Re: Denial of Service, Good for AS/400? -- MIDRANGE-L

Just want to add that the packets sent to servers that was hit contained
protest like free kevin mitnick and that the internet should be free (also
from zdnet)

Paolo
----- Original Message -----
From: "Blair Wyman" <wyman@vnet.ibm.com>
To: <MIDRANGE-L@midrange.com>
Sent: Friday, February 11, 2000 12:15 PM
Subject: Re: Denial of Service, Good for AS/400?


> WinXX has been called "The Petri Dish of the Internet."  Everyone loves
> to hate B.G., and they express their feelings by writing viruses to
> crash boxes running his software.  (Personally, I think it's just
> "billionaire-envy," but I'm no psychiatrist.)
>
> And WinXX is *notoriously* easy to crash!
>
> Remember "winnuke" from a few years back?  Until M$ released their
> "fix," a very short Perl script could crash any WinXX box connected to
> the 'net, given it's name or IP address.  All the script had to do was
> connect to the target box on port 139, send so-called "out of band"
> (MSG_OOB) TCP data, and <plonk> -- instant BSOD.
>
> Excerpts from midrange-l: 10-Feb'00 Re: Denial of Service
>
> > [...]hard to fight something that you cannot see...specially if its
> > coming from multiple places (from what Zdnet say at least 1000+ pc s
> > attacked at the same time...its intimidating to think that you have
> > 1000+ hackers doing this from all over the world conducting this attacks
> > simultaneously.....
>
> What got me started on this thread was this expressed fear -- that
> thousands of hackers had suddenly banded together to simultaneously
> wreak some havoc.  On the contrary, even though thousands of machines
> might have been involved, I'm confident the attack could have been
> perpetrated by a lone cracker.
>
> From the little bit of news I've heard on the recent DoS attacks (sounds
> like the feds are keeping the details fairly close to their bureaucratic
> vests -- and even leveraging the general ignorance by saying they're
> playing "catch up", and that it'll take them more money for them to
> figure it out ;-) it sounds like the attacks could easily have been
> perpetrated by a *lone* cracker.  All the cracker would need would be a
> database of the addresses of machines known to be infected with the
> NetBus or BackOrifice programs.   This database would be easily
> compiled, given the subnet scanners in these programs.
>
> By way of background, NetBus and BackOrifice are something like "trojan
> horse" programs that are surreptitiously loaded on a WinXX machine and
> started at boot-up.  They can be attached to innocous programs or even
> legitimate programs from illegitimate sources, and can install
> themselves silently.  Once installed, for the most part they sit quietly
> and consume very little (if any) CPU.  AFAIK, they don't even show up on
> the 'process' list on WinXX.
>
> All that these programs do is "listen" on some TCP port (12345, 12346
> and 31337 are ones I'm aware of, but they can be configured to use any
> available port) for attempts to connect, and when another computer (our
> cracker) attempts to connect on that port, the program responds in the
> affirmative -- indicating that the box at this address is, in fact,
> infected.  (All our cracker would have to do, first time around, is have
> his scanner add that address to his database.)
>
> Once the computer responds -- effectively saying "I'm infected" (here's
> the kicker) -- the program on the infected PC effectively allows the
> remote cracker to do almost ANYTHING (s)he wants, up to and including
> making the CDROM drive open and close!  The cracker can copy files, run
> commands, take screen snapshots...  You name it.  And, if you don't
> happen to catch it while it's happening, you might NEVER KNOW.
>
> Well, with the proliferation of cable modems and other wideband home
> internet services -- services that are always "up" if the computer is on
> -- and with the incredible lack of awareness of the risks of running
> .exe files that are downloaded or arrive in e-mail (the original
> disseminator of BackOrifice was something called whackamole.exe or
> somesuch) -- NetBus and BO infections are undoubtedly proliferating
> rampantly.  And, while I've never tried it (trust me), I believe that
> the NetBus or BO could trivially be told to "ping" a given IP address
> (for instance), which could easily effect a DoS attack by flooding the
> common target with incoming ICMP packets from thousands of machines.
>
> So, that's how it could've been done by one miscreant.  Of course,
> firewalls work well to prevent the connection from the cracker machine,
> and there are programs you can run on your PC that will detect attempts
> to connect on a number of ports and report the attack to you.  There's
> even one program that has your machine "pretend" to be infected, so it
> can get honest-to-goodness actionable EVIDENCE of an attempt to break
> in, since just attempting to connect to a port (IIRC) is not considered
> "illegal."  (I'm not a lawyer, either -- there are already enough people
> who don't like me.)
>
> Excerpts from midrange-l: 11-Feb'00 RE: Denial of Service, Good.. "Bob
> Crothers"@cstoneind (855*)
>
> > >>What cannot possibly be done is to write an OS/400 object that is a
virus<<
>
> > This is totally wrong.  Nobody (that I know of) has successfully
distributed
> > one, but it would be possible to do.
>
> I don't want to open up Pandora's Box of Viral Etymology, but want to
> weigh in here, too...
>
> The AS/400's virus resistance is largely due to a couple of key factors.
>
> While WinXX exposes its cellular innards to anyone who can write a .dll,
> the AS/400 has a highly-specialized and selective "permeable membrane"
> around its nucleus -- the Technology Independent Permeable Nuclear
> Membrane (a/k/a the "MI" ;-) -- that reserves a set of special functions
> to only be done by the Trusted Mitochondrial Base (a/k/a "SLIC" and
> "OS/400").  <plonk> cannot be easily crafted in the same way as on
> WinXX, since the nucleus is so protected.
>
> Of course, a determined programmer can use system tools to modify the
> object code at the hardware-instruction level, but again the selective
> membrane is designed to detect such "viral" modifications, and to
> prevent them from passing from machine to machine.  So, the membrane
> works both ways.
>
> > That said, there are several things that make virus's on our AS/400's
> > unlikely.  The first is just the number of systems.  There are about
> 50,000+- AS/400's in the USA.
>
> Interesting numbers -- I don't know about US only, but I've heard a
> number more like 600,000 world-wide.  And, with the visibility the
> AS/400 is getting on various fronts, I expect it may become a target at
> some point.  I do hope and trust that we will continue to be as
> "infection-free" as we've been to this point -- get out the Lysol!  ;)
>
> Sorry for rambling.
>
> -blair
>
>   ___   _           Blair Wyman                  IBM Rochester
>  ( /_)  /  _  ' _   (507)253-2891            blairw@us.ibm.com
> __/__)_/_<_/_/_/_'  Opinions expressed may not be those of IBM
>
>
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to
MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
david@midrange.com
> +---

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---