Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Duncan Patton a Campbell (campbell_at_neotext.ca)
Date: Wed Jul 10 2002 - 02:10:29 CDT
This a report FYI on an ongoing Reflected Distributed Denial of Service attack
directed against the domain indx.ca since June 30/02.
The system (a website) consist of three FreeBSD 4.3 servers providing
a GIS goods and services locator function to the net. Indx.ca is
located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
front-end with a third box (mail.indx.ca) providing support functions.
The system is supported remotely from babayaga.neotext.ca (aka ww0.indx.ca)
a FreeBSD 4.5 box located in Edmonton Alberta.
The attack appears to have gradually ramped-up over the weekend of
June 29/30 but was first notice by a squid proxy user as an inability
to access the web at about 9:30pm Sunday. Nothing special was
noted until July 02, when it was realised that an attack was under
way -- it was initially thought that a Windos trojan was responsible
for the failure, and our initial efforts were directed that way (we
are still not certain that the Windos trojan we have on ice isn't
one of the zombies used to instigate the attack).
By the early am of July 02 responses between ww0 and the rest of the
the servers in BC were degraded to performance that resembled a telebit
PEP link: 1300 to 1700 milisecond responses to pings and a packet loss
rate of > 70%.
By afternoon of July 02 we had become convinced that we were under
the gun of a reflected DDOS attack similar to that described by
Steve Gibson on grc.com. Mail to these guys provoked a peculiarly
blase' response, but, oh well. Thats when the fun began.
At this point verio (aka NTT) apparently blocked our addresses from
going to grc.com. At the same time, Telus blocked communication
between neotext.ca and indx.ca (yes, we have traceroutes) so I was
forced to use a tertiary server to talk thru.
Initially we attempted to contact our immediate service provider by
telephone and were met with a "sh!t deflection" response that called
into question our competence and sanity. We "clearly" had a malfunctioning
server that was causing the problem.
By July 03, we had convinced ourselves that it didn't matter what
OS was plugged in, and that if anything was plugged into the mail.indx.ca
address it would start a storm that would take several hours to die
down. We changed all three servers IP addresses and reconfigured our
VPN (arghh). Arps from the telus routers serving us (209.53.196.02 and
209.53.196.03) to our defunct mail address (126.96.36.199) continued
regarless as they continue even now.
By July 06 we had finally received some non-commital nonsense from
aebc.com's technical guy telling us that there were a lot of older
servers in asia and that maybe we should turn off named mapping on
the 188.8.131.52. Bilge. 184.108.40.206 had not existed for days,
and the portnames in the tcpdump trace we had supplied are from
inetd services, not named. As well, many of the servers/routers
involved in the attack were northamerican in origin.
At this point the arps continue to come in and I am sure that
plugging in a machine to the address would invoke a storm.
Maybe I'm being paranoid, but this is not a technical problem
at all. Our addressess were blocked by the Telco's in a
peculiarly useless and blatant manner, like the folks who did
it were operating under really stupid or malicious orders that
didn't make sense anyways.
As well, our site is seen as stealing much bread from the telcos'
managment/sales: it is a highly innovative prototype entirely
based on GNU/GPL software and systems that maps goods and services
available on the internet to real locations where people can go
buy these goods/services from other people. And it does this
better than anything the Telco managment could dream up.
So, given the finacially stressed nature of the Telcos and the
blind rapacity of their management (Telus is currently re-orging
again, and blaming their poor $$ performance on unions and over-paid
workers, again -- no, I'm not in the union, and have never worked
for Telus and after this letter probably never will ;-), it
seems to me very likely that some people without too much technical
know-how have got a hold of a tool that sets off a reflective DDOS
attack and are using it as a weapon to beat down anyone whose
business they don't like or want to "absorb".
Warning, Warning, Will Robinson!.
-- Duncan (Dubh) Campbell ;-)
To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message