DDoS attacks

Hi people,

   For the last few days, I have experienced a series of DDoS attacks on
various targets around the globe. The general target is the EFNet IRC
network, and servers have been attacked all through Europe, USA, Canada,
Israel, and such.

   Due to the various attacks, more than half of the servers on the
network were black holed (null routed). The others which hold 1/3 of the
client count, are attacked, or going to be attacked soon.

   If this keeps on going, this IRC network will cease to exist. These
attacks are all coordinated, and some people are trying to locate the
source. A lot of traffic is coming via AboveNet from Korea. A lot of
"zombies" are used to attack targets, PCs infected with trojans, that can
be remote controlled.

   In this time of need, it would be a great help if the large carriers
would be helpful in tracing the traffic. I am trying to gather more data,
and since a lot of ISPs were attacked (C&W, Concentric, Global Crossing,
Exodus, different academic institutes in the US, Internet Gold in Israel
via UUnet, the Swedish Telia backbone and academic institutes in Sweden,
Russian Rosstelekom, gigabell.de in Germany and the list goes on), I
think this is a time when these people have to be stopped.

   At this time, it would be very helpful if AboveNet people could contact
me in private.

thanks,

--Ariel

>   Hi people,

Hi IRC-nobody who should have contacted Abovenet directly.

>    For the last few days, I have experienced a series of DDoS attacks on

On IRC servers? Have you contacted Ripleys? This has NEVER happened
before! I can't BELIEVE that an IRC server has attracted the attention of
a script kiddie!

>    Due to the various attacks, more than half of the servers on the
> network were black holed (null routed). The others which hold 1/3 of the

If the entire network were null routed, I'm betting that your attacks
would go away.

> client count, are attacked, or going to be attacked soon.

Especially since you're giving free battle damage assessments out on
NANOG.

>    If this keeps on going, this irc network will cease to exist. These

Finally someone has found a POSITIVE use of DDoS scripts!

> attacks are all coordinated, and some people are trying to locate the
> source. A lot of traffic is coming via AboveNet from Korea. A lot of

And in the true spirit of IRC, none of the brainchildren in charge had the
wherewithal to actually contact Abovenet directly, huh?

> "zombies" are used to attack targets, PCs infected with trojans, that can
> be remote controlled.

Zombies: People whose lives revolve around IRC.

> Russian Rosstelekom, gigabell.de in Germany and the list goes on), I
> think this is a time when these people have to be stopped.

I agree. DOWN WITH ALL IRC NETWORKS!

>    At this time, it would be very helpful if AboveNet people could contact
> me in private.

Have you perhaps considered picking up the telephone and calling them? I
hear it's a much faster route than whining on NANOG.

And I thought there was no more sarcasm on nanog. Silly me.

I'll get up off the floor in a few minutes.

> before! I can't BELIEVE that an IRC server has attracted the attention of
> a script kiddie!

I cannot believe the attitudes I am seeing on NANOG over this event.

Your comments do not help this situation whatsoever; if you do not like IRC,
feel free to rant in your own private forums rather than on a list for
network operators.

No matter what you may think about IRC, or EFNet in particular, it should
be accorded at least your professional courtesy. IRC (EFNet) has been
around a very long time. You probably would not define it as a "critical"
Internet service, but it has served many people in several different types
of situations - everything from natural disaster to personal distress.
It is as real a service provided on the Internet as the Web or anonymous
FTP sites. DDoS attacks affect us all - and his call for assistance
reflects the danger to the providers of IRC servers as much as anything
else.

Quite frankly, DDoS attacks in any form should be squashed with as much
energy as the network engineering community can muster. The reality of DDoS
is that if the "evil empire" (I'm speaking metaphorically here) of script
kiddies can just take down any service they want, then when those script
kiddies find reason to target you for any particular reason and you raise
a cry for help, nobody will listen.

If you do not define EFNet as critical, that is one thing. But the attacks
on one IRC network could grow to encompass any other IRC network, or any other
service on the Internet. I'm reiterating the obvious here, since you do not
seem to possess enough clue to get it yourself. The times, they are
a'changin'. Soon YOU will be the provider of content as well as a provider
of connectivity, and you will be subject to the same situation EFNet is
going through now.

