Re: Denial of Service Attacks & the Nets

From: Joshua Hirsh <someguy@tao.ca>
Date: Fri, 11 Feb 2000 16:58:56 +0000 (GMT)


[: hacktivism :]

Hey all, just adding another 2 cents on this topic...

> news reports cite 50 compromised hosts being used in this wave of 
> attacks.  I have to guess, but I'd be surprised if it took less than  

 There is no way to accurately tell how many compromised hosts were being
used, as most of the traffic being generated from the hosts to the target
network/system is using randomly spoofed bogus source IP addresses. A few
weeks ago I had the pleasure (sic) of experiencing the same type of attack
against one of my networks.

> two weeks, on average, to identify, penetrate, and stabilise access 
> to a single compromised host.  So, that's 100 weeks, or around 2 
> years.

 I'd have to argue against this statement. For a really experienced
cracker, a site could be penetrated in less than two minutes; it all
depends on what the site has vulnerable. A single person could easily
accomplish this task in far less time than you have suggested; it's all a
matter of finding the right hosts.
 
 For the most effective use of the DDoS system, hosts on high speed
networks close to large backbones would be the best targets as they could
dispense a large amount of traffic to disrupt the target system/network.

> This means that more than one person must have worked to 
> compromise the number of hosts required to mount this wave of 
> attacks.  Indeed, it implies that a team of around 4 people worked 
> solidly for six months to compromise the minimum number of 
> hosts required.

 This is also very likely, but I think the time frame is a bit off. I also
think that the hosts were already compromised before the idea to launch
the attack even came to mind.

 On average, I would say that any cracker who is actively out
compromising hosts on a regular basis would have a large list of
compromised hosts at his or her command. I think that whoever is
launching the attacks just set up the DDoS system on a handful of the
hosts under their control.

> evidence of concealment?  Well, the FBI did say that they thought 
> "a single teen" could have done it.  This statement implies that this 
> lone teenager was able to crack 50 hosts in 3 months, a sustained 
> rate of 4 hosts per week.  I am having difficulty believing this... are 
> they obscuring the truth, or just being predictably foolish?

 I could believe this.

> more?  well, they did say that "it may be difficult to trace..." and 
> that they had launched an investigation in case their own 
> computers were used.  Translation: we did it, but you can't catch 
> us.  And by the way we might be able to catch somebody, if you'd 
> just send us some more cash.

 Because of the nature of the Internet, it could be very hard to trace. An
experienced cracker would set up the DDoS network on a machine that has
been patched for his/her own purposes to hide the fact that they even
exist on the machine. After the attack, they might remove the DDoS system
from the machine, and then never return to that machine and move on to
another one, to prevent any means of someone knowing that they were there.

 If anything, the FBI's biggest leads will probably be informers within
the hacker/cracker community.

 But one thing that still sticks out in the back of my mind is the fact
that the NSA was _publicly_ saying that their machines have been crashing.
Since when does the NSA publicly say anything about themselves?


 Regards,

Joshua - someguy@tao.ca
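
The point above about randomly spoofed source addresses, as an added example that is not part of the original message: a small Python check over constructed flow records that reports how far the distinct-source count can be trusted as a count of attacking hosts. The sample addresses, the 5% bogon and 80% one-shot thresholds, and the record layout are assumptions; the mitigation at the origin networks is ingress filtering of spoofed sources (RFC 2827).

```python
import ipaddress
from collections import Counter

# Source blocks that never belong on the public Internet ("this network", RFC 1918
# private, loopback, link-local, multicast, reserved). They cover roughly 13-14% of
# IPv4, so uniformly random spoofing yields about that share of bogon sources.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_unroutable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNROUTABLE)

def spoofing_indicators(flows):
    """flows: (src_ip, dst_ip, packets) records for one target. Returns indicators
    of whether the distinct-source count can be read as a count of attacking hosts."""
    pkts_by_src = Counter()
    for src, _dst, pkts in flows:
        pkts_by_src[src] += pkts
    if not pkts_by_src:
        raise ValueError("no flow records to analyse")
    distinct = len(pkts_by_src)
    bogons = sum(1 for s in pkts_by_src if is_unroutable(s))
    # Randomly spoofed sources are almost never seen twice; real clients are.
    one_shot = sum(1 for n in pkts_by_src.values() if n == 1)
    bogon_frac = bogons / distinct
    one_shot_frac = one_shot / distinct
    return {
        "distinct_sources": distinct,
        "packets": sum(pkts_by_src.values()),
        "bogon_sources": bogons,
        "bogon_source_fraction": bogon_frac,
        "one_shot_source_fraction": one_shot_frac,
        # Either indicator alone is reason to distrust the source count (thresholds assumed).
        "spoofing_likely": bogon_frac > 0.05 or one_shot_frac > 0.8,
    }

# Constructed samples of (src, dst, packets); 203.0.113.5 is a placeholder target.
FLOOD_SAMPLE = [
    ("10.4.7.9", "203.0.113.5", 1), ("198.51.100.7", "203.0.113.5", 1),
    ("224.9.1.3", "203.0.113.5", 1), ("192.0.2.44", "203.0.113.5", 1),
    ("172.20.5.5", "203.0.113.5", 1), ("0.12.3.4", "203.0.113.5", 1),
    ("198.51.100.9", "203.0.113.5", 1), ("127.5.5.5", "203.0.113.5", 1),
    ("203.0.113.77", "203.0.113.5", 40),  # one genuine repeat client
]
NORMAL_SAMPLE = [("198.51.100.7", "203.0.113.5", 25),
                 ("192.0.2.44", "203.0.113.5", 31), ("203.0.113.77", "203.0.113.5", 40)]
```

On the flood sample, over half of the nine distinct sources fall in unroutable space and eight of nine are seen once, so the nine is not a host count; on the normal sample both indicators are zero.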

