The latest war.


spy1
February 29th, 2004, 10:53 AM
Okay, with all the recent, on-going attacks against a lot of the major "anti-spyware" sites, it seems as though it's all-out war now between those who would have your information and track you - and those that would prevent that.


SpywareInfo on and off, Net-Integration totally down - where will it all end and how can it be stopped?

The anti-scumware forces are fighting for their very lives here.

So, what's the attack mechanism?

It would seem to me that it would almost have to be a variant of the CoolWebSearch stuff designed specifically for this task.

IOW, the CWS people have come up with something that doesn't try to track you or change your homepage or search engine - whatever they've come up with has been designed to remain very stealthy on your machine.

And its only purpose is to enable the CWS people to make a "bot" out of your computer so that they can direct it to attack anti-spyware websites (and multiple, switchable sites at that!).

This is where the fact that everyone on the net is not a security nut is killing everyone - of the millions and millions of users out there, the pickings are fat for anyone gathering machines to be used in attacks - and, sadly, that's not going to change.

So, what are the anti-spyware sites going to do?

Would requiring registration and logging in to post help? Especially if you had to use a "Human Interface Device" (like on ComputerCops) both to log in and to initially register? With no requests permitted that didn't come from such a "registered" source?

Or would that even help?

This latest round of stuff is not looking good for the "good guys", although I'm sure a lot of ISP's that are hosting these kinds of sites are having a real learning experience (which may not be a bad thing).

So, where's all the brains at around here when you need them? What's being done to combat the situation and what can we do to help? Pete

controler
February 29th, 2004, 11:10 AM
Hi Pete

Thanks for the heads up.

Appears there is a fix on computer cops site now.

parinoidpete started it lol

http://computercops.biz/article-4680-nested-0-0.html

JayK
February 29th, 2004, 11:11 AM
The antispyware field is still young (dating back to Gibson's OptOut?), so perhaps we can look at the more established antivirus field for answers.

Have such tactics been used against antivirus sites? How do they stand up to DDoS attacks?

Is it simply a matter of deep pockets? The antispyware area is unusual in the sense that it's still dominated by volunteers and freeware products, so perhaps that's why they are vulnerable, without the financial muscle behind it?

PS The current attack doesn't seem to target Lavasoft at all, which arguably is still the most popular antispyware scanner..... Coincidence?

jvmorris
February 29th, 2004, 11:31 AM
Quoting controler:
> Hi Pete
>
> Thanks for the heads up.
>
> Appears there is a fix on computer cops site now. . . .

The info there is getting a bit long in the tooth and it hasn't solved the problem, apparently. There were threads far more recent on net-integration (now apparently down from the DDoS) and currently on the LavaSoft forums about this issue.

JayK
February 29th, 2004, 11:36 AM
Well, Wilders might be next on the target list, but I supposed Paul had considered that already. I think he mentioned experiencing this once before?

spy1
February 29th, 2004, 11:41 AM
I guess what I'm trying to bear down more on here is - what's the answer?

The sites being DDoS'd must have logs of the requesting addresses, right? Is there a method of filtering those logs to compare registered user requests from requests coming from addresses that haven't ever before even visited the sites in question?

If there is a way to do that, couldn't some of the people at those addresses be contacted and urged to scan their computers for whatever's causing the requests to be generated from those computers?

Maybe ask those people to run HijackThis and submit their logs?

Get them to d/l and run AutoStart Viewer from DCS and check for unknown start-ups? Pete

jvmorris
February 29th, 2004, 11:51 AM
Quoting JayK:
> . . . . Have such tactics been used against antivirus sites? How do they stand up to DDoS attacks?

Since it's a DDoS, in the first place, the bandwidth available is definitely an issue (and that means money). AV vendors have it (for the most part); AT/anti-spyware/anti-keylogger vendors have far less.

In the second place, if the current DDoS is being sponsored by CWS (or someone similar), they are far more concerned about the latter than the former.
> . . . . PS The current attack doesn't seem to target Lavasoft at all, which arguably is still the most popular antispyware scanner..... Coincidence?

I can tell you that there is an extended discussion in the Lavasoft forums regarding this very issue at the moment. They know they are not immune. As to whether they have far more bandwidth than the others, I do not know.

controler
February 29th, 2004, 12:04 PM
Interesting, since this is what computer cops lists as targeted host file addys. And JVM, are you saying the file Hostsfilereader posted from my link doesn't do any good?

"The current (partial) list of sites blocked by this latest malicious hosts file is:

www.spywareinfoforum.com
www.spywareinfoforum.com
www.merijn.org
merijn.org
spywareinfoforum.com
www.computercops.biz
computercops.biz
dslreports.com
www.dslreports.com
www.lavasoftsupport.com
lavasoftsupport.com
forums.net-integration.net
www.tomcoyote.org
tomcoyote.org
www.wilderssecurity.com
wilderssecurity.com
www.lavasoftusa.com
lavasoftusa.com
security.kolla.de
www.security.kolla.de
www.lavasoft.de
lavasoft.de"
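A small checker for exactly this kind of hosts-file tampering, added here as an example (it is not code from the thread, from ComputerCops or from Hostsfilereader): it parses a hosts file, looks for the sites in the list quoted above, and reports whether each one has been blackholed (pinned to 127.0.0.1 or 0.0.0.0) or redirected to some other address. The sample hosts file is constructed; the ad.example-tracker.test line and the 192.0.2.10 redirect are made up for the example.

```python
import ipaddress
from typing import List, Tuple

# The sites quoted above as targets of the malicious hosts file.
WATCHED_SITES = {
    "www.spywareinfoforum.com", "spywareinfoforum.com",
    "www.merijn.org", "merijn.org",
    "www.computercops.biz", "computercops.biz",
    "www.dslreports.com", "dslreports.com",
    "www.lavasoftsupport.com", "lavasoftsupport.com",
    "forums.net-integration.net",
    "www.tomcoyote.org", "tomcoyote.org",
    "www.wilderssecurity.com", "wilderssecurity.com",
    "www.lavasoftusa.com", "lavasoftusa.com",
    "security.kolla.de", "www.security.kolla.de",
    "www.lavasoft.de", "lavasoft.de",
}

# Constructed sample hosts file: the usual localhost lines, hijacked entries of the
# kind listed above, and one made-up redirect to an address in a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.merijn.org
127.0.0.1       www.spywareinfoforum.com   spywareinfoforum.com
0.0.0.0         ad.example-tracker.test    # constructed: blocklist-style entry, not a watched site
192.0.2.10      www.lavasoftusa.com        # constructed: points a watched site at another host
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def hijacked_entries(text: str, watched=WATCHED_SITES) -> List[Tuple[str, str, str]]:
    """Flag every watched site the hosts file pins to any address.

    A clean hosts file should not mention these sites at all, so the address
    only decides the kind of tampering: loopback or 0.0.0.0 makes the site
    unreachable ("blackholed"); any other address sends the user elsewhere
    ("redirected").
    """
    findings = []
    for address, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((name, address, "unparseable"))
            continue
        kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, address, kind))
    return findings


if __name__ == "__main__":
    for name, address, kind in hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:12} {name} -> {address}")
```

To check a real machine, pass the contents of the system hosts file (on Windows of that era, %SystemRoot%\system32\drivers\etc\hosts) in place of SAMPLE_HOSTS; anything the checker reports deserves a look, because a clean hosts file has no reason to name these sites at all.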

spy1
February 29th, 2004, 12:12 PM
Apparently the F.B.I. is having a little problem getting off-the-stick and helping.

Perhaps this little message I just sent them will inspire them:

"It kind of amazes me that you aren't all over the web-site attacks against the Net-Integration and SpywareInfo sites.

Whatever the method of attack is that's being used could just as easily be directed against YOU and YOUR sites as against them (or ANY OTHER government agency), so it seems to me as though it would behoove you (<g>) to get involved, find out what's happening and HELP THEM STOP IT!

It's not like you couldn't use some GOOD press for a change!

Here's the background on the attack at NI:

http://www.wilderssecurity.com/showthread.php?t=21950;start=60#msg137547

and here's the timeline and development of the attack on SI:

http://www.lavasoftsupport.com/index.php?showtopic=20306

I notice that it's been said that Mike Healan's already contacted you and that you're playing "phone tag" with him - quit screwing around and DO something! Pete

Anyone wishing to add their sentiments to mine can do so by going to this site: http://www.fbi.gov/ and click on the "Submit a tip" link on the left-hand side of the page. Pete

spy1
February 29th, 2004, 12:44 PM
Don't be a tease, JayK - what are you referring to? Pete

jvmorris
February 29th, 2004, 01:07 PM
Quoting spy1:
> I guess what I'm trying to bear down more on here is - what's the answer?

Ah, yes, the question! ;)

It's actually two questions:

The first is how do the small (and often independent) vendors protect themselves against DDoS targeting like this? At times, it is easy to forget that Steve Gibson effectively got DDoSed by one single thirteen-year-old kid -- or so the story goes. (And I most assuredly want them to do this, because I don't care to be wholly dependent on the megacorporations for my security software. We already know what that leads to.)

The second question goes a good deal further. Last time I heard, these guys still have no idea of exactly how the DDoS is being launched against them. They haven't identified it, they can't tell people what to look for, they can't put detection for it into their own products, and (last time I heard) nothing currently available (well, as of several days ago) seems yet capable of detecting, cleaning, or inoculating a system against this particular threat. This needs to be solved and sooner rather than later.

> The sites being DDoS'd must have logs of the requesting addresses, right? Is there a method of filtering those logs to compare registered user requests from requests coming from addresses that haven't ever before even visited the sites in question?

In an effective DDoS, this is not necessarily so. When the pipe jams, it jams. (Paul, is that correct?)

> If there is a way to do that, couldn't some of the people at those addresses be contacted and urged to scan their computers for whatever's causing the requests to be generated from those computers?

Now, Pete, we all should know by now that this doesn't work. :-\ From the few details I've seen, it seems to be only a few thousand machines involved. I'm willing to bet that many of them are on dynamically assigned IP addresses, so this is like looking for a few thousand needles in a few acres of haystacks. (And, to make matters worse, the needles get up and move around every few hours!) And, I might point out that the MyDoom attack on SCO was much larger, but, since it was a worm, it could be identified and protected against (eventually) in time. These, on the other hand, seem to be a few thousand carefully placed bots.

> Maybe ask those people to run HijackThis and submit their logs?

Again, based on second-hand information, it appears that HJT does not pick this up (and that is informative, at least to me). This is not surprising since HJT seems to be one of the targets!

> Get them to d/l and run AutoStart Viewer from DCS and check for unknown start-ups? . . . .

That might work, but I suspect there's another mechanism at work here, one we have yet to cotton on to.

spy1
February 29th, 2004, 01:19 PM
How about making the anti-spyware sites secure ( https ) sites? Pete

spy1
February 29th, 2004, 01:24 PM
Quoting spy1:
> Would requiring registration and logging in to post help? Especially if you had to use a "Human Interface Device" (like on ComputerCops) both to log in and to initially register? With no requests permitted that didn't come from such a "registered" source?
>
> Or would that even help?

Where is that pesky wabbit when you need him? ZX! Has your method of allowing people access to ComputerCops enhanced your ability to defend against DDoS attacks? Pete

jvmorris
February 29th, 2004, 01:34 PM
Quoting controler:
> Interesting, since this is what computer cops lists as targeted host file addys. And JVM, are you saying the file Hostsfilereader posted from my link doesn't do any good? . . .

First, that was a first guess, as I understand it. Tom Coyote published that on 15 Feb. I don't know a single soul who's found this in their hosts file. (But if I'm right that this is originating primarily from clueless users who are only online occasionally and use dynamically assigned IP addresses, and probably have absolutely no security measures in place, what would you expect?)

Actually, that little utility sounds sort of cute, but most of the people who're going to read about it don't need it in the first place.

I think this is turning into another comedy of errors, sort of like watching Inspector Clouseau in "A Shot in the Dark", only in actuality it's only funny to the perps, not us.

Another lesson in unintended consequences. Remember when CR II started generating all those ARPs that effectively DDoSed a lot of cable subscribers? (There's no indication the author realized that was going to happen.) Remember when Tom Liston (Handler on duty at Internet Storm Center at the time) had to send out a rather nasty message to those ISPs that were automatically generating "E-Mail Rejected" messages to what were actually spoofed IP addresses in the first place in the recent MyDoom.A episode? (Again, there's no indication that the author realized that this was going to happen, but it simply made a bad situation worse.) Something similar has happened here.

Two things happened here:

First, apparently, some of the affected sites started redirecting these probes to 127.0.0.1 . This was done in response to MSBlast last year and -- just like the solution then -- this has now led to unanticipated consequences. Long before I ever heard about this current episode, I noticed that my router logs were again being heavily populated with "Spoofed IP" messages, all identifying the bogus source as 127.0.0.1:80 (Care to wonder what those might have been?) These are INBOUND to my Internet WAN IP, for those who may wonder from OUTSIDE the router.

Well, second, it got worse. Somehow (and I don't understand the mechanism involved to date) some of these redirections actually ended up assigning 127.0.0.1 to www.merijn.org (for one). And, somehow, a lot of recent releases of NIS/NPF (2003/2004, in particular) ended up identifying 127.0.0.1 as www.merijn.org rather than as localhost. That created a second panic. (And there are one helluva lot of new NIS/NPF firewalls out there.) Suddenly what were basic loopback connections started being identified as connections from merijn.org to merijn.org (that's the tip-off, incidentally). (I believe that very few other software firewalls actually have a connections log in addition to the firewall log and that even fewer probably automatically resolve IP addresses to URLs in the log displayed to the end-user.) And I think this is where the 'false lead' to hosts files being tampered with came from.

Life goes on. Time to get back to work on this one.

jvmorris
February 29th, 2004, 01:46 PM
Quoting spy1:
> Apparently the F.B.I. is having a little problem getting off-the-stick and helping.
Quite true. I know at least one knowledgeable individual who went out of their way to telephonically contact the FBI groups involved with this issue when they noted a number of contacts going out to www.merijn.org in their logs. In a nutshell, the response they received was "Gee, sorry to hear that; have a nice day. Call us if you find something."

> . . . Here's the background on the attack at NI:
>
> http://www.wilderssecurity.com/showthread.php?t=21950;start=60#msg137547
>
> and here's the timeline and development of the attack on SI:
>
> http://www.lavasoftsupport.com/index.php?showtopic=20306

Thanks, I'd not seen either of those links before. I think I'd best go read them.

spy1
February 29th, 2004, 01:48 PM
If it is indeed a bot that somehow gets installed and evades detection - what about something simple to find it?

Like: IRCBot Detector 1.0 from Jason Levine?

http://www.jasons-toolbox.com/programs.asp?Program=IRCBot%20Detector

We don't need anyone who's harboring the bot to have to learn to do anything complicated to uncover it - probably just being able to discover it and get a clue as to where/how it's hiding would be sufficient to uncover it, wouldn't it? Pete

Vorpal
February 29th, 2004, 01:56 PM
@ SPY 1

I agree with your attempt to urge the FBI to action, though sometimes justice works slowly, the balance is that is a very large, powerful mass, once
But, I would caution that phrasing is very important, especially in the post 9/11 world. Having worked in the legal arena for almost 20 years now, I guarantee that soft encouragement will generate more results than sharp admonitions.
Also, from what you posted (and I know this was not intended), your words could be taken to be threatening a DOS, as opposed to drawing their attention to their own weakness. Please don't take this as criticism, but friendly advice! :)
**************
Has anyone else noticed the almost complete absence of news coverage on this (outside of anti-spyware sites?) Seems odd considering the way they jump on virus coverage etc.

just my two cents+ for now.

spy1
February 29th, 2004, 02:06 PM
Vorpal - The F.B.I. is very well-acquainted with me and they deeply appreciate my puckish sense-of-humor. ;D

They are supposed to be working for us (tax-paying United States citizens) - but thank you anyway. Pete

Vorpal
February 29th, 2004, 02:23 PM
I agree they are supposed to be working for us, and as citizens, we should expect it.

Just in my dealings with court personnel and sheriffs (yep, I'm one of those lawyer guys, but hold the jokes!), I have success with letting them think they came up with the idea and that it's a big favor to share it with you. :)
Judges, well, they tend to be a different story. ::)

But, very cool the FBI is used to you, I hope they listen as well.

Would any of the Net statistic orgs be of use (NameIntelligence and the like)? I almost suggested ICANN, but if speed is of the essence....

spy1
February 29th, 2004, 02:36 PM
I'll let you know when they get back to me. Pete

Zhen-Xjell
February 29th, 2004, 04:17 PM
Quoting spy1:
> Quoting spy1:
> > Would requiring registration and logging in to post help? Especially if you had to use a "Human Interface Device" (like on ComputerCops) both to log in and to initially register? With no requests permitted that didn't come from such a "registered" source?
> >
> > Or would that even help?
>
> Where is that pesky wabbit when you need him? ZX! Has your method of allowing people access to ComputerCops enhanced your ability to defend against DDoS attacks? Pete

Thanks Pete for pointing me here. I've come to realize that there are a number of combinations to help prevent DOS attacks while maintaining http://computercops.biz and http://nukecops.com. They don't just include prevention against automated script bots for posting and registering (about to be enhanced), they also include filters on port 80, not just the rest of the ports.

I've been under medium size DOS attacks before that would last about 2 days, and the pages were still accessible -- albeit, with slow page generation times.

So yes, the methods I've used have most of the time been successful against attackers.

I've only recently implemented a new filter system for both my sites that monitors against port 80 attacks specific to the CMS itself. It hasn't yet been activated, as I'm working out the code. I want to ensure that all the good bots, like googlebot, are excluded from tracking (however, other measures are in place).

And let's not forget, hardware is a big one too. Do you own a high performance server or does one share out the resources with others?

Pete, off topic, I increased the sig space at CCSP a month or two ago per your request from last year.

Obviously I don't want to get into too much here since I think this is a public forum?

Paul Wilders
February 29th, 2004, 05:42 PM
A very interesting thread this is - and a serious one as well.

Some remarks:

- yes, we are aware of the fact our server could be next in line as far as attacks are concerned. Although we do have quite a lot of bandwidth available, we and our host are aware of this - no further comment ;)

- as far as we know (see the comments from Joseph Morris), at this very moment, there's no way to grab and determine a (possible) bot involved.

- JayK and Joseph do have a strong case in regard to the essence of all this: funding/money is the real issue here. No doubt, the money is on the attacker(s) side.

- in this context, it's plain for all to see non profit domains/servers are a target first and foremost - and this does make sense: individual non-profit sites are in fact sitting ducks in the end. They do lack the money and therefore are no game in the end. For that reason joining forces is the only way to go - divided we are weak, assembled we are strong.

I for one am a strong believer in joining forces. That said, I'm fully aware this is a very different point of view for fairly all site/server owners picking up the fight; they are used to running their own business, no matter what. I can understand their point of view. Nevertheless, in the end there's just one approach here: joining forces and funds. In case "we" want to combat, we will have to organize and drop the "individual approach" to a certain extent.

Bottom line: IMO it's time to go professional - the ones targeting us are pros as well for sure. The question is: are we willing to join forces and funds. We are.

regards.

paul

jvmorris
February 29th, 2004, 06:02 PM
Well said, Paul.

With a bit of luck, that may be on the way.

Paul Wilders
February 29th, 2004, 06:20 PM
Quoting Joseph V. Morris:
> Well said, Paul.
>
> With a bit of luck, that may be on the way.

Well, - no offense intended! - I for one do believe it's rather a big step to join forces. It will take more than luck to accomplish this - looking at the overall picture in the long(er) term, and take it from there. Most site owners at this very moment are still more focused on running their own - small and/or vulnerable - business rather than looking upon this from a professional point of view. That said: We are open for discussion on this topic. My addy is in my profile ;)

regards.

paul

Eagle1
February 29th, 2004, 07:10 PM
What I can tell you about this attack on NI is the IPs are spoofed in every case as far as I can tell at the moment. Filtering has been nearly impossible because of the constant changing of targeting IPs. The get HTTP header is not like anything I've seen before and provides no clues I can find. The attacks on the others are similar. IMO any further discussions on this need to be out of the public IMO.

I've contacted the FBI and CERT with my info. The FBI is unlikely to get involved unless a very strong concerted voice is spoken on behalf of all anti-spyware/adware vendors/supports/providers. Individually these attacks don't even constitute a crime in the US. Again, because we aren't big business.

I agree with Paul that it's time to go professional. A few tiny steps have been made in that direction but a long road is left to hoe.

I've begun to take some steps to set up proxies again. Only this time they are going to be much stronger machines. The process has begun but may take awhile to determine success as we are going to have to wait for the NI DNS to propagate again.

In the meantime I'm making my net stat logs available to any experts who wish to review them. There has got to be a way to determine the source of this garbage.

sig
February 29th, 2004, 07:36 PM
Well some people were quick to laugh at Steve Gibson's write ups of the attacks on his site, but it's clear that it involves considerable work, expense and coordination with his ISP to mitigate the effects of such attacks.

Even so that is not a solution, but goes to show if the average site owner is hit they need considerable expertise, resources and assistance to just mitigate against such attacks if they hope to stay on the net more often than not. If the attacks involve spoofed IP's it's that much more difficult.

Paul has it right, I think, since likely this is no short term problem.

little eagle
February 29th, 2004, 08:04 PM
Quoting spy1:
> SpywareInfo on and off, Net-Integration totally down - where will it all end and how can it be stopped?

Mike got taken down again. >:( This is getting to be bull_ _ _!!!! Been reading the thread here. And I guess that you guys have decided to unite.... good, hope you get the bas..... Paul, hope you're ready, looks like you're going to get dragged into the fight. Again?

Paul Wilders
February 29th, 2004, 08:17 PM
Ahmad,

We'll do all it'll take - and if that's not enough, we'll do more.

We all have to unite - and that includes you/NI as well. Battle(s) lost - by no means the war has been lost!

regards. paul

Blacksheep
February 29th, 2004, 10:07 PM
Joseph V. Morris:

> Well, second, it got worse. Somehow (and I don't understand the mechanism involved to date) some of these redirections actually ended up assigning 127.0.0.1 to www.merijn.org (for one). And, somehow, a lot of recent releases of NIS/NPF (2003/2004, in particular) ended up identifying 127.0.0.1 as www.merijn.org rather than as localhost. That created a second panic. (And there are one helluva lot of new NIS/NPF firewalls out there.) Suddenly what were basic loopback connections started being identified as connections from merijn.org to merijn.org (that's the tip-off, incidentally). (I believe that very few other software firewalls actually have a connections log in addition to the firewall log and that even fewer probably automatically resolve IP addresses to URLs in the log displayed to the end-user.) And I think this is where the 'false lead' to hosts files being tampered with came from.

We think Norton is responsible for assigning 127.0.0.1 to www.merijn.org

I'll be back with more info and people.

Galadriel
February 29th, 2004, 10:43 PM
Joseph V. Morris said:

> First, that was a first guess, as I understand it. Tom Coyote published that on 15 Feb. I don't know a single soul who's found this in their hosts file. ........

The hosts issue is something that has no bearing in this at all.... and those sites were indeed being redirected to localhost at the time. I know, I tested it and wrote that writeup.... Coolwebsearch installed this hosts file with one of its variants, mainly the smartsearch one.
Coolwebsearch have shown they will stop at nothing to take down the help sites, whether it is by redirecting people who need help to one of their domains or denying them access to these sites by sending them to 127.0.0.1. But that by no means makes them the only possible source of attack....

Next issue, Norton and its firewall logs.......

It seems the Norton Firewall is using the DNS cache to resolve the IPs in its log.... so "any" connection to localhost is switched to merijn.org after a visit to the site.

This was tested on a machine that had never been to merijn's before. Its firewall log had a lot of normal localhost traffic in it in the last days.... after trying to access merijn.org, "ALL" the local host connections in the log "changed" mysteriously to merijn.org. So those firewall logs are flawed in the fact that they show connections to the site even if they did not go to it.

Regards,

Gal

RJ100
February 29th, 2004, 11:11 PM
Hey Gal,

Good to see you in this neck of the woods! :)
Make sure to visit often.
Allow me to buy you a cookie, and say Welcome!

Take care

Galadriel
February 29th, 2004, 11:16 PM
Quoting RJ100:
> Hey Gal,
>
> Good to see you in this neck of the woods! :)
> Make sure to visit often.
> Allow me to buy you a cookie, and say Welcome!
>
> Take care

Thanks for the welcome :)

I'll try and do that. As long as it isn't a keebler cookie, I'll take it... I get plenty of those from my relatives.... ;)

You take care too!

mjc1
March 1st, 2004, 12:08 AM
> Mike got taken down again. This is getting to be bull_

No, not today, the reason SWI was down today was due to server relocation (yes, the host was actually unplugging and rearranging servers in the datacenter).

little eagle
March 1st, 2004, 12:28 AM
Quoting mjc1:
> > Mike got taken down again. This is getting to be bull_
>
> No, not today, the reason SWI was down today was due to server relocation (yes, the host was actually unplugging and rearranging servers in the datacenter).

Thought it was the nasties again. Couldn't get to dogreader. *puppy*

Blacksheep
March 1st, 2004, 01:30 AM
The bad guys are gonna lose and my money bets it's CoolWebSearch.

Net-Integration is down because Eagle1 lacks the funds to fight.

spy1
March 1st, 2004, 12:36 PM
If we can please stay on track here....

Paul Wilders - Are you considering any plans to implement more secure log-ins (H.I.D.-wise) and registrations?

Eagle1 - I've related your offer to share logs over to the SI site.

Vorpal - Ditto (see above).

All - Can anyone respond to my suggestion of whether having people d/l and run Jason Levine's IRCBot Detector 1.0 would be a better choice for anyone suspecting being "bot"ed than trying to explain to them how to read logs, what to submit, getting them to learn complicated programs/commands for checking, etc? A good "first check", at the very least?

Joseph - I hope you're not telling me that this whole episode has been caused (innocently) by some kind of screwed up host re-direct, right? The attacks on SI started before any of that came into play, correct? Pete

spy1
March 1st, 2004, 12:58 PM
Also, I'd like to know if anyone is actively pursuing/looking into the suggestion that was made regarding filtering out multiple, closely-spaced requests of any type right off-the-bat before they can even begin to bog down a server.

If you can use "flood control" for stopping multiple posts at the forum level, why can't it be done at the server level for multiple, too-frequent requests?

We've got an awful lot of good ideas floating around here, people - if we can keep up with and follow through on them all! Pete

Primrose
March 1st, 2004, 01:10 PM
Quoting spy1:
> I'll let you know when they get back to me. Pete

Yes, please do that.. and I am sure they will also tell you the solution to keep those sites up... when that happens, please post the instructions in one of your posts.

Thanks.

spy1
March 1st, 2004, 01:26 PM
Sarcasm, John? Do you really think that's necessary here?

Or was that just some kind of humor that's falling seriously short of the mark?

But to seriously (if that's possible) respond to your "remark" - they should have the courtesy to respond to my letter to them, don't you think? Or, is that too much to ask of them?

Is them getting involved and trying to help out the "little guys" beneath them? Not a matter of "national security" (even though those same bots could be turned against any site - including government ones?) and thus not "important" enough for them to look into?

What, exactly, are you trying to say, John?

Primrose
March 1st, 2004, 01:43 PM
It is tongue in cheek, since all of these webmasters know the problem has to do with the hardware they are leasing from their hosts. Some hardware can stand it and handle the problems.. some can not. Most are running their operations on older hardware.. has to do with cost vs. functionality.


Does not make a difference "who" is behind the rash of DDOS attacks or where they are coming from.. figure it to be the advertising guys who are now P.O.'ed you are cutting into their free enterprise and they do not like it.

Being a Director of marketing at one point, I can tell you that nothing really happens in this world until "someone sells something to another person" - that is what makes the world go around.


If a court case came up, odds are in favor of sellers, not the stopper.

I do not like the methods being practiced one bit.. just like you. But I think the approach is totally wrong.


One solution is to buy your own server..but you have to shop right if you want a good one. Then you have to be located where you can get some big pipes.

mjc1
March 1st, 2004, 01:44 PM
That kind of filtering would be nice, except you will then block a huge number of legitimate users.

Namely, anyone who happens to come here (or anywhere using such techniques) with an empty browser cache. Most browsers will cache all the components of a page on the first visit to that page, so for that initial connection a huge number (especially on pages with a lot of graphic elelments, like Post Reply page....42 individual images for the buttons and smileys....42 individual requests in a very short period of time; Avatars add more....).

Most users will not tolerate a delay such as the filtering would impose, and most forum users will not want to give up the graphics....

While researching the attack at SWI I discovered that caching does account for a huge number of connections from a particular IP intially but the number drops rapidly as a few pages are read. And on very graphics laden pages this number can hit several hundred in a few seconds with someone who is on a fast broadband connection.
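
The caveat in the post above is easy to see on a log. The Python below is an added example, not code from the thread or from any of the sites mentioned: it runs a per-IP request-rate check over constructed access-log lines (documentation IP ranges, illustrative paths and thresholds) and shows that a naive "requests per IP per window" rule flags a cache-cold reader who fetches a page plus 42 button and smiley images in two seconds, while counting only page requests (ignoring images, stylesheets and scripts) leaves that reader alone and still catches a client that keeps hammering page URLs.

```python
"""
Per-IP request-rate check over forum access-log lines, contrasting a naive
count of every request with a count of page requests only. Added example,
not from the original thread; log lines, IPs and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format, e.g.
# 203.0.113.10 - - [01/Mar/2004:13:44:00 +0000] "GET /forum/reply.php HTTP/1.1" 200 4321
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Things a browser fetches alongside a page and then serves from its cache.
ASSET_SUFFIXES = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico")


def parse_line(line):
    """Return (ip, timestamp, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def is_asset(path):
    """True for images, stylesheets and scripts (query string ignored)."""
    return path.split("?", 1)[0].lower().endswith(ASSET_SUFFIXES)


def flag_ips(lines, window_seconds, threshold, pages_only):
    """Return the set of IPs whose count in any fixed window exceeds threshold.

    pages_only=False counts every request (the naive filter); pages_only=True
    skips asset requests, so the cold-cache image burst does not count.
    """
    buckets = defaultdict(int)  # (ip, window index) -> request count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if pages_only and is_asset(path):
            continue
        buckets[(ip, int(ts.timestamp()) // window_seconds)] += 1
    return {ip for (ip, _), n in buckets.items() if n > threshold}


def _entry(ip, ts, path, size=4321):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 {size}'


def build_sample_log():
    """Constructed log: one cache-cold reader and one client flooding page URLs."""
    t0 = datetime.strptime("01/Mar/2004:13:44:00 +0000", TS_FMT)
    lines = [_entry("203.0.113.10", t0, "/forum/reply.php?t=23204")]
    # Legitimate reader: the Post Reply page, then 42 button and smiley images
    # within about two seconds, then one more page read with a warm cache.
    for i in range(42):
        lines.append(_entry("203.0.113.10", t0 + timedelta(milliseconds=50 * i),
                            f"/forum/images/smiley{i}.gif", size=812))
    lines.append(_entry("203.0.113.10", t0 + timedelta(seconds=30), "/forum/thread.php?t=23204"))
    # Flooding client: the forum index every 100 ms for six seconds, no images at all.
    for i in range(60):
        lines.append(_entry("198.51.100.7", t0 + timedelta(milliseconds=100 * i), "/forum/index.php"))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    # 10-second windows, more than 30 hits in a window is "suspicious"
    print("naive, all requests:", sorted(flag_ips(log, 10, 30, pages_only=False)))
    print("pages only:        ", sorted(flag_ips(log, 10, 30, pages_only=True)))
```

The naive count flags both addresses; the page-only count flags only the flooding client. Serving the images from a separate host (as suggested later in this thread) has the same effect on the forum server's log, since the burst then never reaches it.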

Primrose
March 1st, 2004, 01:54 PM
-{ Quote (mjc1): "
That kind of filtering would be nice, except you will then block a huge number of legitimate users.

Namely, anyone who happens to come here (or anywhere using such techniques) with an empty browser cache. Most browsers will cache all the components of a page on the first visit to that page, so for that initial connection a huge number of requests go out (especially on pages with a lot of graphic elements, like the Post Reply page....42 individual images for the buttons and smileys....42 individual requests in a very short period of time; avatars add more....).

Most users will not tolerate a delay such as the filtering would impose, and most forum users will not want to give up the graphics....

While researching the attack at SWI I discovered that caching does account for a huge number of connections from a particular IP initially but the number drops rapidly as a few pages are read. And on very graphics-laden pages this number can hit several hundred in a few seconds with someone who is on a fast broadband connection.
" }-

So what would you think about loading all of those from yet another server independent of their forum server ?

jvmorris
March 1st, 2004, 01:58 PM
-{ Quote (spy1): ". . . .
Joseph - I hope you're not telling me that this whole episode has been caused (innocently) by some kind of screwed up host re-direct, right? The attacks on SI started before any of that came into play, correct? Pete
" }-
No, I'm not saying that.

Galadriel is right. The weird events in the NIS/NPF Connection logs (as opposed to the firewall logs) are an anomaly resulting from the way NIS automatically resolves IP addresses into DNS addresses if the rDNS is present in the DNS cache.

These are typically two paired events (one for Outbound Loopback and one for inbound loopback). The two events typically occur within the same second. Ignore these particular events; they are a distraction from the hunt.

mjc1
March 1st, 2004, 01:59 PM
That could be one possible solution, but then we are getting into the money question again....multiple servers are going to cost more.

Also it adds another layer of complexity...some else to be broken/messed with.

Filtering has a place, but a broad wide-brush application of it will not be THE answer...we need a little more surgical approach.

Paul Wilders
March 1st, 2004, 02:52 PM
Pete,

No offense intended - but we are not going to discuss possible options that have/can be implemented in public; I do hope you see my point.

Overall, I will repeat this: joining forces - and, with that, funds/budgets - seems like the way to go as far as I'm concerned. All non-profit site owners can do their utmost individually in order to put up defenses as best as possible - and fairly all of them will not be able to cope with attacks like these, simply because they run out of money in the end.

United is quite a different story in my view: combined budgets will provide the means needed to build real strong defenses.

I'm fully aware this would imply a totally different approach and individual site owners would change their view drastically. I'm not convinced this will happen soon. Nevertheless, fact remains united we could be strong - individually we could be sitting ducks, targeted one by one.

regards.

paul

Primrose
March 1st, 2004, 03:09 PM
-{ Quote (mjc1): "
That could be one possible solution, but then we are getting into the money question again....multiple servers are going to cost more.

Also it adds another layer of complexity...something else to be broken/messed with.

Filtering has a place, but a broad wide-brush application of it will not be THE answer...we need a little more surgical approach.
" }-


Yup agree..you have to either buy the hardware like this and do it yourself..

Mazu Enforcer is a dedicated system that protects networks from distributed denial of service (DDoS) attacks and other bandwidth-based threats. It is optimized for perimeter deployment, but is flexible enough to be deployed at any critical point in the network.
The Mazu Enforcer collects and analyzes statistics on network traffic distribution patterns and builds dynamic baselines of normal activity. It then "snapshots" current traffic and compares it in real time to the baseline to identify suspicious activity. Enforcer then surgically filters traffic to mitigate security threats.

http://www.mazunetworks.com/solutions/


Or you have to look at the farms that offer solutions for you.


web hosting sites
http://uptime.netcraft.com/perf/reports/performance/Hosters?tn=february_2004




and make sure they have the hardware you do want..


Directory of Web Server Home Sites

http://www.netcraft.com/Survey/servers.html

the buzz words still are..

"Load balancing, load sharing, and high-availability Web sites"


Protecting Web Servers from Distributed Denial of Service Attacks

http://www10.org/cdrom/papers/409/

and I would certainly be looking at something other than Apache if at all possible...but in most cases even after 1.3 they have problems and they are most abundant.

;)


Find something else beside Apache


http://techrepublic.com.com/5100-6329-5058830-2.html


http://techrepublic.com.com/5100-6329-5058830-1.html


So I say thanks Paul for your consideration in having this thread..but I certainly agree the nitty gritty certainly is not for an open forum discussion.

Good Luck,

John

spy1
March 1st, 2004, 03:16 PM
I hear what you're saying, Paul.

The only point about that is a caution on how not to unite:

If "joining forces" means everyone's going to be on the same server(s) (with maybe just a list of links to the different sites therein at the portal) - then it truly needs to be the best, most-well-maintained, totally up-to-date (patch-maintenance-hardware-wise) server set-up money can buy.

Because if it's not, and it gets attacked and goes down - not just one site will be affected - they all will.

That's all I'll have to say about that, since we all know that I know less-than-nothing about whatever it is I'm talking about! ;D Pete

Paul Wilders
March 1st, 2004, 03:18 PM
John,

-{ Quote: "you have to either buy the hardware like this and do it yourself.." }-

For sure an option - but by no means a necessity.

-{ Quote: "...
but I certainly agree the nitty gritty certainly is not for an open forum discussion." }-

We do agree on that one ;)

regards.

paul

Paul Wilders
March 1st, 2004, 03:21 PM
Pete,

Money can buy all in this context - whatever the direction taken ;)

regards.

paul

Eagle1
March 1st, 2004, 05:06 PM
Well I for one see benefits of a united effort. I've been pondering the concept since I first heard of the concept last night.

I'm not sure I'm convinced it will work without more than a couple committed website owners. But I think the concept has promise and think its worth looking at more seriously.

This attack has a couple unique aspects to it no doubt but I certainly believe I wouldn't be down if I had a real robust server and the proper protection tools in place. But as Paul indicated there is no way I can afford to spend the money necessary to obtain one.

I believe this attack is probably just the tip of the iceberg. I think its becoming clear not just script kiddies will stoop to this level from this day forward. And if these people, whoever they are, get away with this who knows who'll consider doing something like this next, and then what...how far will it go.

I think there is no doubt its going to take a collaborative effort in order to survive.

jvmorris
March 1st, 2004, 05:34 PM
Eagle1,

See the thread at http://www.dslreports.com/forum/remark,9262804~mode=flat .

sig
March 1st, 2004, 07:30 PM
No offense but those comments make me wonder if this is the first time some of the site owners/operators may have considered the impacts of DDoS's and who gets targeted, how and why.

Steve Gibson may have gotten some sneers from some tech types when he wrote up his analyses of a series of DDoS attacks against his site several years ago. But the info there is still instructive and relevant today as when it was written IMO. Perhaps more so since apparently incidents of DDoS attacks using spoofed IP's have increased. Perhaps the articles at his site might be of some value to those who are interested. (Those who frequent his site and newsgroups might observe, however, that it likely may take more than just a more robust server and proper protection tools to mitigate the effects of very clever and determined attackers.)

I recall when sites that distributed Proxomitron and/or provided info and assistance with the app were under attack and knocked off the net for some time. Since Proxo's primary use for many is filtering advertising and popups (although it can do much more than that, including blocking ActiveX and scripting which is useful for both anti-spyware and anti-malware purposes), many of us did not suspect mere script kiddies just having fun as the perpetrators. That Proxo was known to advertisers and webmasters was shown when in some cases some websites on the net were set by their masters to not serve up the regular site but to instead reply with a nasty message if the earlier default Proxo referers/user agents were used and detected by the site. Some people with advertising money at stake simply didn't like what Proxo could do.

Except for Proxo users and fans who set up mirror sites, I don't recall much concern expressed at the time by the security or antispyware folks at large regarding such attacks (or perhaps my memory simply fails me in this case). Fortunately, Proxo is not an app that requires continued care and feeding, so missing out on updates for the app or filters was not really an issue. And there of course are other products, both commercial and free, that can provide some of its functions. So it was a slightly different situation, but I'm not convinced that the reasons for the attacks were entirely different in nature from what is being seen today.

My point is, the issues and problems existed before. This is nothing that new or novel IMO about these attacks except that those who now find themselves in this situation (as others have before them) perhaps regard these attacks as singular and ground breaking simply because they are now the targets.

That the concept of joining forces and resources (financial and intellectual) to mitigate the effects of such attacks apparently is a new concept for some is also rather surprising to me. First find out what it really takes for one site owner alone to fight back against a determined and protracted DDoS. Talk to others who have been there and what it takes to stay on the net in such circumstances. Including hardware, software, bandwidth, technical expertise, 24 hr support and perhaps also a responsive and cooperative ISP in addition to reliable hosting or self-hosting. Then check your bank balance and consider the alternatives.

LowWaterMark
March 1st, 2004, 08:08 PM
Sig,

I guess I view all of this as more of "a wake up call" than anything else. I think that the idea of combining with others to host a site is not new to any of those involved here, but the idea that they may have to do so in order to survive now, well that probably is new.

A lot of people start off working with or for someone else on a site, combining effort, resources and money perhaps... In time they branch off in a different direction and so end up bringing up their own site, on their own nickel. It's very compelling to be able to go out and set up your own hosting deal, bring a website or forum online, and own and operate it all by yourself.

I've got two such business hosting deals myself; totally mine and separate from anyone else. Of course, they aren't large enough to survive any type of serious attack like the ones we're talking about here.

When I got those my only thoughts were: what kind of things can I host; what performance do I have; and how much download bandwidth is available. It's pretty cool to be able to do something like that on your own.

So, while a few well known sites have historically been DoS'd, my first thoughts weren't that I'd need to combine with someone else just to keep my sites running. It was just getting them up. After all millions of websites run just fine, day in day out without being targeted.

In any case, I guess this all simply shows that things are getting tougher and tougher out there, and perhaps now the only way to survive (if you're in "a business" that's likely to be targeted) is to combine forces. I think the main thing that has to be worked out is "how to combine" (for joint strengths) and yet "still keep your independence" (your content, your direction, your priorities...)

Difficult issues maybe, but not impossible to work out.

Eagle1
March 1st, 2004, 09:34 PM
-{ Quote: "No offense but those comments make me wonder if this is the first time some of the site owners/operators may have considered the impacts of DDoS's and who gets targeted, how and why. " }-

To be quite frank I thought about ddos some. And I understand there is not always a rhyme or reason for them happening and sometimes there is. And I also thought about what steps I might be able to take. However, I knew I was not able to withstand an attack like the one I'm experiencing. And there was nothing I could do about it without changing the way I operated my site or so I thought. My thought was I would have to turn to advertising, affiliates, etc and this wasn't acceptable to me for this particular site. Even with that and my size its unlikely I'd have been able to afford the kind of hardware I needed.

I had not thought about doing things as explained by Paul. The concept as presented was new to me. The concept of collaboration is not and I've seen it in other industry along with attempts at it in this industry. But what he is proposing is a new concept to me and I think has promise.

I'm also very familiar with Steve, his NG's, and have read most of his site. I'm not trying to say ddos are new. The point I was making is that I think this is just the beginning for this industry. I suspect that more of this and worse can be expected and its imperative we as an industry take some steps to prepare. I don't think it can be done independently anymore than any of the other industries could and there are certain things that are going to have to be collaborated on and some joining of forces should occur.

I know I'm not going to survive without working with others, including folks like Steve. This is something I'm already doing and I think several in the industry are trying to brainstorm some effective ways of dealing with this issue without financially breaking everyone.

sig
March 1st, 2004, 09:34 PM
Yes, LWM, I see your points but I would suggest that those running fairly well known antispyware sites should already be well aware of the measure of their adversaries and what they are capable of. After all, the antispyware sites target an entire online commercial industry. An industry not known for its sense of honor and fair play.

Additionally, these site ops aren't newbie grannies* who understandably would be "shocked, shocked" that someone's DDoSing their web site because someone took particular exception to their featured taco casserole recipe. ;) It's been a different ballgame for years now and who should be in a better position to understand that than those who have been helping others remove spyware and malware from their PC's?

Kevin of BOClean for example has frequently commented in various venues regarding the marriage between the malware makers and the spyware and spam industry. Claria (nee Gator) took the (relatively, by comparison) high road by simply suing was it the PC Pitstop site and winning (or was a settlement reached instead). Other outfits have gone so far as to simply target antispyware software on a PC: wasn't there some spyware bundled app that for a time deleted Adaware from PC's when detected? Other security related sites have been the targets of DDoS attacks. The signs have been there for some time: messing with unscrupulous commercial interests is not without consequence.

Perhaps I am simply surprised at what seems to me perhaps a rather provincial and perhaps even naive perspective considering the industry they've taken on. Yes, the net's been a rather nasty place for years now as many others have found out long before this. Hello?

I wonder if perhaps as long as this sort of thing happened only to "the other guys" their slumbers would have remained undisturbed. Again, no offense intended but I'm still surprised that such a wake up call was needed (if such is the case).

*Note: no offense intended to any grannies out there since grannies ain't what they used to be (if they ever were). I know some grannies who ride Harleys and scare me. :o ;D

sig
March 1st, 2004, 09:57 PM
Good to hear that such discussions are taking place Eagle 1.

Perhaps establishing authorized mirror sites for app downloads and info and also combining resources and expertise will help maintain an effective online presence for the currently affected sites. After all, knowledge is like the genie that escaped from the bottle. Rather difficult to get it back again and contained/hidden once it's been out in the public.

They can take down your sites but they cannot take our knowledge!

(Blue paint and kilts optional. ;) )

(Edited because I managed to screw up my paraphrase of Gibson's battle cry. That's Mel, not Steve. LOL.)

Eagle1
March 1st, 2004, 10:20 PM
I guess there was a certain amount of putting the head in the sand happening ;) I'll admit that. But I didn't stay ignorant of the facts or learn as much as I could about protecting the best I could. But I definitely rationalized why I was not a likely ddos target although I wasn't naive enough to think I never would be. I just didn't see a solution so I hoped for the best I guess. I'm sure others had/have similar thoughts.

I have every intention of sharing everything I learn whether learned through my own research or taught to me. In fact today I was doing a lot of groundwork research in preparation for the return of NI. :) When that will be has yet to be determined. But it is returning and sooner rather than later. :D I'm also working on some alternative ways of getting Spybotsd forum back up. That should be established within a day or so. I know others have set up mirror download locations for the tools everyone depends on.

-{ Quote: "Blue paint and kilts optional. " }-

LOL :D

little eagle
March 2nd, 2004, 01:31 AM
-{ Quote (Eagle1): "
In fact today I was doing a lot of groundwork research in preparation for the return of NI. :)
LOL :D
" }-
This I would be glad to see.

controler
March 2nd, 2004, 07:47 AM
Pete

I don't know if anybody responded to your question about using Jason's bot detector but we talked about this batch file a few years ago.
Not many of us still find a need for using DOS files anymore.
We talked about adding more ports to his batch file. It has been so long ago, I just can't remember what was all said in that old thread.
This is Jason's basic BATCH file. All basic DOS and NETSTAT commands which can be edited to whatever you want it to look for. If I missed the post to your answer about Jason's BOT batch file, I am sorry. I think I mentioned in my old post about not liking the idea of executing an EXE in the batch file.
the last part of the batch file shown here.
"@echo on
dir rundil.exe /s
@echo off
@echo Test #3 complete. If "File Not Found" is displayed your
@echo system passed the test."

controler

@echo off
rem Looks for signs of an IRC bot: a connection on the default IRC port,
rem a connection on the ident port, and the file name this bot was known by.
@echo The commands this batch file executes will check for the
@echo presence of IRC Bots. Each test will let you know
@echo whether or not your system passed the test.

@echo Make sure any valid IRC program is closed down before
@echo you run this or you might get a false positive. (If you
@echo don't know what IRC is, chances are you don't have to
@echo worry about closing down any programs.)
pause

@echo Test #1:
rem Any local or remote endpoint on port 6667, the default IRC server port.
@echo on
netstat -an | find ":6667"
@echo off
@echo Test #1 complete. If there is no line between this and the
@echo command above, your system passed the test.
pause

@echo Test #2:
rem Port 113 (ident), which IRC servers query when a client connects.
rem The trailing space keeps ":1130" and the like from matching.
@echo on
netstat -an | find ":113 "
@echo off
@echo Test #2 complete. If there is no line between this and the
@echo command above, your system passed the test.
pause

@echo Test #3:
rem Switch to the root of drive C: and search every folder for the bot's file name.
c:
cd \
@echo on
dir rundil.exe /s
@echo off
@echo Test #3 complete. If "File Not Found" is displayed your
@echo system passed the test.

@echo Tests Completed.
pause

spy1
March 2nd, 2004, 10:01 AM
Thanks, con - I had already re-d/l'ed and installed and ran it myself to see if it was functioning correctly (it was).

The reason I suggested its use was because it was so simple for the average user to utilize, and I thought that any hinky results could give some otherwise unseen clues.

But since everyone has clammed up on this issue, I'll just let the "brains" handle it - other than initiating a couple of threads, I don't have anything more of value to contribute to the problem, anyway. Later. Pete

Zhen-Xjell
March 2nd, 2004, 11:00 AM
In reference to sites taken down during the old Proxo days, Computer Cops was one of the few that remained as a source for support and download (including Yahoo). Hardware certainly does play a role.