Forwarded From: anon <anonat_private>

http://www.nytimes.com/techweb/TW_Internet_Chat_Wars_Spill_Over_.html

January 21, 1999

Internet Chat Wars Spill Over

Filed at 8:13 p.m. EST
By Andy Patrizio for TechWeb, CMPnet

A growing number of network administrators are finding themselves on the receiving end of an attack that they can't stop, thanks to an exploit in TCP/IP and one malicious hacker.

Problems often originate on Internet Relay Chat, a real-time chat network known as IRC with thousands of channels and tens of thousands of users where people meet and talk in "chat rooms" in real time. The oldest and most widely used is the EFNet, which has on average 8,000 channels and 40,000 users during peak hours.

Fights frequently break out in these channels as network gurus put their knowledge of TCP/IP to the worst kind of use. By using a flaw in TCP/IP, it's possible to attack anyone on IRC -- to knock them off chat and even take down their ISP.

The attack is called a "Smurf" attack. Smurf works by sending out a ping to hundreds or even thousands of sites and telling them to all respond to a single IP address. Without warning, users on IRC chat will find their entire bandwidth completely flooded with millions of ping responses, which overwhelms their connection and floods them off.

A user with a 28.8k modem can put out enough bandwidth to fill one-third of the capacity of a T1 (1.54 megabits/sec.) line, according to Gary, an IRC operator who asked that his full name not be used. Gary has been dealing with Smurf attacks for two years.

"I used to use IRC to chat, but now I've got to try not to get flooded off and try not to get hacked," he said.

The problem is growing, too. The Computer Emergency Response Team (CERT) at Carnegie-Mellon University said Smurf attacks went up from 3 percent of reported incidents in January 1998 to 10 percent by December of that year, according to Jed Pickel, a member of the CERT technical staff.

People use the Smurf attack for almost every reason, even if someone wants to use an IRC nickname and another person is using it. It has gotten so bad, said Gary, that whole ISPs are taken down if someone has a beef with another person.

Yale recently removed its IRC server because of these attacks and New York University was recently flooded so bad it was off the network for two weeks, he said. At one time, 100 servers handled EFNet chatters. Now there are between 40 and 50, with an average of three quitting every month because of Smurf attacks, said Gary.

As bad as Smurf attacks are, there's no way to stop them. The packet flood can be blocked at the router or at the upstream service provider, but that doesn't prevent the flood from being unleashed in the first place.

"The only way to solve it is to spread awareness about the problem," said Pickel.

While the ISP community has been active about trying to solve the problem, CERT has no authority and can't do any arm-twisting, said Pickel. But CERT has informed network administrators when it learns a site is being used in Smurf floods.

There are ways to solve the problem, Gary said. IPv6, the next generation of the TCP/IP networking protocol, will close this loophole and not allow for domain spoofing, but it won't see wide deployment for several years.

In the meantime, administrators looking to secure their network or find out more information on Smurf attacks should check out the CERT advisory and a guide on Smurfing provided by a consultant for Quadrunner, a private ISP.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]