrake, Slackware, Turbo, Suse, Caldera, and Corel to be precise) but none of them worked as flawlessly as many Linux proponents say (two of them crashed on me (Mandrake and Corel), and many times library inconsistencies made my life a living hell when installing software from the Internet). It took me two weeks of spare time to figure out enough about OpenBSD to go ahead and install it with ipnat and ipf enabled. Since then I have learnt more about packet filtering in my spare time and tightened things up further. The machine has been going for 5 months strong and only came down once because I wanted to upgrade it to OpenBSD 2.6. In short, if I could get it running in two weeks, any regular moron should be able to do it in one, and any Unix knowledgable person should be able to get it going in a couple of hours.
  • by Sway (153291) on Wednesday February 16, 2000 @11:09AM (#1267696)
    This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)

    I'm an Average Joe. Actually, that's a lie. I know significantly more about computers than 50% of those who saw a commercial or a kiosk at a mall and signed up for a cable modem. In any case, I'm still an Average Joe when it comes to securing my computer. I would have to say that ISPs, especially broadband, need to start taking some responsibility for educating their customers. If a third party uses my computer's resources to attack someone who returns the favor with a lawsuit, you better believe that I'm not going down without involving my ISP. It would be in their best interest to hook me up with a little "Did you know..." pamphlet at the very least. All it took for me to get online was some guy to plug a modem into my wall and drop some IPs into my settings. Shouldn't these things come with a warning sticker like cigarettes or something?

    Am I blaming someone else for my own igorance? You tell me. I'm not too worried about a DDoS on my home PC. I'm upset about the tabloid journalism surrounding these events. But, beneath it all, the media is indirectly raising an important issue about making assumptions on your network security.

    Thanks for the interview, too. Good stuff.

    Peace. Sway
    icq 5202646
    Peace. Sway

  • by Anonymous Coward on Wednesday February 16, 2000 @12:28PM (#1267697)
    The Transport Control Pixies and the Internet Pixies system the Internet currently uses can be abused, as the recent DoS attacks illustrate, especially with the fat pipes to which many people now have access. These pipes allow many malicious Pixies to be sent to a target, completely overwhelming the targets ability to process them.

    The large numbers of Pixies that can traverse these fat pipes is the main problem as I see it. A good short-term solution would be the replacement of the fat pipes with bundles of thin pipes. At the targets end, each thin pipe would have a small tap - when a DoS attack is detected, simply open the taps in turn to allow the unwanted Pixies to drain out into a bucket. Alternatively, a manned barrier could be set up at the end of each thin pipe, and any swarthy looking, suspiciously odious, black hatted, or otherwise dubious Pixies can be turned away. This doesn't aid tracing the source, but will allow the froce of the attack to be diminished such that the target can remain relatively unscathed.

    Tracing an attack to the immediate source can easily be accomplished by having a little valve in the thin pipe that when turned will shut off the Pixie flow. Subsequent Pixes entering the pipe will cause it to bulge gradually as the backlog builds up. By repeating this procedure back from each machine the source will eventually be found. To save having to walk all that way, the valves could have long pieces of string attached to them so they can be turned on and off remotely.

    Finding the perpetrator of the DoS is more problematic. These days, the normal breadcrumb back trail can be easily garbled by the less than savoury elemnt on the internet. The new Internet Pixie v6 implements the Taut String from End to End system to tie the source to destination - any severing of the string to re-route it can be instantly detected by loss of tension. However, this does us no good currently.

    It only takes a single Pixie to start a DoS attack, and finding it may not always be possible. An amateur will often leave the initial Pixie unharmed, if a suspicious one is found, sieze it immediately (ensure to keep its hands away from any magic pouches/flowers/musical intruments that it may have on its person). A poorly cast Mind Erasure spell can easily be undone by any one of a number of Re Mind perl scripts. A properly cast Mind Erasure can be tricky to undo and will require a special Module be used - if you're not at ease with compiling programs, pop the Pixie in a Jiffy Bag and post it to hemos@slashdot.org (you may need to flatten the packet a little to get it into the floppy disk orifice) - hemos will de-spell it and send the results back by return).

