[27576] in North American Network Operators' Group
DDoS/PPark (was: Re: government eavesdropping)
daemon@ATHENA.MIT.EDU (Ville)
Fri Feb 25 05:43:55 2000
Date: Fri, 25 Feb 2000 12:41:50 +0200 (EET)
From: Ville <viha@cryptlink.net>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
In-Reply-To: <200002250639.e1P6dKc24648@black-ice.cc.vt.edu>
Message-ID: <Pine.LNX.4.21.0002251154530.13114-100000@populo.vip.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
[ Lengthy, but it's not like I'd bother you daily. ,-) ]
On Fri, 25 Feb 2000 Valdis.Kletnieks@vt.edu wrote:
> Smurf came along in what, 1996? And www.pulltheplug.com and www.netscan.org
> both are finding enough networks STILL vulnerable that they find it
> interesting to tabulate.
Indeed.
Though smurf seems to be becoming too old-fashioned for people
to bother using it anymore. At least here the greater problem
is with DDoS, because no clear rulesets can be established to
prevent it to the degree necessary, as is obvious.
I'm betting DDoS will become even more of a headache when IPv6
gains wider usage and simultaneously as taking advantage of the
v4 smurf-amplifiers just won't do the job anymore.
Kids seem to be finding their way to IPv6, just as well, as
days pass. For a while it seemed like a puzzling security by
obscurity thing when I transferred a bunch of my hosts to IPv6
only. Admittedly the tcp/ip-stack still wants a v4 IP, but that
I have under 192.168.x, and by itself it poses no great risk.
It was a setback of a kind for the people trying to pester the
box, they would mostly have to stick to the easily modified
tools that do not exploit any direct problems with the protocol,
instead they just go for exhausting the CPU by bugging the
services running on the box.
That is - if they manage to get IPv6 set up for themselves.
I'm very much thinking it's a good time for people to begin
looking at IPv6 and its basics if all haven't done it yet. It
would be a shame if the bad guys had been on the road with the
protocol for longer than some of us. ,)
Also, there's still time for a little thinking on how things
are to be done with no need to rush, time to let things evolve.
> [...pulltheplug...]
> under 200 replies. And the guy hasn't started on arin/ripe/apnic
> allocated space yet.
I may be missing something obvious, but I was actually under
the impression the scanning was already all complete until they
go for a rerun later. Everything down to /26's have been mapped,
as far as I recall.
> If ISPs and users had clues, we wouldn't have as big a potential
> DDoS problem. Oh, and this just in:
Notably users.
I'm currently trying to deal with PPark (PrettyPark, a Windows
virus|trojan). It automatically spreads itself via e-mail and
keeps gaining more and more infections by the day. It is nasty.
It wouldn't be much of my cake, but the virus unfortunately has
been set to connect to one of the servers I administer to
receive attack-coordinates and all that (the server refuses
them right after they have been successfully identified on
connect).
Doesn't sound quite nasty? It is - just to put people on the
scale, we have _ninety-thousand_ unique hosts rapidly
connecting to our server and practically bringing the server's
accessibility down to its knees.
If 90 000 of them opening a connection to a server can do that, I
must wonder what their practical efficiency would be if people were
to ever have control over them and use them for malicious
purposes.
Some weeks ago, I did a compilation of ISPs/TLDs involved. I,
however, stripped the hostnames out to protect the innocent and
to stop people from misusing that information.
Brief stats are available at
http://www.vip.fi/~viha/Stats/PPark_ISP.txt and
http://www.vip.fi/~viha/Stats/PPark_TLD.txt
These are Windows hosts, not running any virus-detection by the
looks of it. Some quotes might include --
% cat PPark_ISP.txt | egrep -i "\\.(gov|mil|int)"|head -3
10 navy.mil
4 nih.gov
4 army.mil
% cat PPark_ISP.txt | head -3
4389 aol.com
4172 hinet.net
1732 com.sg
Oh, before you suggest routing them to null - be warned we have
tried a few things. We were quite lucky, and most of them only
showed a quick way to a table overflow.
As for contacting antivirus companies, the one we were in
contact with didn't show much but the compulsory 'I see.'
> Valdis Kletnieks
--
IPv6 Solutions | Security Coordination
Ville(viha@cryptlink.net, "Cryptlink Networking");
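The per-ISP and per-TLD tabulation Ville describes (counts of infected hosts aggregated by domain, with the individual hostnames stripped out) can be reproduced with standard Unix tools. The script below is an added example, not code from the original post or from the PPark statistics files; the hostnames in SAMPLE_HOSTS are constructed for illustration, and the function names (tabulate, by_tld, by_isp, gov_mil) are assumptions of this example. It produces the same "<count> <domain>" layout quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): aggregate connecting hosts
# by TLD and by "ISP" (the last two DNS labels) so that a report can be
# shared without exposing individual hostnames.
# SAMPLE_HOSTS is constructed sample data, not hosts from the post.

SAMPLE_HOSTS='dialup-12.foo.aol.com
dialup-44.bar.aol.com
h17.example.hinet.net
h18.example.hinet.net
h19.example.hinet.net
srv1.lab.nih.gov
ws9.depot.navy.mil
pc3.example.com.sg'

# tabulate N: read hostnames on stdin, keep only the last N dot-separated
# labels of each, count duplicates and list the busiest domains first.
# Output lines look like "4389 aol.com", as in PPark_ISP.txt.
tabulate() {
    n="$1"
    awk -v n="$n" -F. 'NF >= n {
            out = $NF
            for (i = NF - 1; i > NF - n; i--) out = $i "." out
            print out
        }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Per-TLD view (last label only), e.g. "3 net".
by_tld() { printf '%s\n' "$SAMPLE_HOSTS" | tabulate 1; }

# Per-ISP view (last two labels), e.g. "3 hinet.net".
# Note that this yields "com.sg" for pc3.example.com.sg, matching the
# country-level grouping seen in the post's output.
by_isp() { printf '%s\n' "$SAMPLE_HOSTS" | tabulate 2; }

# Government/military entries, the same filter as the post's egrep.
gov_mil() { by_isp | grep -Ei '\.(gov|mil|int)$'; }

# When run directly, print the per-ISP table.
by_isp
```

To run it over a real capture, replace the printf of SAMPLE_HOSTS with a pipe from the resolved hostnames of the connecting addresses; only the aggregated counts need to leave the machine.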