DALnet DDoS attacks
January 18, 2003 12:30 PM

After the whole Napster deal, I turned to DALnet for my music needs...but, for the past few weeks, DALnet has been under DDoS attacks preventing me, and countless others, from accessing the servers. I find this interesting because while DDoS attacks on the RIAA make the news and stop after a few days, I have yet to see DALnet's problems publicized at all. Does anyone else at all find it weird that the hated RIAA has limited DDoS attacks, while a smaller and more venerated org like DALnet has attacks lasting more than a week?
posted by jmd82 (39 comments total)
 
The past week has been a complete shutout, but this has been going on for months now - two of the major servers had no choice but to de-link in December, instantly reducing Dal's capacity by about half, from what I'm told.

I have no idea why this is happening, nor do I understand why it's mainly just Dal - Undernet and Efnet and Quakenet seem to be functioning fine, along with all the little networks.
posted by danwalker at 12:44 PM on January 18, 2003


Efnet has been punished heavily in past years. Perhaps the script kiddies have moved on and are pissed that they can't score with the legendary Dalnet girls.
posted by shagoth at 1:04 PM on January 18, 2003


I haven't jumped on IRC in ages, but why would anyone want to target DALnet? I can understand kiddies attacking aohell.org or something similar - but why DAL? I'm a bit out of the loop...is DALnet known for quality mp3 channels? If so, it would be interesting to read some RIAA DDoS conspiracy theories. All in all, this really sucks.
posted by foot at 1:05 PM on January 18, 2003


I used to use DALNet for, er, 'sharing documents'. However, I jumped to UnderNet when the problems began, and found a lot of people had the same idea too.. it's much better than DALNet was, thankfully.

Besides, when a bunch of trekkies found their own IRC network, you know it's all going to end in disaster..
posted by wackybrit at 1:08 PM on January 18, 2003


I can tell you why it usually happens - idiots hacking back and forth at each other until somebody gets K-Lined (or even Z-Lined, if the DALNet IRCd is anything like what I remember setting up on my own *nix boxen years ago). Cue frustrated leet kiddiez rounding up their armies of zombied Win9x machines and letting fly the packets of war. "You won't let us play in your playground? Fine! We'll stomp it to bits!"

The script kiddie tools for creating DDoS networks have dropped to the point where fairly bright and bored 15-year-olds have amassed networks exceeding 1000 clients.

End result: everybody loses. The constant DDoSing as a result of similar activity has certainly done its share to help EFNet into an early grave (it isn't dead yet, but the majority of major servers left nearly a year ago IIRC). Unless someone can dig up an explanation from the DALNet admins on this issue, there's no reason to suspect anything unusual going on.
posted by Ryvar at 1:09 PM on January 18, 2003


wow, people dos irc servers. who knew.

as for the zany conspiracy theory, well, how many people even know what dalnet is compared to the riaa?

yeah.
posted by kjh at 1:11 PM on January 18, 2003


Who would want to attack Dalnet of all things...the RIAA is who! Additional generic RIAA conspiracy theory comment! Arrggg!
posted by ac at 1:35 PM on January 18, 2003


I was just looking through this gallery, and the people that put together these "botnets" are obviously, very seriously f-ed up in the head. I mean, really disturbed. Normal people don't have the compulsion to do something like that.
posted by tomorama at 1:35 PM on January 18, 2003


Case in point, a quote from one of the users in that gallery running the botnet:

"It has to be done, this guy is taking up a slot and I want my movie. I will just keep hitting him 'till his movie times out."

He then fires a bunch of ddos attacks to flood the victim offline.

If I was a parent and I found evidence on my teenager's computer that they were doing something like this, I wouldn't let him near a computer for a year.
posted by tomorama at 1:39 PM on January 18, 2003


is DALnet known for quality mp3 channels?
That's one of the reasons I found this phenomenon interesting...Some DAL chans, such as #mp3z, have f-serves where I could find any music I'd ever wanted. Considering the wide availability once offered (which I'm guessing will no longer be so wide), you'd think the script kiddies would target something else...like the RIAA
posted by jmd82 at 1:42 PM on January 18, 2003


I figured I'd derail the thread with some nostalgia.

FWIW, IRC is where I got my first MP3s in about 1996. Winamp wasn't out till about 1997, but I can't remember what player I used before then. Memories!

The amount of MP3s around in those days was crap. Only geeks had heard of MP3 at the time, and I recall one of the more popular songs was B52s - Loveshack :-) The problem was, my machine was so slow I had to play MP3s in half sampling rate, and even then it was almost 100% CPU load while playing.

Things have certainly moved on!
posted by wackybrit at 1:53 PM on January 18, 2003


<still plays MP3s at half sampling rate>
<realizes he needs to get a new computer>
posted by IshmaelGraves at 2:00 PM on January 18, 2003


DALnet is more than just file swapping, so if the RIAA is behind this, it's done more than keep people from getting their hands on the latest hits. Not that the RIAA would care, of course.
posted by tommasz at 2:28 PM on January 18, 2003


tomorama - would you mind explaining what's going on in the image gallery you linked to? I understand the role of bots in flooding IRC servers, but exactly how they are replicating and what they are doing in these secret channels is gobbletygook to me.
posted by PrinceValium at 3:30 PM on January 18, 2003


Also, there may well be a governmental role in this attack, since Dalnet fosters a whole bunch of illegal activity besides music sharing - warez, xxxpasswords, h/p/a, and the like.
posted by PrinceValium at 3:33 PM on January 18, 2003


All the infected computers make a stealth connection to a private IRC server without the victim knowing, and join a specific channel. The people behind the scam are there, and use the channel to give commands to all the infected computers that show up. Those screenshots depict a couple of people sending off 200 - 400 bots to flood users and networks. One particular guy is destroying someone else's connection because the victim is downloading a movie from an fserve, and the "botmaster" also wants the movie and doesn't want to wait in queue.
posted by tomorama at 3:34 PM on January 18, 2003


Me and my friends have moved a channel we've had since 95 to a private server. It just got too annoying to try and connect. I mean all we did was stay in the same channel all the time anyway, so it's really no big loss.
posted by corpse at 3:35 PM on January 18, 2003


Does anyone else at all find it weird that the hated RIAA has limited DDoS attacks, while a smaller and more venerated org like DALnet has attacks lasting more than a week?

You'll find that DDoS attacks on Nestlé and McDonald's are probably pretty limited as well. Big corporations are evil but litigious, while small IRC networks are neutral but generally lack lawyers.

Also, as nasty as the RIAA are, they represent music. If I were going to go out and cause havoc, I'd definitely take aim at the spotty IRC kids instead; call it prejudice.
posted by bwerdmuller at 3:44 PM on January 18, 2003


I'd just like to interrupt here to say that the only words I understood in this entire thread were "B52s - Loveshack".

I got me a Chrysler, it's as big as a whale.
posted by yhbc at 4:25 PM on January 18, 2003


Tiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiin roof!

Rusted!
posted by sexualchocolate at 5:32 PM on January 18, 2003


wackybrit, you probably used FHG's own winplay3. In those pre-Winamp days it was winplay3 or nothing at all. I just LOVED the fact that you couldn't skip forwards or backwards while playing a song. And playlists? Who needs 'em!?
posted by zsazsa at 8:26 PM on January 18, 2003


I'll try and explain for the technically uninformed.

You probably know that each computer has an IP address - a series of 4 numbers from 0-255 separated by periods. For instance, I run a webserver at 206.124.137.13. Now, most cable-modem users lie in one of the following three groups of 16.7 million potential IP addresses: 24.x.x.x, 65.x.x.x, and 66.x.x.x.

Many cable modem users, and in general computer users, aren't terribly bright. Most of them don't patch, don't upgrade too often, don't run anti-virus or anti-adware software, and don't have a hardware or Linux/BSD firewall protecting their home machines (software firewalls like BlackICE often make security worse as they continue to contain countless holes). End result: there are simple, easy to exploit holes in the code responsible for maintaining their internet connections. For instance, that copy of Windows XP you just bought at the store, connected to the Internet and unpatched, can be trivially compromised via a well-known UPnP exploit.

Script kiddies can iterate through the 24.x.x.x IP block and quickly check each address for a suite of the hundred most common holes, and move on if none are found (you are probably swept for common exploits 20-50 times a day if you are on such an address). If any are found, a pre-scripted and entirely automated sequence takes place in which the hole is exploited, several new backdoors are installed on victim machine, and then the old hole is patched (!) to prevent other script kiddies from gaining access to 'their' new zombied machine. Finally, a program installed by the automated attack script on the victim's computer logs onto a (usually private) IRC (Internet Relay Chat) network channel and sits and waits for commands from the script kiddie.

All this is done transparently and without the victim noticing in the slightest in 99 out of 100 cases. There are always exceptions and it doesn't always work out cleanly, but most script kiddies have at least a semi-decent knowledge of networking and can work around extraneous issues that crop up.

The reason the focus lies on cable modems (and to a lesser extent DSL networks - for some reason cable modems tend to attract the step-above-AOLers crowd slightly more) is that they have massive bandwidth. Several hundred zombied cable modem-equipped computers will be sitting in a private IRC channel, just waiting for the script kiddie in question to log on, say 'attack 193.216.78.65' (or some other IP address) and - *BOOM* - each zombied machine starts attempting connections with the target IP address - or the next IP address up the route from it - and flings as much bogus data as they can possibly churn out at it.

The end result is that the target is instantly drowned out in a flood of the TCP/IP (or UDP or ICMP) equivalent to spam. At this level of stress, all sorts of bad things can happen, from routers outright burning out, to the target simply being disconnected by their ISP, to the entire ISP being delinked by their upstream provider - etc. etc. - quite frankly networks just stop working properly in myriad strange and horrible ways under that level of traffic hitting them, depending on the hardware and admins.

Anyways, these script kiddies tend to be shadier characters online, and also largely somewhat juvenile (15-18 is common although you'll see anything up to mid-30s), so when some IRCOP (IRC Operator) completely bans them and their favorite proxy-connections from some chat network (in this case DAL), they tend to react with instant and overwhelming force. As someone else mentioned, the IRC networks can't afford to litigate like the RIAA can - and the FBI will NOT investigate until you can prove over $5000 in damages, kids.

The RIAA and government wouldn't dirty their hands with something so blatantly illegal, and quite potentially traceable. Guaranteed these are bot networks controlled by petty individuals with a grudge and usually a ton of sexual/social frustration. It's the 'net equivalent to sticking M80s in mailboxes and butchering the neighborhood cat. There are far more subtle - and gray-illegal rather than outright - ways to disrupt networks that the RIAA would employ if they wanted. They can't begin to make the case that the chat networks (unlike P2P) serve no 'real purpose other than copyright violation', though, and the damage from IRC is nothing on the scale of Kazaa/Gnutella/Napster, so this is almost definitely not them.
posted by Ryvar at 11:10 PM on January 18, 2003
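As an added, defender-side illustration of the pattern tomorama and Ryvar describe (zombies parked in a private IRC channel, then all flinging traffic at one target on command), here is example code that is not from the thread: it scans constructed flow records for the two telltales an ISP or campus network operator could look for. The internal address range, the IRC port list and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: ports commonly used by IRC servers (6667 is the classic one).
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Assumption: the address space of the network we are monitoring.
INTERNAL = ip_network("10.0.0.0/8")


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_cnc_rendezvous(flows, min_hosts=3, min_duration=3600):
    """Return external (ip, port) pairs that several internal hosts hold
    long-lived IRC sessions to: the 'sit in a channel and wait for
    commands' behaviour. A single chatty user does not trip this."""
    members = defaultdict(set)
    for f in flows:
        if (is_internal(f["src"]) and not is_internal(f["dst"])
                and f["dport"] in IRC_PORTS and f["duration"] >= min_duration):
            members[(f["dst"], f["dport"])].add(f["src"])
    return {k: sorted(v) for k, v in members.items() if len(v) >= min_hosts}


def find_flood_sources(flows, window=60, min_hosts=3, min_bytes=1_000_000):
    """Return targets that, inside one time window, receive high-volume
    traffic from many internal hosts at once (the 'attack <ip>' moment).
    Output maps target -> sorted list of internal hosts to investigate."""
    buckets = defaultdict(lambda: defaultdict(int))  # (window, dst) -> src -> bytes
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            buckets[(f["ts"] // window, f["dst"])][f["src"]] += f["bytes"]
    hits = {}
    for (_, dst), per_src in buckets.items():
        heavy = sorted(s for s, b in per_src.items() if b >= min_bytes)
        if len(heavy) >= min_hosts:
            hits[dst] = heavy
    return hits


def flow(ts, src, dst, dport, nbytes, duration):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "bytes": nbytes, "duration": duration}


# Constructed sample flows (timestamps in seconds, documentation-range IPs).
SAMPLE_FLOWS = [
    # four internal hosts parked on the same external IRC server for hours
    flow(0, "10.0.1.10", "198.51.100.5", 6667, 4_000, 14_400),
    flow(0, "10.0.1.11", "198.51.100.5", 6667, 3_900, 14_400),
    flow(0, "10.0.2.12", "198.51.100.5", 6667, 4_100, 14_400),
    flow(0, "10.0.3.13", "198.51.100.5", 6667, 4_200, 14_400),
    # a legitimate user on another IRC server, short session: not flagged
    flow(0, "10.0.9.99", "203.0.113.7", 6667, 20_000, 600),
    # two minutes later the same four hosts blast one target
    flow(120, "10.0.1.10", "192.0.2.40", 80, 9_000_000, 60),
    flow(121, "10.0.1.11", "192.0.2.40", 53, 8_500_000, 60),
    flow(122, "10.0.2.12", "192.0.2.40", 1234, 9_500_000, 60),
    flow(125, "10.0.3.13", "192.0.2.40", 80, 7_000_000, 60),
    # an ordinary large download from a single host: not flagged
    flow(130, "10.0.9.99", "203.0.113.8", 443, 5_000_000, 60),
]
```

Hosts that appear in both results are the ones worth pulling off the network and reimaging, since the rendezvous server address also tells the operator what to block at the border.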


Thanx for the post Ryvar...good stuff
posted by jmd82 at 11:19 PM on January 18, 2003


Wow! This thread needed a 'NERDS ONLY' alert.
posted by HTuttle at 1:15 AM on January 19, 2003


Welcome to the Internet: NERDS ONLY. Better? *grins*
posted by Ryvar at 2:24 AM on January 19, 2003


Thanks, Ryvar!

Another not terribly bright general user here. I like reading stuff like this. However, it raised a couple of questions, I hope you don't mind. You wrote: "software firewalls like BlackICE often make security worse as continue to contain countless holes." What about ZoneAlarm? I thought it was good enough, is it also full of holes?

And what about the stuff on this site: LockDown Corp., that someone linked to? "We pick up where anti-virus programs and firewalls leave off", they say. Do we need their stuff (only $99 a year)? Are they credible?

posted by Termite at 4:40 AM on January 19, 2003


Every software firewall for Windows that I know of has contained numerous holes throughout their history, including ZoneAlarm. ZoneAlarm has a *FAR* better track record than BlackICE, but both have at one time had published holes that allowed for full remote compromise of the target machine.

Here's what I got from 45 minutes of searching BugTraq, a mailing list that absolutely everybody who touches a computer should be forced to read. These are the significant failings since 2000 for the two major software firewalls for Windows.

Zone Alarm:
major:
The big one.

minor:
Ignores certain packets
Subnet trust misplaced
Ignores certain packets 2
ZoneMail weakness
ZoneMail further weakness

BlackICE:
major:
The big one (EXPLOITABLE BUFFER OVERFLOW AAARGH)
Can be crashed via simple ping flood(!)

minor:
Autoblock as denial of service
Failure to restart from suspended mode
Failure to detect DOS attacks entirely
Failure to detect DOS attacks entirely 2
Sub-PARANOID BlackICE vuln. to BackOrifice

As for the product you ask about - I have no knowledge of this product, I've never heard of it when talking to other people interested in security (I'm not a qualified security expert here, just another OpenBSD tinfoil-hat type). I can't speak for it one way or another. I *CAN* tell you that the best approach for dumbed-down firewall security is a hardware solution. Many hardware companies that sell hubs also sell simple firewalls for $50-99, and I'd be highly wary of Linksys, btw. The hardware solution is what I'd go with if I couldn't be bothered to really get proactive.

If I could be bothered to do so, I'd use an old machine - that old Pentium II lying unused in the corner, say - slap in a second network card and make it an OpenBSD firewall. For the x86 platform, OpenBSD is pretty much the final word in security with constant ongoing auditing by all developers involved. And thank you DARPA for finally funding something really worthwhile with all that government money.
posted by Ryvar at 5:49 AM on January 19, 2003


Sorry for the bad link at the end, OpenBSD
posted by Ryvar at 5:52 AM on January 19, 2003


Thanks a lot!

I'm not anxious about computer security (nothing bad has ever happened to me so far), but I like to learn. Never heard of BugTraq. I will check them out.

posted by Termite at 9:50 AM on January 19, 2003


Great post, Ryvar.

And yeah, stay away from LinkSys. Several major office supply stores are having sales on LinkSys stuff right now... because they're blowing out their inventory and no longer want to carry it.
I would suggest that anyone who has a cable modem connection should either set up a BSD machine as above, or they should buy a Cable/DSL router/hub for $100 at their local computer junk store, and plug it in. Usually, it doesn't even require any configuration. I always recommend D-Link hardware. My Router and WAP are both DLink, and I never have problems with either.

And please, don't leave your computer hanging out in the DMZ all the time... If you use p2p programs or games that can't handle NAT or firewalling, figure out how port-forwarding works and USE it.
posted by SpecialK at 2:28 PM on January 19, 2003


Well now, I'm sitting behind a router and I have set up port forwarding with various degrees of success. None of which means I'm invulnerable. Is there a good Ad-Aware type way to monitor this stuff? Ever since I moved to a router (and the hardware firewall), I kinda miss Zone Alarm popping up and letting me know things were trying to get in or out.
posted by yerfatma at 5:04 PM on January 19, 2003


Thanks, Ryvar.
posted by vito90 at 7:42 PM on January 19, 2003


SoulSeek
posted by Satapher at 11:57 PM on January 19, 2003


Arg, SoulSeek
posted by Satapher at 11:58 PM on January 19, 2003


Yerfatma: this is hugely dependent upon what hardware you have, and not to cop out on you and you alone here but I honestly cannot answer questions regarding specific models or even brands for fairly obvious reasons (I don't know). My own method is to use the BSD route and simply have both the NAT and webserver machines email me the second something suspicious hits them or goes on internally - this is the nice part of having a full OS for your firewall.

To be honest, provided you stay on top of updates for your firewall, it simply doesn't matter if you're being scanned provided you blackhole (outright drop without response) all incoming traffic. Hackers (or rather, their automated scripts) don't routinely bother to scan the upper port #s used by games that you are forwarding right now, and even if they did it's not like you're running a server on that port.

Once you stop blackholing and start running a service (mail, chat, web, gaming servers) that's when you become a specific target and need to become severely paranoid. If you're not serving, your only imperative is to make yourself significantly more of a hassle than the next IP address. Given the levels of security common today, this is a very, very easy requirement to fulfill.
posted by Ryvar at 2:32 AM on January 20, 2003


No problem-- I wasn't looking for any hand-holding. What you provided is perfect. Thanks.
posted by yerfatma at 5:03 AM on January 20, 2003


some news about dalnet:

click here
posted by chrisroberts at 8:04 AM on January 20, 2003


Termite: Don't throw your money away.
posted by sonofsamiam at 10:09 AM on January 20, 2003


Thanks, sonofsamiam!

Maybe I'll spend that dough on a firewall/router instead, if I got anything left after my dentist takes his cut tomorrow...

posted by Termite at 11:23 AM on January 20, 2003

