[ISN] Internet Chat Wars Spill Over

From: mea culpa (jerichoat_private)
Date: Sat Jan 23 1999 - 01:27:49 PST

    Forwarded From: anon <anonat_private>
    
    http://www.nytimes.com/techweb/TW_Internet_Chat_Wars_Spill_Over_.html
    January 21, 1999
    Internet Chat Wars Spill Over 
    Filed at 8:13 p.m. EST
    By Andy Patrizio for TechWeb, CMPnet
     
    A growing number of network administrators are finding themselves on the
    receiving end of an attack that they can't stop, thanks to an exploit in
    TCP/IP and one malicious hacker.
    
    Problems often originate on Internet Relay Chat, a real-time chat network
    known as IRC with thousands of channels and tens of thousands of users
    where people meet and talk in "chat rooms" in real time. The oldest and
    most widely used is the EFNet, which has on average 8,000 channels and
    40,000 users during peak hours. 
    
    Fights frequently break out in these channels as network gurus put their
    knowledge of TCP/IP to the worst kind of use. By using a flaw in TCP/IP,
    it's possible to attack anyone on IRC -- to knock them off chat and even
    take down their ISP.
    
    The attack is called a "Smurf" attack. Smurf works by sending out a ping
    to hundreds or even thousands of sites and telling them to all respond to
    a single IP address. Without warning, users on IRC chat will find their
    entire bandwidth completely flooded with millions of ping responses, which
    overwhelms their connection and floods them off. 
    
    A user with a 28.8k modem can put out enough bandwidth to fill one-third
    of the capacity of a T1 (1.54 megabits/sec.) line, according to Gary, an
    IRC operator who asked that his full name not be used. Gary has been
    dealing with Smurf attacks for two years. 
    
    "I used to use IRC to chat, but now I've got to try not to get flooded off
    and try not to get hacked," he said. 
    
    The problem is growing, too. The Computer Emergency Response Team (CERT) 
    at Carnegie-Mellon University said Smurf attacks went up from 3 percent of
    reported incidents in January 1998 to 10 percent by December of that year,
    according to Jed Pickel, a member of the CERT technical staff.
    
    People use the Smurf attack for almost every reason, even if someone wants
    to use an IRC nickname and another person is using it. It has gotten so
    bad, said Gary, that whole ISPs are taken down if someone has a beef with
    another person. 
    
    Yale recently removed its IRC server because of these attacks and New York
    University was recently flooded so bad it was off the network for two
    weeks, he said. At one time, 100 servers handled EFNet chatters. Now there
    are between 40 and 50, with an average of three quitting every month
    because of Smurf attacks, said Gary.
    
    As bad as Smurf attacks are, there's no way to stop them. The packet flood
    can be blocked at the router or at the upstream service provider, but that
    doesn't prevent the flood from being unleashed in the first place. "The
    only way to solve it is to spread awareness about the problem," said
    Pickel.
    
    While the ISP community has been active about trying to solve the problem,
    CERT has no authority and can't do any arm-twisting, said Pickel. But CERT
    has informed network administrators when it learns a site is being used in
    Smurf floods.
    
    There are ways to solve the problem, Gary said. IPv6, the next generation
    of the TCP/IP networking protocol, will close this loophole and not allow
    for domain spoofing, but it won't see wide deployment for several years. 
    
    In the meantime, administrators looking to secure their network or find
    out more information on Smurf attacks should check out the CERT advisory
    and a guide on Smurfing provided by a consultant for Quadrunner, a private
    ISP.
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    


