-
April 14th, 2005, 03:07 PM
#1
Security websites taken down by unhappy hackers
This came in to me and I thought I would pass it around....
via www.thei3p.org
A group of hackers called "SIS-Team" have allegedly denied service to a number of security websites, including Rootkit.com, as revenge for disparaging comments posted to the websites. After a user going by the name "ATmaCA" posted a message on Rootkit.com advertising several SIS-Team spywares, other users posted comments objecting, pointing out that rootkits on Rootkit.com are usually open source. Users also questioned the quality of the spyware in the resulting flame war. Within a few hours, Rootkit.com was under attack by a botnet of around five hundred nodes, flooding the site with 170,000 requests per second. Website administrators have received extortion e-mails that promise to end the attacks if the owners post public apologies to ATmaCA and SIS-Team. Rootkit.com has 25,000 registered users and around thirty regular contributors; most are security students and professionals studying how rootkits and other hacker tools work.
http://www.techworld.com/security/ne...fm?NewsID=3465
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle 
-
April 14th, 2005, 03:55 PM
#2
Wow, the tune "Jeremy" by Pearl Jam is the first thing that pops into my head...
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
April 14th, 2005, 10:20 PM
#3
Well, Well, Well,
“…under attack by a network of more than 500 compromised computers, or bots, that flooded the site with about 170,000 requests a second, making it unreachable for most Internet users…”
Hopefully Bubba will be getting some new playthings!
Cheers
Connection refused, try again later.
-
April 14th, 2005, 10:42 PM
#4
Rootkit.com was under attack by a botnet of around five hundred nodes, flooding the site with 170,000 requests per second.
Though I wouldn't want to have to deal with it on my network, a 500 bot net is in the high amateur range. There are botnets out there that are 10,000 plus that are regularly reported.... I'm sure there are botnets for the professional out there that could bring down 100,000 plus machines on you.... Now that's a DDoS...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 15th, 2005, 07:46 AM
#5
Really 500 nodes.
Rootkit.com must have been begging for them to stop
Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?
-
April 15th, 2005, 01:59 PM
#6
Senior Member
I think they should settle this disagreement in the traditional manner, a game of counter strike.
I know your type, you think "I'll just get me a costume, rip off the neighborhood kids". Next thing you know, you've got a jet shaped like a skull with lasers on the front!
-The Monarch.
-
April 15th, 2005, 02:08 PM
#7
Senior Member
Speaking of DDoS, is there any way that you could protect your web server from it?
Ikalo
------
Make your knowledge your deadliest weapon.
-
April 15th, 2005, 02:14 PM
#8
Originally posted here by Kite
I think they should settle this disagreement in the traditional manner, a game of counter strike.
B.R.I.N.G. IT ON.
-
April 15th, 2005, 02:21 PM
#9
Ways to protect against DDoS
1. From Cisco (related only to Cisco products, but it's a nice read):
http://www.cisco.com/warp/public/707/newsflash.html
2. From CERT (a nice read for starters):
http://www.cert.org/homeusers/ddos.html
3. From US-CERT:
http://www.us-cert.gov/cas/tips/ST04-015.html
But just to get you started: there are a lot of ways a DoS or DDoS can be carried out. I'll mention a few of them:
1. Ping of Death:
This DoS attack is carried out by exploiting the maximum packet size that TCP/IP allows to be transmitted over the Internet, which is restricted to 65,536 octets.
I am not giving much information on this attack, as this attack no longer exists: no operating system is affected by it unless you are using some ancient OS and its ancient version.
Anyway, for more information you may want to read any of these documents:
Information on ping of death
2. Teardrop
The Teardrop attack uses a vulnerability present in the reassembling of data packets. Whenever data is sent over the Internet it is first broken into smaller fragments at the source system and put together at the destination.
For example, you need 4000 bytes from a system and this is broken down into 3 packets:
packet 1 will carry data from byte 1 to byte 1500
packet 2 will carry data from byte 1501 to byte 3000
packet 3 will carry data from byte 3000 to byte 4000
Now there is an offset field in the data packet which specifies from what byte to what byte the data is carried in that particular packet.
Normally the system will receive data in the form of
1 to 1500, then 1501 to 3000, and last 3000 to 4000 bytes,
but in a Teardrop attack
1 to 1500, then 1500 to 3000, and last "1001 to 2301" bytes (this is an example);
hence the destination system gets confused, cannot reassemble the packets, and will hang and reboot.
3. SYN-Flood
This is one of the easiest ways to perform a DDoS attack. It is very hard to explain, but just for the sake of it, here is an example.
There are 10 telephones at your office and I dial all 10 numbers, so all 10 of the telephones will be busy. Now let's say one of your clients tries to call you: he will be placed on hold or will not connect.
That's how a SYN-Flood attack works. Legitimate users are denied access to the data by keeping the server busy.
SOLUTION: There is no one single countermeasure to protect from this attack, but the following are a good start.
1. Reducing the duration of time required for a "timed out"
2. Increasing the connection queue (will increase memory usage)
3. KEEPING YOUR SYSTEMS UPDATED.
THIS ATTACK IS MAINLY USED TO CARRY OUT IP SPOOFING
4. Land attack
This is the same as a SYN flood, but the only difference is that instead of a bad IP address, the IP address of the target system is used. This means that the packet contains the source and destination address (and ports) of the same system, which then creates an INFINITE LOOP, ultimately crashing the system.
BEST COUNTERMEASURE: USE A FIREWALL.
5. Smurf Attack
This is a sort of brute-force DoS attack where huge numbers of ping requests are sent to a system (NORMALLY THE ROUTER) of a target network using an IP address spoofed from the target network. This will in the end flood the entire network with ping or echo requests and their replies.
For more read
http://www.cert.org/advisories/CA-1998-01.html
Hope this information helps.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
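As an added, defender-side illustration of the five patterns listed in the post above (and of Ikalo's question in #7 about protecting a web server), here is a small triage script. It is not from the thread or from any of its posters; it runs over constructed packet metadata records built in sample_capture() (addresses from the RFC 5737 documentation ranges), and the flags and thresholds (min_syns, max_completion, the broadcast address list) are assumptions chosen for the example. In practice the records would come from a packet capture or flow exporter, and the SYN-flood check is the one worth keeping an eye on for a web server, since it measures exactly the "busy telephones" condition the post describes: many clients opening handshakes that never complete.

```python
"""Added example: triage constructed packet records for the DoS patterns named
in the post (Ping of Death, Teardrop, SYN flood, Land, Smurf)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

MAX_IP_DATAGRAM = 65535  # largest size the IPv4 total-length field can describe


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                 # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""            # TCP flags as letters: "S" SYN, "A" bare ACK
    ip_id: int = 0             # IP identification shared by fragments of one datagram
    frag_offset: int = 0       # fragment offset in bytes
    length: int = 0            # payload bytes carried by this fragment
    more_frags: bool = False   # IP "more fragments" flag
    icmp_type: Optional[int] = None


def detect_land(pkts):
    """Land: source and destination address and port are identical."""
    return [p for p in pkts if p.proto == "tcp" and p.src == p.dst and p.sport == p.dport]


def detect_smurf(pkts, broadcast_addrs):
    """Smurf: ICMP echo requests (type 8) aimed at a directed-broadcast address."""
    return [p for p in pkts if p.proto == "icmp" and p.icmp_type == 8 and p.dst in broadcast_addrs]


def detect_fragment_abuse(pkts):
    """Group fragments by (src, dst, ip_id). 'overlap' = a fragment re-covers bytes
    already received (Teardrop); 'oversized' = reassembled size > 65535 (Ping of Death)."""
    groups = defaultdict(list)
    for p in pkts:
        if p.frag_offset or p.more_frags:
            groups[(p.src, p.dst, p.ip_id)].append(p)
    findings = {}
    for key, frags in groups.items():
        issues, covered_to = set(), 0
        for f in sorted(frags, key=lambda f: f.frag_offset):
            if f.frag_offset < covered_to:
                issues.add("overlap")
            covered_to = max(covered_to, f.frag_offset + f.length)
        if covered_to > MAX_IP_DATAGRAM:
            issues.add("oversized")
        if issues:
            findings[key] = sorted(issues)
    return findings


def detect_syn_flood(pkts, min_syns=50, max_completion=0.2):
    """SYN flood: many distinct clients SYN to one listener, few ever send the bare
    ACK that completes the handshake. Thresholds are example values."""
    syns, completed = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        listener, client = (p.dst, p.dport), (p.src, p.sport)
        if p.flags == "S":
            syns[listener].add(client)
        elif p.flags == "A" and client in syns[listener]:
            completed[listener].add(client)
    flagged = {}
    for listener, clients in syns.items():
        done = len(completed[listener])
        if len(clients) >= min_syns and done / len(clients) <= max_completion:
            flagged[listener] = {"syns": len(clients), "completed": done}
    return flagged


def sample_capture():
    """Constructed traffic: one benign HTTPS handshake, a 200-source SYN flood in
    which 5 clients complete, one Land packet, one Smurf echo request, a Teardrop
    fragment pair and a Ping of Death fragment train."""
    victim = "203.0.113.10"
    pkts = [Pkt("198.51.100.7", victim, "tcp", 51000, 443, "S"),
            Pkt("198.51.100.7", victim, "tcp", 51000, 443, "A")]
    for i in range(200):
        src, sport = f"192.0.2.{i % 250 + 1}", 40000 + i
        pkts.append(Pkt(src, victim, "tcp", sport, 80, "S"))
        if i < 5:
            pkts.append(Pkt(src, victim, "tcp", sport, 80, "A"))
    pkts.append(Pkt(victim, victim, "tcp", 139, 139, "S"))                          # Land
    pkts.append(Pkt(victim, "198.51.100.255", "icmp", icmp_type=8))                 # Smurf, spoofed src
    pkts += [Pkt("192.0.2.9", victim, "tcp", ip_id=1, frag_offset=0, length=1500, more_frags=True),
             Pkt("192.0.2.9", victim, "tcp", ip_id=1, frag_offset=1000, length=1000)]   # Teardrop
    pkts += [Pkt("192.0.2.9", victim, "icmp", ip_id=2, frag_offset=0, length=1480, more_frags=True, icmp_type=8),
             Pkt("192.0.2.9", victim, "icmp", ip_id=2, frag_offset=65528, length=100, icmp_type=8)]  # Ping of Death
    return pkts


def triage(pkts, broadcast_addrs=("198.51.100.255",)):
    """One summary dict per detector; broadcast_addrs is the defender's own list."""
    return {"land": len(detect_land(pkts)),
            "smurf": len(detect_smurf(pkts, set(broadcast_addrs))),
            "fragments": detect_fragment_abuse(pkts),
            "syn_flood": detect_syn_flood(pkts)}


if __name__ == "__main__":
    for name, result in triage(sample_capture()).items():
        print(name, result)
```

The fragment and Land checks are exact conditions and can be alerted on directly; the SYN-flood check is statistical, so the two thresholds should be tuned against a baseline of normal handshake completion for the listener in question before it is used for alerting.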
-
April 15th, 2005, 02:36 PM
#10
Senior Member
Huh,
Not very encouraging, but nice reads...
I hope that IPv6 will make it harder to DDoS someone.
Ikalo
------
Make your knowledge your deadliest weapon.