I, Cringely - The Survival of the Nerdiest with Robert X. Cringely

The Pulpit

Weekly Column

The Plot Thickens: Why is Everybody Talking About Distributed Denial of Service but Nobody is Saying Anything?

By Robert X. Cringely
bob@cringely.com

Last week's Distributed Denial of Service (DDoS) attacks led to this week's White House photo op. Did you see it? How do they decide who gets to be at these top-level events? Certainly there seems to be no priority placed on participants who actually know what is going on. There was only one person on the program (Peter Mudge) who even had a clue. In fact, the entire DDoS phenomenon has me confused. What's the point of it all?

As I mentioned last week, almost nobody was hurt by the flurry of DDoS attacks. They were aimed strictly at endpoints, not at upstream spots on the Net that might have caused far more disruption. With the exception of some lost deals on E*Trade, there was hardly any economic impact. Certainly the attacks were orchestrated for maximal publicity. So maybe it was just a show of force, some cracker proving that he or she was smarter than the rest of us. That's what I thought last week.

But this week, my thinking has changed. What bothers me most is how little we are being told about what actually happened in the attacks. Sure, there is the usual explanation about how a Denial of Service attack might generally be conducted. But why haven't we been told in excruciating detail about how these attacks were made? We know more about the metallurgy of MD-80 jackscrew gimbal nuts than we know about a computer attack that shut down important pieces of the Internet for hours, affecting millions of users. Why isn't there more information available? All we keep hearing is that the real crackers are offended by the brute force nature of these attacks, and that Janet Reno has the FBI donning pocket protectors in hot pursuit of ... well, nobody in particular.

Back in the early days of personal computing, we used to feel reluctant at the magazines where I worked to cover computer viruses. We all had this sinking feeling that just maybe those new viruses were coming from the anti-virus companies themselves. Now that I have spent some time with John McAfee, who pretty much invented the anti-virus business, I don't believe this was the case. And I certainly don't want to believe that last week's DDoS attacks were orchestrated by Internet security companies, though their stock prices certainly benefited.

Here are the questions I wanted answered. How were these attacks made? What particular vulnerabilities were exploited? Were any particular types of systems involved? What could be done to avoid future attacks? None of these questions were being answered in the general press, nor were they being answered by the computer press.

Frustrated by the lack of available information, I went looking for help and eventually found it. So here is my very amateurish attempt at explaining what really happened last week, and how it relates to the current state of world computing. Remember, I am not in any way an expert on this stuff, but since nobody else seems to be writing it, then it must be up to me.

In last week's column I ran with some of the generic DDoS descriptions and surmised that a virus or worm of some sort was taking over PCs and triggering these packet storms. Not so. The Distributed Denial of Service attacks probably aren't being propagated by a PC virus, although I'm sure that if someone hasn't tried it yet, they will. The sad truth is that most of the attacks are probably coming from larger machines running Sun Microsystems' Solaris operating system, exploiting nasty bits of code that are called trin00 or TFN "amplifiers."

If Solaris systems are at the heart of this, why hasn't anyone mentioned it? These amplifiers have been doing their dirty work since October and were well understood by December, but the particular infection method used last week wasn't understood or at least not mentioned. The programs gain access through firewalls that allow outside connections to port 111, which is used for Sun Remote Procedure Calls. Control is generally from ports in the 600s, which suggested to folks much smarter than me that the primary launch sites were universities (UC Santa Barbara, UCLA, and two midwestern schools). The way these Distributed Denial of Service attacks work is by causing a bunch of amplifiers to send HTTP requests to the servers to be attacked. Trin00 and TFN have been propagated around the net using some vulnerabilities in Solaris 2.5 and 2.6 that have been "fixed" by Sun. A big part of the problem is that customers don't keep up on Sun's security patches.

What was significant about last week's attacks was their massive scale. This is the really scary part that certainly hasn't been mentioned anywhere to my knowledge. What appears to be happening is that the bad guys are keeping databases of IP addresses or domain names and the operating systems running at those sites. When a Solaris security vulnerability becomes evident — that is when Sun announces to its customers that they've found a problem that needs fixing — the crackers exploit that very announced vulnerability and use their database to quickly install the amplifier clients, which can be triggered later. Once these clients are installed, Sun's security patch doesn't do any good; you have to find and catch the client code, which has been concealed. That is part of the reason why the attacks took hours to end.

Many Solaris customers don't install security patches for months, or maybe forever, figuring the next OS revision will catch it. So once a vulnerability is known, there is a practically limitless pool of exploitable machines — even at Sun, which doesn't do a perfect job of keeping its own machines up-to-date.

How should system administrators react to this? They should immediately install the latest Solaris security patches. They should make sure their firewalls block port 111, and their servers outside the firewall should have the Sun RPC portmapper daemon removed. This is not rocket science, just basic IP security. So why do you have to read it here instead of in Computerworld?
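As an added example (not code from the column or from Sun), here is a small Python audit of the check the paragraph above recommends: parse the output of `rpcinfo -p` for a host and list what the Sun RPC portmapper on port 111 is advertising. The sample output is constructed, not captured from any real host; the program numbers it uses (100000 rpcbind, 100024 status, 100068 cmsd, 100083 ttdbserverd) are the standard ones registered with the portmapper. The caveat it makes visible: blocking port 111 at the firewall hides the directory, but the registered services still answer on their own ports, so the filter has to cover those too, or the daemons have to go.

```python
"""Audit a host's Sun RPC exposure from `rpcinfo -p` output.

Added example, not code from the original column. The sample output below is
constructed to resemble a Solaris host of the era; the program numbers are the
standard ones the portmapper (rpcbind, port 111) registers.
"""
import re
from dataclasses import dataclass

# Constructed sample of `rpcinfo -p <host>` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100068    2   udp  32773  cmsd
    100068    5   udp  32773  cmsd
    100083    1   tcp  32772  ttdbserverd
"""

PORTMAPPER_PROG = 100000  # program number of rpcbind/portmap itself

@dataclass(frozen=True)
class RpcService:
    program: int
    version: int
    proto: str
    port: int
    name: str

# One data line: program, version, proto, port, optional service name.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")

def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into RpcService records; header lines are skipped."""
    services = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        prog, ver, proto, port, name = m.groups()
        services.append(RpcService(int(prog), int(ver), proto, int(port),
                                   name or f"prog-{prog}"))
    return services

def registered_services(text):
    """Distinct (name, proto, port) of everything advertised except the portmapper."""
    seen, out = set(), []
    for s in parse_rpcinfo(text):
        if s.program == PORTMAPPER_PROG:
            continue
        key = (s.name, s.proto, s.port)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out

def ports_to_block(text):
    """(proto, port) pairs a border filter must drop: 111 plus every service port.

    Dropping 111 alone removes the directory, not the services; an attacker can
    still probe the high ports directly.
    """
    ports = {("tcp", 111), ("udp", 111)}
    for s in parse_rpcinfo(text):
        ports.add((s.proto, s.port))
    return sorted(ports)

def unfiltered_ports(text, deny_rules):
    """RPC-related ports still reachable given a set of (proto, port) the filter drops."""
    return [p for p in ports_to_block(text) if p not in set(deny_rules)]

if __name__ == "__main__":
    for name, proto, port in registered_services(SAMPLE_RPCINFO):
        print(f"{name:12s} {proto}/{port}")
    # A filter that only drops 111 leaves the service ports open.
    print("still reachable with only 111 filtered:",
          unfiltered_ports(SAMPLE_RPCINFO, {("tcp", 111), ("udp", 111)}))
```

Run it against real output by piping `rpcinfo -p host` into `parse_rpcinfo`; anything it lists on a server that sits outside the firewall is a daemon the paragraph says should not be there.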

Get the government involved and the answer could be anything. Maybe they are trying to lure the perps into attacking again and expect this time to nab somebody. We need a nice conspiracy theory here. Maybe the government, itself, is launching the attacks? Nah. Maybe Microsoft is doing it in an effort to distract us from those thousands of bugs in Windows 2000. Probably not.

Now it's your turn. What the heck is going on?
