Aarons Gets Hit by Ay Rabs subject logo: UNIX
2006-04-11
Posted by: badanov

Aaron's got hammered last week from Arabic speaking crackers.

Aaron is a routine visit for us over the course of a week. We enjoy his humor and his point of view and we were disappointed the site was taken down.

We are trying to help with another web site, getting it secured from similar attacks, although the other site was not defaced.

People we know who are doing the actual heavy lifting in this think that some of these attacks are reflection attacks, whereby a target server's inbound packets are read before being delivered, copied and sent to reflection machines and then resent by any number of other servers out there.

The cracker doesn't have to create any spoofed packets; he just has to tell his machine to sent them out the returned packets and disregard the headers.

This attack uses raw unix sockets, which are present on all Linux/Unix operating system platforms and on Windows XP and probably the upcoming Windows Vista, which enable the bad guy to write or send a packet with faked address headers, so the actual origin can't be traced.

This makes slowing attacks at the router very difficult because of the problem of tracing. Of the large numbers of httpd request a server processes in an attack, all of which can be captured, how can you be sure which packet is from a regular visitor and which is not?

Is there a solutioin to these types of attacks? Yes there are. Aaron Weisburd of Internet Haganah, after his and a number of other sites were taken down by a DDOS attack, turned to using mirrors. At one point he had 14 mirrors. Wew were honored and happy to provide one of this mirrors for about six months, and the offer for him to use out bandwidth still stands.

Aaron uses a very simple system for mirrors and despite reading on various MooseLimb boards of the bad guys intent to drag him down, Haganah hasn't been attacked since. ( All blow and no go... )

As for the defacing, we believe that will be more or less a permentant feature with blogs which record trackbacks. At this point we do not know if this is a bug in the Word Press software or in the database used (mysql).

The Saudi crackers sure know.

If you have something to add, Fire Away!

Number of Comments so far: 0

Click here for a list of stories in the Unix and Computer category