The Strange Tale of the Denial of Service Attacks Against GRC.COM:
June 1, 2001 8:07 AM

The Strange Tale of the Denial of Service Attacks Against GRC.COM: The story of Steve Gibson's infiltration into the hacker world after a series of Distributed Denial of Service (DDoS) attacks on his site. His in-depth analysis of the attacks is fascinating and scary, as is his assertion that new features in Windows XP will allow DDoS attacks to be more devastating than any currently possible attacks. [via DyREnet]
posted by tallman (30 comments total)
i'm jumping ship when windows XP comes out. osx, here i come.
posted by moz at 8:09 AM on June 1, 2001

It's an excellent article. Really gripping. I'm getting all gooey eyed over Macs too for some reason. I wish they'd port OS X for x86 though, that'd be just lovely...
posted by nedrichards at 8:22 AM on June 1, 2001

The one piece of info that's missing is how the zombie programs get installed on the PCs in the first place. Are they installed remotely via some known Windows exploit? Do users get duped into downloading and executing an .exe?
posted by tippiedog at 8:38 AM on June 1, 2001

Gibson's flair for the melodramatic needs to be taken with a grain of salt. Please remember the whole earthlink browser cookie deal which he trumpeted with great fanfare, only to recant later when he found out the real story. Yes he writes well for those who aren't super techy, but I find his journalism to be half-cocked.
posted by machaus at 8:40 AM on June 1, 2001

I don't know, I didn't think this article was sensationalist or half-cocked. Did you read it, machaus, or did you just assume because you've read his stuff before? Pretty methodical, seemed to me, and very well written. Scary, too. I think I'm going to download ZoneAlarm when I get home.
posted by starvingartist at 8:56 AM on June 1, 2001

Gibson mentions that the bots are propagated through the usual methods: downloaded as bogus .exes in email, newsgroup postings, etc.
posted by ahughey at 9:14 AM on June 1, 2001

He *has* been known to get a little around the corner, occasionally.

And a "zombie" is a dead unix process, waiting to be reaped. Gratuitous redefinition isn't well thought of, neither.

Especially since I think there's *already* a name for DDOS sleeper "clients".
posted by baylink at 9:15 AM on June 1, 2001

Honestly, the most shocking thing about all this to me isn't the fact that operating systems can generate evilness and inflict it upon others, it's that the ISPs don't seem to give a shit. I've had my own experiences with Verio (Gibson's ISP), and have been massively underwhelmed; likewise, experiences with the "security teams" at a few other of the biggies has left me wondering why these are the people left with the keys.

I can't stand that Gibson is blaming Windows, though. Linux does raw sockets, and MacOS X supports raw endpoints (it uses streams rather than sockets). Like tippiedog said, the problem occurs when the trojan gets onto the system, not with what it's allowed to do by the system.

Gibson's screaming to have cars banned, when what he really wants is for people to stop driving them drunk.
posted by delfuego at 9:20 AM on June 1, 2001
I'm not done reading this yet.

But Gibson's just *wrong* this time.

He seems to think that the consequence of WinXP allowing source address forging is that attack profiles will *change* somehow, into something different, which won't be filterable.

He's wrong.

All that would change is that the sources of the attack couldn't reliably be traced.

The edges of the internet should be dropping packets with spoofed source addresses anyway, but that's a different fight.
posted by baylink at 9:28 AM on June 1, 2001
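The edge filtering baylink refers to is source address validation (ingress filtering, RFC 2827 / BCP 38): a provider's edge router forwards a customer's packet only if its source address belongs to a prefix assigned to the interface it arrived on. The sketch below is an added example, not code from the thread or from Gibson's article; the interface names, prefixes and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed topology: the prefixes legitimately sourced behind each
# customer-facing interface of a hypothetical edge router.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}


def source_is_valid(interface, src_ip):
    """True if src_ip lies inside a prefix assigned to the ingress interface.

    Unknown interfaces and unparsable addresses are treated as invalid
    (default deny), which is the safe choice for an edge filter.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_is_valid(iface, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: two packets carry addresses the customer
# actually holds; the rest claim addresses from another customer, from an
# unallocated range, or arrive on an interface with no assigned prefixes.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.1"),      # legitimate, forwarded
    ("cust-a", "198.51.100.9", "192.0.2.1"),     # cust-b's address on cust-a, dropped
    ("cust-b", "198.51.100.150", "192.0.2.1"),   # inside 198.51.100.128/26, forwarded
    ("cust-b", "198.51.100.200", "192.0.2.1"),   # outside both cust-b prefixes, dropped
    ("cust-b", "10.0.0.5", "192.0.2.1"),         # private range, dropped
    ("cust-c", "203.0.113.9", "192.0.2.1"),      # unknown interface, dropped
]


def summarize(packets=SAMPLE_PACKETS):
    """Return (forwarded_count, dropped_count) for a batch of packets."""
    forwarded, dropped = filter_packets(packets)
    return len(forwarded), len(dropped)


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drp:
        print("drop   ", pkt)
```

The filter does exactly what the comment above claims and no more: a packet forged with a source address inside the customer's own prefix still passes, so the check restores traceability (the source can be narrowed to that customer) rather than changing what the attack traffic looks like downstream.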

damn. makes me want to learn some code.
posted by Hankins at 9:30 AM on June 1, 2001

And, to explain to starvingartist why it is that we think Gibsons' prose needs a little tuning...

it's that he occasionally has something important to say... and the people whom it's important to have listening are tired of the blather.
posted by baylink at 9:44 AM on June 1, 2001

This appears to be down -- mirror at
posted by ph00dz at 9:56 AM on June 1, 2001

Gibson is definitely a little too verbose when it comes to writing stuff. Some good points definitely get lost in the glut of text...

And I don't think Gibson is blaming windows... yet. I think he's just trying to warn people about the possible dangers of raw sockets, especially when the typical user of XP is bound to be a novice home user. Yeah, linux and unix support raw sockets, but if someone's using linux, chances are that they're more inclined to know about raw sockets and whatnot...
posted by tallman at 10:38 AM on June 1, 2001

Perhaps, before you are allowed to get DSL or any broadband connection, you are required to pass a home network security test. Or perhaps some kind of legislation is required that requires the bandwidth providers to perform network security checks on their end users' systems/LANs and notifies them when it finds a possible breachpoint.

The potential problem predicted by Gibson regarding the vulnerability of WinXP systems is a pretty big issue. The fact that Unix/Linux systems already have these kinds of capabilities is kind of a moot point because a pretty good majority of the sysadmins of these machines are aware of things like installing and configuring firewalls and not running apps and services that could cause security vulnerabilities. The problem only really comes to the forefront when suddenly millions of WinXP machines are hooked up to the Internet, many with broadband connections, which are being maintained by clueless and naive end users. The script kiddies are going to have a field day.
posted by camworld at 11:04 AM on June 1, 2001

OSX + x86 = nightmare

the PowerPC is by far the better architecture.

Jumping ship on XP won't help to curb the issue. The only thing that can be done is to persuade MS to alter their socket implementation.

Not that you shouldn't jump ship on XP, of course. Because you should. But still, don't jump ship for the wrong reasons.
posted by Succa at 11:52 AM on June 1, 2001

People always bandy about the notion that Unix/Linux sysadmins, unlike Windows users, are aware of the security implications of things, but I'd *love* to see some data to support this. In my experience, Unix/Linux sysadmins come in as many varieties as do any other group of users -- there are very competent ones, there are semi-competent ones, there are ones who have passed basic proficiency level testing on the platform, and there are morons. (I can't say that the very competent ones make up the largest group, either, but again, that's in my experience.) But people -- in this very thread -- seem to generalize in two very distinct ways: Windows users are clueless and naive, and Unix/Linux users are savvy and intelligent.

The basic fact is that Windows gets the flack, blame, and stigma because it's so damn pervasive. Linux isn't a huge launching point for attacks in part because there aren't a bajillion of them out there connected to the net like there are Windows machines; same thing goes for Macs.
posted by delfuego at 11:58 AM on June 1, 2001

Gibson is quite right to focus on Windows systems. Not because Linux et al. can't be made to spoof packets, but because the vast majority of the raw material in the Petri dish is Windows systems hooked up to broadband.
posted by dws at 12:07 PM on June 1, 2001

Gibson hints at a product that goes one more level than current protections. Norton Anti Virus (and others) and Zonealarm (probably not others, because of Zonealarm's radically different design -- but rest assured that too will become an attack target eventually) are great at picking up current infections and removing them from individual systems. What we need is something that tags the IRC channel they're using and finds all the other systems in that set of zombies and then alerts the owners and ISPs, a little like ORBS does for open mail relays that are abused by spammers. In other words, defense needs to be proactive -- and somehow the ISPs need to be brought into the loop, TOS needs to be flexible for the white hats, and TOS needs to get harsh for the hapless victims who choose not to fix problems that are uncovered.

I think dws is correct from a strategic standpoint, though delfuego's also making a good point about the political aspects. It's unfortunate but true: Windows is going to be the bigger problem by far. Gibson, OTOH, needs to be less breathless and rush a little more slowly to judgement. He hurts his own cases with the Chicken Little routine. Will this be a bigger problem next year? Probably. Will it mean the end of the internet as we know it? Probably not.
posted by dhartung at 12:47 PM on June 1, 2001

oh, believe me, i wasn't quitting on windows because of the article.
posted by moz at 12:51 PM on June 1, 2001

Something Gibson only touches on is the fact that you CAN create spoofed packets with current windows machines, it is just more difficult to do. The Script-Kiddies don't much care if packets are spoofed or not, sure, someone MIGHT find the trojaned machine quicker but they have plenty more to work with. And if they need to spoof packets, someone will write up code to do it, whether it is an easy API call or a little more code to assemble packets.

The real issue is preventing lusers from running and propagating these trojans in the first place, not the technical capabilities of consumer operating systems. A secondary issue is identifying the people that participate in these crimes. As shown, lots of people that should care don't and that is the attitude that will let this continue, again, not the capabilities of the OS.
posted by mutagen at 1:13 PM on June 1, 2001

The script kiddies are going have a field day
Wicked hates that.
posted by jpoulos at 1:15 PM on June 1, 2001

Ya, really. The last thing we need is yet *another* MF outage...
Wicked, if you're reading this, you're super-l33t.
posted by darukaru at 3:15 PM on June 1, 2001

actually, this is really scary
I just got an icq message from my friend about a virus he found in rundIl, which is the exact same file that this zombie program creates.
it could be any of us.
posted by starduck at 5:30 PM on June 1, 2001

It seems that may be undergoing another attack.

Visualroute reports that "Connections to HTTP port 80 on host '' are working, but ICMP packets are being blocked past [...]. Node [...] reports 'The destination network is unreachable.'"
posted by myl at 6:04 AM on June 2, 2001

I think Verio is blocking, as per Gibson's article. It was ICMP packets (and UDP) that were killing his site in the first place.
posted by PeterOA at 10:37 AM on June 2, 2001

On sort of a tangent here, does anyone know if ATM networks would help to eliminate this stuff, since they implement QoS and allow for better traffic policing. Or would running IP on top of ATM just leave things in pretty much the same state as they are now?
posted by shinji_ikari at 7:24 PM on June 2, 2001

The author of this article spends a couple dozen pages glamorizing a thoroughly mundane DDOS attack and thereby succeeds in making himself look like an ignorant, self-important buffoon. If the turgid descriptions of the eeeevil scriptkidde underground, bombastic proclamations of imminent danger, and constant references to past exploits aren't annoying enough, the overwhelming use of silly layout tricks makes the entire thing seem ridiculous. Just take a look at some of this stuff:

"While I was conducting research into the hacker world following these DoS attacks, I encountered evidence..."

"we are going to experience an escalation of Internet terrorism the likes of which has never been seen before"

"with the aid of custom spy-bots I created for the purpose"

"I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."

"the case of the Russian hacker extortion ring, for which I had recently created the PatchWork utility"

"I needed to learn how these Zombie's operate and then infiltrate the Zombie High-Command"

Oh PLEASE. Will someone please restrain this man's ego? How on earth has he managed to remain completely ignorant of DDOS attacks, teenage crackers, legions of compromised @Home windows machines, and all the rest, while running a web site that appears to sell some kind of Internet security software? The volume at which he trumpets his own cluelessness suggests that either he has no idea how obvious his dramatic revelations sound to people who've been even casually following tech news for a few months, or that the entire thing is a cynical attempt to impress people even less well informed than himself.

Broader distribution of information about DDOS attacks and other Internet security issues is a good thing, but this sort of self-glorifying, obfuscatory drama just makes the whole thing seem more mysterious. It's good for the business of hack security consultants, but doesn't help anyone else.

posted by Mars Saxman at 8:27 PM on June 2, 2001

You... go... Mars.

posted by baylink at 4:24 PM on June 3, 2001

I, for one, found this article very interesting and informative. If there is a certain dramatization of the facts presented (there is, and it certainly serves the narrative aspect) it contributes to making the article readable - instead of plain indigestible.

I read it from start to finish in one breath, and I doubt I would have if there hadn't been the "detective story" tinge to it. I'm sure I'm not unique for that.
posted by Tara at 10:39 AM on June 9, 2001

...nice sisco router, btw im 13...

That is the only proof that Gibson has that "Wicked" is 13. speak of the implemented attacks...
...and it seems quite effective does it not?

To my ears, "Wicked" simply does not sound 13. His prose, though very hax0r and 1337, is too polished and structured underneath those run-on sentences.

Perhaps I am too cynical, but this seems a great way for Gibson to promote his own product.

My $.02.
posted by avowel at 11:34 AM on June 10, 2001
