Berkeley CSUA MOTD:Entry 17494
2000/2/11-13 [Computer/Networking, Computer/SW/Security] UID:17494 Activity:very high
2/11    Why can't they stop all these DoS with a simple TCP source quench? My
        understanding is that if the incoming data rate passes a certain
        threshold, you can simply ask the upstream sender to slow down or
        drop packets. So why don't the end points just do this so that the
        systems don't go down?
        \_ But then if that's true and the upstream sender starts dropping
           packets, it will still appear the same to the clients that the
           server has crashed.  The effect is the same.  Right?  -- yuen
           \_ Sort of, my understanding is that you can do a source quench
              on one or more source IP's, so when you send a quench the
              message propagates all the way back to the source. When
              the routers closest to the source start dropping, it will look
              like (from the source's perspective) the destination
              has gone away. Other source IP's won't be affected.
              \_ Source quench idea doesn't work necessarily because the
                 idea of source quench assumes that the sending host is
                 co-operative, not hostile.  When the sending host has
                 been root compromised, the compromise could change the
                 behavior to make it ignore source quench requests.
                 Also, a lot of the source IPs are being spoofed, so you
                 don't even know who the real sources are.
        \_ The attacks are a lot more complicated than just "send lots of
           packets to yahoo".  -tom
           \_ So where can I get a description about how these attacks work.
              And I'm not looking for the garbage in the general press.
                \_ http://www.securityfocus.com
                \_ http://staff.washington.edu/dittrich/misc/tfn.analysis
              \_ http://staff.washington.edu/dittrich
                  Look in the papers where he analyzes trinoo, tfn and
                  stacheldraht. Best analysis of them I have seen. -ausman
                \_ while (1) { httpget("yahoo.com"); }     And now you know!
                   \_ This is hardly untraceable since your IP will show up
                      in access_log. My understanding is that the attacks
                      have been untraceable, so they must involve header
                       rewriting or session hijack or something.
                       \_ No.  _someone's_ IP appears in the log.  Who is to
                         say httpget() isn't mushing the IP or using a proxy
                         or doing a million other things?
        \_ The problem with DoS attacks is not that they're crashing the
            machines, but that they're preventing normal users from accessing
            the service.  Your suggestion does nothing to change this.
            \_ If you or your upstream routers block/quench based on the
               sending rate of a source IP, then you could filter the DoS
               traffic (high incoming rate) and still allow most normal
                users (low incoming rate) to connect. I think that it is an L3
               analogy to the hammer filters in some ftp servers.
                \_ Except that many of the attacks consist of a low incoming
                   rate per IP address from thousands of different addresses.
                   Telling real traffic from attack is harder than you think.
        \_ Pull network cable, sell stock, go home.
                \_ Wrong order!
                        \_ You want to sell at the high moments before it
                           crashes to make sure you soak it for every last bit.
                           After all, who knows better when it's going down
                           than you?  It'll take a while for others to notice.
        \_ I opened a joint broker account with my girlfriend and placed $1000 in
           it, telling her that whatever is in it when engagement comes would be
           the price of her diamond ring.  GE didn't go fast enough for her, so
           we went into Checkpoint Software, and it went from $1000 to $4000
           in 4 months, and has been going through the roof since the DoS
           attacks.  Do you think my girlfriend might be involved?
                \_ She hired me to do it.  I get half the account, she gets
                   the other half for her ring.  Expect it to continue upwards
                   until you're engaged.
                   \_ I knew she was involved!  I once suggested to her that
                      instead of a diamond ring, I can give her a super cool
                      Sun workstation.  To my surprise, even though she is a
                      nerdy (but very beautiful, in my opinion) computer
                      science student, she didn't like the idea very much.
                      If you can convince her otherwise, it would be a great
                      favor for me!
                      \_ She is much smarter than you think. Diamonds are
                         forever. Sun workstations become obsolete.
                         She also realizes that you may in fact wish to
                         fondle the sun hardware instead of twiddle her bits.
                         And when the workstation becomes old, Sun allows
                         you to trade it in for a newer model, perhaps giving
                         you certain ideas she finds threatening.
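As an added illustration of the rate-filter exchange above (not part of the MOTD thread), this constructed simulation applies the per-source-IP rate threshold proposed in the thread to two attack shapes with the same aggregate rate: one flooding host, and thousands of hosts each sending below the threshold. The addresses, host counts and rates are invented for the example.

```python
# Constructed traffic model for the per-source rate filter discussed above.
# Every source sends at a fixed packets-per-second rate for the whole window;
# the addresses, counts and rates are invented for the example.
LEGIT_USERS = 50        # ordinary clients, low rate each
BOTNET_HOSTS = 5000     # "thousands of different addresses", low rate each
WINDOW_S = 10

def build_sources(scenario: str) -> dict:
    """Return {source_ip: (pps, is_attack)} for one of two scenarios that
    deliver the same 2000 pps of attack traffic in total."""
    sources = {f"10.1.{i // 256}.{i % 256}": (0.5, False) for i in range(LEGIT_USERS)}
    if scenario == "single":            # one hostile host hammering the server
        sources["198.18.0.1"] = (2000.0, True)
    elif scenario == "distributed":     # 5000 hosts at 0.4 pps each
        for i in range(BOTNET_HOSTS):
            sources[f"198.18.{1 + i // 256}.{i % 256}"] = (0.4, True)
    else:
        raise ValueError(scenario)
    return sources

def apply_rate_filter(sources: dict, limit_pps: float) -> dict:
    """Block every source whose observed rate exceeds limit_pps (the
    'quench/filter by sending rate' rule) and report what got through."""
    stats = {"legit_total": 0.0, "legit_passed": 0.0,
             "attack_total": 0.0, "attack_passed": 0.0}
    for pps, is_attack in sources.values():
        kind = "attack" if is_attack else "legit"
        packets = pps * WINDOW_S
        stats[f"{kind}_total"] += packets
        if pps <= limit_pps:                # under the threshold: admitted
            stats[f"{kind}_passed"] += packets
    return stats

def attack_fraction_passed(stats: dict) -> float:
    """Share of admitted traffic that belonged to the attack."""
    admitted = stats["legit_passed"] + stats["attack_passed"]
    return stats["attack_passed"] / admitted if admitted else 0.0

if __name__ == "__main__":
    # Any threshold below 0.5 pps would also block the legitimate clients, so
    # no single per-source limit separates the distributed case from them.
    for scenario in ("single", "distributed"):
        stats = apply_rate_filter(build_sources(scenario), limit_pps=5.0)
        print(scenario, stats, f"attack share of admitted: {attack_fraction_passed(stats):.0%}")
```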
Cache (2428 bytes)
staff.washington.edu/dittrich/misc/tfn.analysis
Fingerprints
------------
As with trinoo, the method used to install the client/daemon will be the same as installing any program on a Unix system, with all the standard options for concealing the programs and files. Both the client and the daemon must be run as root, as they both open an AF_INET socket in SOCK_RAW mode. The client program requires the iplist be available, so finding a client will allow you to get the list of clients. Recent installations of TFN daemons have included strings that indicate the author is (or has) added Blowfish encryption of the iplist file. This will make the task of determining the daemons much harder.

Strings embedded in a recently recovered TFN daemon binary (edited and rearranged for clarity, with comments to the right) are:
------------------------------------------------------------------------------
blowfish_init blowfish_encipher blowfish_decipher      Uses Blowfish for encryption of something.
------------------------------------------------------------------------------

The initial packet has a sequence number of zero (seen as bytes 7 and 8 in the ICMP packet), which is incremented for each further packet sent in sequence. This is to prevent the kernel on the daemon system from replying with an ICMP_ECHOREPLY packet. The daemon then responds (if need be) to the client, also using an ICMP_ECHOREPLY packet. The payload differs with TFN, as it is used for sending command arguments and replies. The ICMP_ECHOREPLY id field contains the "command" (16 bit value, converted to network byte order with htons() in the code) and any arguments in ASCII clear text form in the data field of the packet. The daemon responds with the command reply 0x007B (decimal 123) in the id field, followed by a sequence number of 0x0000, followed by the NULL terminated ASCII string "shell bound to port 12345\n". This string is then echoed to the shell by the client, with the daemon's IP address prepended.

Defenses
--------
Because the programs use ICMP_ECHOREPLY packets for communication, it will be very difficult (if not impossible) to block it without breaking most Internet programs that rely on ICMP. The Phrack paper on LOKI states: The only sure way to destroy this channel is to deny ALL ICMP_ECHO traffic into your network. Short of rejecting this traffic, it will instead be necessary to observe the difference between "normal" use of ICMP_ECHO and ICMP_ECHOREPLY packets by programs like "ping". This will not be an easy task, especially on large networks.
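The monitoring suggested in the Defenses paragraph, as an added example that is not part of Dittrich's analysis or the MOTD thread: the monitor pairs each inbound ICMP echo reply with the echo request it answers and reports replies that answer nothing, singling out the daemon reply described above by its 0x007B id and string. The packet builder and the sample capture are constructed for the example; a real deployment would feed decoded ICMP headers from a capture library instead.

```python
import struct

ICMP_ECHOREPLY, ICMP_ECHO = 0, 8
TFN_REPLY_ID = 0x007B   # daemon reply marker quoted in the analysis above

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a packet whose checksum
    field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed test packet: type, code 0, checksum, id, seq, then payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(pkt: bytes) -> dict:
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": pkt[8:], "csum_ok": icmp_checksum(pkt) == 0}

def detect_unsolicited_replies(events: list) -> list:
    """events: ("out"|"in", packet) pairs in time order for one monitored host.
    A legitimate ECHOREPLY answers an earlier ECHO with the same (id, seq);
    any inbound reply without one is reported, and the TFN daemon reply
    described above is singled out by its id and string."""
    outstanding, alerts = set(), []
    for direction, pkt in events:
        p = parse_icmp(pkt)
        if direction == "out" and p["type"] == ICMP_ECHO:
            outstanding.add((p["id"], p["seq"]))
        elif direction == "in" and p["type"] == ICMP_ECHOREPLY:
            key = (p["id"], p["seq"])
            if key in outstanding:
                outstanding.discard(key)            # normal ping round trip
            elif p["id"] == TFN_REPLY_ID and p["data"].startswith(b"shell bound to port"):
                alerts.append(("TFN daemon reply fingerprint", p["id"], p["seq"]))
            else:
                alerts.append(("echo reply with no matching request", p["id"], p["seq"]))
    return alerts

# Constructed sample capture: a normal ping exchange, an unsolicited reply shaped
# like the daemon reply quoted above, and a stray reply to a request never sent.
PING_PAYLOAD = b"\x00" * 8 + bytes(range(48))
SAMPLE_EVENTS = [
    ("out", build_icmp(ICMP_ECHO, 0x1234, 1, PING_PAYLOAD)),
    ("in", build_icmp(ICMP_ECHOREPLY, 0x1234, 1, PING_PAYLOAD)),
    ("in", build_icmp(ICMP_ECHOREPLY, TFN_REPLY_ID, 0, b"shell bound to port 12345\n\x00")),
    ("in", build_icmp(ICMP_ECHOREPLY, 0x1234, 7, PING_PAYLOAD)),
]
```

Running `detect_unsolicited_replies(SAMPLE_EVENTS)` reports the fingerprinted daemon reply and the stray reply, and nothing for the genuine ping round trip.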