    A professional won't allow such evidence to remain - a common method is the Pixie On A Bungee technique. The perpetrator fires said Pixie into the attack machine with a long rubber band attached. With skill, the Pixie shoots in, pushes the Start lever and gets yanked back out at very high speed. A telltale clue of this is often fingernail scratches - sometines a misjudgement as to bungee length can leave fingers embedded in the lever handle. Unfortunately, unless the Pixie drops his ID card, the chances of tracking back further are very small, and really best left to the authorities.

    Wingnut
  • by mosch (204) on Wednesday February 16, 2000 @11:53AM (#1267698) Homepage

    First of all, you should understand System Administration to some degree, this will help you understand basics like daemons, permissions, basic networking, and figuring out what you need and what's just cruft on your system. A text which I gladly recommend is Essential System Administration [fatbrain.com]. This will *not* secure your system but it will help. A lot. Step two, learn about security specifically. You can read Practical Unix and Internet Security [fatbrain.com] which gives a good overview and a fair amount of detail on securing a system, and being assured that they remain that way.

    Once you finish doing this, you'll be on your way to being a *competant* admin (even if it is just your own machine). From then on, while you'll be far from a security expert, when some kiddie checks your doorknob, you can be assured that your door is locked, and they'll move on.

    I know the books I mentioned cost $35 or so, which if you're young might be a non-trivial amount of money. If it is, I suggest saving up and buying them anyway. If you understand the stuff in them, then you'll know what you need to look up on the net for further info.

    Good luck, and feel free to e-mail me with any further questions.


    ----------------------------
  • by roystgnr (4015) <roystgnr AT ticam DOT utexas DOT edu> on Wednesday February 16, 2000 @12:35PM (#1267699) Homepage
    And remove unnecessary services, of course, but simply keeping your system up to date is the most important way to avoid having it compromised. You didn't say which Unix you were using, but all the major Linux vendors have security mailing lists and I can't imagine the BSDs and proprietary Unices lacking the same.

    Having a genuine hacker reverse-engineer a bug in a network service and turn it into a root exploit against your system is very rare; I've never seen it done. Having a script kiddie use that reverse engineering to automatically probe and attempt to crack entire blocks of IPs, on the other hand, that happens every day. The trick is to get the bugfix installed before the kiddies start trying to exploit it.

    Start out by removing all network services you don't need and using TCP wrappers to limit access to the ones you do need. A firewall wouldn't hurt, but is probably overkill. Then get onto one of those security mailing lists and make sure that no alert goes by without you either disabling the compromisable program or installing a secured update.

    That's about all you need to worry about. Most systems that get broken into are cracked simply because their owner never heard about an imapd exploit 6 months before, shouldn't have been running imapd in the first place, and so wasn't ready when the script kiddies started port scanning for it.
  • by seifried (12921) on Wednesday February 16, 2000 @10:21AM (#1267700) Homepage

    A DDoS FAQ is available here. [securityportal.com]

    Kurt Seifried - Senior Analyst http://www.securityportal.com/ http://www.cryptoarchive.net/ http://www.seifried.org/

  • by bripeace (112526) on Wednesday February 16, 2000 @10:57AM (#1267701) Homepage
    Speaking of security. I have had significant problems with my university lately. Cameron University in Lawton, Ok (www.cameron.edu). Ever since these DDos attacks have been all over the news, The admins here have gone completely crazy. First I lost my hostsname (kirk.cameron.edu) because there was 'consentful/unconsentful' traffic coming to my computer and i was running a web server. So I hookedup with kirk.dyndns.org. Then they turned off all incoming/outgoing traffic to my ip address. I notified them after changing IP's, and they're reason being is so I would contact them. I had been running a 'server' without the net admins consent and they wanted to notify me. I requested a meetting with the network admin citing that I was not in violation of any AUPs namely cameron.edu's AUP and onenet.net (our provider) AUP. I have since been given the run around and have since had all incoming traffic cut off, ie you can't telnet in or hit my webserver. All of this in the name of security. I have also not been able to secure a meeting with the net admin. I know see them going completely crazy over 'security' now although I know i run my server much better than there own (ie. daemon9.cameron.edu) which ahd the php3 status page sitting up all day yesterday. This hysteria reminds me of what happened after Columnbine schools have since rushed to provide better 'security' and in alot of instances have gone over board like that school who required students to wear id badges with their SSN encoded on the front. I know see this happening here at my school with 'computer' security. Sigh! -Brian Peace
  • by slarti (15513) on Wednesday February 16, 2000 @10:45AM (#1267702) Homepage
    I'm just shaking my head as I read all the reports about these attacks.