You cannot simply ignore DDoS attacks based on the fact they are targeting
EFNet. Attacks on EFNet (and any other Internet service of similar ilk)
are attacks, by extension, on the providers of Internet service at large
and of the very business model we attempt to make money on (some of us are
succeeding) - people want services that you do not offer, so they use you to
get there, but they will still call you if they do not work.

I'm getting windy here, but I think you get the idea.

T

I can't help but think of that quote "Guns don't kill people, people kill
people".

If you think IRC makes DOS attacks, you need to do some serious
thinking.

Consistently, attacks have been launched against IRC servers and then
later used to attack other entities.

But, there is a whole class of network operator out there that would
rather just say "Down with IRC" than deal with the actual issues of these
attacks.

A whole lot of information about the nature of these attacks could be
gained if the attacks against the IRC servers were analysed, but alas,
everyone seems to just think that if IRC servers go away, DOS attacks
will.

When they move on to hitting web servers with content they don't like, or
mail servers of people they don't like, and one of those happens to be
yours, we'll see what you have to say.

Jason

>> before! I can't BELIEVE that an IRC server has attracted the attention of
>> a script kiddie!

> I cannot believe the attitudes I am seeing on NANOG over this event.

Really? Strange. I can. And just so nobody is mistaken, 100% of my
sarcasm resulted in some IRC person whining to the NANOG list VS
contacting the NOCs of networks in question directly.

> Your comments do not help this situation whatsoever; if you do not like IRC,
> feel free to rant in your own private forums rather than on a list for
> network operators.

My comments helped me substantially. I feel MUCH better! If they want to
whine about their IRC network being DDoS'd, they should do it on their IRC
network and NOT on the North American Network Operators Group mailing
list. OOPS! I almost forgot. They're being DDoS'd. They probably can't
even log onto their IRC servers. Too bad. Maybe they'll use this as an
excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR
HOMES.) We can only hope.

> No matter what you may think about IRC, or EFNet in particular, it should
> be accorded at least your professional courtesy. IRC (EFNet) has been

Excuse me? I'm not condoning ANY attack. If they MUST attack something,
I'd rather it be IRC than anything else I can think of.

> around a very long time. You probably would not define it as a "critical"
> Internet service, but it has served many people in several different types
> of situations - everything from natural disaster to personal distress.

I'm going to be sick. Granted, it's "nifty" that someone used an
otherwise (IMHO) useless waste of bandwidth to summon help. Just think of
how much more efficient it would have been for them to hang up the
friggin' modem and dial 911. (And don't bother trying to argue that E911
service isn't a world-wide service. If they can master IRC, services,
bots, blah, they can manage to summon help via conventional means as
well!)

> It is as real a service provided on the Internet as the Web or anonymous
> FTP sites.

OK. If you say so. (Bwahahahahah!)

> DDoS attacks affect us all - and his call for assistance reflects the
> danger to the providers of IRC servers as much as anything else.

Hrm. The last time I checked, running through S. Central LA screaming
racist slogans would summon the attention of people who wanted to attack
you. When you do it, and get attacked, I don't know very many people who
would feel even the slightest bit sorry for you.

Running an IRCd is not any better. It's BEGGING to be attacked. I don't
feel the slightest bit sorry for you.

Again, I don't condone the attacks in either case. I do understand the
cause and effect relationship though.

> If you do not define EFNet as critical, that is one thing. But the attacks
> on one IRC network could grow to encompass any other IRC network, or any other
> service on the Internet.

I don't define *ANY* IRC network as critical.

> I'm reiterating the obvious here, since you do not seem to possess
> enough clue to get it yourself. The times, they are a'changin'.

You're funny.

> You cannot simply ignore DDoS attacks based on the fact they are targeting
> EFNet. Attacks on EFNet (and any other Internet service of similar ilk)
> are attacks, by extension, on the providers of Internet service at large
> and of the very business model we attempt to make money on (some of us are
> succeeding) - people want services that you do not offer, so they use you to
> get there, but they will still call you if they do not work.

