• Subject: Re: Denial of Service, Good for AS/400?
  • From: "PAOLO YABUT" <dp@xxxxxxxxxxx>
  • Date: Fri, 11 Feb 2000 16:38:16 -0500

Just want to add that the packets sent to the servers that were hit contained
protests like "free Kevin Mitnick" and that the internet should be free (also
from ZDNet)

Paolo
----- Original Message -----
From: "Blair Wyman" <wyman@vnet.ibm.com>
To: <MIDRANGE-L@midrange.com>
Sent: Friday, February 11, 2000 12:15 PM
Subject: Re: Denial of Service, Good for AS/400?


> WinXX has been called "The Petri Dish of the Internet."  Everyone loves
> to hate B.G., and they express their feelings by writing viruses to
> crash boxes running his software.  (Personally, I think it's just
> "billionaire-envy," but I'm no psychiatrist.)
>
> And WinXX is *notoriously* easy to crash!
>
> Remember "winnuke" from a few years back?  Until M$ released their
> "fix," a very short Perl script could crash any WinXX box connected to
> the 'net, given its name or IP address.  All the script had to do was
> connect to the target box on port 139, send so-called "out of band"
> (MSG_OOB) TCP data, and <plonk> -- instant BSOD.
>
> Excerpts from midrange-l: 10-Feb'00 Re: Denial of Service
>
> > [...]hard to fight something that you cannot see...especially if it's
> > coming from multiple places (from what ZDNet says at least 1000+ PCs
> > attacked at the same time...it's intimidating to think that you have
> > 1000+ hackers doing this from all over the world conducting these attacks
> > simultaneously.....
>
> What got me started on this thread was this expressed fear -- that
> thousands of hackers had suddenly banded together to simultaneously
> wreak some havoc.  On the contrary, even though thousands of machines
> might have been involved, I'm confident the attack could have been
> perpetrated by a lone cracker.
>
> From the little bit of news I've heard on the recent DoS attacks (sounds
> like the feds are keeping the details fairly close to their bureaucratic
> vests -- and even leveraging the general ignorance by saying they're
> playing "catch up", and that it'll take more money for them to
> figure it out ;-) it sounds like the attacks could easily have been
> perpetrated by a *lone* cracker.  All the cracker would need would be a
> database of the addresses of machines known to be infected with the
> NetBus or BackOrifice programs.   This database would be easily
> compiled, given the subnet scanners in these programs.
>
> By way of background, NetBus and BackOrifice are something like "trojan
> horse" programs that are surreptitiously loaded on a WinXX machine and
> started at boot-up.  They can be attached to innocous programs or even
> legitimate programs from illegitimate sources, and can install
> themselves silently.  Once installed, for the most part they sit quietly
> and consume very little (if any) CPU.  AFAIK, they don't even show up on
> the 'process' list on WinXX.
>
> All that these programs do is "listen" on some TCP port (12345, 12346
> and 31337 are ones I'm aware of, but they can be configured to use any
> available port) for attempts to connect, and when another computer (our
> cracker) attempts to connect on that port, the program responds in the
> affirmative -- indicating that the box at this address is, in fact,
> infected.  (All our cracker would have to do, first time around, is have
> his scanner add that address to his database.)
>
> Once the computer responds -- effectively saying "I'm infected" (here's
> the kicker) -- the program on the infected PC effectively allows the
> remote cracker to do almost ANYTHING (s)he wants, up to and including
> making the CDROM drive open and close!  The cracker can copy files, run
> commands, take screen snapshots...  You name it.  And, if you don't
> happen to catch it while it's happening, you might NEVER KNOW.
>
> Well, with the proliferation of cable modems and other wideband home
> internet services -- services that are always "up" if the computer is on
> -- and with the incredible lack of awareness of the risks of running
> .exe files that are downloaded or arrive in e-mail (the original
> disseminator of BackOrifice was something called whackamole.exe or
> somesuch) -- NetBus and BO infections are undoubtedly proliferating
> rampantly.  And, while I've never tried it (trust me), I believe that
> NetBus or BO could trivially be told to "ping" a given IP address
> (for instance), which could easily effect a DoS attack by flooding the
> common target with incoming ICMP packets from thousands of machines.
>
> So, that's how it could've been done by one miscreant.  Of course,
> firewalls work well to prevent the connection from the cracker machine,
> and there are programs you can run on your PC that will detect attempts
> to connect on a number of ports and report the attack to you.  There's
> even one program that has your machine "pretend" to be infected, so it
> can get honest-to-goodness actionable EVIDENCE of an attempt to break
> in, since just attempting to connect to a port (IIRC) is not considered
> "illegal."  (I'm not a lawyer, either -- there are already enough people
> who don't like me.)
>
> Excerpts from midrange-l: 11-Feb'00 RE: Denial of Service, Good.. "Bob
> Crothers"@cstoneind (855*)
>
> > >>What cannot possibly be done is to write an OS/400 object that is a
> > virus<<
>
> > This is totally wrong.  Nobody (that I know of) has successfully
> > distributed one, but it would be possible to do.
>
> I don't want to open up Pandora's Box of Viral Etymology, but want to
> weigh in here, too...
>
> The AS/400's virus resistance is largely due to a couple of key factors.
>
> While WinXX exposes its cellular innards to anyone who can write a .dll,
> the AS/400 has a highly-specialized and selective "permeable membrane"
> around its nucleus -- the Technology Independent Permeable Nuclear
> Membrane (a/k/a the "MI" ;-) -- that reserves a set of special functions
> to only be done by the Trusted Mitochondrial Base (a/k/a "SLIC" and
> "OS/400").  <plonk> cannot be easily crafted in the same way as on
> WinXX, since the nucleus is so protected.
>
> Of course, a determined programmer can use system tools to modify the
> object code at the hardware-instruction level, but again the selective
> membrane is designed to detect such "viral" modifications, and to
> prevent them from passing from machine to machine.  So, the membrane
> works both ways.
>
> > That said, there are several things that make viruses on our AS/400s
> > unlikely.  The first is just the number of systems.  There are about
> > 50,000+- AS/400s in the USA.
>
> Interesting numbers -- I don't know about US only, but I've heard a
> number more like 600,000 world-wide.  And, with the visibility the
> AS/400 is getting on various fronts, I expect it may become a target at
> some point.  I do hope and trust that we will continue to be as
> "infection-free" as we've been to this point -- get out the Lysol!  ;)
>
> Sorry for rambling.
>
> -blair
>
>   ___   _           Blair Wyman                  IBM Rochester
>  ( /_)  /  _  ' _   (507)253-2891            blairw@us.ibm.com
> __/__)_/_<_/_/_/_'  Opinions expressed may not be those of IBM
>
>
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

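As an added example (not code from the original posts or from any tool they name), here is a small defender-side detector of the kind Blair mentions: it reads constructed firewall-style connection log lines, flags inbound connection attempts to the NetBus and BackOrifice ports the post lists, and reports any target receiving echo requests from many distinct hosts, the many-senders, one-target shape of the ICMP flood he outlines. The log format, the addresses and the flood threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports the post names for NetBus (12345, 12346) and BackOrifice (31337); it notes they are configurable.
BACKDOOR_PORTS = {12345: "NetBus", 12346: "NetBus", 31337: "BackOrifice"}

# Constructed log format (an assumption, not any real firewall's output):
#   <timestamp> TCP <src>:<sport> -> <dst>:<dport> SYN
#   <timestamp> ICMP <src> -> <dst> echo-request
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|ICMP) (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<info>\S+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def backdoor_probes(lines):
    """Map each source address to the backdoor ports it tried to connect to."""
    probes = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "TCP" and rec["dport"] in BACKDOOR_PORTS:
            probes[rec["src"]].add((rec["dport"], BACKDOOR_PORTS[rec["dport"]]))
    return {src: sorted(ports) for src, ports in probes.items()}

def icmp_flood_targets(lines, min_sources=3):
    """Destinations receiving echo-requests from at least min_sources distinct
    hosts: the many-senders, one-target shape of the flood the post describes."""
    senders = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "ICMP" and rec["info"] == "echo-request":
            senders[rec["dst"]].add(rec["src"])
    return {dst: len(s) for dst, s in senders.items() if len(s) >= min_sources}

# Constructed sample (RFC 5737 documentation addresses): one host probing two
# trojan ports, an ordinary web hit, and four hosts pinging the same target.
SAMPLE_LOG = """\
2000-02-11T12:15:01 TCP 203.0.113.7:40212 -> 192.0.2.10:12345 SYN
2000-02-11T12:15:01 TCP 203.0.113.7:40213 -> 192.0.2.10:31337 SYN
2000-02-11T12:15:02 TCP 198.51.100.20:51000 -> 192.0.2.10:80 SYN
2000-02-11T12:15:03 ICMP 198.51.100.1 -> 192.0.2.10 echo-request
2000-02-11T12:15:03 ICMP 198.51.100.2 -> 192.0.2.10 echo-request
2000-02-11T12:15:03 ICMP 198.51.100.3 -> 192.0.2.10 echo-request
2000-02-11T12:15:03 ICMP 198.51.100.4 -> 192.0.2.10 echo-request
2000-02-11T12:15:04 ICMP 198.51.100.9 -> 192.0.2.11 echo-request
""".splitlines()
```

Running `backdoor_probes(SAMPLE_LOG)` and `icmp_flood_targets(SAMPLE_LOG)` over the sample reports the single probing host with both ports and the one destination pinged by four distinct sources.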
