The more things change, the more they stay the same. Andrew D. Kirch, security administrator for AHBL, infiltrated several script kiddie groups and shared some of his findings with us via IRC. From the (edited) interview transcript, you'll learn that one of the "new waves" in DDoS coordination is hijacking corporate conference call facilities, which is really an update of good old '60s-style phone phreaking, plus some insight into why some DDoSers do what they do -- and some tips on how they might be stopped...

...I've had my nick juped (taken by a bot) with my phone number and the away message "CALL ME FOR HOT ANAL SEX." No one called. I think perhaps I'm losing my sex appeal. Though I think the reason more likely is that I'm not packeting anyone or really involved except that I'm sitting in a channel watching all of this.

Roblimo: How do these "wars" affect the ISPs the kiddies use?

Andy: It varies. As the kiddies use shells from providers like the now defunct foonet, or pyroshells, or other DoS-hardened facilities, it's like letting them play in the sandbox. If you say you haven't heard about it, it's because the kiddies are hitting things that either don't care, or if they're tricked (this is considered a real win) into hitting a government site, the FBI and Secret Service don't talk about their investigations.

I've seen ISPs crippled. A small Qwest acquisition was targeted by ADP [script kiddie nickname] as the user was an op in [a channel] on [major IRC network]. ADP knocked out the entire ISP (two T3s) for almost six hours. He was at one time affiliated with EMP [another nickname] who packeted the blacklists.

I have all of ADP's information, and a city and state on EMP. Unfortunately, until a few weeks ago the only authorities I could get to listen to me were Scotland Yard in England, and both ADP and EMP are Americans.

Most of these kiddies popped up after MyDoom. EMP's been around awhile, but ADP, SLiM (who recently attacked the NSA and NIPC websites, along with the White House mailserver), and izm purchased DoSnets (lists of "exploited" servers that can be used in DDoS attacks) with 10,000 hosts on them for the bargain value of $500. Since dcom was an NT exploit -- also for 2000 and XP -- all these machines can effectively spoof packets.

Roblimo: These are attacks we never hear about, right?

Andy: Yes. Unless you're watching.

The government as a whole is still very insecure. I've found several .gov machines in kiddies' DoSnets, some even from DoE fusion research labs, happily packeting away for them. Since you can spoof packets with Windows XP, most kiddies won't packet through proxies anymore. ISPs and major backbones don't effectively prevent bogon (unallocated and unannounced) IP space from traversing the wide Internet. Therefore a hacker with minimal sophistication can attack you from IP addresses that don't exist.

Roblimo: Wait -- you mentioned Win XP. You mean these aren't Linux advocates bent on destroying Windows?

Andy: Many of them use Linux. Having a compiler is a convenience. Using something like Wine to cross-compile is useful, but there are Windows users with minimal skill, and you have the eccentrics who swear no operating system has worked since Tru64.

Roblimo: But apparently we are *not* talking about Linux zealots attacking Windows out of moral conviction, right?

Andy: No.

To steal a phrase from the con artists, Windows users are pretty clueless. It makes them an easy mark.

Though to prove they are elite, there are kiddies who will specifically target another OS. Solaris and Irix are popular as they're usually fast or enterprise-scale on large pipes. 20-30 Solaris machines will do the same damage in general as 2-300 Windows users on DSL because they're on business connections.


read more:

http://software.newsforge.com/softwa.../0130209.shtml