[Raven] German programmer "Mixter" addresses cyberattacks

"chefren" <chefren@pi.net> Tue, 15 February 2000 00:01 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA26944 for <raven-archive@ietf.org>; Mon, 14 Feb 2000 19:01:24 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id SAA04310; Mon, 14 Feb 2000 18:14:29 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id SAA04278 for <raven@optimus.ietf.org>; Mon, 14 Feb 2000 18:14:27 -0500 (EST)
Received: from smtpe.casema.net (smtpe.casema.net [195.96.96.172]) by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA26201 for <raven@ietf.org>; Mon, 14 Feb 2000 18:15:56 -0500 (EST)
Message-Id: <200002142315.SAA26201@ietf.org>
Received: (qmail 30192 invoked from network); 14 Feb 2000 23:15:39 -0000
Received: from unknown (HELO system) (195.96.121.100) by smtpe.casema.net with SMTP; 14 Feb 2000 23:15:39 -0000
From: chefren <chefren@pi.net>
To: raven@ietf.org
Date: Tue, 15 Feb 2000 00:15:37 +0100
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Priority: normal
X-mailer: Pegasus Mail for Win32 (v3.11)
Subject: [Raven] German programmer "Mixter" addresses cyberattacks
Sender: raven-admin@ietf.org
Errors-To: raven-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Raven Discussion List <raven.ietf.org>
X-BeenThere: raven@ietf.org

Comment at the end...

= =


This NEWS.COM (http://www.news.com/) story has been sent to you from chefren@pi.net

German programmer "Mixter" addresses cyberattacks
By Stephen Shankland
February 14, 2000, 12:35 p.m. PT
http://home.cnet.com/category/0-1005-200-1549399.html

      The federal investigation into last week's attacks on major Web sites has reportedly turned to at least one anonymous programmer believed to have written software that may have been used in the assaults.  

  A programmer known only as "Mixter," who says he resides in Germany, has not been publicly accused in any of the cases and denies any responsibility for the "distributed denial of service" (DDoS) attacks. Mixter is part of a small group of underground programmers who say they create assault 
technologies that can be used in testing to improve Internet security.   

  The recent attacks have renewed controversy over this practice, raising questions about whether these programs increase the potential for misuse when they are posted publicly online. In an interview Wednesday with CNET News.com at the height of last week's shutdowns, Mixter explained his 
actions and philosophy on technological security.  

  CNET News.com: Were you in fact the author of the attack tools? (Several  versions of the attack tools exist, including Tribe Flood Network, its  sequel TFN2K, Trinoo and Stacheldraht.)
    Mixter: I am in fact the author of the programs called TFN and TFN2K, but not of Trinoo. The original Trinoo was made some months earlier than the first TFN, but unlike TFN, (it's) not distributed publicly...Stacheldraht isn't written by me. There have been many false rumors about this. There 
is another German hacker who goes by the name "Randomizer" who wrote that one.  

  Why did you write the software?
    I first heard about Trinoo in July '99, and I considered it as interesting from a technical perspective, but also as potentially powerful in a negative way. I knew some facts of how Trinoo worked, and since I didn't manage to get Trinoo sources or binaries at that time, I wrote my own server-
client network that was capable of performing denial of service; later that month I published a working version of TFN on a handful of security sites to make the information public and generate awareness of the issue. The original Trinoo and other distributed tools existed since 1998.  

  Were you involved directly or indirectly in any of the recent high-profile attacks on Yahoo, eBay, CNN, Buy.com or Amazon?
    No. The fact that I authored these tools does in no way mean that I condone their active use. I must admit I was quite shocked to hear about the latest attacks. It seems that the attackers are pretty clueless people who misuse powerful resources and tools for generally harmful and senseless 
activities just "because they can."  

  What is your real name?
    I really prefer not to give you my real name. On the one hand it is a sad fact that many, many people have a bad opinion of anyone involved with "this strange hacking stuff" and that they make no distinction between pointing out security weaknesses and exploiting them, and on the other hand, 
I'm using my handle, Mixter, because I do believe in privacy, and I simply want to keep my privacy on the Net, like many other nonmalicious people who care about security do.  

  What is your occupation?
    I finished school approximately half a year ago, and I have been getting some offers from security companies since then. However, due to personal issues I haven't yet been able to start employment, but I will probably be going to work in the area of source code security auditing, where I 
will have great potential for improving both my knowledge and network software.  

  How difficult is it to write the distributed denial of service attack tools?
    Not very difficult. The main concept is simply the client-server concept present in almost all Internet applications. Packet flooding and similar attacks are publicly known and available and can easily be implemented. When it comes to implementing stealth features, it might get a bit 
trickier. But factually, DDoS tools just make an old concept easier. Before DDoS, an attacker would just have to log on to every compromised machine, (then start) a flooding tool from each machine against the target.  

  How difficult is it to take over a sufficient number of computers to mount a distributed denial of service attack large enough to take down Yahoo?
    Unfortunately, it is quite easy. It is safe to assume that all of the flood servers are installed on hosts compromised through vulnerabilities that are publicly known, rather old, and can easily be patched. Most attackers use automated...scripts to do long-range scans for known 
vulnerabilities. This procedure can take some time, but the concept is really easy. They also do this from compromised and specially modified machines to be sure that their origin cannot be traced back.  

  How many computers would you estimate were used in the Yahoo attack?
    The amount they need depends. It isn't only the number, it is the bandwidth of each of these. From what I've heard from security mailing lists, attackers have already compromised Internet2 and other high-speed machines.  

  Given that TFN2K uses master and slave computers and encrypted communications channels, how difficult is it to find out who originally sent the order to attack?
    Remote detection is practically impossible unless the attack goes on for a timed amount of days. In that case, if all backbone providers would cooperate and monitor their routers, the origin of some of the "slave" servers could be tracked. That was a point I wanted to prove.  

  Since the other existing DDoS tools weren't totally anonymous and untraceable, I saw the possibility that security people would waste their time trying to find ways to track the attacker, while the DDoS tools would sooner or later become sophisticated enough to make this impossible. There is still the chance of finding attackers if they aren't extremely careful and leave traces on the compromised hosts or manipulate and damage things on the compromised hosts enough so that the administrator detects them locally.  

  Do you know if TFN or Trinoo were used in the Yahoo, eBay, Amazon, CNN or Buy.com attacks, or was it other software?
    I'm pretty sure a tool derived from TFN and/or Trinoo was used. Currently, many people seem to be modifying those tools, or developing new, similar ones, and keeping them private. This is because when a program is publicly known, people have a chance of identifying it locally when it is installed on their server by searching for binary patterns, as the FBI (National Infrastructure Protection Center) proved. This is basically the Trojan/virus problem, where antivirus vendors continuously bring out updated scanners, and virus authors continuously bring out new or modified viruses.  

  Anything else you'd like to say?
    I'd like to remind people that the real problem is the insecurity of the huge amount of servers, and not the people that are exploiting it. If security companies and governments are starting a "hunt" against the people they call "hackers," they might succeed in tracking and persecuting some 
of them, but the real problem remains: Everyone who can manage to learn a handful of Unix commands and to set up a tool can commence DDoS attacks, as long as the overall Internet security is as bad as it is now.  

  I found it really disturbing and scary when I read that President Clinton is intending to dedicate $240 million for the sole purpose of wiretapping and domestic surveillance. In my opinion, no amount of denial of service attacks or computer intrusions could ever cause a comparable amount of 
money to be lost in the future. Additionally, such methods and laws can easily be circumvented by malicious people using compromised systems to relay through a number of encrypted channels and are therefore affecting everyone except the people they are intended against.  

  

-------------------------------------------------------

(Pretty clueless ideas regarding a society as far as I see 
it. It's simply not acceptable for a lawful society that 
vandals can produce damage worth millions of dollars 
without much chance of getting caught.)


It might well be that just tapping personal or business 
communication won't be enough to stop digital vandalism in 
the near future and police need a view of the traffic 
like they can look at number plates of cars in a city...  

Oops! The net really starts growing up with both pain and 
joy...

+++chefren


p.s. I still think Raven might mark the point in time IETF 
lost the guidance of Internet standards. I don't expect 
IPv6 to take off as we know it (maybe via UMTS with 
absolute(!) addresses), I expect a 5-10 year "standards" 
vacuum without a lot of new things and after that some form 
of government by UN/ETSI or even a new UN guided agency.


_______________________________________________
raven mailing list
raven@ietf.org
http://www.ietf.org/mailman/listinfo/raven
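The interview above makes one concrete technical point that is worth seeing in code: a publicly known DDoS agent can be found on a compromised host by scanning its filesystem for fixed byte patterns, and a trivially modified build of the same agent slips past the same patterns. The following is an added example written for this archive page; it is not code from Mixter, from the NIPC scanner the interview mentions, or from the list. The signature names, the byte patterns and the three sample "binaries" are all constructed for the example and are not the real TFN, TFN2K, Trinoo or Stacheldraht strings.

```python
"""
Host-side scan for known DDoS agent binaries by byte pattern.

Shows both halves of the cat-and-mouse problem described in the interview:
a published tool is caught by a fixed-pattern scanner, while the same tool
with its identifying strings renamed is not.

All signatures and sample files below are constructed for this example.
"""
import os
import tempfile
from typing import Dict, List

# Constructed signatures: name -> byte patterns that must ALL occur in a file.
# Requiring several patterns per signature keeps false positives down; a single
# short string would match far too many unrelated binaries.
SIGNATURES: Dict[str, List[bytes]] = {
    "hypothetical-flooder-v1": [b"flood_target_list", b"udp_spam_loop"],
    "hypothetical-agent-v2": [b"agent_heartbeat", b"icmp_echo_control"],
}


def scan_bytes(data: bytes, signatures: Dict[str, List[bytes]] = SIGNATURES) -> List[str]:
    """Return the names of all signatures whose patterns every occur in data."""
    return [name for name, patterns in signatures.items()
            if all(p in data for p in patterns)]


def scan_file(path: str, signatures: Dict[str, List[bytes]] = SIGNATURES) -> List[str]:
    """Scan one file. The whole file is read at once; a chunked reader would
    need overlap handling so a pattern straddling two chunks is not missed."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def scan_tree(root: str, signatures: Dict[str, List[bytes]] = SIGNATURES) -> Dict[str, List[str]]:
    """Walk a directory tree and map each matching path to its signature hits.
    Unreadable files (permissions, special files) are skipped, not fatal."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                hits = scan_file(path, signatures)
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed sample "binaries" (a fake ELF header followed by strings).
ELF_STUB = b"\x7fELF" + b"\x00" * 16
SAMPLE_ORIGINAL = ELF_STUB + b"flood_target_list\x00udp_spam_loop\x00"
# Same agent with identifying strings renamed, as the interview says attackers
# now do to keep their private builds off the public scanners.
SAMPLE_MODIFIED = ELF_STUB + b"fl00d_t4rget_list\x00udp_sp4m_loop\x00"
SAMPLE_BENIGN = ELF_STUB + b"hello world\x00"


def demo() -> Dict[str, List[str]]:
    """Write the three samples into a temp dir, scan it, and return the hits
    keyed by file name. Only the unmodified agent is expected to be found."""
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("agent", SAMPLE_ORIGINAL),
                           ("agent2", SAMPLE_MODIFIED),
                           ("ls", SAMPLE_BENIGN)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        return {os.path.basename(p): hits for p, hits in scan_tree(d).items()}


if __name__ == "__main__":
    for fname, hits in demo().items():
        print(f"{fname}: {', '.join(hits)}")
```

The scan finds the unmodified sample and nothing else, which is exactly why Mixter expects private, modified builds to be used in practice: pattern scanning only ever catches what the signature author has already seen. A host that is actually suspected of running an agent still needs the local checks the interview mentions (unexplained listening sockets, altered system binaries, odd processes), not just a string match.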