The Firing Line Forums

Old May 29, 2007, 02:03 PM   #176
G36-UK
Member
 
Join Date: May 29, 2007
Posts: 18
Quote:
TFL was portscanned this morning from the webserver of a well-known, vocal, and sometimes tasteless liberal 501(c)(3), but as it wasn't really an attack and I don't want lynch mobs forming, I'm not going to identify it.
So where will I put all the rope?

Seriously though, the only way we can win is by taking the high road (or if you will, taking it back).

Since revenge attacks aren't exactly justified, would you please post the IP (or PM me, as I can't really do anything about it).
G36-UK is offline  
Old May 29, 2007, 02:05 PM   #177
fistful
Junior Member
 
Join Date: May 15, 2007
Posts: 5
Since our geeks have given tutorials on everything else, could someone explain "portscanning?"

Thanks,

fistful, not Scapegoat
__________________
Since everything is my fault - what load for albatross?
fistful is offline  
Old May 29, 2007, 02:10 PM   #178
Bogie
Senior Member
 
Join Date: June 5, 2000
Location: Job hunting on the road...
Posts: 3,827
Quote:
He has been... missing since the new servers from here were delivered.

Hopefully, this site can help. Apparently, they've come across problems of this type before.
Either the owners of those sites have never seen the movies, or they have zero sense of humor about it.
__________________
Job hunting, but helping a friend out at www.vikingmachineusa.com - and learning the finer aspects of becoming a precision machinist.

And making the world's greatest bottle openers!
Bogie is offline  
Old May 29, 2007, 02:10 PM   #179
Zak Smith
Senior Member
 
Join Date: December 12, 1999
Location: Fort Collins, Colorado, USA
Posts: 2,682
Here is the site for one of the popular port scanners http://insecure.org/nmap/

And the Wiki entry for port scanner: http://en.wikipedia.org/wiki/Port_scanner

Essentially it rattles the doors and windows of a host to see what ports are listening for connections. It is NOT an attack.

It is standard practice for filtering to be in place to refuse connections to any port not specifically enabled to serve a specific service.
__________________
Zak Smith . DEMIGOD LLC . THUNDER BEAST ARMS CORP . COLORADO MULTI-GUN
My PM inbox full? Send e-mail instead.
Zak Smith is offline  
Old May 29, 2007, 02:11 PM   #180
Marnoot
Junior Member
 
Join Date: June 11, 2004
Posts: 3
You can often find a lot out about a target machine by scanning its TCP ports, depending on how well the machine is secured. Different applications and operating systems "listen" on different port #'s. If ports X, Y, and Z are open on a target machine, then you could conclude it's running Application A or B. Attackers do this to find vulnerabilities, customize attacks, etc. Scanning just means they're checking each port to see if it's open and listening for traffic.

Last edited by Marnoot; May 29, 2007 at 02:12 PM. Reason: poor terminology
Marnoot is offline  
Old May 29, 2007, 02:13 PM   #181
Technosavant
Senior Member
 
Join Date: May 29, 2007
Location: St. Louis, MO area
Posts: 4,040
Quote:
Since our geeks have given tutorials on everything else, could someone explain "portscanning?"
All internet traffic goes into and out of computers via "ports." They aren't physical things, just logical. For example, all HTTP traffic (the vast majority of web traffic) goes via port 80. An internet server will have some ports open and some ports closed, depending on what it is supposed to do. There are thousands of ports, and not all of them have specifically assigned tasks (like port 80 does).

Port scanning is the process of hitting an internet address (IP address = X.X.X.X, where X = 0 to 255) in an attempt to find open ports. It is often considered a prelude to an attack (you're looking for vulnerabilities). It's analogous to going to a house you want to burglarize, and trying to jimmy windows and doors, looking for an easy way in.

The server's responses to port scans vary, depending again on what the server is for. The most secure response is simply NOT to respond, giving the impression that there's no computer there. However, this means the server won't be serving anything. Again, other ports will be open or closed, depending on what your purpose is.

Here's a list of the various port numbers and what they are used for.
http://www.iana.org/assignments/port-numbers

/Also a THR refugee
Technosavant is offline  
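The two explanations above (Marnoot's and Technosavant's) describe what a scan looks like from the target's side: one source touching many ports on one host in a short time. As an added, defender-side example that is not code from any post in this thread, here is a small detector that parses iptables-style firewall log lines and flags sources that hit many distinct destination ports within a sliding window. The log lines, addresses, thresholds and field layout are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the style of a Linux iptables LOG target (no real hosts).
# 203.0.113.7 probes six ports of one host within seconds; 192.0.2.44 makes two
# ordinary web connections a minute apart and should not be flagged.
SAMPLE_LOG = """\
May 29 09:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41234 DPT=21 SYN
May 29 09:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41235 DPT=22 SYN
May 29 09:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41236 DPT=23 SYN
May 29 09:01:03 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=50211 DPT=80 SYN
May 29 09:01:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41237 DPT=25 SYN
May 29 09:01:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41238 DPT=80 SYN
May 29 09:01:06 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41239 DPT=443 SYN
May 29 09:02:30 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=50212 DPT=443 SYN
"""

# Syslog timestamp, then the SRC=, DST= and DPT= fields in the order iptables writes them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog time
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_scanners(log_text, min_ports=5, window_seconds=60):
    """Return {src: ports} for every source that touched at least min_ports
    distinct destination ports on one host inside any window_seconds span."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[(src, dst)].append((ts, dpt))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits in window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = flagged.get(src, set()) | ports
    return flagged


if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {sorted(ports)}")
```

Tune min_ports and window_seconds to the site's normal traffic; a single legitimate client rarely opens five unrelated services on one host within a minute, which is what separates the scan from ordinary browsing in the sample.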
Old May 29, 2007, 02:14 PM   #182
flynlr
Member
 
Join Date: May 29, 2007
Location: In Free Utah
Posts: 46
At least I found out here at TFL how I can help THR

20 bucks on the way derek.

and now to go poke around this site.
flynlr is offline  
Old May 29, 2007, 02:19 PM   #183
sm
Senior Member
 
Join Date: February 5, 2002
Posts: 1,819
I have lost the hard copy notes I took.

Network Security meeting I was invited to attend, and Cisco was one system that used software to fend off Bad Guys. Bad Guys was the actual term used.

I am not to this point in studies yet, so those that are can better educate me and everyone.
PIX, firewall, and software that BGs have a hard time getting to and past.
Not just for DOS attacks, not just for getting sensitive information.

IIRC these "mirrored", meaning the software doubled the number. Seems like 20 was a standard basic set up, meaning a possible of 40.

Configs automatically changed settings and default was to randomly select the times and duration of settings.
Not a good idea to always be predictable and change every 8 hours at the same time of day for instance.


I wish I could find my notes, with sketch.
BGs were "drawn" to "servers" that really did not exist, and kept in a holding cell if you will.

I'm not there in studies yet, still most interesting.
__________________
Use Enough Gun
TFL Alumni
sm is offline  
Old May 29, 2007, 02:23 PM   #184
DouglasW
Senior Member
 
Join Date: August 19, 2006
Location: Denver
Posts: 104
Quote:
Send paypal to [email protected]. Make a note in the paypal description field that it is for THR maintenance (or APS maintenance, etc.) so he will know what the funds are allocated for.
Done. Boy, nothing like a DoS attack to make us realize how much time we spend surfing THR...

Sad to see these DoS attacks continuing, and hope Derek et al. can find some resolution....

Thanks to the fine folks here on TFL for welcoming we THR refugees...
DouglasW is offline  
Old May 29, 2007, 02:33 PM   #185
jlbraun
Member
 
Join Date: May 29, 2007
Posts: 17
Well, lookit that.

Hi, TFL members.
jlbraun is offline  
Old May 29, 2007, 02:42 PM   #186
Brad Johnson
Senior Member
 
Join Date: July 17, 2002
Location: Lubbock, TX
Posts: 119
Howdy!

Sent my little contribution to the cause, too. (Derek, should be in your PP box as I type this).

Brad
__________________
Exhilaro Meus Diem - Clintus Eastwoodicus
Brad Johnson is offline  
Old May 29, 2007, 02:45 PM   #187
mtnbkr
Senior Member
 
Join Date: May 1, 2000
Location: Manassas, Virginia
Posts: 914
Quote:
BGs were "drawn" to "servers" that really did not exist, and kept in a holding cell if you will.
Honeypots.

My company used to sell one (maybe still does) that ran on a single hardened Solaris box. It could simulate up to 255 individual servers and network devices. The "web servers" could even serve up pages like a real web server. You had to really poke at it hard to determine it wasn't a real system.

Chris
mtnbkr is offline  
Old May 29, 2007, 02:49 PM   #188
Dixie_Amazon
Junior Member
 
Join Date: May 27, 2007
Location: Red Stick, LA
Posts: 1
Quote:
so who brought the beer?
Here ya go Tenbase...

Dixie_Amazon is offline  
Old May 29, 2007, 02:59 PM   #189
benedict1
Senior Member
 
Join Date: July 26, 2006
Location: Southern California
Posts: 245
1911Forum.com is also down--since yesterday afternoon.

Guys--I smell a liberal nut-case assault here. Wouldn't put it past them.
benedict1 is offline  
Old May 29, 2007, 03:01 PM   #190
tydephan
Senior Member
 
Join Date: August 14, 2006
Location: Huntsville, AL
Posts: 437
Quote:
Originally Posted by Douglas
Boy, nothing like a DoS attack to make us realize how much time we spend surfing THR...
This is absolutely right. I feel pretty helpless that I can't help in any other way. But for the amount of knowledge I have gleaned from THR, it is well worth the donation!
tydephan is offline  
Old May 29, 2007, 03:20 PM   #191
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,355
Quote:
Port scanning is the process of hitting an internet address (IP address = X.X.X.X, where X = 0 to 255) in an attempt to find open ports. It is often considered a prelude to an attack (you're looking for vulnerabilities). It's analogous to going to a house you want to burglarize, and trying to jimmy windows and doors, looking for an easy way in.
That kind of poor analogy is appealing in its simplicity, but is also widely disputed. That attitude is the reason I'm not disclosing more.

Sure, most attackers will portscan their target(s). I'd say it's about on the level of taking photographs of oil refineries and city landmarks. Just because terrorists might take pictures of those sites doesn't mean it's legitimate to suspect landmark photographers of terrorism. Without something more, I'm not inclined to think it's malicious.

Quote:
Originally Posted by mtnbkr
Honeypots.

My company used to sell one (maybe still does) that ran on a single hardened Solaris box. It could simulate up to 255 individual servers and network devices. The "web servers" could even serve up pages like a real web server. You had to really poke at it hard to determine it wasn't a real system.
Simulated honeypots are neat, and I know a fair number of people use them, but these days it's nearly as easy to set up real vulnerable systems inside guest VMs, with filtering of outgoing connections and rate limits on outbound traffic. More realistic bait means a more accurate assessment of attacks and attackers.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
Old May 29, 2007, 03:30 PM   #192
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,355
Quote:
Originally Posted by benedict1
1911Forum.com is also down--since yesterday afternoon.
Different kind of attack, at least right now. The webserver's hosed, and latency is not consistent, but everything else seems fine. That could be an attack, or it could have gotten linked from a popular news site (slashdot effect).
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
Old May 29, 2007, 03:46 PM   #193
PILMAN
Member
 
Join Date: December 24, 2006
Location: Fort Walton Beach, Florida
Posts: 76
I can't stand DDoS attacks, when I was in the webhosting industry we used to suffer them all the time as we hosted several different right wing political websites that attracted a lot of heat. The issue with DDoS attacks is that the majority of the servers are generally from all over the world and have been compromised through weak security in which a hacker has gained access to a server via several methods, sometimes bruteforce, and then infects the server with a trojan. From there, they set up a botnet from IRC and literally use all the infected servers to flood a server or a router with bogus packets in attempts to take the server/router offline. I remember times when my bill was exceeding 10,000 dollars a month as I would be attacked in the wee hours of the morning. I eventually got fed up with it and set up MRTG graphs as well as hired a cage monkey and 2nd system admin to nullroute the servers in the event a DDoS attack happened so I wouldn't be losing a ton of money due to an attack.

Unfortunately preventing DDoS attacks is very difficult, many of the largest companies have been unable to completely stop them. There was an Israeli company called bluesecurity about 2 years ago who was dedicated to stopping spam, they were known to use some pretty questionable tactics but it worked, their methods were so effective that some of the world's largest spam rings took it as a threat and DDoS attacked them for a week. The company shut down shortly after and spam tripled.

The only ways I know of to prevent attacks.

The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, one's provider and others involved. It is a time consuming process, so the process should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS.

The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack.

Filtering is often ineffective, as the route to the filter will normally be swamped so only a trickle of traffic will survive. However, by using an extremely resilient stateful packet filter that will inexpensively drop any unwanted packets, surviving a DDoS attack becomes much easier. When such a high performance packet filtering server is attached to an ultra high bandwidth connection (preferably an Internet backbone), communication with the outside world will be unimpaired so long as not all of the available bandwidth is saturated, and performance behind the packet filter will remain normal as long as the packet filter drops all DDoS packets. It should be noted however, that in this case the victim of the DDoS attack still would need to pay for the excessive bandwidth. The price of service unavailability thus needs to be weighed against the price of truly exorbitant bandwidth/traffic.

SYN Cookies

SYN cookies modify the TCP protocol handling of the server by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SYN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on during runtime of the Linux kernel.

Firewalls

Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Your router may be affected even before the firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.

Modern stateful firewalls like Check Point FW1 NGX & Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers). A similar ability is present in OpenBSD's PF, which is available for other BSDs as well. In that context, it is called "synproxy".

Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing.

These schemes will work as long as the DoS attacks are something that can be prevented using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. WAN-link failover will work as long as both links have DoS/DDoS prevention mechanisms.

Routers

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings.

Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.

IPS based prevention

Intrusion-prevention systems are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior based DoS attacks.

An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.

A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
PILMAN is offline  
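The SYN-cookie section of the post above says the server delays allocating resources until the client address has been verified. As an added illustration that is not code from the post or from any real TCP stack, here is a toy stateless server: the SYN-ACK sequence number is a cookie built from a time counter, an MSS index and a keyed hash of the connection 4-tuple, and connection state is created only when the final ACK echoes a cookie that recomputes correctly for that client's address. The secret, MSS table, counter period and bit layout are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Demo parameters (assumptions, not any real stack's layout).
MSS_TABLE = [536, 1220, 1440, 1460]   # 2-bit index into this table rides in the cookie
COUNTER_PERIOD = 64                   # seconds per counter tick; cookies expire after ~2 ticks


class SynCookieServer:
    """Stateless SYN handling: nothing is stored per SYN, so a flood of SYNs
    from forged addresses costs the server no memory."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.established = []          # state exists only for verified clients

    def _counter(self, now):
        return int(now) // COUNTER_PERIOD

    def _hash24(self, src, sport, dst, dport, counter):
        # Keyed hash over the 4-tuple and the counter; 24 bits fit under the header bits.
        msg = f"{src}|{sport}|{dst}|{dport}|{counter}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def make_cookie(self, src, sport, dst, dport, client_mss, now):
        """On SYN: return the ISN for the SYN-ACK. No state is allocated."""
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        counter = self._counter(now)
        # Layout: bits 31..26 counter (mod 64), bits 25..24 MSS index, bits 23..0 hash.
        return ((counter & 0x3F) << 26) | (idx << 24) | self._hash24(src, sport, dst, dport, counter)

    def check_ack(self, src, sport, dst, dport, ack_number, now):
        """On the handshake's final ACK: return the negotiated MSS if the echoed
        cookie is valid and fresh for this 4-tuple, else None (packet dropped)."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        counter_bits = cookie >> 26
        idx = (cookie >> 24) & 0x3
        h = cookie & 0xFFFFFF
        current = self._counter(now)
        for candidate in (current, current - 1):   # accept the current or previous tick
            if (candidate & 0x3F) == counter_bits and h == self._hash24(src, sport, dst, dport, candidate):
                self.established.append((src, sport))   # resources allocated only now
                return MSS_TABLE[idx]
        return None


def demo():
    """Constructed exchange: a real client, a forged-address ACK, and a stale replay."""
    server = SynCookieServer(secret=b"demo-only-secret")
    srv = ("198.51.100.10", 80)
    t0 = 1_000_000
    isn = server.make_cookie("192.0.2.44", 50211, *srv, client_mss=1460, now=t0)
    good = server.check_ack("192.0.2.44", 50211, *srv, ack_number=isn + 1, now=t0 + 1)
    # Same cookie presented from a different source address fails the keyed hash.
    spoof = server.check_ack("203.0.113.7", 50211, *srv, ack_number=isn + 1, now=t0 + 1)
    # The genuine client's cookie replayed three ticks later is rejected as stale.
    stale = server.check_ack("192.0.2.44", 50211, *srv, ack_number=isn + 1, now=t0 + 3 * COUNTER_PERIOD)
    return good, spoof, stale


if __name__ == "__main__":
    print(demo())
```

On Linux the real mechanism is the kernel's own implementation, enabled at runtime through the net.ipv4.tcp_syncookies sysctl, which is the runtime switch the post refers to.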
Old May 29, 2007, 04:07 PM   #194
Mike Irwin
Staff
 
Join Date: April 13, 2000
Location: Northern Virginia
Posts: 41,404
God it makes me hot when you guys start getting all geeky...
__________________
"The gift which I am sending you is called a dog, and is in fact the most precious and valuable possession of mankind" -Theodorus Gaza

Baby Jesus cries when the fat redneck doesn't have military-grade firepower.
Mike Irwin is offline  
Old May 29, 2007, 04:13 PM   #195
Caimlas
Member
 
Join Date: May 28, 2007
Location: SF, SD
Posts: 50
The fact that the attacks supposedly are originating from Chicago (anyone have more details on exactly what's going on and what they're doing about it? I'm not seeing anything specific as I'm reading through this thread) only really indicates that one of the originating attacker's machines is located somewhere in the Midwest. Most traffic from this region is routed through Minneapolis to Chicago, and then elsewhere, as that is where the major telecom lines are.

Again, the attacks could be coming from Shanghai; they're just jumping through somewhere around Chicago (if, indeed, that's the case).
__________________
Please visit:
BoiledFrog.US Forums
BoiledFrog.US Blog
Caimlas is offline  
Old May 29, 2007, 04:21 PM   #196
fistful
Junior Member
 
Join Date: May 15, 2007
Posts: 5
You are a sick man. You know who you are.
__________________
Since everything is my fault - what load for albatross?
fistful is offline  
Old May 29, 2007, 04:28 PM   #197
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,355
Mike, put that thing back in your pants.

Caimlas, I called Derek earlier today to see if there was anyone I could help harass. He can't get to THR (obviously) so he doesn't know where this attack is coming from (yet). From what I understand, there's a full serving of communications-channel problems between him and the colo, with a side of noc monkey laziness and/or incompetence. For all he knows, the attack is long gone and they simply haven't restored THR's connectivity.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
Old May 29, 2007, 04:30 PM   #198
dasmi
Senior Member
 
Join Date: January 18, 2005
Posts: 882
Don't you just love that?
__________________
If we look at the black record of mass murder, exploitation, and tyranny levied on society by governments over the ages, we need not be loath to abandon the Leviathan State and ... try freedom.
--Murray Rothbard, For a New Liberty
dasmi is offline  
Old May 29, 2007, 04:37 PM   #199
WillB
Junior Member
 
Join Date: May 29, 2007
Location: MA
Posts: 6
"1911Forum.com is also down--since yesterday afternoon."

Yes, I was going to 1911Forum to ask what the deal with THR was, only to find it was down also!
WillB is offline  
Old May 29, 2007, 04:39 PM   #200
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,355
And now, for our scheduled entertainment break...

http://www.theonion.com/content/vide...embedded_video
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
This site and contents, including all posts, Copyright © 1998-2021 S.W.A.T. Magazine