| killerr |
Help! I am being DoS'ed!
This page is setup to provide you a basic knowledge about Denial of Service attacks. And how to handle if you are the victim of such an attack. IRC is a great medium, being used daily by many thousands of ppl from all around the world. Unfortunally, being along those users are also ppl with a serious personality disorder, ppl wich like to take away your pleasure to chat with your online friends. Currently, these attacks to Efnet servers have lead to the close down of half the US servers within a single week. Other servers are setting up strict I-lines, only letting certain ISP’s connect.
DoS is a general name for a collection of attacks. Some well known attacks are Nukes and ping-floods. The trouble with DoS attacks is that even people with relatively slow connections can cause great harm to large networks with connection speeds that are much faster then the attackers connection. Websites like CNN.com and Amazon.com have been taken down by these types of attacks, and so have many IRC servers.
what are DoS attacks?
DoS attacks can be devided up into two basic categories, Operating System (OS) attacks, and Network attacks.
OS attacks make use of the vulnerability of the OS in question. Script kiddies continue to discover new holes in the security of all OS's, and make use of these holes to bring down the system. As such, a OS DoS attack for Windows 95 doesnt affect a Macintosh, and the other way around. Especially Windows OS's are well known to be funerable to OS attacks, the main reason being that Windows is used by the majority of users. And by nature, Windows users usually do not realise the security risks.
In most cases, OS attacks are performed from the attacker to you directly; IE, they are not performed over the IRC network. To help prevent these attacks, always have the latest patches for the OS you have installed. New holes in OS’s are known over the world in minutes, and new tools are often available to people without any technological knowledge (commonly called script kiddies) at the same time.
These attacks will usually result in your system crashing or rebooting, or simply causing one service to not respond until it is restarted, or the system is restarted.
The purpose of network attacks is to try to disconnect you from your ISP. They use misconfigured networks to perform the attacks. As such, downloading and installing patches for your OS dont help. Your system does not get damaged by these attacks. At worst you simply wont have access to Internet until the attack has stopped. A well known network attack is the icmp flood. The attacker sends a massive amount of ping data that your modem simply cant handle. This causes your connection to time out. Click is another attack frequently seen being used on IRC, this is sort of a fake Man-In-The-Middle attack, sending false data to both you and the server in the attempt to simulate major network problems.
what can you do against it?
First, do not try to take revenge, ever. Attacks are punishable by law in many countries, some countries even have imprisonment for years. Besides, starting a counter attack will only challenge the script kiddie in coming up with more attacks, or inviting his friends to join the "fun". Remember, no matter how good you think you are, there are people who are better, and attacking them could bring serious damage to your system(s).
If you have a changing host each time you connect to your ISP, its probally the best to disconnect, and connect again. Using a different nick this time they might not be able to find you again, and you can happily continue your chat with your friends.
If you are using a IRC network without a channel registration like Undernet and Dalnet have, these attacks might lead to your channel been taken over or losing ops. Networks without channel registration have the simple philosophy that whoever has ops, is the owner of the channel, and IRC opers will not interfere with channel politics. Some IRC networks like Efnet dont provide the opers with commands at all to reop you on your channel. Best thing to do, is making agreements with your channel visitors on what to do when these attacks take place, like joining #channelname2.
Always have the latest OS patches installed. New holes in a OS are known by attackers usually within minutes of being reported. And tools are being made by the few that have the knowledge how to perform those attacks, so every script kiddie with a personality problem can use them.
Running a firewall is always a good idea, especially for people that have permanent connection like cable or DSL. Don't expect a firewall to make you immune to all attacks. In the case of icmp floods the only real protection is having a faster connection then your attacker(s). Visualise this: your connection to the net is a river, and you use a firewall to filter out the particles in the water. But during an icmp flood, the unwanted particles highly outnumber the good water, and the effect is very little of the good water has a chance to get to the filter. Instead contact your ISP, they should have a decent firewall on their high-speed connections to the Net.
logging and reporting
As told earlier, DoS attacks are punishable by law. By reporting the attack to your ISP, and the attackers ISP, they will attempt to take apropiate actions. Unfortunally, these days getting thrown off an ISP means the attacker can easily go to another ISP (or use another stolen account), where he can continue his abusive behaviour. And not all ISP's feel they are responsible for what their customers do. Some countries have laws that forces ISP's to take action in these cases. In many cases it can not be known the attackers true ISP because he/she may use another network to perform the attack or he/she may be using a proxy relay. But you should still report the abuse to the system administrators where the attacks came from. If you take away the attackers tools, he can no longer attack you.
IRC ops often cant help either. First, most of these attacks dont take place over their IRC network, so they dont have any power to stop the attack. They might G or K-line the user from the IRC network, but it does not prevent the attack itself. Using a spoofed address the attacker can simply login using another address, and happily continuing his irritating behavior.
If the attacker is dumb enough to use his own address, you can find out what ISP he is using, and thus have the neccesary knowledge to get a email adres to send your firewall, and IRC logfiles to. Once you have his IP address (/dns nick, or from your firewall), goto websites that are setup for providing whois information. Specific whois information per continent: North and South America, Europe and Asia and Pacific and enter the IP address. Shortly after you will get the details for that ISP. Common adres to send reports and logfiles about abuse on Internet to is: [email protected]
|