#6740 15/01/03 10:10 PM
gw1500 (OP)
Pikka bird
Joined: Dec 2002
Posts: 11
Does anyone know what steps are being taken to find and stop the perpetrators of these DoS attacks? Is there some flaw they are exploiting in the protocol that makes them pick on IRC rather than some other higher visibility servers? I know Yahoo! had an attack some time ago but it only took a couple of days to stop the attacks. IRC attacks apparently have been going on for over a month now. I assume there are traces being run to track down the perps but how are they able to hide so well? On the other hand I guess if someone publishes that answer it might give rise to more attacks.

I'm not a network security expert but I do find these security problems interesting.

#6741 16/01/03 12:01 AM
Fjord artisan
Joined: Dec 2002
Posts: 395

#6742 16/01/03 12:42 AM
gw1500 (OP)
Pikka bird
Joined: Dec 2002
Posts: 11
Cute explanation but I was more interested in possible solutions. From an academic perspective anyway. For example, if it is a virus, why not change connection ports, at least temporarily? It would require a replacement virus to use the new ports and that would at least buy some time. One possible solution might be to develop some kind of connection algorithm that allows an automatic rejection of an IP address that makes too many connection attempts, by interacting with a firewall. The DoS attacks would then be handled by a system that is designed for such attacks.
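
One way to implement the per-IP rejection scheme proposed in the post above, as an added example that is not part of this thread or of mIRC: it tallies connection attempts per source address in a sliding window and reports which addresses should be handed to the firewall for a temporary block. The log format, the thresholds and the firewall hand-off are assumptions made for illustration.

```python
# Added example, not from this thread; log format and thresholds are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one "<timestamp> CONNECT <ip>" line per attempt.
# 192.0.2.10 hammers the server; 198.51.100.7 is a normal user reconnecting.
SAMPLE_LOG = """\
2003-01-16 00:42:00 CONNECT 192.0.2.10
2003-01-16 00:42:01 CONNECT 198.51.100.7
2003-01-16 00:42:01 CONNECT 192.0.2.10
2003-01-16 00:42:02 CONNECT 192.0.2.10
2003-01-16 00:42:03 CONNECT 192.0.2.10
2003-01-16 00:42:04 CONNECT 192.0.2.10
2003-01-16 00:42:30 CONNECT 198.51.100.7
2003-01-16 00:43:10 CONNECT 192.0.2.10
"""

def parse_line(line):
    """Split one log line into (timestamp, source ip)."""
    stamp, _, ip = line.rsplit(" ", 2)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), ip

def find_floods(log_text, max_attempts=5, window_s=10, block_s=60):
    """Return [(ip, timestamp)] for every IP making max_attempts or more
    attempts inside a window_s sliding window; each is reported once per block_s."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked_until = {}            # ip -> time its firewall block expires
    actions = []
    for line in log_text.splitlines():
        ts, ip = parse_line(line)
        if ts < blocked_until.get(ip, ts):
            continue              # firewall already drops this source
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()    # drop attempts older than the window
        if len(attempts) >= max_attempts:
            blocked_until[ip] = ts + timedelta(seconds=block_s)
            actions.append((ip, ts))
            attempts.clear()      # start counting afresh after the block
    return actions

if __name__ == "__main__":
    for ip, when in find_floods(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} block {ip} (would be pushed to the firewall)")
```

The returned list is the set of block decisions an operator would feed to the firewall; the example only decides, it does not touch any firewall itself.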

#6743 16/01/03 01:42 AM
Ameglian cow
Joined: Dec 2002
Posts: 33
Even if you block everything, they are still sending gigabytes of data down the connection which has to be processed by something eventually, displacing bandwidth for legitimate connections. Falsified IPs make this problem even more difficult to deal with.
(If ISPs out there would just block outbound traffic that is obviously fake it'd make things soo much easier)

#6744 16/01/03 02:49 AM
Hoopy frood
Joined: Dec 2002
Posts: 2,985
They are just mini IRC clients (usually only a few KB in size) that propagate via a website set up to automatically infect a user when the site is visited.

One recently experienced by my network was Lipreffs.Worm which I understand to be primarily set up to hammer the security related website http://grc.com/ yet that trojan also has a client which 'follows' your mIRC (I don't know how but it does) to the server you connect to, effectively being a second connection. It doesn't join any rooms but DOES advertise via /msg to anyone joining any of the rooms you are present in. The setup is quite clever but very destructive. There are at least 7 Geocities websites that I know of that are infected with this trojan and possibly dozens more that I don't know about because whoever has rebirthed this trojan means business. They want to nail GRC again.

The Dalnet problem is a bit similar but uses a trojan called ROL.vbs or a similar infection. It simply infects your mIRC directory with a bad text file which can (depending on the version) either just advertise itself, which invariably lures more chatters to the be-trojaned website, or can contain flood scripts, a botnet script where via a socket you are joined to some distant IRC server without any knowledge of doing so and you join a channel where the master is. When enough infected people join his channel he can control the potentially 1000s of bots and can command them to join any server on any network and flood any channel he likes or just simply flood a server with useless /server and /quit commands until the server says "I've had enough" and crashes.

My network was attacked a while back by someone wanting to set up a botnet channel. Shame this network doesn't allow users to make their own room, they have to be applied for, which is probably why we enjoy a comparatively increased level of peace and quiet. The senior admin told me there were around 2500 unique connections. It doesn't sound a lot and it's about half of what Dalnet have experienced (quoting from their website) but 2500 connections every few seconds does place a big load on a server.

Is it easy to stop them connecting? Yes, in time it is.
Is it easy to stop them trying to connect? It can be but not always. You need nous, teamwork and the will to do it.

Networks will of course be affected differently. It depends on the money spent on equipment, the size of the connection, the software used and the features the software contains.

Who's next to cop a hammering from the flooders? Well both here and on several IRC related websites it has been noted and predicted that all the big networks are potential targets because the bigger the trophy the better the flooders will feel. That's understandable. Can another network's pending demise be prevented? Only the man upstairs knows the answer to that one. It will depend on how well the rest of the IRC community is prepared to try and stop it happening. For this to happen they MUST ACT NOW and plan for an attack even if it never happens.

What networks have been attacked in the last year? Heaps. Dalnet, Efnet, Austnet, Webnet, Telstra, and scores of others have been nailed and I mean nailed hard. Dalnet was the biggest of those though and is probably the main reason for the continued attacks. There's a report on IRCnews about infighting among Dalnet opers. If this is happening they will have to pull themselves together and work as a united front or the network will die.

Can the culprits be caught? Yes but the only chance of that happening is if they get complacent and 'slip-up' somewhere. They are obviously disguising their bona-fides when making the infectious websites. If they achieve this then they get off scot-free, simple. To be truthful, while it is a perfectly reasonable thing to try and track down the villains I personally think it is a waste of time and resources. Putting the resources into making the network infrastructure more resilient to attacks, therefore giving the users a more stable network, is a better option. To be frank, I don't think either Dalnet owners or the chatters there care anymore about it being part of the Big 4. Just existing should be the main priority.

#6745 16/01/03 03:23 AM
gw1500 (OP)
Pikka bird
Joined: Dec 2002
Posts: 11
Excellent reply. Thank you for spending the time to explain it. Since some of this comes from infected IRC clients, do normal anti-virus (McAfee, et al.) programs not detect them? If not, why not? If so, how can those who do not have/use antivirus software tell if they are infected? If there is a concerted effort by IRC users to disinfect themselves, would that not be a major help?

#6746 16/01/03 03:41 AM
Hoopy frood
Joined: Dec 2002
Posts: 2,985
All good AV programmes now detect Lipreffs.Worm and Rol.vbs and they also detect others as they become known to the AV companies. I use Inoculate IT which I think is better than Norton's, though Norton have an excellent awareness/security related website. You can never have too much information I reckon.

The sad reality of this whole situation is that if people obeyed advice not to visit websites that are mass-advertised (most often via /msg or /notice) then it would be unlikely that any network would get attacked. I will soon be updating my own website with a swathe of new info about how to prevent being infected but the old adage holds true...

You can lead the horse to the water but you can't make it drink.

#6747 16/01/03 03:45 AM
Hoopy frood
Joined: Dec 2002
Posts: 2,985
Falsified IPs make this problem even more difficult to deal with.

This is the big problem though. The IPs aren't falsified. They are genuine internet connections without being proxied, spoofed, etc. Detecting the movements of trojans is not easy either.

mIRC will issue /server wherever.whatever
rol.vbs will issue /server wherever.whatever
Misc trojan will issue /server wherever.whatever

All look the same visually and from the eyes of a computer.

#6748 16/01/03 05:20 AM
Hoopy frood
Joined: Dec 2002
Posts: 3,127
To add to Watchdog's excellent reply, equally sad is that many users simply don't care. Add the many who, if they use antivirus software, don't keep it updated. Others don't avail themselves of good free online scanners. They just merrily wander the various networks clicking and downloading and spreading the problem around in spite of the efforts many networks, help channels, and websites have made to educate them to the dangers.

Yes, a concerted effort by users would make a huge difference.

ParaBrat @#mIRCAide DALnet

#6749 16/01/03 06:28 AM
Ameglian cow
Joined: Dec 2002
Posts: 27
Don't forget to post the URL to fix the IE exploit used by rol.vbs and affiliated programs.
IE exploit fix

#6750 16/01/03 01:11 PM
Hoopy frood
Joined: Dec 2002
Posts: 2,985
Good point! As a rule I visit my AV site once every two days and update if there's an update available. I have Windows set to download and install Windows and IE updates automatically and I always use the latest versions of all software or currently supported versions to avoid (or help avoid) the possibility of exploits hanging around for too long.

I'm behind a gutsy firewall but you can't be too careful... grin