Misconfigured routers blamed for spate of internet attacks

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread


Misconfigured routers blamed for spate of Internet attacks By Bob Sullivan MSNBC

Feb. 9  Security experts are still trying to learn whos been attacking Web sites this week and exactly what the vandals are doing. But theories are starting to emerge around an old-fashioned denial of service attack combined with a set of new software tools that make massive coordinated service denials possible. And MSNBC has learned that misconfigured computer routers lie at the center of the problem.

DENIAL OF SERVICE attacks are when a Web site is overwhelmed with so many requests that legitimate users get the cyber equivalent of a busy signal.

According to Joel de la Garza, security expert at Kroll OGara ISP, at the heart of the attack are third-party computer networks used as staging areas for attacks on big-name Web sites.

Common among these third-party networks are misconfigured routers, the boxes that act like air traffic controllers on a network. They have been targeted because they allow whats called broadcast pings  meaning the router can send a note to every machine on the network and insist on receiving reply. In most routers the service is turned off precisely because it could create large volumes of unnecessary traffic.

The real problem occurs when the computers on the third-party network are tricked  not only into replying to the host router  but also into replying to the real victims router. In one of the attacks, de la Garza said, broadcast pings were sent from 50 large networks right at the victims router, quickly toppling the Web site.

Key to the scheme is the ability to trigger such router activity remotely and simultaneously. To do that, the vandals apparently are using a new software designed to cause exactly this kind of mischief.

Late last year, the FBIs National Infrastructure Protection Center issued warnings about a new set of dangerous software tools which made their way around the Internet that enabled such simultaneous attacks. What was worse, the software tools  named Trin00, Tribal Flood Network, and more recently, Stacheldraht  had already been found lurking on computers around the Internet.

The new breed of tools coming out present the greatest threat to the Internet to date, de la Garza said. Everyone doing business on the Internet is vulnerable to this kind of attack.

-- Homer Beanfang (Bats@inbellfry.com), February 09, 2000


Great find Homer...Hmmm...hackers and misconfigured routers to blame...who misconfigured them? Sounds kinda like they're hedging their bets about what's actually causing the problems with the major websites.

-- Carl Jenkins (Somewherepress@aol.com), February 09, 2000.

Hackers are like short sellers...they keep the system on its toes over the long haul.

The very fact that this could happen is already stimulating thoughts on how to improve the system.

They might deserve to go to jail, but they do society a service on another level...no wonder they are often recruited to do computer security.

-- perhaps these (aregood@business.ttt), February 09, 2000.

In this case the "misconfigured routers" is very probably true. Routers can be configured to block packets in such a way that one network can not be used to attack another. It is really quite simple to do. As I have said elsewhere, the problem is that not many people managing ISP's or any other networks know how to do it.

What this article describes is a way to use a third party to attack the victims network. It is done by sending packets with return addresses of the victim to the third party. The third partys network responds to the victims network thus overwhelming the victims routers or servers or whatever.

This is difficult to track because the the return address on the packets is the address of the victim and that of not the criminal. The biggest offenders are the very large ISP's (AOL for example) and nearly any address ending in .edu. These institutions simply fail to configure their routers to stop packets which did not originate in their networks from leaving their networks... do remember the perp has to forge the return address on a packet to be the address of some other network for this to work...

Thus misconfigured routers is the correct answer. What is truly sad about this is that this problem has been well discussed and understood for more than two years now...

-- Michael Erskine (Osiris@urbanna.net), February 09, 2000.

Moderation questions? read the FAQ