    I especially like the part about the Banks not telling the FBI that the attacks were coming.

    I worked with the FBI and Army Investigators at the end of August when some co/lo hosts on our network were used as launch pads for a trin00 attack. At the beginning we couldn't understand why they would have chosen our network (we're that high profile). Turns out that they saw that one of our Co/Lo boxes had been hacked 24 hours before (it was posted on www.attrition.org). From there they scanned the network looking for other boxes (which they found). Assuming this was their SOP I started checking with other UNIX sites which had been posted on Attrition not long after/before ours and found 4 other sites which had the exact same thing happen.

    A few notes from that experience.

    1. Person(s) responsible were stupid and made numerous mistakes which allowed me to track them all the way back to one of their base accounts. There I found all the source code and numerous binaries involved in my attack and in the others I mentioned above.

    2. Although the DDoS attacks can have a devastating effect on the target I'm more concerned with the effect it had on the source network. Our outbound bandwith never went above 60 mb, (we have 150mb), but our core router was slammed to 100% by having to process millions of tiny UDP packets (which is why it never went above 60mb). This effectivly shutdown our backbone for normal customer traffic (which is how we got the FBI to take notice).

    Again this happened in late August, about three weeks after it happened at AboveNet on the west coast. Seems to me like this was their (alpha-beta) testing period.

    My concern with these tools is if they can be used to attack backbones instead of sites. i.e. Use many distributed systems to flood backbones with hundreds of millions of tiny UDP packets, keeping their processors so busy they can't pass normal traffic.

    Or is it just me?
  • by ZZamboni (30487) on Wednesday February 16, 2000 @01:17PM (#1267703) Homepage
    Any pointers or links would be highly appreciated, by myself and others.

    Apart from the other recommendations made (Essential Sys Admin and Practical Unix Security are must-haves), I would suggest:

    • Install TCP Wrappers [purdue.edu] and configure it appropriately. Block anything that you don't need, log everything else.
    • Read the corresponding tech tips [cert.org] from CERT [cert.org], depending on what you need (e.g. if you want to set up an FTP server, read the "Anonymous FTP Configuration guidelines")
    • Read the WWW security FAQ [w3.org] if you are planning on running a web server.
    • Use Tripwire [tripwire.com]. They have a commercial version, but you can always use the free version (1.3). I think they also give the newer version for Linux for free.
    • Read other documents at http://www.cert.org/nav/securityim provement.html [cert.org] and http://xforce.iss.net/library/faqs/ [iss.net].
    • Be always alert for anything strange that happens on your system. There is no substitute for an alert and informed sysadmin.
    --Diego
  • by technos (73414) on Wednesday February 16, 2000 @12:05PM (#1267704) Homepage Journal
    First, get a working firewall in place. It doesn't matter that you don't comprehend it, because you're wide open as-is. Visit ipchains.nerdherd.org [slashdot.org] and download the automatic firewalling scripts.

    Second, print a copy of the Ipchains HOWTO. Yeah, you just killed .1% of a tree, but it you can always use it as toilet paper after the Great War. Read it and the ipchains man page until you feel you have mastery of the 'chain' concept and of DENY, ACCEPT, and REJECT. This should take you less time than printing the HOWTO on an Epson 1200.

    Sit down and determine what ports you need wide open, what ports you need one-way and what ports you need closed. /etc/services helps here. Write it down, perhaps on the back of the ipchains HOWTO.

    Now you actually write the firewall script. You've got your ports picked and you know the basics of the ipchains command, so it shouldn't be hard. Test it. Have a friend nmap you, etc. Test your applications. Do they still make it out fine? Print it and staple it to the HOWTO.

