Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-02 Thread Eugen Leitl
On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:

> I'm surprised that the target node has that much INBOUND bandwidth, quite
> frankly.

The node itself has only a Fast Ethernet port, but there's 
some 4 GBit available outside of the router.

I'm genuinely glad the node has been taken offline as soon
as the traffic started coming in in buckets, and I didn't
have to foot the entire bill (the whole incident only
cost me 20-30 GByte overall as far as I can tell).

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-02 Thread Eugen Leitl
On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:

> What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy
> but that sounds suspiciously like someone loaded up an OC-3's worth of
> traffic and then slammed your node. Ain't no hacker gonna do that. Any
> indication the ostensible originating IP addresses are faked?

No, it looked like a vanilla DDoS. According to the hoster, I've only
seen a small piece of the log, which looked like this:

09:21:54.322650 IP 67.9.36.207 > 213.239.210.243: icmp
09:21:54.322776 IP 218.102.186.215 > 213.239.210.243: icmp
09:21:54.322895 IP 24.242.31.137 > 213.239.210.243: icmp
09:21:54.323017 IP 61.62.83.208 > 213.239.210.243: icmp
09:21:54.323140 IP 68.197.59.153 > 213.239.210.243: icmp
09:21:54.323263 IP 202.138.17.65 > 213.239.210.243: icmp
09:21:54.323375 IP 221.171.34.81 > 213.239.210.243: icmp 1376: echo request seq 23306
09:21:54.323500 IP 150.199.172.221 > 213.239.210.243: icmp
09:21:54.323623 IP 62.150.154.191 > 213.239.210.243: icmp
09:21:54.323741 IP 221.231.54.152 > 213.239.210.243: icmp
09:21:54.323863 IP 222.241.149.165 > 213.239.210.243: icmp 1456: echo request seq 24842
09:21:54.323984 IP 61.81.134.200 > 213.239.210.243: icmp
09:21:54.324105 IP 60.20.101.125 > 213.239.210.243: icmp
09:21:54.324227 IP 219.77.117.204 > 213.239.210.243: icmp
09:21:54.324229 IP 85.98.134.51 > 213.239.210.243: icmp
09:21:54.324355 IP 61.149.3.249 > 213.239.210.243: icmp
09:21:54.324475 IP 218.9.240.32 > 213.239.210.243: icmp 1456: echo request seq 29962
09:21:54.324598 IP 24.115.79.52 > 213.239.210.243: icmp
09:21:54.324720 IP 12.217.75.61 > 213.239.210.243: icmp
09:21:54.324844 IP 202.161.4.210 > 213.239.210.243: icmp
09:21:54.324847 IP 139.4.150.122.14238 > 213.239.209.107.80: R 2598318330:2598318330(0) win 0
09:21:54.324973 IP 211.203.38.29 > 213.239.210.243: icmp
09:21:54.325101 IP 68.74.58.171 > 213.239.210.243: icmp
09:21:54.325240 IP 211.214.159.102 > 213.239.210.243: icmp
09:21:54.325341 IP 221.231.53.52 > 213.239.210.243: icmp
09:21:54.325465 IP 24.20.194.42 > 213.239.210.243: icmp

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


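The tcpdump excerpt Eugen posted above is the usual shape of an ICMP flood: a steady stream of echo requests, one from each of a large set of sources, arriving microseconds apart. The following is an added example (not code from the thread or from any of its participants) that parses lines in that `HH:MM:SS.usec IP src > dst: ...` format, counts packets per source, estimates the packet rate over the captured window and applies a simple flood heuristic. The sample lines are constructed in the same format using RFC 5737 documentation addresses, and the thresholds in `is_icmp_flood` are assumptions to be tuned to the link being protected. On Tyler's question about faked sources: the log alone cannot answer it, since a source list that almost never repeats is consistent with either randomly spoofed addresses or a large botnet, so the summary only reports that ratio.

```python
"""Summarize a tcpdump-style ICMP flood log.

Added example, not code from the thread. The sample lines are constructed in
the same format as the posted excerpt ("HH:MM:SS.usec IP src > dst: ...")
using RFC 5737 documentation addresses; the flood thresholds are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: ten ICMP packets from nine sources plus one stray TCP
# RST, all inside about 1.2 ms, mirroring the shape of the posted excerpt.
SAMPLE_LOG = """\
09:21:54.322650 IP 192.0.2.10 > 203.0.113.5: icmp
09:21:54.322776 IP 192.0.2.11 > 203.0.113.5: icmp
09:21:54.322895 IP 198.51.100.7 > 203.0.113.5: icmp 1376: echo request seq 23306
09:21:54.323017 IP 192.0.2.12 > 203.0.113.5: icmp
09:21:54.323140 IP 198.51.100.8 > 203.0.113.5: icmp
09:21:54.323263 IP 192.0.2.13 > 203.0.113.5: icmp 1456: echo request seq 24842
09:21:54.323375 IP 192.0.2.10 > 203.0.113.5: icmp
09:21:54.323500 IP 198.51.100.9 > 203.0.113.5: icmp
09:21:54.323623 IP 192.0.2.14 > 203.0.113.5: icmp
09:21:54.323741 IP 192.0.2.15.14238 > 203.0.113.6.80: R 2598318330:2598318330(0) win 0
09:21:54.323863 IP 192.0.2.16 > 203.0.113.5: icmp
"""

# One tcpdump record: timestamp, "IP", source, ">", destination, ":", payload.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
ECHO_RE = re.compile(r"echo request seq (\d+)")


def host_of(addr):
    """Drop tcpdump's trailing '.port' from an IPv4 endpoint (a.b.c.d.port)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_line(line):
    """Return (timestamp, src, dst, proto, rest) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
    rest = m.group("rest")
    proto = "icmp" if rest.startswith("icmp") else "other"
    return ts, host_of(m.group("src")), host_of(m.group("dst")), proto, rest


def summarize(text):
    """Aggregate packet counts, distinct ICMP sources and the observed rate."""
    times, per_src = [], Counter()
    packets = icmp = echo = unparsed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        ts, src, _dst, proto, rest = rec
        packets += 1
        times.append(ts)
        if proto == "icmp":
            icmp += 1
            per_src[src] += 1
            if ECHO_RE.search(rest):
                echo += 1
    # Rate over the captured window; a single packet gives no rate at all.
    span = (max(times) - min(times)).total_seconds() if len(times) > 1 else 0.0
    return {
        "packets": packets,
        "icmp_packets": icmp,
        "other_packets": packets - icmp,
        "unparsed": unparsed,
        "echo_requests_seen": echo,
        "icmp_sources": len(per_src),
        "top_sources": per_src.most_common(3),
        "span_seconds": span,
        "icmp_pps": icmp / span if span > 0 else 0.0,
        # Near 1.0 means sources almost never repeat: consistent with either
        # a large botnet or randomly spoofed addresses; the log can't tell.
        "unique_source_ratio": len(per_src) / icmp if icmp else 0.0,
    }


def is_icmp_flood(summary, min_pps=1000.0, min_sources=5, min_icmp_share=0.8):
    """Heuristic: ICMP dominates the capture, arrives fast, from many sources.
    The thresholds are assumptions; tune them to the link being protected."""
    if summary["packets"] == 0:
        return False
    share = summary["icmp_packets"] / summary["packets"]
    return (summary["icmp_pps"] >= min_pps
            and summary["icmp_sources"] >= min_sources
            and share >= min_icmp_share)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k:>20}: {v}")
    print("ICMP flood:", is_icmp_flood(s))
```

The rate is computed over the whole captured window, which for a snippet this short is a rough figure; on a real capture, bucket the packets per second before comparing against a threshold. The hoster's view of the link (the 300 MBit/s Eugen was told) is the authoritative size of an attack, since a Fast Ethernet host sees only what survives the upstream router.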


Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-02 Thread Tyler Durden
Actually, I did know that 300Mb/sec isn't super-huge for Denial of Service 
attacks at least, but this is an obscure Tor node. Someone attacking it at 
this stage in the game has a real agenda (perhaps they want to see if 
certain websites get disrupted? Does Tor work that way for short-ish periods 
of time?)


At 4Gb/s into the router, I'd guess that router is hooked up to 2 GbEs 
mapped over a pair of OC-48s (Sounds a lot like the architecture Cisco has 
sold certain GbE-centered Datapipe providers.) Your attacker might actually 
be interested in pre-stressing the infrastructure in front of that router.


Just a guess, but I'm stupid after all.

-TD


From: Eugen Leitl [EMAIL PROTECTED]
To: Dan McDonald [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda  
websites are wiped out

Date: Tue, 2 Aug 2005 10:15:49 +0200

On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:

> I'm surprised that the target node has that much INBOUND bandwidth, quite
> frankly.

The node itself has only a Fast Ethernet port, but there's
some 4 GBit available outside of the router.

I'm genuinely glad the node has been taken offline as soon
as the traffic started coming in in buckets, and I didn't
have to foot the entire bill (the whole incident only
cost me 20-30 GByte overall as far as I can tell).

--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE






RE: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Tyler Durden
Gee, that's great. A global organization that has taken the task of 
worldwide censorship into its sweaty little hands.


Did the google cache'd versions of these sites disappear too?

Tor networks, anyone?

-TD


From: R.A. Hettinga [EMAIL PROTECTED]
To: cryptography@metzdowd.com, [EMAIL PROTECTED]
Subject: [Clips] Finger points to British intelligence as al-Qaeda   
websites are wiped out

Date: Sat, 30 Jul 2005 23:02:53 -0400

--- begin forwarded text


> Delivered-To: [EMAIL PROTECTED]
> Date: Sat, 30 Jul 2005 23:01:38 -0400
> To: Philodox Clips List [EMAIL PROTECTED]
> From: R.A. Hettinga [EMAIL PROTECTED]
> Subject: [Clips] Finger points to British intelligence as al-Qaeda websites
>   are wiped out
> Reply-To: [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
>
> http://www.timesonline.co.uk/printFriendly/0,,1-523-1715166-523,00.html
>
> The Times of London
>
> July 31, 2005
>
> Finger points to British intelligence as al-Qaeda websites are wiped out
> Over the past fortnight Israeli intelligence agents have noticed something
> distinctly odd happening on the internet. One by one, Al-Qaeda's affiliated
> websites have vanished until only a handful remain, write Uzi Mahnaimi and
> Alex Pell.
>
> Someone has cut the line of communication between the spiritual leaders of
> international terrorism and their supporters. Since 9/11 the websites have
> been the main links to disseminate propaganda and information.
>
> The Israelis detect the hand of British intelligence, determined to torpedo
> the websites after the London attacks of July 7.
>
> The web has become the new battleground of terrorism, permitting a freedom
> of communication denied to such organisations as the IRA a couple of
> decades ago.
>
> One global jihad site terminated recently was an inflammatory Pakistani
> site, www.mojihedun.com, in which a section entitled How to Strike a
> European City gave full technical instructions. Tens of similar sites, some
> offering detailed information on how to build and use biological weapons,
> have also been shut down. However, Islamic sites believed to be moderate,
> remain.
>
> One belongs to the London-based Syrian cleric Abu Basir al-Tartusi, whose
> www.abubaseer.bizland.com remained operative after he condemned the London
> bombings.
>
> However, the scales remain weighted in favour of global jihad, the first
> virtual terror organisation. For all the vaunted spying advances such as
> tracking mobile phones and isolating key phrases in telephone
> conversations, experts believe current technologies actually play into the
> hands of those who would harm us.
>
> Modern technology puts most of the advantages in the hands of the
> terrorists. That is the bottom line, says Professor Michael Clarke, of
> King's College London, who is director of the International Policy
> Institute.
>
> Government-sponsored monitoring systems, such as Echelon, can track vast
> amounts of data but have so far proved of minimal benefit in preventing, or
> even warning, of attacks. And such systems are vulnerable to manipulation:
> low-ranking volunteers in terrorist organisations can create background
> chatter that ties up resources and maintains a threshold of anxiety. There
> are many tricks of the trade that give terrorists secure digital
> communication and leave no trace on the host computer.
>
> Ironically, the most readily available sources of accurate online
> information on bomb-making are the websites of the radical American
> militia. I have not seen any Al-Qaeda manuals that look like genuine
> terrorist training, claims Clarke.
>
> However, the sobering message of many security experts is that the
> terrorists are unlikely ever to lose a war waged with technology.
>
> --
> -
> R. A. Hettinga mailto: [EMAIL PROTECTED]
> The Internet Bearer Underwriting Corporation http://www.ibuc.com/
> 44 Farquhar Street, Boston, MA 02131 USA
> ... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> ___
> Clips mailing list
> [EMAIL PROTECTED]
> http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


--
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
When the hares made speeches in the assembly and demanded that all should
have equality, the lions replied, Where are your claws and teeth?  --
attributed to Antisthenes in Aristotle, 'Politics', 3.7.2





Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Eugen Leitl
On Mon, Aug 01, 2005 at 10:54:26AM -0400, Tyler Durden wrote:

> Tor networks, anyone?

Caveat when running Tor on a production machine: I got DDoS'd
recently with some ~300 MBit/s. (Yes, my exit policy didn't
contain IRC).

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Tyler Durden
What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but 
that sounds suspiciously like someone loaded up an OC-3's worth of traffic 
and then slammed your node. Ain't no hacker gonna do that. Any indication 
the ostensible originating IP addresses are faked?


-TD




From: Eugen Leitl [EMAIL PROTECTED]
To: Tyler Durden [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda  
websites are  wiped out

Date: Mon, 1 Aug 2005 17:15:17 +0200

On Mon, Aug 01, 2005 at 10:54:26AM -0400, Tyler Durden wrote:

> Tor networks, anyone?

Caveat when running Tor on a production machine: I got DDoS'd
recently with some ~300 MBit/s. (Yes, my exit policy didn't
contain IRC).

--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE






Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Dan McDonald
On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:
> What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but
> that sounds suspiciously like someone loaded up an OC-3's worth of traffic

300Mbits (using Eugen's quote) is 2xOC-3.  (OC-3 carries 155Mbit/sec ATM,
but if it's IP/PPP/OC-3 you use more of the 155Mbits/sec).

A couple of hacked university zombie armies can generate that kind of
traffic.  I'm *not* a telecom guy, but don't most U's have at least an OC-3
out to the backbones today?

I'm surprised that the target node has that much INBOUND bandwidth, quite
frankly.

Dan



Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread J.A. Terranson

On Mon, 1 Aug 2005, Dan McDonald wrote:

> On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:
> > What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but
> > that sounds suspiciously like someone loaded up an OC-3's worth of traffic
>
> 300Mbits (using Eugen's quote) is 2xOC-3.  (OC-3 carries 155Mbit/sec ATM,
> but if it's IP/PPP/OC-3 you use more of the 155Mbits/sec).
>
> A couple of hacked university zombie armies can generate that kind of
> traffic.  I'm *not* a telecom guy, but don't most U's have at least an OC-3
> out to the backbones today?
>
> I'm surprised that the target node has that much INBOUND bandwidth, quite
> frankly.

Well, I am a telecom *and* a data guy, and I think I can clear it up :-)

First, I suspect that the Tor node did *not* have a 300mbit ingress or
egress, which is why the 300mbps was an effective DDoS ;-)

Second, as the guy who spent several years being the carrier schmuck on
call for these kinds of attacks, a 300mbps attack is a pretty small one.
Big enough to knock off the average web site or small ISP, but pretty
small from the carrier perspective.  He probably knew the size of the
incoming attack because the voice on the other end of the phone (the
carrier schmuck on call) told him how much data he saw coming down the
pipe at the target.


> Dan


Hopefully that'll clear some of the muddy stuff?

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.

don zweig, M.D.