
[infowar.de] Could Attack on DALnet Spell End for IRC?



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

[permalink http://md.hudora.de/blog/guids/35/52/4010902723178096.html]

http://www.internetnews.com/dev-news/article.php/1573551

January 24, 2003
Could Attack on DALnet Spell End for IRC?
By Thor Olavsrud

For at least a month, distributed denial of service, or DDOS, 
attacks have been crippling DALnet, one of the world's largest Internet 
Relay Chat networks, bringing it to its knees and raising the 
possibility that many hosting providers may refuse to host IRC servers 
at all.

"DALnet is presently suffering extensive and prolonged Distributed 
Denial of Service attacks against our IRC servers, Web server, mail 
servers and DNS systems," DALnet said on its Web site. "These attacks 
are causing great inconvenience and financial loss to many of the 
organizations that host our services, as such some of them have 
suspended or discontinued their support of DALnet."

IRC, developed by Jarkko Oikarinen of Finland in 1988, allows people 
connected anywhere on the Internet to join in live discussions. Each 
discussion is on a "channel," and many people can join at once. DALnet 
was one of the earliest IRC networks, formed by users of EFnet (Eris 
Free Network) in June 1994 because of the netsplits (caused when the 
connection of one or more servers in a network is broken) and lag that 
were plaguing that network. DALnet pioneered Services, which allowed 
users to control their presence online without being harassed or having 
channels stolen from under them.

But these days DALnet -- which is manned by volunteers and run with 
equipment and bandwidth donated as a service to the Internet community 
-- is hanging on by a thread as sustained DDoS attacks flood its 
servers and even threaten the networks that host its servers. The 
attacks have forced DALnet's administrators to take down most of its 
client servers and leave them down rather than risk taking down its 
hosts.

"Yes, as you all know, DALnet has been attacked again by criminals who, 
for reasons known only to themselves, choose to spoil the enjoyment of 
so many," Emma/Curve, chief editor of the DALnetizen ezine and one of 
DALnet's administrators, wrote in the January issue of the ezine. 
"These latest attacks are worse than any of the server administrators 
have seen before, attacks large enough to cripple the networks which 
host our servers, let alone the servers themselves."

The attacks come in the form of 'botnets,' whole networks of malicious 
bots, created by Trojans, which flood DALnet's 
network with packets. According to Curve, those packets are coming in 
at a rate of Gbps.

"It's no secret that DALnet has suffered massive attacks recently, far 
greater than anything we've seen before," she said. "We've been ravaged 
by DDOS attacks in the Gbps range, attacks which are not just crippling 
our IRC servers, but causing disruption to the providers who host those 
servers."

She continued, "Why do I say that more than DALnet is at stake? Well, 
because the more these people amass herds of infected computers 
(botnets) to attack IRC servers with, the more service providers will 
quickly come to the conclusion that hosting an IRC server is a 
liability. Already many providers simply won't countenance hosting an 
IRC server and if this random vandalism continues, the harder it will 
be for non-profit IRC to continue in any reasonable form at all. That 
could jeopardize the future for all IRC networks, not simply DALnet."

The Trojan spreads through e-mail, or even when a user visits a Web 
site with a bit of hidden code, and the users won't know unless their 
anti-virus software is up to snuff. Once the Trojan makes its way onto 
a machine, the next time that computer connects to the Internet the 
Trojan will start up an IRC client and connect to a server -- often an 
IRC server set up on a shell account and paid for with a stolen credit 
card. The Trojan then creates a bot which is programmed to join a 
certain channel once it has connected.

A successful Trojan which has propagated widely can fill a channel with 
bots. Curve said she and other members of DALnet's Exploits Team have 
seen channels with as many as 4,000 to 5,000 bots -- each a home 
computer infected with a Trojan. A collection of such bots in a channel 
is a botnet.

Once the person who wrote the Trojan comes online, the botnet is 
waiting for him, and he can use it for a number of things, the worst 
being a DDOS -- using hundreds or thousands of bots to send data to a 
server until its connection becomes saturated and it crashes. Not only 
does such an attack inconvenience chatters using IRC services, it can 
also affect the service providers who host IRC servers, preventing 
their customers -- even ones who don't use IRC -- from going online.

"It could be surmised that people who launch DDOS attacks know their 
intended target and can find enough bandwidth to bring the target 
down," Aaron Schultz, a provider of DALnet hosting, wrote in the 
January issue of DALnetizen. "The problem that most don't seem to think 
about are the related networks which also get hit. The small ISP which 
has an infected customer who suddenly starts using all available 
bandwidth, the nationwide latency created on some networks due to the 
amount of packets or the small businesses that have servers on a 
network near the intended target."

"Another example of innocent targets being hit are when ISPs experience 
nationwide latency and regional outages due to these attacks," he 
wrote. "Are the attacks that I receive that have caused such major 
outages attacks on me, or the entire U.S.? And should all of the ISP's 
Southern California customers be taken offline just because of 
someone's disagreement with DALnet? No."

DALnet administrators continue to hold out hope that the situation can 
be resolved. DALnet said it is working with a number of law enforcement 
agencies to track down those responsible, has lodged complaints with 
the ISPs it has been able to trace, and has the help of experts in 
dealing with DDOS attacks.

So when will the attacks stop? "We don't know," DALnet said. "They will 
stop when either the attackers decide to stop attacking, the attackers 
get arrested or shut down by their ISPs, or when DALnet runs out of 
goodwill from its sponsors and is forced to close."

[LinuxSecurity.com, http://www.linuxsecurity.com]
-- 
Max Dornseif - http://md.hudora.de/blog/categories/originalContent/
Dipl. Jur., University of Bonn, Germany - ars longa, vita brevis!
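
The article describes infected home computers that connect to an IRC server, join one fixed channel and then sit idle until their controller appears. The following is an added example, not part of the original post or article: a server-side heuristic that flags large channels in which almost nobody ever speaks. The log format (RFC 1459 style relayed lines), the thresholds, and all nicknames, hosts and channel names are constructed assumptions.

```python
import re
from collections import defaultdict

# RFC 1459 relayed message: ":nick!user@host COMMAND params"
MSG_RE = re.compile(
    r"^:[^!\s]+![^@\s]+@(?P<host>\S+) (?P<cmd>JOIN|PRIVMSG) :?(?P<target>\S+)")

def channel_stats(lines):
    """Map channel -> hosts that joined and hosts that ever spoke there."""
    stats = defaultdict(lambda: {"members": set(), "speakers": set()})
    for line in lines:
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # numerics, PINGs, malformed lines
        key = "members" if m["cmd"] == "JOIN" else "speakers"
        for chan in m["target"].lower().split(","):  # JOIN may carry "#a,#b"
            if chan.startswith("#"):  # ignore private messages to a nick
                stats[chan][key].add(m["host"])
    return stats

def suspected_botnet_channels(lines, min_members=50, max_speaker_ratio=0.02):
    """Return (channel, members, speakers) for large, almost silent channels.
    Both thresholds are assumptions and need tuning per network."""
    hits = []
    for chan, s in channel_stats(lines).items():
        members = len(s["members"])
        speakers = len(s["speakers"] & s["members"])
        if members >= min_members and speakers / members <= max_speaker_ratio:
            hits.append((chan, members, speakers))
    return sorted(hits)

def constructed_sample():
    """Constructed log: one idle herd, one busy large channel, one small one."""
    log = []
    for i in range(60):  # 60 idle clients on home-ISP hosts, none ever speaks
        log.append(f":u{i:04d}!x@dsl-{i}.isp.example JOIN :#x9k2")
    log.append(":op!o@shell.hosting.example JOIN :#x9k2")
    log.append(":op!o@shell.hosting.example PRIVMSG #x9k2 :hello")
    for i in range(60):  # busy help channel: a third of the members talk
        log.append(f":h{i}!h@cust-{i}.net.example JOIN #help")
        if i % 3 == 0:
            log.append(f":h{i}!h@cust-{i}.net.example PRIVMSG #help :hi")
    for i in range(5):  # small channel, below the size threshold
        log.append(f":l{i}!l@pc-{i}.lan.example JOIN #linux")
        log.append(f":l{i}!l@pc-{i}.lan.example PRIVMSG #linux :hello")
    return log

if __name__ == "__main__":
    for hit in suspected_botnet_channels(constructed_sample()):
        print(hit)
```

A hit is a lead for manual review, not proof: announcement or logging channels can look the same, so the list of member hosts is what an abuse team would pass on to the ISPs concerned.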