    Why have I told you to make hard copies? That box is probably going to be running without intervention far longer than you will remember every decision you just made. When it does need attention, or you need to do the same sort of thing again, pull down the HOWTO and you have everything you need.
  • by Syn.Terra (96398) on Wednesday February 16, 2000 @10:55AM (#1267705) Homepage Journal

    I'm a SysAdmin newbie. I know only rudimentary UNIX. I am ignorant. I also have a constant cable modem connection.

    (There, I said all the facts, so now none of you can for me.)

    I want to learn how to be more secure. I don't trust MediaOne to protect me from all the Big Bad Script-Kiddies. I want to do this myself, but I have no idea how to start. And I feel this is a fundamental problem with many people who have constant connections.

    The question was asked in the interview but I don't think the answer was satisfactory (instead of "here is a solution" it was more like "here is what everyone should do"). Does anyone have some easy references for people like me who want to keep their constantly connected system "more secure"?

    Any pointers or links would be highly appreciated, by myself and others.


    ------------
  • by Animats (122034) on Wednesday February 16, 2000 @09:24PM (#1267706) Homepage
    • There aren't enough good system administrators...

      Wrong answer. We need systems that need less system administration, not more system administrators. The problem is that Microsoft and the UNIX/Linux crowd have both botched it so badly it's hard to conceive of getting it right. (The Mac, before it had to interoperate with non-Mac stuff, wasn't bad.) Bottom line: it's got to be secure out of the box.

      System administration is an afterthought of existing operating systems. It needs to be a driver in the basic design. UNIX/Linux, in particular, needs a major rethink in this area. There are all those vaguely related text files, and no formal model that defines what a "valid" or "secure" configuration is. If the Linux crowd got their act together on this, it would give them a big edge over Windows. (That's a tough thing for the open source process to do - change a large number of different programs to behave consistently. But that's a different discussion.)

    • Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?

      Certainly you could have a network that was immune to DoS attacks. It would look like X.25 or ISDN. You "dial up" an end-to-end connection, you get a virtual circuit, for which you pay by either time or traffic, and you're very limited on bandwidth. That was the telco model of data transmission, and it lost out to the pure datagram model.

      The key thing to realize about denial-of-service attacks is this: any attack that's more effective than simply sending datagrams that get dropped represents a problem in the receiver's protocol stack. Once those problems get fixed, the attacker has to generate enough traffic to saturate the links, not just the servers. That takes much more traffic than SYN flooding.

      Now we have a straight network congestion problem, made worse by forged source addresses. There are things you can do about that. It's hard, given forged IP addresses, but it's not hopeless. Among other things, that level of traffic is very visible at routers in the path involved. The traffic has wierd statistics; the ratio of IP source addresses to packets is way too high, and you can detect that from a sample of the packets. (If some security vendor isn't selling something that does that, I'd be suprised.) You immediately apply rate limiting to an incoming pipe with statistics like that, (yes, this will hurt legit users too, but only ones on subnets generating attacks), and bitch to the operator of the other end of the pipe, who clearly isn't checking outgoing source IP addresses. If something like that is deployed at major routers, it will a strong incentive for ISPs and other subnet operators to implement IP source address checking.

      As for an attack that simply consists of huge numbers of legitimate requests from captured zombies, that's a pure congestion management problem, to which known techniques can be applied.

    And please, stop making dramatic announcments to the press about how it's unfixable.

  • by madbomb (123832) on Wednesday February 16, 2000 @11:14AM (#1267707)
    This goes back to my original comment [slashdot.org] posted above on people taking initiative on how to secure themselves from the outside world. I have a certain amount of admiration for people who want to learn things such as this.

    Anyways, the Sercity-How-To [tucows.com] would be an excellent place to begin. Along with check some of the other how-tos. Shadow Password [tucows.com] and Secure Programs [tucows.com] would also be decent documents. Beyond that, make sure to keep a constant eye on Bugtraq (mailing list) as well as CERT advisories for newly found bugs.

COMPASS [for the CDC-6000 series] is the sort of assembler one expects from a corporation whose president codes in octal. -- J.N. Gray

Working...