http://www.msnbc.com/news/368039.asp?cp1=1
Misconfigured routers
blamed
for spate of Internet
attacks
By Bob Sullivan
MSNBC
Feb. 9 � Security experts are still
trying to learn who�s been
attacking Web sites this week
and exactly what the vandals are
doing. But theories are starting
to emerge around an
old-fashioned �denial of service�
attack combined with a set of
new software tools that make
massive coordinated service
denials possible. And MSNBC
has learned that misconfigured
computer routers lie at the center
of the problem.
DENIAL OF SERVICE attacks
are when a Web site is overwhelmed
with so many requests that legitimate
users get the cyber equivalent of a
busy signal.
According to Joel de la Garza,
security expert at Kroll O�Gara ISP,
at the heart of the attack are
third-party computer networks used
as staging areas for attacks on
big-name Web sites.
Common among these
third-party networks are
misconfigured routers, the boxes that
act like air traffic controllers on a
network. They have been targeted
because they allow what�s called
�broadcast pings� � meaning the
router can send a note to every
machine on the network and insist on
receiving reply. In most routers the
service is turned off precisely
because it could create large volumes
of unnecessary traffic.
The real problem occurs when
the computers on the third-party
network are tricked � not only into
replying to the host router � but also
into replying to the real victim�s
router. In one of the attacks, de la
Garza said, broadcast pings were sent
from 50 large networks right at the
victim�s router, quickly toppling the
Web site.
Key to the scheme is the ability
to trigger such
router activity
remotely and
simultaneously.
To do that, the
vandals
apparently are
using a new
software
designed to
cause exactly
this kind of
mischief.
Late last
year, the FBI�s National
Infrastructure Protection Center
issued warnings about a new set of
dangerous software tools which made
their way around the Internet that
enabled such simultaneous attacks.
What was worse, the software tools
� named Trin00, Tribal Flood
Network, and more recently,
�Stacheldraht� � had already been
found lurking on computers around
the Internet.
�The new breed of tools coming
out present the greatest threat to the
Internet to date,� de la Garza said.
�Everyone doing business on the
Internet is vulnerable to this kind of
attack.
-- Homer Beanfang (Bats@inbellfry.com), February 09, 2000
Hackers are like short sellers...they keep the system on its toes
over the long haul.
The very fact that this could happen is already stimulating thoughts
on how to improve the system.
They might deserve to go to jail, but they do society a service on
another level...no wonder they are often recruited to do computer
security.
-- perhaps these (aregood@business.ttt), February 09, 2000.
In this case the "misconfigured routers" is very probably true.
Routers can be configured to block packets in such a way that one
network can not be used to attack another. It is really quite simple
to do. As I have said elsewhere, the problem is that not many people
managing ISP's or any other networks know how to do it.
What this article describes is a way to use a third party to attack
the victims network. It is done by sending packets with return
addresses of the victim to the third party. The third partys network
responds to the victims network thus overwhelming the victims routers
or servers or whatever.
This is difficult to track because the the return address on the
packets is the address of the victim and that of not the criminal.
The biggest offenders are the very large ISP's (AOL for example) and
nearly any address ending in .edu. These institutions simply fail to
configure their routers to stop packets which did not originate in
their networks from leaving their networks... do remember the perp
has to forge the return address on a packet to be the address of some
other network for this to work...
Thus misconfigured routers is the correct answer. What is truly sad
about this is that this problem has been well discussed and understood
for more than two years now...
-- Michael Erskine (Osiris@urbanna.net), February 09, 2000.