May 29, 2007, 02:03 PM | #176
Member
Join Date: May 29, 2007
Posts: 18

Seriously though, the only way we can win is by taking the high road (or if you will, taking it back). Since revenge attacks aren't exactly justified, would you please post the IP (or PM me, as I can't really do anything about it).
May 29, 2007, 02:05 PM | #177
Junior Member
Join Date: May 15, 2007
Posts: 5

Since our geeks have given tutorials on everything else, could someone explain "portscanning?"
Thanks, fistful, not Scapegoat
__________________
Since everything is my fault - what load for albatross?
May 29, 2007, 02:10 PM | #178
Senior Member
Join Date: June 5, 2000
Location: Job hunting on the road...
Posts: 3,827
__________________
Job hunting, but helping a friend out at www.vikingmachineusa.com - and learning the finer aspects of becoming a precision machinist. And making the world's greatest bottle openers!
May 29, 2007, 02:10 PM | #179
Senior Member
Join Date: December 12, 1999
Location: Fort Collins, Colorado, USA
Posts: 2,682

Here is the site for one of the popular port scanners: http://insecure.org/nmap/
And the Wiki entry for port scanner: http://en.wikipedia.org/wiki/Port_scanner

Essentially it rattles the doors and windows of a host to see what ports are listening for connections. It is NOT an attack. It is standard practice for filtering to be in place to refuse connections to any port not specifically enabled to serve a specific service.
__________________
Zak Smith . DEMIGOD LLC . THUNDER BEAST ARMS CORP . COLORADO MULTI-GUN
My PM inbox full? Send e-mail instead.
May 29, 2007, 02:11 PM | #180
Junior Member
Join Date: June 11, 2004
Posts: 3

You can often find out a lot about a target machine by scanning its TCP ports, depending on how well the machine is secured. Different applications and operating systems "listen" on different port numbers. If ports X, Y, and Z are open on a target machine, then you could conclude it's running Application A or B. Attackers do this to find vulnerabilities, customize attacks, etc. Scanning just means they're checking each port to see if it's open and listening for traffic.
Last edited by Marnoot; May 29, 2007 at 02:12 PM. Reason: poor terminology
May 29, 2007, 02:13 PM | #181
Senior Member
Join Date: May 29, 2007
Location: St. Louis, MO area
Posts: 4,040

Port scanning is the process of hitting an internet address (IP address = X.X.X.X, where X = 0 to 255) in an attempt to find open ports. It is often considered a prelude to an attack (you're looking for vulnerabilities). It's analogous to going to a house you want to burglarize, and trying to jimmy windows and doors, looking for an easy way in. The server's responses to port scans vary, depending again on what the server is for. The most secure response is simply NOT to respond, giving the impression that there's no computer there. However, this means the server won't be serving anything. Again, other ports will be open or closed, depending on what your purpose is. Here's a list of the various port numbers and what they are used for: http://www.iana.org/assignments/port-numbers
Also a THR refugee
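The three posts above describe a port scan from the scanner's side. From the defender's side the tell is one source touching many distinct destination ports within a short window, which a normal connection attempt, or a client retrying the same port, never does. The following is an added example written for this thread, not code from any poster: a sliding-window counter over constructed netfilter-style drop log lines. The log format, the addresses, the 60-second window and the six-port threshold are all constructed for the illustration.

```python
"""Flag port-sweep behaviour in firewall drop logs (added example).

A source that hits many distinct destination ports inside a short window is
reported; a source that retries a single port, or touches only a couple of
ports, is not. Sample lines, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a netfilter-style key=value format. Not real traffic.
# 198.51.100.7 sweeps eight ports in four seconds; 192.0.2.55 retries one port;
# 203.0.113.99 touches only two ports.
SAMPLE_LOG = """\
2007-05-29T14:00:01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=21 SYN
2007-05-29T14:00:01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41001 DPT=22 SYN
2007-05-29T14:00:02 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41002 DPT=23 SYN
2007-05-29T14:00:02 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41003 DPT=25 SYN
2007-05-29T14:00:03 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41004 DPT=110 SYN
2007-05-29T14:00:03 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41005 DPT=143 SYN
2007-05-29T14:00:04 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41006 DPT=443 SYN
2007-05-29T14:00:04 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41007 DPT=3306 SYN
2007-05-29T14:00:05 kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=50000 DPT=8080 SYN
2007-05-29T14:00:09 kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=8080 SYN
2007-05-29T14:00:15 kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=50002 DPT=8080 SYN
2007-05-29T14:02:30 kernel: DROP IN=eth0 SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=6000 DPT=81 SYN
2007-05-29T14:02:30 kernel: DROP IN=eth0 SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=6001 DPT=82 SYN
"""

# Pull the timestamp, source address, protocol and destination port out of a line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, proto, dport) or None for lines that don't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["proto"], int(m["dpt"])


def detect_scans(log_text, window_s=60, min_ports=6):
    """Return {src: sorted list of ports} for every source whose count of
    distinct destination ports within any window_s-second sliding window
    reaches min_ports. Only TCP is considered here."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport) inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, proto, dport = parsed
        if proto != "TCP":
            continue
        q = recent[src]
        q.append((ts, dport))
        # Expire events that fell out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            # Accumulate every port seen in a flagged window for the report.
            flagged[src] = sorted(set(flagged.get(src, [])) | ports)
    return flagged


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} ports {ports}")
```

Tune `window_s` and `min_ports` to the network; a busy public server sees legitimate clients on only a handful of ports, so a single address reaching dozens of closed ports in a minute is worth a look even though, as the thread notes, scanning alone is not an attack.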
May 29, 2007, 02:14 PM | #182
Member
Join Date: May 29, 2007
Location: In Free Utah
Posts: 46

At least I found out here at TFL how I can help THR.
20 bucks on the way, Derek. And now to go poke around this site.
May 29, 2007, 02:19 PM | #183
Senior Member
Join Date: February 5, 2002
Posts: 1,819

I have lost the hard copy notes I took.
Network Security meeting I was invited to attend, and Cisco was one system that used software to fend off Bad Guys. Bad Guys was the actual term used. I am not to this point in studies yet, so those that are can better educate me and everyone. PIX, firewall, and software that BGs have a hard time getting to and past. Not just for DoS attacks, not just for getting sensitive information. IIRC these "mirrored", meaning the software doubled the number. Seems like 20 was a standard basic set up, meaning a possible of 40. Configs automatically changed settings, and the default was to randomly select the times and duration of settings. Not a good idea to always be predictable and change every 8 hours at the same time of day, for instance. I wish I could find my notes, with sketch. BGs were "drawn" to "servers" that really did not exist, and kept in a holding cell if you will. I'm not there in studies yet, still most interesting.
__________________
Use Enough Gun TFL Alumni
May 29, 2007, 02:23 PM | #184
Senior Member
Join Date: August 19, 2006
Location: Denver
Posts: 104

Sad to see these DoS attacks continuing, and hope Derek et al. can find some resolution.... Thanks to the fine folks here on TFL for welcoming us THR refugees...
May 29, 2007, 02:33 PM | #185
Member
Join Date: May 29, 2007
Posts: 17

Well, lookit that.
Hi, TFL members.
May 29, 2007, 02:42 PM | #186
Senior Member
Join Date: July 17, 2002
Location: Lubbock, TX
Posts: 119

Howdy!
Sent my little contribution to the cause, too. (Derek, should be in your PP box as I type this.)
Brad
__________________
Exhilaro Meus Diem - Clintus Eastwoodicus
May 29, 2007, 02:45 PM | #187
Senior Member
Join Date: May 1, 2000
Location: Manassas, Virginia
Posts: 914

My company used to sell one (maybe still does) that ran on a single hardened Solaris box. It could simulate up to 255 individual servers and network devices. The "web servers" could even serve up pages like a real web server. You had to really poke at it hard to determine it wasn't a real system.
Chris
May 29, 2007, 02:49 PM | #188
Junior Member
Join Date: May 27, 2007
Location: Red Stick, LA
Posts: 1
May 29, 2007, 02:59 PM | #189
Senior Member
Join Date: July 26, 2006
Location: Southern California
Posts: 245

1911Forum.com is also down--since yesterday afternoon.
Guys--I smell a liberal nut-case assault here. Wouldn't put it past them.
May 29, 2007, 03:01 PM | #190
Senior Member
Join Date: August 14, 2006
Location: Huntsville, AL
Posts: 437
May 29, 2007, 03:20 PM | #191
Staff
Join Date: October 13, 2001
Posts: 3,355

Sure, most attackers will portscan their target(s). I'd say it's about on the level of taking photographs of oil refineries and city landmarks. Just because terrorists might take pictures of those sites doesn't mean it's legitimate to suspect landmark photographers of terrorism. Without something more, I'm not inclined to think it's malicious.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner) “Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum) “It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
May 29, 2007, 03:30 PM | #192
Staff
Join Date: October 13, 2001
Posts: 3,355
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner) “Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum) “It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
May 29, 2007, 03:46 PM | #193
Member
Join Date: December 24, 2006
Location: Fort Walton Beach, Florida
Posts: 76

I can't stand DDoS attacks. When I was in the webhosting industry we used to suffer them all the time, as we hosted several different right wing political websites that attracted a lot of heat. The issue with DDoS attacks is that the majority of the servers are generally from all over the world and have been compromised through weak security, in which a hacker has gained access to a server via several methods, sometimes bruteforce, and then infects the server with a trojan. From there, they set up a botnet from IRC and literally use all the infected servers to flood a server or a router with bogus packets in attempts to take the server/router offline. I remember times when my bill was exceeding 10,000 dollars a month as I would be attacked in the wee hours of the morning. I eventually got fed up with it and set up MRTG graphs, as well as hired a cage monkey and a 2nd system admin to nullroute the servers in the event a DDoS attack happened, so I wouldn't be losing a ton of money due to an attack.

Unfortunately preventing DDoS attacks is very difficult; many of the largest companies have been unable to completely stop them. There was an Israeli company called Blue Security about 2 years ago who was dedicated to stopping spam. They were known to use some pretty questionable tactics but it worked; their methods were so effective that some of the world's largest spam rings took it as a threat and DDoS attacked them for a week. The company shut down shortly after and spam tripled.

The only ways I know of to prevent attacks:

The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, one's provider and others involved. It is a time consuming process, so the process should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS. The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. Filtering is often ineffective, as the route to the filter will normally be swamped so only a trickle of traffic will survive. However, by using an extremely resilient stateful packet filter that will inexpensively drop any unwanted packets, surviving a DDoS attack becomes much easier. When such a high performance packet filtering server is attached to an ultra high bandwidth connection (preferably an Internet backbone), communication with the outside world will be unimpaired so long as not all of the available bandwidth is saturated, and performance behind the packet filter will remain normal as long as the packet filter drops all DDoS packets. It should be noted however, that in this case the victim of the DDoS attack still would need to pay for the excessive bandwidth. The price of service unavailability thus needs to be weighed against the price of truly exorbitant bandwidth/traffic.

SYN Cookies
SYN cookies modify the TCP protocol handling of the server by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SYN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on during runtime of the Linux kernel.

Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Your router may be affected even before the firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall. Modern stateful firewalls like Check Point FW1 NGX & Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers). A similar ability is present in OpenBSD's PF, which is available for other BSDs as well. In that context, it is called "synproxy".

Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented using them. For example, SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. WAN link failover will work as long as both links have a DoS/DDoS prevention mechanism.

Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings.

Application front end hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.

IPS based prevention
Intrusion-prevention systems are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior based DoS attacks. An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
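The SYN cookies section above says the server delays allocating resources until the client address has been verified, but not how that is possible without remembering the SYN. The trick is that the server's initial sequence number in the SYN-ACK is itself the record: a coarse time counter plus a keyed hash of the connection's addresses and ports. A real client echoes that number back (plus one) in its ACK, so the server can recompute the hash and accept the connection; a spoofed source never saw the SYN-ACK and cannot produce a matching ACK, so nothing was wasted on it. The following is an added example written for this thread, not the Linux or Solaris implementation the post mentions: a toy cookie using HMAC-SHA256 with a 5-bit counter and a 27-bit hash. The secret key, the counter width, the tick unit and the addresses are all constructed assumptions, and real implementations also encode the negotiated MSS, which is omitted here.

```python
"""Toy SYN cookie (added example; not a kernel implementation).

The server keeps no per-SYN state. Its SYN-ACK sequence number carries a
time counter in the top bits and a keyed hash of the 4-tuple, the client's
ISN and that counter in the low bits. The final ACK is accepted only if the
hash recomputes, so spoofed SYNs cost the server nothing but a reply packet.
Key, bit widths, tick unit and addresses are constructed for illustration.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"    # a real kernel uses a random per-boot secret
COUNTER_BITS = 5                    # top 5 bits of the ISN: coarse time counter
MAC_BITS = 32 - COUNTER_BITS        # remaining 27 bits: keyed hash
MAC_MASK = (1 << MAC_BITS) - 1
MAX_AGE = 2                         # accept cookies at most 2 ticks old


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Keyed hash over the connection 4-tuple, client ISN and time counter."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & MAC_MASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now_ticks):
    """Server ISN for the SYN-ACK. Nothing is stored; the state is the number."""
    counter = now_ticks % (1 << COUNTER_BITS)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return (counter << MAC_BITS) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq_num, ack_num, now_ticks):
    """Validate the final ACK of the handshake.

    The client's seq is client_isn + 1 and its ack is server_isn + 1, so both
    ISNs are recovered from the packet itself and the cookie is recomputed.
    """
    client_isn = (seq_num - 1) & 0xFFFFFFFF
    server_isn = (ack_num - 1) & 0xFFFFFFFF
    counter = server_isn >> MAC_BITS
    age = (now_ticks - counter) % (1 << COUNTER_BITS)
    if age > MAX_AGE:
        return False    # replayed or very late ACK: the counter has moved on
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    got = server_isn & MAC_MASK
    return hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", got))


def demo():
    """One legitimate handshake and three bad ACKs; returns the four verdicts."""
    conn = ("198.51.100.7", 40000, "203.0.113.10", 80)   # constructed 4-tuple
    client_isn, t = 123456789, 1000
    server_isn = make_cookie(*conn, client_isn, t)        # SYN-ACK sent, no state kept
    good_ack = (server_isn + 1) & 0xFFFFFFFF

    legit = check_cookie(*conn, client_isn + 1, good_ack, t + 1)
    # A spoofed source never saw the SYN-ACK and can only guess the ack number;
    # here it is off by one bit in the hash part.
    forged_ack = ((server_isn ^ 1) + 1) & 0xFFFFFFFF
    guessed = check_cookie(*conn, client_isn + 1, forged_ack, t + 1)
    # The correct ack number arriving from a different source address fails too.
    wrong_src = check_cookie("192.0.2.1", *conn[1:], client_isn + 1, good_ack, t + 1)
    # A captured valid ACK replayed after MAX_AGE ticks is rejected.
    stale = check_cookie(*conn, client_isn + 1, good_ack, t + MAX_AGE + 1)
    return legit, guessed, wrong_src, stale


if __name__ == "__main__":
    names = ("legitimate ACK", "guessed ACK", "ACK from wrong source", "stale replay")
    for name, verdict in zip(names, demo()):
        print(f"{name}: {'accepted' if verdict else 'rejected'}")
```

The cost of this design is visible in the code: only 27 bits of hash fit, and any TCP options the client sent in its SYN are forgotten unless they are squeezed into the cookie as well, which is why production stacks enable cookies only once the SYN backlog is under pressure. On Linux the runtime switch the post refers to is the `net.ipv4.tcp_syncookies` sysctl.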
May 29, 2007, 04:07 PM | #194
Staff
Join Date: April 13, 2000
Location: Northern Virginia
Posts: 41,404

God it makes me hot when you guys start getting all geeky...
__________________
"The gift which I am sending you is called a dog, and is in fact the most precious and valuable possession of mankind" -Theodorus Gaza
Baby Jesus cries when the fat redneck doesn't have military-grade firepower.
May 29, 2007, 04:13 PM | #195
Member
Join Date: May 28, 2007
Location: SF, SD
Posts: 50

The fact that the attacks supposedly are originating from Chicago (anyone have more details on exactly what's going on and what they're doing about it? I'm not seeing anything specific as I'm reading through this thread) only really indicates that one of the originating attacker's machines is located somewhere in the Midwest. Most traffic from this region is routed through Minneapolis to Chicago, and then elsewhere, as that is where the major telecom lines are.
Again, the attacks could be coming from Shanghai; they're just jumping through somewhere around Chicago (if, indeed, that's the case).
May 29, 2007, 04:21 PM | #196
Junior Member
Join Date: May 15, 2007
Posts: 5

You are a sick man. You know who you are.
__________________
Since everything is my fault - what load for albatross?
May 29, 2007, 04:28 PM | #197
Staff
Join Date: October 13, 2001
Posts: 3,355

Mike, put that thing back in your pants.
Caimlas, I called Derek earlier today to see if there was anyone I could help harass. He can't get to THR (obviously) so he doesn't know where this attack is coming from (yet). From what I understand, there's a full serving of communications-channel problems between him and the colo, with a side of noc monkey laziness and/or incompetence. For all he knows, the attack is long gone and they simply haven't restored THR's connectivity.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner) “Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum) “It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
May 29, 2007, 04:30 PM | #198
Senior Member
Join Date: January 18, 2005
Posts: 882

Don't you just love that?
__________________
If we look at the black record of mass murder, exploitation, and tyranny levied on society by governments over the ages, we need not be loath to abandon the Leviathan State and ... try freedom. --Murray Rothbard, For a New Liberty
May 29, 2007, 04:37 PM | #199
Junior Member
Join Date: May 29, 2007
Location: MA
Posts: 6

"1911Forum.com is also down--since yesterday afternoon."
Yes, I was going to 1911Forum to ask what the deal with THR was, only to find it was down also!
May 29, 2007, 04:39 PM | #200
Staff
Join Date: October 13, 2001
Posts: 3,355

And now, for our scheduled entertainment break...
http://www.theonion.com/content/vide...embedded_video
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner) “Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum) “It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)