I have NEVER gotten a SINGLE complaint from a SINGLE lUSER who couldn't
get to an IRC network. I don't anticipate it happening any time soon.

> I'm getting windy here, but I think you get the idea.

I got the idea that you were windy in your first paragraph.

> T

"I pity the fool!"

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
John Fraizer
Sent: July 11, 2001 11:23 PM
To: Timothy Brown
Cc: nanog@merit.edu
Subject: Re: DDoS attacks

> Really? Strange. I can. And just so nobody is mistaken, 100% of my
> sarcasm resulted in some IRC person whining to the NANOG list VS
> contacting the NOCs of networks in question directly.

He's not the first one to have posted NANOG asking "Can someone from
$NETWORK contact me please?"... Oftentimes if you're being ignored through
normal channels, it's probably a good enough method, since someone from
every single network seems to lurk around here.

>> Your comments do not help this situation whatsoever; if you do not like IRC,
>> feel free to rant in your own private forums rather than on a list for
>> network operators.

> My comments helped me substantially. I feel MUCH better! If they want to
> whine about their IRC network being DDoS'd, they should do it on their IRC
> network and NOT on the North American Network Operators Group mailing
> list. OOPS! I almost forgot. They're being DDoS'd. They probably can't
> even log onto their IRC servers. Too bad. Maybe they'll use this as an
> excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR
> HOMES.) We can only hope.

Hmmm. Tell me, why can't we s/IRC network/AS13944/ and also s/They/John/ and
apply it to your network?

The issue here is simple: these people are trying to provide a service, one
that's fairly popular and also very easily abused (hmmm, reminds me of large
binaries on Usenet, but that's besides the point). They're getting DDoSed.

Tell me, with your attitude, do you expect people to help you if someone on
your network gets DDoSed? I mean, what makes your customers more important
to the rest of the universe than those people's IRC server? (And I should
mention that IRC server is someone's customer too, somewhere)

>> No matter what you may think about IRC, or EFNet in particular, it should
>> be accorded at least your professional courtesy. IRC (EFNet) has been

> Excuse me? I'm not condoning ANY attack. If they MUST attack something,
> I'd rather it be IRC than anything else I can think of.

You seem to be condoning the attack, actually. You're saying above: "Great.
Too bad those people are being DDoSed, maybe they can go outside and get a
life." That doesn't strike me like an anti-DDoS stance.

Remember, their IRC servers and your customers' servers both speak IP...

>> It is as real a service provided on the Internet as the Web or anonymous
>> FTP sites.

> OK. If you say so. (Bwahahahahah!)

Well, I say so too. Of _course_, for each of us, it seems that what matters
is only what we provide and our own networks, it seems (I guess humans'
natural instinctive selfishness applies to network operators). Let's see
here: if 66.37.218.192/27 was to vanish, would you care much? would I care
much about 66.35.64.0/19 disappearing? Sadly, probably not, but we both
should care about each other's networks at least somewhat, because whatever
makes 66.37.218.192/27 go byebye may make 66.35.64.0/19 melt the next day.

> Running an IRCd is not any better. It's BEGGING to be attacked. I don't
> feel the slightest bit sorry for you.

And what do you propose to do about running ircd being begging to be
attacked? For all we know, in a week from now, it could be running httpd or
a DNS server that could be the target. We've already seen it once when a
whole bunch of major web sites were the target for a week or so, and I'm
fairly sure it could be MUCH worse.

>> If you do not define EFNet as critical, that is one thing. But the attacks
>> on one IRC network could grow to encompass any other IRC network, or any other
>> service on the Internet.

> I don't define *ANY* IRC network as critical.

I don't define AS13944 as critical, either... As I said above, everyone's
definition of critical seems to revolve around their own network and perhaps
extends to a few hops beyond their borders.

>> I'm reiterating the obvious here, since you do not seem to possess
>> enough clue to get it yourself. The times, they are a'changin'.

> You're funny.

So are you. :) I'm glad all of us here have a good sense of humour.

