[ISN] Could Attack on DALnet Spell End for IRC?

From: InfoSec News (isnat_private)
Date: Sat Jan 25 2003 - 03:08:56 PST

    http://www.internetnews.com/dev-news/article.php/10792_1573551
    
    By Thor Olavsrud 
    January 24, 2003 
    
    For at least a month, distributed denial of service, or DDOS, attacks
    have been crippling DALnet, one of the world's largest Internet Relay
    Chat networks, bringing it to its knees and raising the possibility
    that many hosting providers may refuse to host IRC servers at all.
    
    "DALnet is presently suffering extensive and prolonged Distributed
    Denial of Service attacks against our IRC servers, Web server, mail
    servers and DNS systems," DALnet said on its Web site. "These attacks
    are causing great inconvenience and financial loss to many of the
    organizations that host our services, as such some of them have
    suspended or discontinued their support of DALnet."
    
    IRC, developed by Jarkko Oikarinen of Finland in 1988, allows people
    connected anywhere on the Internet to join in live discussions. Each
    discussion is on a "channel," and many people can join at once. DALnet
    was one of the earliest IRC networks, formed by users of EFnet (Eris
    Free Network) in June 1994 because of the netsplits (caused when the
    connection of one or more servers in a network is broken) and lag that
    were plaguing that network. DALnet pioneered Services, which allowed
    users to control their presence online without being harassed or
    having channels stolen from under them.
    
    But these days DALnet -- which is manned by volunteers and run with
    equipment and bandwidth donated as a service to the Internet community
    -- is hanging on by a thread as sustained DDoS attacks flood its
    servers and even threaten the networks that host its servers. The
    attacks have forced DALnet's administrators to take down most of its
    client servers and leave them down rather than risk taking down its
    hosts.
    
    "Yes, as you all know, DALnet has been attacked again by criminals
    who, for reasons known only to themselves, choose to spoil the
    enjoyment of so many," Emma/Curve, chief editor of the DALnetizen
    ezine and one of DALnet's administrators, wrote in the January issue
    of the ezine. "These latest attacks are worse than any of the server
    administrators have seen before, attacks large enough to cripple the
    networks which host our servers, let alone the servers themselves."
    
    The attacks come in the form of 'botnets,' whole networks of malicious
    bots, created by Trojans, which flood DALnet's network with packets.
    According to Curve, those packets are coming in at a rate of Gbps.
    
    "It's no secret that DALnet has suffered massive attacks recently, far
    greater than anything we've seen before," she said. "We've been
    ravaged by DDOS attacks in the Gbps range, attacks which are not just
    crippling our IRC servers, but causing disruption to the providers who
    host those servers."
    
    She continued, "Why do I say that more than DALnet is at stake? Well,
    because the more these people amass herds of infected computers
    (botnets) to attack IRC servers with, the more service providers will
    quickly come to the conclusion that hosting an IRC server is a
    liability. Already many providers simply won't countenance hosting an
    IRC server and if this random vandalism continues, the harder it will
    be for non-profit IRC to continue in any reasonable form at all. That
    could jeopardize the future for all IRC networks, not simply DALnet."
    
    The Trojan spreads through e-mail, or even when a user visits a Web
    site with a bit of hidden code, and the users won't know unless their
    anti-virus software is up to snuff. Once the Trojan makes its way onto
    a machine, the next time that computer connects to the Internet the
    Trojan will start up an IRC client and connect to a server -- often an
    IRC server set up on a shell account and paid for with a stolen credit
    card. The Trojan then creates a bot which is programmed to join a
    certain channel once it has connected.
    
    A successful Trojan which has propagated widely can fill a channel
    with bots. Curve said she and other members of DALnet's Exploits Team
    have seen channels with as many as 4,000 to 5,000 bots -- each a home
    computer infected with a Trojan. A collection of such bots in a
    channel is a botnet.
    
    Once the person who wrote the Trojan comes online, the botnet is
    waiting for him, and he can use it for a number of things, the worst
    being a DDOS -- using hundreds or thousands of bots to send data to a
    server until its connection becomes saturated and it crashes. Not only
    does such an attack inconvenience chatters using IRC services, it can
    also affect the service providers who host IRC servers, preventing
    their customers -- even ones who don't use IRC -- from going online.
    
    "It could be surmised that people who launch DDOS attacks know their
    intended target and can find enough bandwidth to bring the target
    down," Aaron Schultz, a provider of DALnet hosting, wrote in the
    January issue of DALnetizen. "The problem that most don't seem to
    think about are the related networks which also get hit. The small ISP
    which has an infected customer who suddenly starts using all available
    bandwidth, the nationwide latency created on some networks due to the
    amount of packets or the small businesses that have servers on a
    network near the intended target."
    
    "Another example of innocent targets being hit are when ISPs
    experience nationwide latency and regional outages due to these
    attacks," he wrote. "Are the attacks that I receive that have caused
    such major outages attacks on me, or the entire U.S.? And should all
    of the ISP's Southern California customers be taken offline just
    because of someone's disagreement with DALnet? No."
    
    DALnet administrators continue to hold out hope that the situation can
    be resolved. DALnet said it is working with a number of law
    enforcement agencies to track down those responsible, has lodged
    complaints with the ISPs it has been able to trace, and has the help
    of experts in dealing with DDOS attacks.
    
    So when will the attacks stop? "We don't know," DALnet said. "They
    will stop when either the attackers decide to stop attacking, the
    attackers get arrested or shut down by their ISPs, or when DALnet runs
    out of goodwill from its sponsors and is forced to close."
    
    Anyone with information about the attacks is asked to submit it to
    DALnet's contact form.
    
    http://kline.dal.net/exploits/info.htm
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 11:34:35 PST