
Elephant in the bloody room (or, how I lost faith in dalnet)


Stephen Dedalus

Dec 4, 2002, 9:50:57 PM
Twisted delinked... so what? It's like the old man pissing in the sea
because "every little bit counts". How many servers DO work now? And once
you're there, how stable is it... not very. Around 6:00 EST we seem to begin
the nightly "dance of the netsplits". Last night I stopped counting at 27
different splits. It's become nearly impossible to do anything on dalnet
except try to preserve your channel(s) until all of this is over... But what
is "This", and will it end well? I'd love to know just what the hell has
been going on, a straight answer too. A clear and detailed explanation as to
why the network I've been on for 8+ years has become a very crowded
shithole. Pardon the language, but what else WOULD you call dalnet now?
Given the sorry state that dalnet is in, I would expect a detailed
explanation on the website... but what is there? a four month old statement
that "we occasionally are the targets of dos attacks"... well gee thanks
guys and gals. I realize that this is not a business, not your livelihood and
therefore the pressures of reality are distant... but you people either need
to shape up, or just close your doors so we loyal users can move on to
functional networks. If there is a light at the end of this exceptionally
bleak tunnel, let us know. If this has all been too wishy washy for you let
me put it another way. YOU ARE ALL FUCKING THINGS UP. THE ONLY THING WORSE
THAN RUNNING A NETWORK GONE TO SEED IS NOT EXPLAINING WHY YOU LET 140,000
USERS GO FUCK THEMSELVES WHILE YOU PICK THE NITS OUT OF YOUR HAIR.
Was that too harsh? Let me leave you with this: Irc is very labour
intensive. Running a channel well is not easy, and is an ongoing process.
Dalnet is composed of many islands of work, effort and the sweat of ops,
servers, users, etc... Please, tell us what is happening to the foundation
that work is built upon. And please, if you folks are going to go toe up,
give us enough time to jump ship. Users made you, and you owe us this.

IL aka Stephen Dedalus


Stephen Dedalus

Dec 4, 2002, 10:03:40 PM
Let me clarify something, I am not a fool, I have read the ezine. I know
what a DoS, DDoS is, and I understand the principle that it is difficult if
not impossible to defend against them. You must understand however, that a
backissue of an ezine is not the proper place for information such as that.
Perhaps the general link under "news" on your webpage. As it stands one must
tie varied pieces of information together, plus personal conjecture, to come
up with a semi-accurate, and non-predictive explanation for dalnet's current
travails. Questions you might want to answer DIRECTLY... and without the
bullshit usually shoveled are "Does dalnet have a future that is not a
series of netsplits and delinks?". "Do you have any plans in the works to
combat or defend against what ails you?"... maybe a public forum... say a
CHANNEL would be a good place to discuss these things... Why is it that a
COMMUNICATIONS NETWORK is only talking about the most important issues
regarding its present and future in a backissue of an ezine and rarely
frequented newsgroup? Don't leave this discussion solely in the hands of the
folks who come here... People DoSing you? Maybe you need a running post of
what info you have. Let some of the loyal (testosterone addled) packet
kiddies of dalnet knock themselves out counterattacking... Maybe that's a
truly stupid idea... maybe someone else has a better one, but we won't know
so long as you GROSSLY limit the forums these discussions occur in. You're a
communications network! Your business is to host and facilitate the
dissemination of information. It's what makes you great! SO DISSEMINATE
ALREADY!

IL aka Stephen Dedalus
"Stephen Dedalus" <inspe...@yahoo.com> wrote in message
news:lazH9.114833$GR5....@rwcrnsc51.ops.asp.att.net...

Aaron Schultz

Dec 5, 2002, 1:13:50 AM
On Thu, 5 Dec 2002, Stephen Dedalus wrote:

> Let me clarify something, I am not a fool, I have read the ezine. I know
> what a DoS, DDoS is, and I understand the principle that it is difficult if
> not impossible to defend against them. You must understand however, that a
> backissue of an ezine is not the proper place for information such as that.

Perhaps if you were actually going to www.dal.net on a regular basis you'd
have seen the "message of the day" which also addressed the issue..
...or perhaps the front page of the network's website isn't the right
place either... where would you suggest?

(and yes, I noticed it's not on the MOTD now, but it was for a few weeks)

--
- Aaron / Wagahai

null

Dec 5, 2002, 4:02:15 AM
Aaron,

There are some valid points made by Stephen though. DOS attack information
wasn't posted on dalnet website at 1st, not until few weeks passed by. As
recent as these few weeks until today, we weren't informed drones attack nor
delink of twist.

"Aaron Schultz" <aa...@powertrip.net> wrote in message
news:Pine.LNX.4.44.021204...@localhost.powertrip.net...

Jim Murray

Dec 5, 2002, 5:02:11 AM
Casting off the cloak of HTML, Stephen Dedalus ventured forth to do
battle with the daemons of Usenet on 05/12/2002 02:50, saying:

> YOU ARE ALL FUCKING THINGS UP. THE ONLY THING WORSE
> THAN RUNNING A NETWORK GONE TO SEED IS NOT EXPLAINING WHY YOU LET 140,000
> USERS GO FUCK THEMSELVES WHILE YOU PICK THE NITS OUT OF YOUR HAIR.
> Was that too harsh?
>

Very well, you want to know exactly what's wrong. I'll tell you just as
bluntly as you like.

DALnet's being hammered to death by a bunch of script kiddie morons from
various countries where the governments simply don't give a fuck. You
think running a channel's labour intensive, try a server. Then try
explaining to your boss/shareholders/customers why your entire network
was unreachable for 12 hours JUST because you chose to support DALnet.
Try telling them that these kiddies are from Turkey and the like and
that the govt. there simply don't care. Tell them that the FBI aren't
interested unless you just happen to be a major e-commerce site OR you
happen to get very lucky and find an interested agent with time on their
hands.

People build bots and target them at us. Clueless morons with windows
boxes download any piece of shit they see spammed to them in a link and
spread the crap further. Yet more clueless shits don't bother taking
BASIC security precautions and get infected with netbios worms bringing
yet more drones. Then you have the commercial spammers who make money
from it, not to mention the fuckwits who don't know how to patch the
world's buggiest browser and STILL get caught with the same stupid
security hole they got caught with two years ago.

We aren't 'picking nits out of our hair'. As a matter of fact we're
doing everything in our power to minimise the problems BUT when you get
no help from the authorities and no help from the users themselves it's
something akin to telling the tide not to come in. Regardless, we try
and I for one *really* don't appreciate your attitude and your
insinuations. You want to rant at someone, rant at the fuckwits
responsible for the problems not those trying damn hard to do something
about them.

Jim.


--
Jim-mm
CSoP, IRC Operator, Exploits Team Member
DALnet IRC Network.

Thund3rstruck

Dec 5, 2002, 6:02:38 AM

Constructive question here. If, going thru your logs, you find that a
good number of attacks come from one country or domain, that doesn't care,
wouldn't it be possible to block them upstream of dalnet, or even on the
appropriate port, at the router level? Or, is the way that dalnet is
designed that makes this impossible?

NOI

"Jim Murray" <not.int...@spam.dev.null> wrote in message
news:DuFH9.4151$9g.31...@news-text.cableinet.net...

Mattias Ahnberg

Dec 5, 2002, 7:07:47 AM
>> "n" == null <nu...@privacy.org> writes:

n> DOS attack information wasn't posted on dalnet website at 1st, not
n> until few weeks passed by.

There is a difficult line when it comes to information. If we chose to
post too many updates on what goes on in regards to attack we risk the
investigations we have going on to try to do something about the
individuals attacking us, plus if we post instant information about
"omen.* currently died because of a huge DDoS attack", the attackers
will see it more as a fun thing to be able to get a newsline on the
website.

I agree that we could have posted DDoS information much quicker, but
we tried to make a judgement on what path to take, how to deal with
things and what to proceed. Our first priority was for each admin to
secure his server, to try to lessen the impact of the attacks and to
prepare the sponsors for whats going on.

n> As recent as these few weeks until today, we weren't informed
n> drones attack nor delink of twist.

In todays world DDoS attacks are performed at large by drone networks,
so we didn't really explain it further than that. The Zine also
mentioned more of the theories and a bit of explanation about DDoS.

/ahnberg.

Mattias Ahnberg

Dec 5, 2002, 7:10:31 AM
>> "T" == Thund3rstruck <NOI@nope.> writes:

T> Constructive question here. If, going thru your logs, you find that a
T> good number of attacks come from one country or domain, that doesn't care,
T> wouldn't it be possible to block them upstream of dalnet, or even on the
T> appropriate port, at the router level? Or, is the way that dalnet is
T> designed that makes this impossible?

The attacks usually don't originate from the same country as the
attackers, they get all the drones they can get their hands on, and
they aren't really grouped together regionally, they are global. So
during an attack you will basically see traffic from all over the
globe.

When we try to filter out ISPs who let users abuse on DALnet there is
always a majority of the users affected who are innocent, so what we
accomplish in such a situation is that we get a huge number of MORE
upset persons with DALnet, of whom a few might chose to "avenge" his
inability to connect to us. And voila, we have yet another enemy
attacking us with all he got.

/ahnberg.

Tony Miller

Dec 5, 2002, 10:30:11 AM
On Thu, 05 Dec 2002 13:07:47 +0100,
Mattias Ahnberg <mat...@ahnberg.pp.se> wrote:
>>> "n" == null <nu...@privacy.org> writes:
>
>n> DOS attack information wasn't posted on dalnet website at 1st, not
>n> until few weeks passed by.
>
> There is a difficult line when it comes to information. If we chose to
> post too many updates on what goes on in regards to attack we risk the
> investigations we have going on to try to do something about the
> individuals attacking us, plus if we post instant information about
> "omen.* currently died because of a huge DDoS attack", the attackers
> will see it more as a fun thing to be able to get a newsline on the
> website.

I understand that. But do you *really* in your "heart of hearts" believe
that when the packet kiddies see "twisted.*'s delink had nothing to do
with the attacks" they believe you?

> I agree that we could have posted DDoS information much quicker, but
> we tried to make a judgement on what path to take, how to deal with
> things and what to proceed. Our first priority was for each admin to
> secure his server, to try to lessen the impact of the attacks and to
> prepare the sponsors for whats going on.

What we as users would like to see is a running commentary on the status
of the network when there are problems. Maybe once per hour, maybe with
an ETA on when things will smooth out (if that is possible, I know
sometimes that's not).

>n> As recent as these few weeks until today, we weren't informed
>n> drones attack nor delink of twist.
>
> In todays world DDoS attacks are performed at large by drone networks,
> so we didn't really explain it further than that. The Zine also
> mentioned more of the theories and a bit of explanation about DDoS.

Let me tell you my life from the perspective of a simple IRC user.

o I connect to DALnet to chit chat with some friends I still have on
there.

o I pop into the channel. Nobody is opped. So I ping chanserv. It's
about 10 minutes out.

o In the meantime I start chatting with someone in channel. In the
middle of the convo, they get disconnected. When they come back,
stats.dal.net kills them every 5 minutes for an "ident violation".

o While they are gone chanserv ops me I op the bot. Then *I* get
disconnected. When I come back, the bot is not opped, and I get killed
by stats.dal.net a few times just for fun.

o When we finally all get together, there's anywhere from 1-10 minute lag
on our conversations.

o This whole situation happens a few more times and I finally get
disgusted and go back to my home network.

Multiply that by about 80,000 and you get the situation for these people.
I am REALLY shocked that so many people hang around for that kind of
abuse. It's a tribute to the loyalty of your userbase. (Or "Random
DALnet Server" is their mIRC default and they don't know how to connect
anywhere else).

Now don't get me wrong. I'm not *blaming* DALnet for this at all. I'm
just stating that there is a minimal level of service expected (even if
it's free) and people will move on if it isn't met.

> /ahnberg.

-Tony

--
Reliable, "eggable" Unix shell accounts. http://www.jtan.com/proshell/
cl00bie @ IRC - /server cookie.sorcery.net 9000, http://www.sorcery.net
We welcome WebTV'ers - http://www.sorcery.net/help/index.html#WebTV

Tony Miller

Dec 5, 2002, 10:50:09 AM
On Thu, 05 Dec 2002 10:02:11 GMT,
Jim Murray <not.int...@spam.dev.null> wrote:

<Snip>

> We aren't 'picking nits out of our hair'. As a matter of fact we're
> doing everything in our power to minimise the problems BUT when you get
> no help from the authorities and no help from the users themselves it's
> something akin to telling the tide not to come in. Regardless, we try
> and I for one *really* don't appreciate your attitude and your
> insinuations. You want to rant at someone, rant at the fuckwits
> responsible for the problems not those trying damn hard to do something
> about them.

We're trying to do something to help. About 6 months ago we found a bunch
of these things on our network. I mailed your exploits team, and since I
didn't get a bounce I just assumed that I was ignored.

You really need to interface with the smaller networks on this. These are
the places that these kiddies go to hide when they attack you. You need
to educate some of these small networks on what to look for. I wouldn't
imagine that these kiddies would run an actual personal IRC server for
their own use in doing this.

Also, an unexplained jump in usercount (100 extra clients than the night
before) is a reason for concern. When we see that we start hunting.

But in the case I mentioned above, we found the dumbass that founded the
channel and we forwarded the date time and IP to his ISP.

> Jim.
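
Added example, not part of Tony Miller's post or of any network's tooling: one way to automate the check he describes, comparing each night's peak client count with the previous night's and flagging a rise of 100 or more. It assumes the counts are sampled from the server's `251` (RPL_LUSERCLIENT) reply to `LUSERS` and logged with an ISO timestamp; the log layout, server name, nick and numbers are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# RPL_LUSERCLIENT (numeric 251), RFC 1459 wording, prefixed here with an
# ISO timestamp added by the (hypothetical) monitoring client that logs it.
LUSERS_RE = re.compile(
    r"^(?P<ts>\S+) :\S+ 251 \S+ :There are (?P<vis>\d+) users and "
    r"(?P<inv>\d+) invisible on \d+ servers"
)

# "100 extra clients than the night before"
JUMP_THRESHOLD = 100

# Constructed sample log: a few LUSERS samples per night plus one unrelated numeric.
SAMPLE_LOG = """\
2002-12-01T21:00:00 :irc.example.net 251 monitor :There are 310 users and 95 invisible on 4 servers
2002-12-01T23:00:00 :irc.example.net 251 monitor :There are 322 users and 98 invisible on 4 servers
2002-12-02T21:00:00 :irc.example.net 251 monitor :There are 318 users and 101 invisible on 4 servers
2002-12-02T23:00:00 :irc.example.net 372 monitor :- message of the day line
2002-12-03T21:00:00 :irc.example.net 251 monitor :There are 330 users and 214 invisible on 4 servers
2002-12-05T21:00:00 :irc.example.net 251 monitor :There are 700 users and 300 invisible on 4 servers
""".splitlines()


def nightly_peaks(lines):
    """Return {date: peak client count} from timestamped 251 lines."""
    peaks = defaultdict(int)
    for line in lines:
        m = LUSERS_RE.match(line)
        if not m:
            continue  # other numerics or malformed lines are ignored
        day = datetime.fromisoformat(m["ts"]).date()
        # Count visible and invisible clients together.
        total = int(m["vis"]) + int(m["inv"])
        peaks[day] = max(peaks[day], total)
    return dict(peaks)


def unexplained_jumps(peaks, threshold=JUMP_THRESHOLD):
    """Return [(date, previous_peak, peak, delta)] for each night whose peak
    is at least `threshold` above the peak of the calendar night before."""
    flagged = []
    days = sorted(peaks)
    for prev, cur in zip(days, days[1:]):
        # Only the night before is a valid baseline; after a sampling gap
        # there is nothing to compare against, so that night is not scored.
        if (cur - prev).days != 1:
            continue
        delta = peaks[cur] - peaks[prev]
        if delta >= threshold:
            flagged.append((cur, peaks[prev], peaks[cur], delta))
    return flagged


if __name__ == "__main__":
    for day, before, after, delta in unexplained_jumps(nightly_peaks(SAMPLE_LOG)):
        print(f"{day}: peak {after} vs {before} the night before (+{delta}), investigate")
```

A flagged night is a prompt to look at which hosts and channels the new clients landed on, not proof of a drone herd; a netsplit rejoin can produce a similar rise.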

homosexual

Dec 5, 2002, 5:22:56 PM
>Then try explaining to your boss/shareholders/customers why your
>entire network was unreachable for 12 hours JUST because you chose to
>support DALnet.
>Try telling them that these kiddies are from Turkey and the like and
>that the govt. there simply don't care.

Now that's surprising that the sell-out whore government of turkey,
the same piece of gutter trash filth that lets neo-colonialist
American Yankee doodle doo military personnel carry out terrorist
strikes on Iraq under the guise of "enforcing no fly zones" from the
military base of Incirlic, I find it hard to believe that this very
same government would fail to apprehend one of its citizens when they
are carrying out strikes against a civilian target primarily resident
in its colonialist masters home. I mean don't forget that this is the
same country that has a peace treaty with the terrorist state of
Israel and routinely allows them to practice F-16 flights over its
vast sand dunes. Its a crying shame that it would reject any
involvement in a criminal investigation involving the attacks on
Dalnet considering a great portion of the Dalnet administrations upper
echelons are in fact Jews who should be looked upon favourably by the
Turkish authorities.

The only solution that I can think of would be to bury the Turkish
government and its military under a hail of dumb bombs and
precision-guided munitions/BLU-82B daisy cutter fuel air bombs. You've
subjected 26 other states since World War II to the same "justice" for
even pettier reasons, why should Turkey be spared any?

>Tell them that the FBI aren't
>interested unless you just happen to be a major e-commerce site OR you
>happen to get very lucky and find an interested agent with time on their
>hands.

Well that's the beauty of capitalism isn't, isn't that what you
Americans would fight and die for? To uphold your criminal capitalist
regime that was "democratically" elected via massive voting fraud?
Isn't the whole point of this kind of "model society" to hold big
business interests above all else? You simply can't make up your mind
as to what you want can you? That comes as no surprise being the
confused transsexual gender benders that you are.

>People build bots and target them at us. Clueless morons with windows
>boxes download any piece of shit they see spammed to them in a link and
>spread the crap further. Yet more clueless shits don't bother taking
>BASIC security precautions and get infected with netbios worms bringing
>yet more drones.

This whole paragraph is moronic, given the level of filtering
expertise at Dalnet disposal I find it incredibly hard to believe that
clueless kiddies with a bot network can bring down any of the main
Dalnet servers (tiscali, acool, liberty and matrix).
It would be trivial for even the most retarded of Admins to add a few
access lists upstream to cut out any non-spoofed flood from a bot.
First it's people "testing new DoS tools", then its "people who just
want to ruin a good thing" and finally we have the blame put on the
ubiquitous bot flood. Could it be Dalnet has no clue as to who or why
they're being attacked? This would certainly make sense given the
conflicting explanations coming from certain quarters of the Dalnet
Administration.

And certainly we've had a fair number of accusations made by a certain
overweight wannabe nerd (you know who you are) being levelled at
certain people without proof.
On the subject of users not taking security precautions, this is
incredibly hypocritical given that a number of servers connected to
Dalnet that have in the past and even very recently failed to take
stringent enough security "precautions" and wound up being
compromised.


-someone who doesn't use Jewnet aka Dalnet

Thund3rstruck

Dec 5, 2002, 7:10:23 PM

"Mattias Ahnberg" <mat...@ahnberg.pp.se> wrote in message
news:873cpcf...@paranoia.ahnberg.pp.se...

> The attacks usually don't originate from the same country as the
> attackers, they get all the drones they can get their hands on, and
> they aren't really grouped together regionally, they are global. So
> during an attack you will basically see traffic from all over the
> globe.
>
> When we try to filter out ISPs who let users abuse on DALnet there is
> always a majority of the users affected who are innocent, so what we
> accomplish in such a situation is that we get a huge number of MORE
> upset persons with DALnet, of whom a few might chose to "avenge" his
> inability to connect to us. And voila, we have yet another enemy
> attacking us with all he got.

Good points all around. Guess I didn't see that for whatever reason.

NOI


null

Dec 5, 2002, 7:50:49 PM
Mattias,

You have good points there. I guess Dalnet is presented with 2 type of
communities here. One is ok with usual information handed to them. Then
there are more technical users who long suspected something are going on but
has no revenue to their quest for information. These are who used to
Internet as free to assemble information. One only wish threshold would be
lower so information can be released in more timely manner. Imagine what
would technical users think when their irc.dal.net resolved to
255.255.255.255 (broadcast address)? We did find we can go to individual
servers but dal.net DNS server was totally down few times too. This is
comparable to ISP status report where users can stand down time but not lack
of information. Thanks for lending your ears. Maybe we can make it
better next time around.

"Mattias Ahnberg" <mat...@ahnberg.pp.se> wrote in message

news:877keof...@paranoia.ahnberg.pp.se...

null

Dec 5, 2002, 8:03:05 PM
Jim,

Actually we do understand how difficult situation could be. In fact, users
do support dalnet and staffs behind the scene. that's why we're asking for
more information be posted on dalnet website. I don't believe you'll want
to be asked over and over on network/server status when you're busy getting
them up and running. I suppose a short post of current status on dalnet
website would serve everybody good? We then will refer users to website
whenever they're in doubt. We really don't need to fight among ourselves
but intruders. Thanks.

"Jim Murray" <not.int...@spam.dev.null> wrote in message
news:DuFH9.4151$9g.31...@news-text.cableinet.net...

null

Dec 5, 2002, 8:09:26 PM
Mattias,

Hehehe, I'll have to agree. IRC users are so touchy at times.

"Mattias Ahnberg" <mat...@ahnberg.pp.se> wrote in message

news:873cpcf...@paranoia.ahnberg.pp.se...

Jim Murray

Dec 5, 2002, 8:36:40 PM
Casting off the cloak of HTML, Tony Miller ventured forth to do battle
with the daemons of Usenet on 05/12/2002 15:50, saying:

>
> We're trying to do something to help. About 6 months ago we found a bunch
> of these things on our network. I mailed your exploits team, and since I
> didn't get a bounce I just assumed that I was ignored.

Did you use the contact form on the web or send mail? If you sent mail,
please drop me a note and I'll pass on the appropriate contact address
for the team - expl...@dal.net is purely an auto-reply and does not get
read.

> You really need to interface with the smaller networks on this. These are
> the places that these kiddies go to hide when they attack you. You need
> to educate some of these small networks on what to look for. I wouldn't
> imagine that these kiddies would run an actual personal IRC server for
> their own use in doing this.

We are trying. DALnet has several representatives on the CERT-IRC list
where we willingly share information on attacks and the like with other
IRC networks. If you'd like more information on this, again please drop
me a note.

> Also, an unexplained jump in usercount (100 extra clients than the night
> before) is a reason for concern. When we see that we start hunting.

Anything we can do to help we will do. The view of DALnet's Exploits
team is that these idiots need stopped, regardless of which network they
happen to be on. If working with other, smaller networks will make their
lives harder then it's something I'll be happy to try and help arrange.

Jim.

--
Jim-mm (@dal.net to mail)

Jim Murray

Dec 5, 2002, 9:25:25 PM
Casting off the cloak of HTML, null ventured forth to do battle with the
daemons of Usenet on 06/12/2002 01:03, saying:

> Jim,
>
> Actually we do understand how difficult situation could be. In fact, users
> do support dalnet and staffs behind the scene. that's why we're asking for
> more information be posted on dalnet website. I don't believe you'll want
> to be asked over and over on network/server status when you're busy getting
> them up and running. I suppose a short post of current status on dalnet
> website would serve everybody good? We then will refer users to website
> whenever they're in doubt. We really don't need to fight among ourselves
> but intruders. Thanks.

Apologies for my tone earlier, I probably shouldn't have been quite as
blunt as I was :)

At one point we did have server uptime (and even traffic graphs!)
available, however we had to withdraw that service as the kiddiots were
using it to gauge how effective their attacks were and what they needed
to packet harder. Likewise some statserv functions had to be restricted
for exactly the same reason. I'd love to provide this kind of detail but
sadly we can't do it because it invariably gets turned against us.

It's experiences like that which have forced us to be more circumspect
in what we release and when, we do understand that users value timely
information on server outages and network issues, however we need to
balance that with the potential damage providing such information may do.

I do maintain the exploits website and if you can give me an
indication of the type of information you'd like to see posted then I'll
see if something can be arranged. Do please bear in mind what I've said
above - I'm willing to provide any information you feel valuable so long
as it's not security sensitive or privileged in other ways.

HTH,

Jim.


--
Jim-mm (@dal.net to mail)

null

Dec 5, 2002, 10:29:26 PM
Jim,

Your insight information is greatly appreciated. I remember when we told
our users Exchange server was down and received 'what's Exchange'. We then
only described email is down instead, ^_^. I guess a simple
network/servers with red, yellow and green with one liner will be
informative enough without revealing vital stats of dalnet. That way users
can check website when they find problem and determine if problem lies
between their ISP or dalnet. And us helpers can use the same information
to better help our users. Although I am personally interested in detailed
stats, hehehe. Heck, your presence here already helps greatly. Thanks.

--
Theodore a.k.a. knownbad


"Jim Murray" <not.int...@spam.dev.null> wrote in message

news:pUTH9.51$a8.31...@news-text.cableinet.net...

Emma

Dec 6, 2002, 3:11:22 AM

> only described email is down instead, ^_^. I guess a simple
> network/servers with red, yellow and green with one liner will be
> informative enough without revealing vital stats of dalnet. That way users


The problem with that is that the kiddies get a kick out of making all the
lights go red......

Emma


Mattias Ahnberg

Dec 6, 2002, 3:37:51 AM
>> "TM" == Tony Miller <to...@cigardiary.com> writes:

TM> I understand that. But do you *really* in your "heart of hearts"
TM> believe that when the packet kiddies see "twisted.*'s delink had
TM> nothing to do with the attacks" they believe you?

No, I don't think they believe it at all. But if it is the truth, why
should we lie about it? I am sure the attacks had _something_ to do
with the final decision that frink took to delink from DALnet, but the
actual delink decision wasn't because of it (as I have been told by
him). If DDoS was the main problem he wouldn't have stood up all this
time. :)

TM> Maybe once per hour, maybe with an ETA on when things will smooth
TM> out (if that is possible, I know sometimes that's not).

We're trying to, and I guess we can be better. I doubt that you will
see a "quick status" page in the near future, as Jim wrote it has been
attempted in the past but always turned against us. I wish there were
some way to give out information to the right persons, and hold it
back from others.

TM> Multiply that by about 80,000 and you get the situation for these
TM> people. I am REALLY shocked that so many people hang around for
TM> that kind of abuse. It's a tribute to the loyalty of your
TM> userbase. (Or "Random DALnet Server" is their mIRC default and
TM> they don't know how to connect anywhere else).

I am very well aware of the situation. I am a user of DALnet myself,
and I daily associate with larger channels with friends, so I see all
these problems up-front myself. It is very bothersome, and I really
appreciate the patience users shows us just to still stick around on
DALnet.

However, I do understand that people get fed up and chose to use other
services now and then. I hope that they will chose to come back to
DALnet again when things end up more stable again. But as you know I
can't predict when that time will come.

TM> I'm just stating that there is a minimal level of service expected
TM> (even if it's free) and people will move on if it isn't met.

*nods* I know. Believe me, I know. But as I mentioned above, I do hope
that the persons who chose to leave DALnet will eventually return.

/ahnberg.

Trahojen

Dec 6, 2002, 4:03:42 AM
Jim Murray:
> [...] BUT when you get no help from the authorities and no help
> from the users themselves it's something akin to telling the
> tide not to come in.

Jim,

I know this has come up before, but I think we all need to hear it
again.
What exactly can we, the users, do to help?
Except for tracing and reporting abusive or trojaned people to their
ISPs, I mean.
I've done so for say three years, but I keep finding myself reporting
the same people over and over again. The only benefit to this is that I
have come more personal to some abuse desks. I have suffered from
dedicated FUAD-carnivals from time to time too, but I won't take offence
until they show up outside my door.

This seems like being of no use, however, since very few of the
attackers or current trojaned win32-gateways reside on, or even know of
the presence of, a dalnet irc network. I base this statement on personal
experience and some constructive guessing.

How do your upstream providers handle the situation? They'd be idiots if
they didn't take it seriously.

Someone suggested that dalnet should make contact with other, smaller
networks, to educate them on the matter. While I think that is an
excellent idea, I think you would benefit from making contact with them
for other reasons. Small networks have more often than not closer
relations to each other, so it's more likely they can find trojan
commanders and report them to you. While you won't be able to nail them
all, you'll nail some.

regards,

--
- Samuel aka Trahojen


Mattias Ahnberg

Dec 6, 2002, 10:05:06 AM
>> "T" == Trahojen <trahojen_s...@hotmail.com> writes:

T> What exactly can we, the users, do to help?

Keep eyes and ears open, and report abuse, attacks, threats,
dronerunners and obvious DDoS information to the network affected by
it. Also always share this information with the user's current ISP, so
that they get multiple reports from all kinds of places. The more
reports they get about one of their customers messing about, the more
they will start to react. One should always keep in mind though to
keep the tone professional, to act seriously and professionally and to
include relevant logs of what you want to show.

Other than that I just hope that users will get to understand why
DALnet isn't working well, and that it really isn't DALnet's
administration causing the havoc for fun. We're targets of other
people's anger and immaturity.

My hope is that people will be patient, stick with us and do what
they can to help. If they can't stand it, I understand, but I do
hope that they will return when things eventually calm down.

T> How do your upstream providers handle the situation? They'd be
T> idiots if they didn't take it seriously.

We're not a commercial entity paying loads of money for our servers
and the bandwidth we use, usually we're sponsored entirely or partly
by the places supporting our servers. There is a limit to everything,
and tracing DDoS, filtering DDoS, reporting DDoS and such takes a HUGE
amount of time. Most companies don't have the time or interest on
their hands to help out that much, and thus a lot chose the easy way
out and ask for the servers to be shut down instead.

Really wrong attitude since it merely helps the attackers accomplish
what they want. But at the same time, working in the industry with the
same kind of businesses, I fully understand them. They have to think
about their other customers, and weigh the cost and time it would
take to assist, versus the interest and use they could have for the
server(s).

T> While I think that is an excellent idea, I think you would benefit
T> from making contact with them for other reasons. Small networks
T> have more often than not closer relations to each other, so it's
T> more likely they can find trojan commanders and report them to
T> you. While you won't be able to nail them all, you'll nail some.

We do speak with other networks. And some of us deeply involved in the
administration of DALnet are also parts of other networks, this in
itself leads to an information exchange. We're always interested in
cooperation and information exchange though, and if I stumble over
something that I see affects another network I always share that
information to give them an easier task of solving their problems,
just as I hope others do to us too.

/ahnberg.

Jim Murray

Dec 6, 2002, 10:18:16 AM
Casting off the cloak of HTML, Trahojen ventured forth to do battle with
the daemons of Usenet on 06/12/2002 09:03, saying:

> I know this has come up before, but I think we all need to hear it
> again.
> What exactly can we, the users, do to help?
> Except for tracing and reporting abusive or trojaned people to their
> ISPs, I mean.

DoS attacks have always been a fact of life for those running IRC
servers. The problem was generally contained by the fact that it
required a reasonable degree of clue to carry out a significant attack
in the first place and considerably more clue not to get caught doing it.
The advent of the self-propagating botnet and point'n'drool DoS tools
changed that, making it almost trivially easy to launch a virtually
untraceable DoS attack. The majority of these bots rely on user
gullibility for their success, so the best help anyone can give us is to
spread the word about security as far and wide as they're able. The more
users begin to secure their machines the less easy it'll be to build
these botnets, with time the balance may just swing back far enough to
keep IRC viable as a free service.

Educating ISPs is also very helpful. There are still a sickening number
who'll happily act as smurf amplifiers and who don't have proper egress
filtering set up on their border routers to deter spoofing. ISPs like
that are a danger to everyone else on the internet but in today's
market-driven economy only their users can force them to pull up their socks.
Decent abuse reporting procedures and a strong (and enforced!) AUP are
also a must for ISPs.

Proxy servers are the third major problem. So many are insecure by
default that it's just not funny anymore. Pester the vendors to fix
their products. Educate those who want to use them on how to do it safely.

Last but not least there's the sheer lunacy of certain ADSL router
manufacturers who leave telnet-accessible shells open to the internet by
default with no/stupidly-easy-to-guess or default passwords.

>
> How do your upstream providers handle the situation? They'd be idiots if
> they didn't take it seriously.

That varies from provider to provider and incident to incident. I can't
give details other than to say that appropriate measures are taken when
necessary in accordance with each provider's escalation procedures. I'm
sure you understand that such actions are of themselves security
sensitive and cannot be discussed in an open forum.

> Someone suggested that dalnet should make contact with other, smaller
> networks, to educate them on the matter. While I think that is an
> excellent idea, I think you would benefit from making contact with them
> for other reasons. Small networks have more often than not closer
> relations to each other, so it's more likely they can find trojan
> commanders and report them to you. While you won't be able to nail them
> all, you'll nail some.

We maintain an active presence on the CERT-IRC list and encourage all
other networks to do the same. This helps communicate potential threats
and valuable information quickly and securely between networks and also
to the various security teams who also maintain a presence there.

Jim.

--
Jim-mm (@dal.net to mail)
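
The egress filtering and smurf amplifier points raised in the post above, as an added sketch that is not part of the original thread: a border-router decision function that drops outbound packets whose source address the ISP never assigned, and inbound packets aimed at a customer subnet's broadcast address. The prefixes, packets and function names are constructed for illustration (documentation address ranges).

```python
import ipaddress

# Constructed example: prefixes this hypothetical ISP assigns to its customers.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

def egress_allowed(src):
    """Egress filter: only sources inside our own prefixes may leave."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)

def is_directed_broadcast(dst):
    """True if dst is the network or broadcast address of a customer subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (net.network_address, net.broadcast_address)
               for net in CUSTOMER_PREFIXES)

def border_decision(direction, src, dst):
    """Return 'forward' or a drop reason for one packet at the border."""
    if direction == "out" and not egress_allowed(src):
        return "drop: spoofed source"
    if direction == "in" and is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"

# Constructed sample traffic: (direction, source, destination).
SAMPLE_PACKETS = [
    ("out", "198.51.100.23", "192.0.2.10"),   # legitimate customer traffic
    ("out", "10.1.2.3", "192.0.2.10"),        # source was never ours to send
    ("out", "192.0.2.77", "192.0.2.10"),      # forged third-party source
    ("in", "192.0.2.10", "198.51.100.255"),   # /24 broadcast address
    ("in", "192.0.2.10", "203.0.113.127"),    # /25 broadcast address
    ("in", "192.0.2.10", "203.0.113.5"),      # ordinary host
]

def audit(packets):
    """Apply the border policy to every packet and return the decisions."""
    return [border_decision(*p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(pkt, "->", verdict)
```
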

null

Dec 6, 2002, 12:37:35 PM
Emma,

Anything is possible but we're losing focus here. I believe we're serving
public on dalnet. We shouldn't alter our courses simply because of some
misbehaves. Majority of users are courteous and supportive. And more
importantly informed public is an educated/rational public. Of course there
may be some pitfalls but us users will support you along the way. Thanks.

--
Theodore a.k.a. knownbad
"Emma" <cu...@clothes.dal.net> wrote in message
news:aspm3m$tbu$1...@newsg2.svr.pol.co.uk...

Richard Revis

Dec 6, 2002, 2:45:58 PM
Jim Murray used a team of monkeys to generate this reply:

> Clueless morons with windows
> boxes download any piece of shit they see spammed to them in a link and
> spread the crap further. Yet more clueless shits don't bother taking
> BASIC security precautions and get infected with netbios worms bringing
> yet more drones.

I always said there should be some kind of basic internet proficiency test..
something like a week using command line tools before they let you loose
with anything faster than a 9600 baud modem. You could always sue MS for
the lost revenue to your bandwidth providers for making life too easy for
script kiddies :o)

FWIW have you considered making DALnet web-only access for a week or so,
which would kill off all the bots/rancid scripts while letting regular
users restore some normalcy to their chatting. It wouldn't cure non-IRC
attacks but these are somewhat easier (ie not impossible) to filter, and
may let you restore some normalcy before opening up a limited number of
servers to $any_client again.

--
People carriers are for the clueless about contraception.
7:41pm up 5 days, 23:46, 3 users, load average: 0.12, 0.18, 0.10
RX bytes:1237014551 (1179.7 Mb) TX bytes:2181162217 (2080.1 Mb)
E-mail address munged to prevent spam.

Eyes to the Skies.

Dec 6, 2002, 6:06:01 PM
Jim Murray wrote:

> Casting off the cloak of HTML, Stephen Dedalus ventured forth to do
> battle with the daemons of Usenet on 05/12/2002 02:50, saying:
>

> > YOU ARE ALL FUCKING THINGS UP. THE ONLY THING WORSE
> > THAN RUNNING A NETWORK GONE TO SEED IS NOT EXPLAINING WHY YOU LET 140,000
> > USERS GO FUCK THEMSELVES WHILE YOU PICK THE NITS OUT OF YOUR HAIR.
> > Was that too harsh?
> > Was that too harsh?
>
>


I for one am happy to see SOMEONE put some blame on clueless users,
especially someone in your position.

The situation sucks but it could be made far less worse if many end
users had a clue.

This isn't elitism, it is fact.

The *MIGHTY* (yet modest) Two Tub Man

Dec 8, 2002, 2:44:59 PM
On Thu, 05 Dec 2002 06:13:50 GMT, Aaron Schultz <aa...@powertrip.net>
wrote:

Okay, it's Dec 8 now and this message was from the 4th but there's
nary a word about dalnet's troubles on www.dal.net 's front page and
you gotta know which back issue of the zine to look for it in cos
there's nary a word in this month's zine either.

I think users will find this frustrating and it will reflect
negatively on dalnet. I think they will get the impression that
dalnet is run in a very sloppy and irresponsible fashion... I know
that this is not necessarily the case but most people will tend to be
left with that feeling, IMO.

Tub

Emma

Dec 8, 2002, 3:02:12 PM

> Okay, it's Dec 8 now and this message was from the 4th but there's
> nary a word about dalnet's troubles on www.dal.net 's front page and
> you gotta know which back issue of the zine to look for it in cos
> there's nary a word in this month's zine either.

The zine is a monthly magazine and December's has not been built yet. The
purpose of the Zine is not to supply real-time information on the network's
status.

Emma


Jeff Garber

Dec 8, 2002, 8:12:10 PM
"Emma" <cu...@clothes.dal.net> wrote in message
news:at08ga$jpb$1...@news6.svr.pol.co.uk...
>
<snip>

>
> The zine is a monthly magazine and December's has not been built yet. The
> purpose of the Zine is not to supply real-time information on the network's
> status.
>
> Emma
>
Maybe not, but isn't that one of the functions of the website?


Aaron Schultz

Dec 9, 2002, 2:08:30 AM
On Sun, 8 Dec 2002, The *MIGHTY* (yet modest) Two Tub Man wrote:
> Okay, it's Dec 8 now and this message was from the 4th but there's
> nary a word about dalnet's troubles on www.dal.net 's front page and
> you gotta know which back issue of the zine to look for it in cos
> there's nary a word in this month's zine either.

The zine isn't a news source.. and the MOTD box on www says:
------------------------------------------------------------------------
It is a sad fact that it has been somewhat difficult to connect to DALnet
for some time. There are several reasons for this, including ongoing
attacks and a loss of servers.
This weekend, these problems have increased. DALnet has been under an
unusually strong, unusually persistent attack. These attacks are directed
at all DALnet client servers, rather than just a few.

The DALnet administration is working with service providers and with law
enforcement to stop these attacks, but this is not an easy task. We
apologize for the disruption, and ask that you bear with us through these
difficult times.
------------------------------------------------------------------------

--
- Aaron / Wagahai

Trahojen

Dec 9, 2002, 5:15:20 AM
Jim Murray:

> Last but not least there's the sheer lunacy of certain ADSL router
> manufacturers who leave telnet-accessible shells open to the internet
> by default with no/stupidly-easy-to-guess or default passwords

Sad but true. From real life experience, I had an argument with one of
my relatives, on why running KaZaa 24/7 (or at all) wasn't a good idea.
The problem is they don't think of Internet as a global network, where
they are all potential nodes in a sophisticated attack. I can tell we are
both putting much of the responsibility on the ISPs to stop doing
clueless measures. It's more likely to reach them, than to reach the
average home user. Sadly enough.


Trahojen:
> How do your upstream providers handle the situation? They'd be
> idiots if they didn't take it seriously.

Jim Murray:
> [...] I'm sure you understand that such actions are of
> themselves security sensitive and cannot be discussed in
> an open forum.

Of course. Being a global network has its drawbacks.

Good luck, we'll keep our eyes open.
