
View Full Version : Server Attack Foiled


Jason Dunn
01-24-2005, 07:30 PM
If you were wondering what happened to our server this morning, it was under attack. 870 different computers were pounding our server with a known phpBB exploit (http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513) that we patched back in December. Unfortunately, the solution provided by the phpBB team didn't do anything to prevent the phpBB install in question from being overloaded with the requests. We've blocked the attacking computer in question and modified phpBB to essentially ignore such requests. Thanks to Jorj (http://www.dejavusoftware.com) and Fabrizio (http://www.fabriziofiandanese.com) for rescuing our server from the abyss. :-)

You know, this makes me wonder at what point the issue of personal liability comes into question - if my computer is attacking your computer, even if I don't know it, shouldn't I be liable for that in some way? If my dog attacks someone, I'm held responsible. If a piece of my roof falls off and kills someone, I'm responsible. I wonder if we'll start to see some legal action against users, or against software companies, related to issues like this?
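An added example, not from Jason's post or from phpBB itself: a defender's triage over Apache combined-format access logs that finds the pattern he describes (one script hammered by many distinct hosts at once, rather than one noisy client) and lists the source addresses for blocking or ISP contact. The log lines, the /forums/ path and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines; not from the original server.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2005:09:00:01 -0700] "GET /forums/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Jan/2005:09:00:02 -0700] "GET /forums/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Jan/2005:09:00:03 -0700] "GET /forums/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jan/2005:09:00:04 -0700] "GET /forums/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.8 - - [24/Jan/2005:09:00:05 -0700] "GET /forums/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Jan/2005:09:00:07 -0700] "GET /forums/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Jan/2005:09:00:09 -0700] "GET /forums/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Jan/2005:09:00:30 -0700] "GET /forums/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped
"""

# client IP, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path) for one line, or None if it is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path = target.split("?", 1)[0]  # query string dropped: the script is what matters
    return ip, when, path

def flood_sources(log_text, window=timedelta(minutes=1), min_sources=3, min_hits=5):
    """Scripts requested by many distinct clients inside one time window.

    Returns {path: sorted client IPs} for every (path, window) bucket with at
    least min_sources distinct clients and min_hits requests in total."""
    buckets = defaultdict(lambda: defaultdict(int))  # (path, slot) -> ip -> hits
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path = parsed
        slot = int(when.timestamp()) // int(window.total_seconds())
        buckets[(path, slot)][ip] += 1

    flagged = defaultdict(set)
    for (path, _slot), per_ip in buckets.items():
        if len(per_ip) >= min_sources and sum(per_ip.values()) >= min_hits:
            flagged[path].update(per_ip)
    return {path: sorted(ips) for path, ips in flagged.items()}

if __name__ == "__main__":
    for path, ips in flood_sources(SAMPLE_LOG).items():
        print(f"{path}: {len(ips)} distinct sources -> {', '.join(ips)}")
```

Raising min_sources filters out a single client that is merely busy, which is the distinction between an ordinary hot page and the distributed flood described above.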

entropy1980
01-24-2005, 07:34 PM
Take it a step further: couldn't Microsoft be liable in the first place for putting out software that has an exploit that allows it to become a zombie? Just playing devil's advocate! :devilboy:

Menneisyys
01-24-2005, 07:35 PM
You know, this makes me wonder at what point the issue of personal liability comes into question - if my computer is attacking your computer, even if I don't know it, shouldn't I be liable for that in some way?

Defending a computer from trojans / attacks is much harder and much more complicated (even for a seasoned user) than putting a muzzle on a dog / strengthening a roof. So, I don't think anyone should be liable for attacks he wasn't aware of. IMHO :)

pivaska
01-24-2005, 07:40 PM
If it is an unintentional attack, let's all be a little more professional and help each other work through the problem to the solution, like it was handled in this situation, and forget about who is liable for what. Professionalism rises above all of that.

Ed Hansberry
01-24-2005, 07:46 PM
You know, this makes me wonder at what point the issue of personal liability comes into question - if my computer is attacking your computer, even if I don't know it, shouldn't I be liable for that in some way?
There is no life-guard for the gene pool and there doesn't seem to be one for internet users. :? I am more convinced every day you need a license to get online just like you have a license to drive a car.

You could contact their ISPs. ISPs hate their users being zombies and attacking/spamming other users. They will take action to help the innocent or crush the intentional behind their network.

HTK
01-24-2005, 07:51 PM
If someone hijacks your car and runs over a bunch of people, are you responsible? I think that applies better to the case, but it is certainly an interesting and open topic of discussion.

karen
01-24-2005, 07:56 PM
Well, there are some aspects of existing legislation (I am not a lawyer) that may include such liabilities.

Certainly if you own a computer that is infected, you could be causing financial damage to other computers. And if your computer is attacking www.whitehouse.gov or the homeland security website, I wouldn't rule out a nice notice from your ISP that the FBI or RCMP has asked to have your computer taken offline.

However, legislators are horribly bad at crafting usable and enforceable laws and penalties.

For instance, as we speak California legislators are working on legislation that will pretty much make developers who work on software targeted at the sharing of messages or files illegal on the internet. This is due to their poor definition of P2P software.

>CA BILL CALLS FOR POTENTIAL JAIL TIME FOR P2P DEVELOPERS A bill
>introduced in California's Legislature last week has raised the
>possibility of jail time for developers of file-swapping software who
>do not stop trades of copyrighted movies and songs online. If passed
>and signed into law, the bill could expose file-swapping software
>developers to fines of up to $2,500 per charge, or a year in jail, if
>they do not take "reasonable care" in preventing the use of their
>software to swap copyrighted music or movies, or child pornography.
>Bill at http://cainducebill.notlong.com
>Coverage at http://news.com.com/2100-1028_3-5540937.html

I guess 'reasonable care' will be left up to a judge...very nervous here.

Their definition of P2P:

>"peer-to-peer file sharing software" means software that once installed
>and launched, enables the user to connect his or her computer to a
>network of other computers on which the users of these computers have
>made available recording or audiovisual works for electronic
>dissemination to other users who are connected to the network."

Sounds a lot like IE or Mozilla, eh?

Karen

karen
01-24-2005, 07:58 PM
If someone hijacks your car and runs over a bunch of people, are you responsible? I think that applies better to the case, but it is certainly an interesting and open topic of discussion.

Not so much if it's hijacked, but if you leave it running in front of the beer store, unlocked, you would be more liable.

K

Ed Hansberry
01-24-2005, 08:07 PM
If someone hijacks your car and runs over a bunch of people, are you responsible? I think that applies better to the case, but it is certainly an interesting and open topic of discussion.
Did you drive to a bad part of town, get out of your car and leave the door open with the keys running while you went into the local market to pick up some gum? I'd say in that case, yeah, the owner has some culpability.

Janak Parekh
01-24-2005, 08:17 PM
Defending a computer from trojans / attacks is much harder and much more complicated (even for a seasoned user) than putting a muzzle on a dog / strengthening a roof. So, I don't think anyone should be liable for attacks he wasn't aware of. IMHO :)
In this case, we're talking about owned servers, not workstations. In theory someone with some PHP knowledge set up this phpBB board and has just left it alone, even though it's probably been hacked several times over.

--janak

Kati Compton
01-24-2005, 08:20 PM
I'm normally against integrating things in the OS, like browsers or email clients. But I think the SP2 firewall and a virus-checker would be appropriate... That would solve a lot of the problems. Not all, but a lot.

As for punishing the owners of the zombie machines... I think it'd be difficult to word a law fairly, and that if a law were imposed, it'd end up being grossly misused...

GoldKey
01-24-2005, 08:31 PM
I think if someone is not at least somewhat current on their OS updates, and is running a virus scanner/firewall and has somewhat up to date definitions, they should be held liable. In fact, this liability situation is just the scare tactic I have resorted to using to get stubborn family members to pay more attention to what I have been telling them to do for years.

Just because it is complex does not forgive liability. To me, car repairs are complicated. But if I don't have my car periodically maintained (since I can't do it myself) I should be liable for what occurs.

Jonathan1
01-24-2005, 09:11 PM
See that’s the point where you get the Pocket PC Thoughts orbital defense platform to take the SOB out.
There is a smoking crater in downtown Iowa that just suddenly appeared. Why do I get this image of Jason with an Atari 5200 controller and a determined look on his face?!?! 8O

R K
01-24-2005, 09:16 PM
You could contact their ISPs. ISPs hate their users being zombies and attacking/spamming other users. They will take action to help the innocent or crush the intentional behind their network.

Is there an easy way to track down an ISP by IP address, or does one have to start making phone calls?

I tried using www.arin.net but I don't think that did the trick.

Jonathan1
01-24-2005, 09:28 PM
I think if someone is not at least somewhat current on their OS updates, and is running a virus scanner/firewall and has somewhat up to date definitions, they should be held liable. In fact, this liability situation is just the scare tactic I have resorted to using to get stubborn family members to pay more attention to what I have been telling them to do for years.

Just because it is complex does not forgive liability. To me, car repairs are complicated. But if I don't have my car periodically maintained (since I can't do it myself) I should be liable for what occurs.

Yah, but if a car was as inherently insecure as Windows we'd have premiums through the roof, not to mention breakdowns every 30 miles. That, and tell me why a user should be forced to install third party software to fix security issues in the OS. That's like saying the tires on your new off the line car could pop at any minute so you should go buy new ones immediately. The whole security thing on Windows is just one big racket. AV companies know they have the end user by their family jewels because no one in their right mind runs Windows without AV software, at least those who don't have a death wish for their system. As for patches: yah, in a perfect world it's as simple as install, reboot and you are done. Until an install goes horribly, horribly wrong. Like what happened to me in Dec. Had to rebuild my PC because a Windows update fragged Windows Update. Seriously. The Windows Update utility simply stopped working. I can't explain it, but after the reboot I went to install additional components and nothing. I did the troubleshooting, I went to support.Microsoft.com, I even called them up. Nothing fixed the problem.
So don't make it out like la la la la la...Oooo windows update. WEEEE!!! This will be easy.
When in actuality it's more like WINDOWS UPDATE!?!?! AHHHHHH Back everything up!!! DLT my files! Batten down the hatches! Backup the reg! ERD that sucker!! Brace for impact!!
*does his best captain Kirk flying over the railing impersonation*

OSUKid7
01-24-2005, 09:39 PM
Is there an easy way to track down an ISP by IP address, or does one have to start making phone calls?
Yes, once you know the IP address, it's typically very easy. First try a DNS lookup (nslookup in Windows), and if that doesn't work, try a whois site, since all IP addresses are sold and must be recorded.

Hmm, I'm still seeing some phpBB Critical Errors. :(

safelder
01-24-2005, 10:12 PM
If someone hijacks your car and runs over a bunch of people, are you responsible? I think that applies better to the case, but it is certainly an interesting and open topic of discussion.
Did you drive to a bad part of town, get out of your car and leave the door open with the keys running while you went into the local market to pick up some gum? I'd say in that case, yeah, the owner has some culpability.

Bingo. Were you negligent? And did your negligence cause the harm? If not, no liability. More specifically, did you owe a duty of care to somebody, did you breach that duty of care, were there damages, and did your breach cause the damages?

So it's not entirely true that you're liable if your dog attacks somebody. Nor is it entirely true that every dog gets one free bite.

It'd actually be an interesting argument that all Internet users owe a duty of care to all other Internet users, and a more interesting argument to see what, exactly, one would have to do or not do in order to breach that duty of care. Does the reasonably prudent person use anti-virus software? Updated daily? Weekly? Whatever the default is for automatic updates? Is the reasonably prudent person Bill Gates or my mom?

stlbud
01-24-2005, 11:12 PM
Well, there are some aspects of existing legislation (I am not a lawyer) that may include such liabilities.

>"peer-to-peer file sharing software" means software that once installed
>and launched, enables the user to connect his or her computer to a
>network of other computers on which the users of these computers have
>made available recording or audiovisual works for electronic
>dissemination to other users who are connected to the network."

Sounds a lot like IE or Mozilla, eh?

Karen

Or just about any operating system.

Bill B

ricksfiona
01-25-2005, 12:30 AM
If someone hijacks your car and runs over a bunch of people, are you responsible? I think that applies better to the case, but it is certainly an interesting and open topic of discussion.
Did you drive to a bad part of town, get out of your car and leave the door open with the keys running while you went into the local market to pick up some gum? I'd say in that case, yeah, the owner has some culpability.

Nope, someone STOLE that car. There is no law against stupidity, but theft is theft.

Jason Dunn
01-25-2005, 01:15 AM
I should probably be clear that I don't actually think people should be sued for not running Windows Update. ;-) But it does make for an interesting discussion, which is all I was hoping for.

Jorj Bauer
01-25-2005, 02:18 AM
I should probably be clear that I don't actually think people should be sued for not running Windows Update. ;-) But it does make for an interesting discussion, which is all I was hoping for.

I want to be there with you Jason, but more often than not I'm on the receiving end of this. I'm not sure if I want to raise public awareness by requiring better practices (whether that be through a typically nonfunctional mechanism such as litigation, or through an unproved and untried mechanism such as licensing), or if I want things to continue the way they are to keep my job interesting. ;)

jeffmd
01-25-2005, 02:49 AM
While a user may not be held responsible fully, I think a LAW needs to be made where a host that is getting attacked can legally tell someone's ISP to remove the offending computer's net access, at which point the user's computer needs to run a government or community sanctioned "cleaner".. something that will remove the backdoors and such, and when the program gives the user a clean bill of health, the user's net access can be reinstated. Also ISPs should simply drop repeat offenders who can't keep their computer from being infected.

This isn't a matter of someone stealing someone's car and running someone over. This is more like someone selling drugs out of your trunk, only you don't know it. Or you might know it but just don't care. Or like someone installing a device in your glove box that siphons anthrax into your exhaust. You should bear SOME responsibility for not having any common sense to investigate what that white smoke is that's coming from your tail pipe on a hot summer's day. ^^

safelder
01-25-2005, 02:54 AM
I should probably be clear that I don't actually think people should be sued for not running Windows Update. ;-) But it does make for an interesting discussion, which is all I was hoping for.

It's definitely an interesting question. You've actually got me thinking about a law review article. Any law students out there want to help me with research? Full byline credit if you do.

aroma
01-25-2005, 04:05 AM
Hmmm... how about MUCH stiffer penalties for the little pri**s that actually start the viruses and worms, instead of slapping them on the wrist and then offering them a six figure salary at a security firm.

isilver
01-25-2005, 05:08 AM
I know there are a few internet providers out there that will stop the offending computer that is causing the attack. Once the connection is disabled the customer then calls tech support and is informed that they need to install proper firewall/virus protection/windows updates. Until the customer complies the connection is not re-established.

Should the person be held liable, I don't think so. Should the customer be forced to resolve the issue before they are permitted to connect to the internet again, absolutely.

Darius Wey
01-25-2005, 01:00 PM
Hmmm... how about MUCH stiffer penalties for the little pri**s that actually start the viruses and worms, instead of slapping them on the wrist and then offering them a six figure salary at a security firm.

:rotfl:

Not *all* manage to secure a job though. These days, the penalties are becoming increasingly severe.

bjornkeizers
01-25-2005, 04:53 PM
I am more convinced every day you need a license to get online just like you have a license to drive a car.

I've said the exact same thing for the past five years. Some people do the stupidest things, unwittingly harming innocent people in the process.

See, if you want to say.. open a virus and infect your PC, fine - but don't send it to all your friends!!! And some people I know still insist on installing new icons or fish tank screensavers because 'it's free!!!!!!!!' - despite my warnings.

We really need to be protected from the stupid people. They're slowly killing the internet.

szamot
01-25-2005, 08:36 PM
If someone hijacks your car and runs over a bunch of people, are you responsible? I think that applies better to the case, but it is certainly an interesting and open topic of discussion.

Not so much if it's hijacked, but if you leave it running in front of the beer store, unlocked, you would be more liable.

K

By the same token, just because my wallet is sticking out of my pocket does not mean that you can just take it because the opportunity is there. The same goes for the car: once stolen, it is out of your hands. I live in a really nice hood, my foresight tells me that if I leave my car running no one will take it, but if some scum decided to steal it, well then he assumes the risk and the responsibility for his actions.

Ed Hansberry
01-26-2005, 02:10 AM
See, if you want to say.. open a virus and infect your PC, fine - but don't send it to all your friends!!!
Most people don't know they did. The virus sends itself automatically just by them opening it. This is why ISPs have started blocking outbound port 25, which is wrongheaded thinking to say the least. :(