The latest war.

Discussion in 'other security issues & news' started by spy1, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    No offense but those comments make me wonder if this is the first time some of the site owners/operators may have considered the impacts of DDoS's and who gets targeted, how and why.

    Steve Gibson may have gotten some sneers from some tech types when he wrote up his analyses of a series of DDoS attacks against his site several years ago. But the info there is still as instructive and relevant today as when it was written IMO. Perhaps more so since apparently incidents of DDoS attacks using spoofed IPs have increased. Perhaps the articles at his site might be of some value to those who are interested. (Those who frequent his site and newsgroups might observe, however, that it likely may take more than just a more robust server and proper protection tools to mitigate the effects of very clever and determined attackers.)

    I recall when sites that distributed Proxomitron and/or provided info and assistance with the app were under attack and knocked off the net for some time. Since Proxo's primary use for many is filtering advertising and popups (although it can do much more than that, including blocking ActiveX and scripting which is useful for both anti-spyware and anti-malware purposes), many of us did not suspect mere script kiddies just having fun as the perpetrators. That Proxo was known to advertisers and webmasters was shown when in some cases some websites on the net were set by their masters to not serve up the regular site but to instead reply with a nasty message if the earlier default Proxo referers/user agents were used and detected by the site. Some people with advertising money at stake simply didn't like what Proxo could do.

    Except for Proxo users and fans who set up mirror sites, I don't recall much concern expressed at the time by the security or antispyware folks at large regarding such attacks (or perhaps my memory simply fails me in this case). Fortunately, Proxo is not an app that requires continued care and feeding, so missing out on updates for the app or filters was not really an issue. And there of course are other products, both commercial and free, that can provide some of its functions. So it was a slightly different situation, but I'm not convinced that the reasons for the attacks were entirely different in nature from what is being seen today.

    My point is, the issues and problems existed before. There is nothing that new or novel IMO about these attacks except that those who now find themselves in this situation (as others have before them) perhaps regard these attacks as singular and ground breaking simply because they are now the targets.

    That the concept of joining forces and resources (financial and intellectual) to mitigate the effects of such attacks apparently is a new concept for some is also rather surprising to me. First find out what it really takes for one site owner alone to fight back against a determined and protracted DDoS. Talk to others who have been there and what it takes to stay on the net in such circumstances. Including hardware, software, bandwidth, technical expertise, 24 hr support and perhaps also a responsive and cooperative ISP in addition to reliable hosting or self-hosting. Then check your bank balance and consider the alternatives.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Sig,

    I guess I view all of this as more of "a wake up call" than anything else. I think that the idea of combining with others to host a site is not new to any of those involved here, but the idea that they may have to do so in order to survive now, well that probably is new.

    A lot of people start off working with or for someone else on a site, combining effort, resources and money perhaps... In time they branch off in a different direction and so end up bringing up their own site, on their own nickel. It's very compelling to be able to go out and set up your own hosting deal, bring a website or forum online, and own and operate it all by yourself.

    I've got two such business hosting deals myself; totally mine and separate from anyone else. Of course, they aren't large enough to survive any type of serious attack like the ones we're talking about here.

    When I got those my only thoughts were: what kind of things can I host; what performance do I have; and how much download bandwidth is available. It's pretty cool to be able to do something like that on your own.

    So, while a few well known sites have historically been DoS'd, my first thoughts weren't that I'd need to combine with someone else just to keep my sites running. It was just getting them up. After all, millions of websites run just fine, day in day out without being targeted.

    In any case, I guess this all simply shows that things are getting tougher and tougher out there, and perhaps now the only way to survive (if you're in "a business" that's likely to be targeted) is to combine forces. I think the main thing that has to be worked out is "how to combine" (for joint strengths) and yet "still keep your independence" (your content, your direction, your priorities...)

    Difficult issues maybe, but not impossible to work out.
     
  4. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    To be quite frank I thought about ddos some. And I understand there is not always a rhyme or reason for them happening and sometimes there is. And I also thought about what steps I might be able to take. However, I knew I was not able to withstand an attack like the one I'm experiencing. And there was nothing I could do about it without changing the way I operated my site, or so I thought. My thought was I would have to turn to advertising, affiliates, etc. and this wasn't acceptable to me for this particular site. Even with that and my size it's unlikely I'd have been able to afford the kind of hardware I needed.

    I had not thought about doing things as explained by Paul. The concept as presented was new to me. The concept of collaboration is not and I've seen it in other industry along with attempts at it in this industry. But what he is proposing is a new concept to me and I think has promise.

    I'm also very familiar with Steve, his NGs, and have read most of his site. I'm not trying to say ddos are new. The point I was making is that I think this is just the beginning for this industry. I suspect that more of this and worse can be expected and it's imperative we as an industry take some steps to prepare. I don't think it can be done independently any more than any of the other industries could, and there are certain things that are going to have to be collaborated on and some joining of forces should occur.

    I know I'm not going to survive without working with others, including folks like Steve. This is something I'm already doing and I think several in the industry are trying to brainstorm some effective ways of dealing with this issue without financially breaking everyone.
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Yes, LWM, I see your points but I would suggest that those running fairly well known antispyware sites should already be well aware of the measure of their adversaries and what they are capable of. After all, the antispyware sites target an entire online commercial industry. An industry not known for its sense of honor and fair play.

    Additionally, these site ops aren't newbie grannies* who understandably would be "shocked, shocked" that someone's DDoSing their web site because someone took particular exception to their featured taco casserole recipe. ;) It's been a different ballgame for years now and who should be in a better position to understand that than those who have been helping others remove spyware and malware from their PCs?

    Kevin of BOClean for example has frequently commented in various venues regarding the marriage between the malware makers and the spyware and spam industry. Claria (née Gator) took the (relatively, by comparison) high road by simply suing, was it the PC Pitstop site, and winning (or was a settlement reached instead?). Other outfits have gone so far as to simply target antispyware software on a PC: wasn't there some spyware-bundled app that for a time deleted Ad-aware from PCs when detected? Other security related sites have been the targets of DDoS attacks. The signs have been there for some time: messing with unscrupulous commercial interests is not without consequence.

    Perhaps I am simply surprised at what seems to me perhaps a rather provincial and perhaps even naive perspective considering the industry they've taken on. Yes, the net's been a rather nasty place for years now as many others have found out long before this. Hello?

    I wonder if perhaps as long as this sort of thing happened only to "the other guys" their slumbers would have remained undisturbed. Again, no offense intended but I'm still surprised that such a wake up call was needed (if such is the case).

    *Note: no offense intended to any grannies out there since grannies ain't what they used to be (if they ever were). I know some grannies who ride Harleys and scare me. :eek: :D
     
  6. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Good to hear that such discussions are taking place Eagle 1.

    Perhaps establishing authorized mirror sites for app downloads and info and also combining resources and expertise will help maintain an effective online presence for the currently affected sites. After all, knowledge is like the genie that escaped from the bottle. Rather difficult to get it back again and contained/hidden once it's been out in the public.

    They can take down your sites but they cannot take our knowledge!

    (Blue paint and kilts optional. ;) )

    (Edited because I managed to screw up my paraphrase of Gibson's battle cry. That's Mel, not Steve. LOL.)
     
  7. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    I guess there was a certain amount of putting the head in the sand happening ;) I'll admit that. But I didn't stay ignorant of the facts or fail to learn as much as I could about protecting myself the best I could. But I definitely rationalized why I was not a likely ddos target, although I wasn't naive enough to think I never would be. I just didn't see a solution so I hoped for the best I guess. I'm sure others had/have similar thoughts.

    I have every intention of sharing everything I learn whether learned through my own research or taught to me. In fact today I was doing a lot of groundwork research in preparation for the return of NI. :) When that will be has yet to be determined. But it is returning and sooner rather than later. :D I'm also working on some alternative ways of getting Spybotsd forum back up. That should be established within a day or so. I know others have set up mirror download locations for the tools everyone depends on.

    LOL :D
     
  8. little eagle

    little eagle Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    100
    Location:
    Texas
    http://www.emotipad.com/newemoticons/Big-Thumbs-Up.gif This I would be glad to see.
     
  9. controler

    controler Guest

    Pete

    I don't know if anybody responded to your question about using Jason's bot detector but we talked about this batch file a few years ago.
    Not many of us still find a need for using DOS files anymore.
    We talked about adding more ports to his batchfile. It has been so long ago, I just can't remember what was all said in that old thread.
    This is Jason's basic BATCH file. All basic DOS and NETSTAT commands which can be edited to whatever you want it to look for. If I missed the post with your answer about Jason's BOT batch file, I am sorry. I think I mentioned in my old post about not liking the idea of executing an EXE in the batch file.
    The last part of the batch file is shown here:
    "@echo on
    dir rundil.exe /s
    @echo off
    @echo Test #3 complete. If "File Not Found" is displayed your
    @echo system passed the test."

    controler

    @echo off
    rem Jason's IRC bot check. Each test echoes the command it runs, then
    rem explains how to read the result. Edit the ports/file name as needed.
    @echo The commands this batch file executes will check for the
    @echo presence of IRC Bots. Each test will let you know whether
    @echo or not your system passed the test.

    @echo Make sure any valid IRC program is closed down before
    @echo you run this or you might get a false positive. (If you
    @echo don't know what IRC is, chances are you don't have to
    @echo worry about closing down any programs.)
    pause

    rem Test 1: any connection or listener on the default IRC port 6667.
    @echo Test #1:
    @echo on
    netstat -an | find ":6667"
    @echo off
    @echo Test #1 complete. If there is no line between this and the
    @echo command above, your system passed the test.
    pause

    rem Test 2: an identd listener on port 113 (trailing space avoids
    rem matching ports such as 1130).
    @echo Test #2:
    @echo on
    netstat -an | find ":113 "
    @echo off
    @echo Test #2 complete. If there is no line between this and the
    @echo command above, your system passed the test.
    pause

    rem Test 3: search the whole C: drive for the bot's file name.
    @echo Test #3:
    c:
    cd \
    @echo on
    dir rundil.exe /s
    @echo off
    @echo Test #3 complete. If "File Not Found" is displayed your
    @echo system passed the test.

    @echo Tests Completed.
    pause
     
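The batch file above does its checks by substring-matching raw `netstat -an` output, so it cannot tell a listener on port 6667 from an outbound connection to port 6667, and it loses the remote address. The following is an added example, not Jason's or controler's code, that parses constructed `netstat -an` lines into fields and applies the same three ideas (IRC-port connections, an identd listener on 113, plus the port-range caveat that 6667 is only IRC's default). The sample output, the extra IRC ports 6660-6669/6697 and the function names are assumptions made for this illustration.

```python
"""IRC-bot triage over Windows `netstat -an` output (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Port 113 is identd, which IRC clients and many IRC bots open. Assumption:
# 6660-6669 and 6697 (IRC over TLS) are treated as "IRC ports" besides 6667.
IDENTD_PORT = 113
IRC_PORTS = frozenset(range(6660, 6670)) | {6697}

# Constructed sample of `netstat -an` on Windows; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.20:1051      203.0.113.9:443        ESTABLISHED
  TCP    192.168.1.20:6667      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str  # empty for UDP rows, which carry no state column


@dataclass(frozen=True)
class Finding:
    kind: str    # "identd-listener", "irc-connection" or "irc-port-listener"
    detail: str


_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")


def _split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon so IPv6 forms like [::]:135 survive."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)  # '*' -> None


def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP/UDP rows; the banner and header lines do not match."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lh, lp = _split_endpoint(local)
        rh, rp = _split_endpoint(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state or ""))
    return conns


def triage(text: str, irc_ports=IRC_PORTS) -> List[Finding]:
    """Apply the batch file's tests with the local/remote side kept distinct.

    A legitimate IRC client produces the same 'irc-connection' row, which is
    why the post says to close IRC programs before running the check.
    """
    findings = []
    for c in parse_netstat(text):
        if c.proto != "TCP":
            continue
        if c.state == "LISTENING":
            if c.local_port == IDENTD_PORT:
                findings.append(Finding("identd-listener", f"{c.local_host}:{c.local_port}"))
            elif c.local_port in irc_ports:
                findings.append(Finding("irc-port-listener", f"{c.local_host}:{c.local_port}"))
        elif c.remote_port in irc_ports:
            findings.append(Finding(
                "irc-connection",
                f"{c.local_host}:{c.local_port} -> {c.remote_host}:{c.remote_port} ({c.state})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT):
        print(f"{f.kind:18} {f.detail}")
```

On a live box, feed it `subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout` instead of the sample; an established connection to an IRC port from a machine with no IRC client is the signal worth chasing, while a bare port-number substring match, as in the batch file, treats a listener and a connection alike.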
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, con - I had already re-d/l'ed and installed and ran it myself to see if it was functioning correctly (it was).

    The reason I suggested its use was because it was so simple for the average user to utilize, and I thought that any hinky results could give some otherwise unseen clues.

    But since everyone has clammed up on this issue, I'll just let the "brains" handle it - other than initiating a couple of threads, I don't have anything more of value to contribute to the problem, anyway. Later. Pete
     
  11. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    In reference to sites taken down during the old Proxo days, Computer Cops was one of the few that remained as a source for support and download (including Yahoo). Hardware certainly does play a role.
     