From: Duncan Patton a Campbell (campbell_at_neotext.ca)
Date: Wed Jul 10 2002 - 02:10:29 CDT

    This is a report, FYI, on an ongoing Reflected Distributed Denial of Service attack
    directed against the domain indx.ca since June 30/02.

    Background.

    The system (a website) consists of three FreeBSD 4.3 servers providing
    a GIS goods and services locator function to the net. Indx.ca is
    located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
    Infoserve.net(cypherkey/aka aebc.com).

    Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
    front-end with a third box (mail.indx.ca) providing support functions.

    The system is supported remotely from babayaga.neotext.ca (aka ww0.indx.ca)
    a FreeBSD 4.5 box located in Edmonton Alberta.

    History.

    The attack appears to have gradually ramped up over the weekend of
    June 29/30 but was first noticed by a squid proxy user as an inability
    to access the web at about 9:30pm Sunday. Nothing special was
    noted until July 02, when it was realised that an attack was under
    way -- it was initially thought that a Windows trojan was responsible
    for the failure, and our initial efforts were directed that way (we
    are still not certain that the Windows trojan we have on ice isn't
    one of the zombies used to instigate the attack).

    By the early am of July 02 responses between ww0 and the rest of the
    servers in BC were degraded to performance that resembled a Telebit
    PEP link: 1300 to 1700 millisecond responses to pings and a packet loss
    rate of > 70%.

    By the afternoon of July 02 we had become convinced that we were under
    the gun of a reflected DDOS attack similar to that described by
    Steve Gibson on grc.com. Mail to these guys provoked a peculiarly
    blasé response, but, oh well. That's when the fun began.

    At this point verio (aka NTT) apparently blocked our addresses from
    going to grc.com. At the same time, Telus blocked communication
    between neotext.ca and indx.ca (yes, we have traceroutes) so I was
    forced to use a tertiary server to talk thru.

    Initially we attempted to contact our immediate service provider by
    telephone and were met with a "sh!t deflection" response that called
    into question our competence and sanity. We "clearly" had a malfunctioning
    server that was causing the problem.

    By July 03, we had convinced ourselves that it didn't matter what
    OS was plugged in, and that if anything was plugged into the mail.indx.ca
    address it would start a storm that would take several hours to die
    down. We changed all three servers IP addresses and reconfigured our
    VPN (arghh). Arps from the Telus routers serving us (209.53.196.02 and
    209.53.196.03) to our defunct mail address (209.53.196.69) continued
    regardless, as they continue even now.

    By July 06 we had finally received some non-committal nonsense from
    aebc.com's technical guy telling us that there were a lot of older
    servers in Asia and that maybe we should turn off named mapping on
    209.53.196.69. Bilge. 209.53.196.69 had not existed for days,
    and the portnames in the tcpdump trace we had supplied are from
    inetd services, not named. As well, many of the servers/routers
    involved in the attack were North American in origin.

    At this point the arps continue to come in and I am sure that
    plugging in a machine to the address would invoke a storm.

    Maybe I'm being paranoid, but this is not a technical problem
    at all. Our addresses were blocked by the Telcos in a
    peculiarly useless and blatant manner, like the folks who did
    it were operating under really stupid or malicious orders that
    didn't make sense anyway.

    As well, our site is seen as stealing much bread from the Telcos'
    management/sales: it is a highly innovative prototype entirely
    based on GNU/GPL software and systems that maps goods and services
    available on the internet to real locations where people can go
    buy these goods/services from other people. And it does this
    better than anything the Telco management could dream up.

    So, given the financially stressed nature of the Telcos and the
    blind rapacity of their management (Telus is currently re-orging
    again, and blaming their poor $$ performance on unions and over-paid
    workers, again -- no, I'm not in the union, and have never worked
    for Telus and after this letter probably never will ;-), it
    seems to me very likely that some people without too much technical
    know-how have got hold of a tool that sets off a reflective DDOS
    attack and are using it as a weapon to beat down anyone whose
    business they don't like or want to "absorb".

    Warning, Warning, Will Robinson!.

    -- 
    Duncan (Dubh) Campbell ;-)
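The post above identifies the attack from a tcpdump trace: replies from many hosts' inetd-style service ports (not named) arriving at an address that never opened a connection to them. The following is an added example, not code from the original post or from the indx.ca systems, that shows the check a practitioner would run over such a trace: it parses the classic tcpdump "src.port > dst.port: flags" layout, discards replies to connections the victim itself opened, and counts the remaining SYN/ACK and RST backscatter per reflector and per service port. The trace, hostnames and the min_reflectors threshold are all constructed assumptions for illustration.

```python
"""Classify unsolicited TCP backscatter in a tcpdump-style trace.

In a reflected DDoS the attacker sends SYNs with the victim's address forged
as the source.  Each reflector answers the victim with a SYN/ACK (open port)
or an RST (closed port).  The signature is therefore many distinct hosts
sending SYN/ACK or RST to the victim for connections the victim never opened.
"""
import re
from collections import Counter

# Constructed sample in the old tcpdump "src.port > dst.port: flags ..." layout.
# All hosts are hypothetical placeholders, not taken from the original post.
# The last two lines are a legitimate DNS lookup the victim opened itself.
SAMPLE_TRACE = """\
21:30:01.100000 r1.example.net.http > victim.example.ca.2050: S 1:1(0) ack 1 win 16384
21:30:01.100500 r2.example.org.smtp > victim.example.ca.2051: S 9:9(0) ack 1 win 8760
21:30:01.101000 r3.example.com.ftp > victim.example.ca.2052: S 4:4(0) ack 1 win 32120
21:30:01.101500 r1.example.net.http > victim.example.ca.2053: S 2:2(0) ack 1 win 16384
21:30:01.102000 r4.example.jp.telnet > victim.example.ca.2054: S 7:7(0) ack 1 win 4096
21:30:01.102500 r5.example.net.smtp > victim.example.ca.2055: R 0:0(0) ack 1 win 0
21:30:01.103000 victim.example.ca.1025 > dns.example.ca.domain: S 3:3(0) win 16384
21:30:01.103500 dns.example.ca.domain > victim.example.ca.1025: S 5:5(0) ack 4 win 16384
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)(?P<rest>.*)$")


def split_endpoint(endpoint):
    """'mail.example.ca.smtp' -> ('mail.example.ca', 'smtp'); the port is the last component."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return a packet dict for one trace line, or None if it is not TCP in this layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "syn": "S" in flags,
        "rst": "R" in flags,
        # In this layout the ACK is shown as "ack <n>" after the sequence field.
        "ack": re.search(r"\back\b", m.group("rest")) is not None,
    }


def analyze_trace(trace, victim, min_reflectors=5):
    """Count SYN/ACK and RST packets sent to `victim` by hosts it never contacted."""
    packets = [p for p in (parse_line(l) for l in trace.splitlines()) if p]
    # Connections the victim opened itself: a bare SYN (no ACK) leaving the victim.
    opened = {p["dst"] for p in packets
              if p["src"][0] == victim and p["syn"] and not p["ack"]}
    reflectors = Counter()   # source host -> unsolicited packets
    services = Counter()     # source port/service name -> unsolicited packets
    for p in packets:
        if p["dst"][0] != victim:
            continue
        if p["src"] in opened:
            continue  # reply to a connection the victim opened: legitimate
        if (p["syn"] and p["ack"]) or p["rst"]:
            reflectors[p["src"][0]] += 1
            services[p["src"][1]] += 1
    return {
        "reflectors": dict(reflectors),
        "services": dict(services),
        "unsolicited_packets": sum(reflectors.values()),
        # Threshold is an assumed heuristic: backscatter from many distinct hosts.
        "reflected_attack": len(reflectors) >= min_reflectors,
    }


if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE, "victim.example.ca")
    print("reflected attack:", result["reflected_attack"])
    for host, n in sorted(result["reflectors"].items(), key=lambda kv: -kv[1]):
        print(f"  {host}: {n} unsolicited packet(s)")
    print("services answering:", result["services"])
```

The service-name breakdown is the point the post makes against the "turn off named" advice: if the reflected replies come from http, smtp, ftp and telnet ports rather than domain, the victim's name server is not what is being reflected.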
    
