March 8th, 2004, 03:07 AM
The more things change, the more they stay the same. Andrew D. Kirch, security administrator for AHBL, infiltrated several script kiddie groups and shared some of his findings with us via IRC. From the (edited) interview transcript, you'll learn that one of the "new waves" in DDoS coordination is hijacking corporate conference call facilities, which is really an update of good old '60s-style phone phreaking, plus some insight into why some DDoSers do what they do -- and some tips on how they might be stopped...
...I've had my nick juped (taken by a bot) with my phone number and the away message "CALL ME FOR HOT ANAL SEX." No one called. I think perhaps I'm losing my sex appeal. Though I think the reason more likely is that I'm not packeting anyone or really involved except that I'm sitting in a channel watching all of this.
Roblimo: How do these "wars" affect the ISPs the kiddies use?
Andy: It varies. As the kiddies use shells from providers like the now defunct foonet, or pyroshells, or other DoS-hardened facilities, it's like letting them play in the sandbox. You say you haven't heard about it; it's because the kiddies are hitting things that either don't care, or if they're tricked (this is considered a real win) into hitting a government site, the FBI and Secret Service don't talk about their investigations.
I've seen ISPs crippled. A small Qwest acquisition was targeted by ADP [script kiddie nickname] as the user was an op in [a channel] on [major IRC network]. ADP knocked out the entire ISP (two T3s) for almost six hours. He was at one time affiliated with EMP [another nickname] who packeted the blacklists.
I have all of ADP's information, and a city and state on EMP. Unfortunately, until a few weeks ago the only authorities I could get to listen to me was Scotland Yard in England, and both ADP and EMP are Americans.
Most of these kiddies popped up after MyDoom. EMP's been around awhile, but ADP, SLiM (who recently attacked the NSA and NIPC websites, along with the White House mailserver), and izm purchased DoSnets (lists of "exploited" servers that can be used in DDoS attacks) with 10,000 hosts on them for the bargain value of $500. Since dcom was an NT exploit -- also for 2000 and XP -- all these machines can effectively spoof packets.
Roblimo: These are attacks we never hear about, right?
Andy: Yes. Unless you're watching.
The government on a whole is still very insecure. I've found several .gov machines in kiddies' DoSnets, some even from DoE fusion research labs, happily packeting away for them. Since you can spoof packets with Windows XP, most kiddies won't packet through proxies anymore. ISPs and major backbones don't effectively prevent bogon (unallocated and unannounced) IP space from traversing the wide Internet. Therefore a hacker with minimal sophistication can attack you from IP addresses that don't exist.
Roblimo: Wait -- you mentioned Win XP. You mean these aren't Linux advocates bent on destroying Windows?
Andy: Many of them use Linux. Having a compiler is a convenience. Using something like Wine to cross-compile is useful, but there are Windows users with minimal skill, and you have the eccentrics who swear no operating system has worked since Tru64.
Roblimo: But apparently we are *not* talking about Linux zealots attacking Windows out of moral conviction, right?
To steal a phrase from the con artists, Windows users are pretty clueless. It makes them an easy mark.
Though to prove they are elite, there are kiddies who will specifically target another OS. Solaris and Irix are popular as they're usually fast or enterprise-scale on large pipes. 20-30 Solaris machines will do the same damage in general as 200-300 Windows users on DSL because they're on business connections.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
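The bogon and spoofed-source problem Andy raises above (unallocated space and forged sources crossing the Internet unfiltered) is what edge ingress filtering is meant to stop. The following is an added example, not code from the original article or thread: a BCP 38 / RFC 2827-style filter that drops bogon sources and sources outside a customer's assigned prefix. The bogon list is a partial, constructed one, and the customer prefix and packet sample are constructed too.

```python
"""Edge ingress filter: drops bogon sources and spoofed sources outside the
customer's assigned prefix (the BCP 38 / RFC 2827 rule). Every prefix and
packet below is constructed for illustration."""
import ipaddress
# Partial, constructed bogon list: reserved or unroutable IPv4 space that
# should never be a source on the public Internet. RFC 5737 documentation
# ranges are left out because the sample uses them as stand-ins for public space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)

def ingress_verdict(src, customer_prefixes):
    """Verdict for a packet with source `src` arriving on a customer port:
    'drop-bogon'   - source is in reserved/unallocated space
    'drop-spoofed' - source is routable but not assigned to this customer
    'allow'        - source is inside one of the customer's prefixes"""
    if is_bogon(src):
        return "drop-bogon"
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(p) for p in customer_prefixes):
        return "allow"
    return "drop-spoofed"

def filter_packets(packets, customer_prefixes):
    """Return {verdict: count} for a list of (src, dst) pairs."""
    counts = {}
    for src, _dst in packets:
        v = ingress_verdict(src, customer_prefixes)
        counts[v] = counts.get(v, 0) + 1
    return counts

# Constructed sample: the customer holds 203.0.113.0/24; two packets are
# genuine, one forges a routable foreign source, three use bogon space.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.5"), ("203.0.113.200", "192.0.2.5"),
    ("192.0.2.77", "192.0.2.5"),                        # spoofed
    ("10.1.2.3", "192.0.2.5"), ("0.0.0.0", "192.0.2.5"),
    ("240.1.1.1", "192.0.2.5"),                         # bogons
]
if __name__ == "__main__":
    print(filter_packets(SAMPLE_PACKETS, CUSTOMER_PREFIXES))
```

A production deployment would take the bogon list from a maintained feed and the customer prefixes from the provider's own allocation records rather than hard-coding either.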
March 8th, 2004, 03:44 AM
Interesting read. I also liked the page about phone phreaking. Blah there are so many links I have pulled up in different tabs from this article. I'm gonna be reading for hours. thanks
When death sleeps it dreams of you...
March 8th, 2004, 04:42 AM
This post may bring people down on me hard, or change people's opinions of me, but I really don't care. The article, while interesting, shows nothing new. I know many people on here come from rather dubious backgrounds, I know many people on here still lead dubious lives. I myself have a rather dark past. It's not something I'm proud of, or that I brag about (although I've found my friends like to do it.) As much as I deny it, they all still want to call me a hacker/cracker. Getting that kinda reputation to die is a hard one.
They talk about DOSNets, that's all fine and dandy. They're just keeping up with the times. It's no different than the smurf bcast lists of 5-10 years ago. I can remember trading lists that were of a good size, and scanning for decent bcasts. Hell, you could find hosts that would easily return 100+ responses. I can remember pinning down ISPs with nothing more than a 28.8 modem and a good bcast list. That's really no different than these DOSNets, only they have bigger pipes and can go after those with bigger pipes.
As for them saying ISPs don't care, unless they've changed their ways: I've been removed from ISPs (for both legal and illegal actions), I've received warnings from ISPs... mind you this was all years ago.
As for their new "conference calling" attacks and prank calls, that stuff is very old; again he raises no new points. I've heard and been involved in phone calls that spanned cities, provinces, states, countries and continents. It wasn't very hard, especially with all the companies that used to attempt to provide cheap conference calls using the internet. You give them your number and they call you. You then have a control panel type interface and enter in the other phone numbers you want to call.
I actually still have ops in a few of the channels I used to frequent, most of the same people are still there. Trading of 0day stuff isn't as exclusive as they make it out to be. All they had was old news, and somewhat misinformed news. I still get messages from some of my old friends, asking if I have any high speed packet boxes they can use. I also don't see the jumping as much as he mentions, then again it's been years since I associated with that scene. However when I go back to say hi to old friends and see if they have any news for me, they are still all the same people, sitting there chatting it up, having conversations. Many of them have families now, however due to the names of some of their channels, people are constantly wanting them and packet wars still happen, but like I said... it's been ages since I saw someone jump ship.
It's odd to see them writing this, people who infiltrate and sit and listen in, never seem to get the whole picture of what's going on. There's been write-ups before and this seems to be the impression they get, but it's not necessarily new stuff... just different methods. Just like when WinNuke died and you had Pimp.c/kod. Same type of thing (exploit), different method of attack (what they exploited)... both resulted in a crashed system.
They should say you've got mostly inadequate or social misfits, which is sometimes true, but more like half the time. It's more of an assumption they make. When I was involved in this kind of stuff, I was involved in at least half the groups my schools had. Like I said, I know several people with families that do this stuff.
I suppose it's getting more serious, and there's more people involved and most of them are teens. However this could be stopped. Why not set up after school groups for kids with computer interests. My HS teacher would open up the lab for an hour or so after class for people that wanted to play with our routers. He attempted to start up a video-game club. We had a robotics team (and we could program the robot ourselves if we wanted..). There were lots of options available.
I've prolly changed a lot of your opinions on me, but I wanted to clarify a few things about this article, especially for those of you thinking that it's new news. Things may be more serious now, but that's only because the internet is growing and expanding. Compare the number of skiddies that exist now, to the number of computers, and compare them with numbers from 5 or 10 years ago. Things grow and expand... it's part of life.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
March 8th, 2004, 05:21 AM
HT, I don't know why you would think that 'letting slip a little knowledge of your past' will change opinions of you. Most all of us have or had periods that we really don't wish others to know of. And, I purposely said have or had, as there are those on site that are just going through the first of theirs... and I hope they make it without too many legal ramifications. I personally judge other people by their current conduct, and attempt to treat others as I would like to be treated... even if someone were to know my past (which is not entirely light).
The information you have given is excellent and complements Tedob1's post with an extension of the history, that I assume most of us didn't know. At least I didn't, and because of which, I can draw a more informed viewpoint of not only the original article, but of the way some of these styles of attacks may proceed in the future.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
March 8th, 2004, 09:39 AM
Tedob1, you do a good job of posting news and articles here. I think you read quite a bit of slashdot! That's where most of your stories seem to appear first, and within 48hrs they're posted here. Good work anyway.
March 13th, 2004, 10:57 PM
I think this material was very informative.
"If knowledge is power, why doesn't everybody read?"