> I have NEVER gotten a SINGLE complaint from a SINGLE lUSER who couldn't
> get to an IRC network. I don't anticipate it happening any time soon.

You're lucky, then... Every large ISP that I've seen (usually with an
incompetent abuse department) that gets blocked from $MAJOR_IRC_NETWORK
generally has a number of angry complaining users very soon.

Vivien

Unfortunately John's apathy and arrogance are typical of most providers
I've dealt with when trying to get them to stop originating DDoS attacks.

At this point I don't think John has any bridges left to burn.

-Dan

On Wed, Jul 11, 2001 at 11:22:40PM -0400, John Fraizer scribbled:

[ snip ]

>> It is as real a service provided on the Internet as the Web or anonymous
>> FTP sites.

> OK. If you say so. (Bwahahahahah!)

John-
I might want to mention that there are many people on this
list who are affected by DDoS attacks on a daily/weekly
basis- and who do not have any IRC servers on their
networks. DDoS is serious and is certainly not going to
just magically go away with IRC.

>> DDoS attacks affect us all - and his call for assistance reflects the
>> danger to the providers of IRC servers as much as anything else.

> Hrm. The last time I checked, running through S. Central LA screaming
> racist slogans would summon the attention of people who wanted to attack
> you. When you do it, and get attacked, I don't know very many people who
> would feel even the slightest bit sorry for you.

> Running an IRCd is not any better. It's BEGGING to be attacked. I don't
> feel the slightest bit sorry for you.

You really should. IRC servers are not the only targets in
DDoS attacks, and more attacks will continue to be launched
to *all* areas of the internet community in the near future.

> Again, I don't condone the attacks in either case. I do understand the
> cause and effect relationship though.

Your logic could also conclude - if you don't want your
website to get attacked by a DDoS, then you have no business
having a presence on the internet to begin with.

>> If you do not define EFNet as critical, that is one thing. But the attacks
>> on one IRC network could grow to encompass any other IRC network, or any other
>> service on the Internet.

> I don't define *ANY* IRC network as critical.

That is not the point.

>> I'm reiterating the obvious here, since you do not seem to possess
>> enough clue to get it yourself. The times, they are a'changin'.

> You're funny.

>> You cannot simply ignore DDoS attacks based on the fact they are targeting
>> EFNet. Attacks on EFNet (and any other Internet service of similar ilk)
>> are attacks, by extension, on the providers of Internet service at large
>> and of the very business model we attempt to make money on (some of us are
>> succeeding) - people want services that you do not offer, so they use you to
>> get there, but they will still call you if they do not work.

> I have NEVER gotten a SINGLE complaint from a SINGLE lUSER who couldn't
> get to an IRC network. I don't anticipate it happening any time soon.

Everyone has a different customer-base. My users go
crazy when they can not connect to IRC servers.. And if
there is anything I can do to help eliminate DDoS attacks
from spreading like wildfire, I am all willing. Just
because you may not have much experience with being
victimized and/or being a colo provider when DDoS's randomly
take out segments of your network, does not mean you should
discredit others' posts regarding this serious network
operator's issue. Doing so just makes having lists like
this useless to those who would like them to become somewhat
productive.

Stoned koala bears drooled eucalyptus spit in awe as John Fraizer exclaimed:

> My comments helped me substantially. I feel MUCH better! If they want to
> whine about their IRC network being DDoS'd, they should do it on their IRC
> network and NOT on the North American Network Operators Group mailing
> list. OOPS! I almost forgot. They're being DDoS'd. They probably can't
> even log onto their IRC servers. Too bad. Maybe they'll use this as an
> excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR
> HOMES.) We can only hope.

Why don't you follow your own advice instead of being such a sarcastic ass on here 24x7?

Jeff

Issues surrounding IRC go back to the days when we invented it (anyone here
remember the RELAY network on BITNET?). For some good reading, check out:

  http://web.inter.nl.net/users/fred/relay/relhis.html

And read the section labeled "The Growing Pains" where we ran into problems
when we had 30 (thirty) people connected.

AlanC {been there, done that, have the NETCON tee-shirt}