Tuesday, January 11, 2005

DDoS: Distributed Denial of Service

While I was away it appears that some of the big blogs have been/are being attacked. Specifically, Distributed Denial of Service (DDoS) attacks.

A DDoS attack, in the simplest terms, is an attack on a computer by tens or hundreds or thousands or even tens of thousands of other computers, all sending it traffic or requests at once until it can no longer answer legitimate users.

DDoS is against the law. I hope the lawbreakers are caught, but I won't bet a Mountain Dew on it.

I suspect there are few people who know what Internet Relay Chat (IRC) is and even fewer that use IRC.

IRC is the dark side of the internet. Not all of it, but a whole lot of it.

IRC is the home of hackers and crackers and phreakers and pirates and coders of trojans and worms and viruses.

Or in wannabe IRCese - y0 iRC iz dA sC3n3. y0 cHeCk iT OuT! H4x0Rs, cR4k0rz, pHr34KRz, PIrATEZ! y0 we gotz tr0j4Nz, w0Rmz, virii! wE goTz r00t! wE 0wN y0 aZZ! dA sC3n3 rULez!

If that didn't make any sense, consider that the first requirement of the IRC culture is to demonstrate that you don't need no stinkin' education! -- at least education in the classical sense.

Their mumbo jumbo aside, the kids (13-16 year olds) that make up the great majority of the darkside are just that -- kids. These particular kids can be subdivided into 2 groups:

1. Script-kiddies -- Kids who use scripts/programs coded by someone else because they aren't smart enough to write their own original code.

2. l337 (leet or elite) -- Kids who can run circles around most programmers getting paid top dollar in the corporate world.

Do you have one of these kids in your neighborhood? In your house? How would you know if you did?

Here's a profile (oh give it a rest, ACLU/Libs/etc) of a typical kiddie:

1. Spends a lot of time indoors.
2. Spends a lot of time at the computer (usually locked in his room).
3. Has an unhealthy pallor.
4. Looks like he slept in his clothes.
5. Smells like he's not showered in a couple of days.
6. Overweight/underweight -- generally not in good physical condition.
7. Drinks a lot of Mountain Dew.
8. Eats a lot of junk food.
9. Wears DEFCON T-shirts.
10. Can't/won't spell or capitalize correctly; uses modified alphanumerics (0=o, z=s, 3=E, 4=A, etc.), e.g. 0wNz for owns.
11. Has a database of hacked XXX porn sites, i.e. passwords for the sites.
12. Has lots of XXX on computer in hidden/encrypted folders.
13. Always has the latest copy of Windows OS (why? because Linux is free), and software such as PhotoShop (the $1k version), and games such as Halo 2 and Grand Theft Auto 3, etc.
14. Favorite quote is: There are only 10 types of people -- those who understand binary and those who don't.
15. And there are others, but you get the picture.

93% of the kids fall into Group 1 (or maybe somewhere between Group 1 and Group 2) and while they are not l337, they can do a lot of damage. They have a limited ability to shut down bigtime servers without getting caught. Same is true for stealing passwords and financial information.

It's Group 2 that is the most troublesome. The 7%'ers. They can bring down almost any government, corporate, or private server in the world. They can "own" you.

(Percentages are a rough estimate based on having observed the various IRC scenes for 10 years)

Then there are the old guys, the old pros (19-22 year olds). After age 22, the number of hackers, crackers, etc starts dropping off significantly because most of them have jobs ... in the IT department of your company.

The old guys are gods to the kiddies. The kiddies want nothing more than to be recognized by the old guys, to be deemed worthy, and the kids dream of some day being a "made" old guy themselves. The kids will do almost anything to get recognized. Website defacements are the most common sign of a kid going through the rite of passage to l337d0m.

Not all of their activity is criminal or even malicious, but a lot of it is.

Not all hackers are bad. Not all hacking is bad. It is what you hack and the way you go about hacking that determine whether you're a good guy or a bad guy -- a white hat or a black hat.

These kids (scriptkiddies, l337 and old guys) are the majority on IRC and most of them are black hats.

They may or may not (unwittingly or otherwise) associate with other hacker inhabitants of IRC: terrorists, Russian mafia, Chinese government, etc.

Every day on IRC, hundreds of new trojans, worms and viruses are written or modified. Each and every day.

Every day hundreds of thousands of corporate and personal computers are scanned with port scanners, looking for a way in. And every day tens of thousands of computers are compromised and become zombies that connect to secret IRC channels under the control of hackers.

Computers with high bandwidth connections, such as T1/T3/Cable/DSL, are the preferred targets. The hackers can get into the home PC using a variety of methods. It might be through email attachments or it might be from hostile code embedded on an otherwise legitimate website that they've hacked. You visit the site and the code is automatically downloaded to your computer (a "drive-by download") without you clicking on anything.

This computer code/program (known as a trojan, or more precisely a bot) is written so that your computer will connect to an IRC network without you knowing it. Your computer becomes a zombie, or to use another popular term: a bot.

If you have KaZaa, or other Peer-to-Peer (P2P) software (but especially KaZaa) installed on your computer, you have made life a lot easier for hackers. Not only is it easier to send trojans to your computer, some "copies" of KaZaa have embedded trojans.

Once on the IRC network, the zombie (program planted, hidden, and running on your computer) will enter a secret channel with hundreds or thousands of other zombies from infected PCs to form a BOTNET (bot network).
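That "hundreds or thousands of zombies converging on one channel" is also how you catch them from the outside. One home user chatting on IRC is ordinary; a dozen machines on the same network quietly opening connections to the same IRC server is not. The script below is an added example of mine, not something from the original post or from any real product: it parses a made-up firewall log format (the log lines, the field names, and the list of IRC ports are all my assumptions) and reports any external IRC server that several internal hosts connect to.

```python
"""Flag hosts on a home or office network that look like IRC zombies.

Constructed example (not from the original post): a handful of outbound
connection records in a made-up firewall log format are parsed, and any
external IRC server that many internal hosts connect to is reported along
with the internal hosts involved. Ports 6660-6669 and 7000 are the
conventional IRC ports; bot herders often pick other ports, so treat the
port list as a tunable assumption, not a rule.
"""
import re
from collections import defaultdict

# Conventional IRC ports; an assumption the analyst should tune.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Made-up log format: "<timestamp> ACCEPT src=<ip> dst=<ip> dport=<port> proto=tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT src=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+) proto=tcp$"
)

# Constructed sample: three internal hosts hit the same IRC server, one host
# hits a different IRC server, the rest is normal web traffic plus a junk line.
SAMPLE_LOG = """\
2005-01-10T22:14:03 ACCEPT src=192.168.1.12 dst=203.0.113.45 dport=6667 proto=tcp
2005-01-10T22:14:05 ACCEPT src=192.168.1.12 dst=198.51.100.7 dport=80 proto=tcp
2005-01-10T22:14:09 ACCEPT src=192.168.1.31 dst=203.0.113.45 dport=6667 proto=tcp
2005-01-10T22:14:11 ACCEPT src=192.168.1.44 dst=203.0.113.45 dport=6667 proto=tcp
2005-01-10T22:14:20 ACCEPT src=192.168.1.31 dst=198.51.100.9 dport=443 proto=tcp
2005-01-10T22:15:02 ACCEPT src=192.168.1.50 dst=192.0.2.200 dport=6667 proto=tcp
this line is garbage and must be skipped
"""


def parse(log_text):
    """Yield (src, dst, dport) tuples, skipping lines that do not match the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def irc_servers(log_text, ports=IRC_PORTS):
    """Map each external IRC server (dst, dport) to the set of internal hosts using it."""
    servers = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport in ports:
            servers[(dst, dport)].add(src)
    return servers


def suspected_botnet(log_text, min_hosts=3, ports=IRC_PORTS):
    """Return {server: sorted hosts} for IRC servers shared by >= min_hosts internal hosts.

    Several unrelated machines reporting in to the same IRC server is the
    signature of bots joining their channel; a single IRC user is not flagged.
    """
    return {
        server: sorted(hosts)
        for server, hosts in irc_servers(log_text, ports).items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for (dst, port), hosts in suspected_botnet(SAMPLE_LOG).items():
        print(f"possible C&C {dst}:{port} contacted by {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample, 203.0.113.45:6667 is reported with three hosts and 192.0.2.200:6667 is not (only one host, below the threshold). The threshold is the knob: on a home network with two PCs even min_hosts=2 is telling, and any outbound IRC from a machine whose owner has never heard of IRC deserves a look regardless of count.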

With one command, the hacker can direct all of the zombies in his BOTNET to request http://merrymadmonk.blogspot.com. This DDoS attack will most likely result in a meltdown of the blogspot server hosting The Monk. But heck, The Monk is small taters. Instapundit and Power Line are not. No glory in taking down The Monk (his blog anyway), but take down Glenn Reynolds and now you're talking l337 (elite) status.

DDoS attacks occur every day. Some big. Some not so big. A lot of companies are very hesitant to acknowledge that they've been hit. It could be bad for business if your customers find that your computer network is vulnerable to attack.
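From the target's side, the flood described above shows up in the web server's access log as the same page being requested over and over by a crowd of different addresses, each of which alone looks harmless. The script below is an added example of mine, not code from the original post or from any real server product: it buckets made-up Apache-style log lines into fixed time windows per requested path and reports a window when both the request count and the number of distinct client addresses pass thresholds. Log lines, paths, and thresholds are all my assumptions; the distinct-address test is what separates a DDoS (many zombies, few requests each) from one noisy client that a per-IP rate limit would already catch.

```python
"""Spot a distributed HTTP flood in a web server's access log.

Constructed example, not code from the original post: Apache-style combined
log lines (made up here) are bucketed into fixed time windows per requested
path, and a window is reported when the request count and the number of
distinct client addresses both exceed thresholds. Thresholds are assumptions
to be set from the site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Made-up traffic: six different clients hammer "/" inside ten seconds while
# two ordinary visitors read a post.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2005:22:14:01 -0500] "GET / HTTP/1.1" 200 5120
198.51.100.21 - - [10/Jan/2005:22:14:02 -0500] "GET / HTTP/1.1" 200 5120
203.0.113.77 - - [10/Jan/2005:22:14:02 -0500] "GET / HTTP/1.1" 200 5120
192.0.2.15 - - [10/Jan/2005:22:14:03 -0500] "GET /2005/01/ddos.html HTTP/1.1" 200 8800
198.51.100.98 - - [10/Jan/2005:22:14:04 -0500] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jan/2005:22:14:05 -0500] "GET / HTTP/1.1" 200 5120
192.0.2.201 - - [10/Jan/2005:22:14:06 -0500] "GET / HTTP/1.1" 200 5120
198.51.100.5 - - [10/Jan/2005:22:14:08 -0500] "GET / HTTP/1.1" 200 5120
192.0.2.16 - - [10/Jan/2005:22:14:25 -0500] "GET /2005/01/ddos.html HTTP/1.1" 200 8800
"""


def parse_access_log(text):
    """Yield (epoch_seconds, ip, path) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT).timestamp()
        yield int(ts), m["ip"], m["path"]


def bucket_requests(text, window=10):
    """Group requests into (path, window_start) buckets, keeping every client IP seen."""
    buckets = defaultdict(list)
    for epoch, ip, path in parse_access_log(text):
        buckets[(path, epoch - epoch % window)].append(ip)
    return buckets


def flood_windows(text, window=10, min_requests=6, min_sources=4):
    """Return sorted [(path, window_start, requests, distinct_sources)] for suspicious windows.

    Requiring many distinct sources is what makes this a *distributed* flood
    detector; a single abusive client is left to ordinary per-IP rate limiting.
    """
    hits = []
    for (path, start), ips in bucket_requests(text, window).items():
        distinct = len(set(ips))
        if len(ips) >= min_requests and distinct >= min_sources:
            hits.append((path, start, len(ips), distinct))
    return sorted(hits)


if __name__ == "__main__":
    for path, start, n, distinct in flood_windows(SAMPLE_LOG):
        when = datetime.fromtimestamp(start).isoformat()
        print(f"{when} {path}: {n} requests from {distinct} distinct clients")
```

On the sample, the ten-second window starting 22:14:00 is flagged for "/" with 7 requests from 6 distinct addresses, while the two reads of the post are spread over separate windows and pass. In practice the thresholds come from what the site normally sees; the point of the example is the shape of the signal, not the particular numbers.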

I think 2005 could be a very rough year for network administrators. DDoS attacks are on the rise for a number of reasons. More and more homes are being connected to the internet through Cable and DSL, more and more people are using WindowsXP. Steve Gibson has been warning about XP for years -- especially XP Service Pack 1. Don't get me wrong. I'm not a Microsoft basher. I admire Bill Gates (Flame away). Just read what Steve has to say. He gives his technical advice for free (and in layman's language) and he is one of the smartest IT types out there.

There are also some relatively new twists to DDoS attacks:

1. companies hiring hackers to attack their competitors' networks.
2. hacker groups extorting money from targeted companies. See here and here

The US Justice Department recently returned a 5 count indictment against a "Massachusetts businessman who allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors, in what federal officials are calling the first criminal case to arise from a DDoS-for-hire scheme."

OK. So what can we do? Something? Nothing? A little? A lot?

1. Everyone should have Anti-Virus software and keep it updated on at least a weekly basis -- daily is better.

2. Get a firewall. Zone Alarm works well and it's free.

3. Don't open email, and especially email attachments, from people you don't know.

4. Don't let anyone put P2P (KaZaa) software on your computer without you knowing. Don't you put it on your computer unless you know what you're doing and understand the risks.

If everyone just followed those 4 little rules, DDoS attacks would decrease dramatically.

And it'd make the little wankers work harder at their mischief.
