Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-02 Thread Tyler Durden
Actually, I did know that 300Mb/sec isn't super-huge for Denial of Service 
attacks at least, but this is an "obscure" Tor node. Someone attacking it at 
this stage in the game has a real agenda (perhaps they want to see if 
certain websites get disrupted? Does Tor work that way for short-ish periods 
of time?)


At 4Gb/s into the router, I'd guess that router is hooked up to 2 GbEs 
mapped over a pair of OC-48s (Sounds a lot like the architecture Cisco has 
sold certain GbE-centered Datapipe providers.) Your attacker might actually 
be interested in pre-stressing the infrastructure in front of that router.


Just a guess, but I'm "stupid" after all.

-TD


From: Eugen Leitl <[EMAIL PROTECTED]>
To: Dan McDonald <[EMAIL PROTECTED]>, [EMAIL PROTECTED],    
[EMAIL PROTECTED]
Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda  
websites are wiped out

Date: Tue, 2 Aug 2005 10:15:49 +0200

On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:

> I'm surprised that the target node has that much INBOUND bandwidth, 
quite

> frankly.

The node itself has only a Fast Ethernet port, but there's
some 4 GBit available outside of the router.

I'm genuinely glad the node has been taken offline as soon
as the traffic started coming in in buckets, and I didn't
have to foot the entire bill (the whole incident only
cost me 20-30 GByte overall as far as I can tell).

--
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which 
had a name of signature.asc]





Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-02 Thread Eugen Leitl
On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:

> I'm surprised that the target node has that much INBOUND bandwidth, quite
> frankly.

The node itself has only a Fast Ethernet port, but there's 
some 4 GBit available outside of the router.

I'm genuinely glad the node has been taken offline as soon
as the traffic started coming in in buckets, and I didn't
have to foot the entire bill (the whole incident only
cost me 20-30 GByte overall as far as I can tell).

-- 
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


signature.asc
Description: Digital signature


Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-02 Thread Eugen Leitl
On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:

> What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy 
> but that sounds suspiciously like someone loaded up an OC-3's worth of 
> traffic and then slammed your node. Ain't no hacker gonna do that. Any 
> indication the ostensible originating IP addresses are faked?

No, it looked like a vanilla DDoS. According to the hoster, I've only
seen a small piece of the log, which looked like this:

09:21:54.322650 IP 67.9.36.207 > 213.239.210.243: icmp
09:21:54.322776 IP 218.102.186.215 > 213.239.210.243: icmp
09:21:54.322895 IP 24.242.31.137 > 213.239.210.243: icmp
09:21:54.323017 IP 61.62.83.208 > 213.239.210.243: icmp
09:21:54.323140 IP 68.197.59.153 > 213.239.210.243: icmp
09:21:54.323263 IP 202.138.17.65 > 213.239.210.243: icmp
09:21:54.323375 IP 221.171.34.81 > 213.239.210.243: icmp 1376: echo
request seq 23306
09:21:54.323500 IP 150.199.172.221 > 213.239.210.243: icmp
09:21:54.323623 IP 62.150.154.191 > 213.239.210.243: icmp
09:21:54.323741 IP 221.231.54.152 > 213.239.210.243: icmp
09:21:54.323863 IP 222.241.149.165 > 213.239.210.243: icmp 1456: echo
request seq 24842
09:21:54.323984 IP 61.81.134.200 > 213.239.210.243: icmp
09:21:54.324105 IP 60.20.101.125 > 213.239.210.243: icmp
09:21:54.324227 IP 219.77.117.204 > 213.239.210.243: icmp
09:21:54.324229 IP 85.98.134.51 > 213.239.210.243: icmp
09:21:54.324355 IP 61.149.3.249 > 213.239.210.243: icmp
09:21:54.324475 IP 218.9.240.32 > 213.239.210.243: icmp 1456: echo
request seq 29962
09:21:54.324598 IP 24.115.79.52 > 213.239.210.243: icmp
09:21:54.324720 IP 12.217.75.61 > 213.239.210.243: icmp
09:21:54.324844 IP 202.161.4.210 > 213.239.210.243: icmp
09:21:54.324847 IP 139.4.150.122.14238 > 213.239.209.107.80: R
2598318330:2598318330(0) win 0
09:21:54.324973 IP 211.203.38.29 > 213.239.210.243: icmp
09:21:54.325101 IP 68.74.58.171 > 213.239.210.243: icmp
09:21:54.325240 IP 211.214.159.102 > 213.239.210.243: icmp
09:21:54.325341 IP 221.231.53.52 > 213.239.210.243: icmp
09:21:54.325465 IP 24.20.194.42 > 213.239.210.243: icmp

-- 
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


signature.asc
Description: Digital signature


Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread J.A. Terranson

On Mon, 1 Aug 2005, Dan McDonald wrote:

> On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:
> > What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but
> > that sounds suspiciously like someone loaded up an OC-3's worth of traffic
>
> 300Mbits (using Eugen's quote), is 2xOC-3.  (OC-3 carries 155Mbit/sec ATM,
> but if it's IP/PPP/OC-3 you use more of the 155Mbits/sec).
>
> A couple of hacked university zombie armies can generate that kind of
> traffic.  I'm *not* a telecom guy, but don't most U's have at least an OC-3
> out to the backbones today?
>
> I'm surprised that the target node has that much INBOUND bandwidth, quite
> frankly.

Well, I am a telecom *and* a data guy, and I think I can clear it up :-)

First, I suspect that the Tor node did *not* have a 300mbit ingree or
egress, which is why the 300mbps was an effective DDoS ;-)

Second, as the guy who spent several years being the carrier schmuck on
call for these kinds of attacks, a 300mbps attack is a pretty small one.
Big enough to knock off the average web site or small ISP, but pretty
small from the carrier perspective.  He probably knew the sizeof the
incoming attack because the voice on the other end of the phone (the
carrier schmuck on call) told him how much data he saw coming down the
pipe at the target.

>
> Dan
>

Hopefully that'll clear some of the muddy stuff?

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.

don zweig, M.D.



Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Dan McDonald
On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:
> What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but 
> that sounds suspiciously like someone loaded up an OC-3's worth of traffic 

300Mbits (using Eugen's quote), is 2xOC-3.  (OC-3 carries 155Mbit/sec ATM,
but if it's IP/PPP/OC-3 you use more of the 155Mbits/sec).

A couple of hacked university zombie armies can generate that kind of
traffic.  I'm *not* a telecom guy, but don't most U's have at least an OC-3
out to the backbones today?

I'm surprised that the target node has that much INBOUND bandwidth, quite
frankly.

Dan



Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Tyler Durden
What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but 
that sounds suspiciously like someone loaded up an OC-3's worth of traffic 
and then slammed your node. Ain't no hacker gonna do that. Any indication 
the ostensible originating IP addresses are faked?


-TD




From: Eugen Leitl <[EMAIL PROTECTED]>
To: Tyler Durden <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda  
websites are  wiped out

Date: Mon, 1 Aug 2005 17:15:17 +0200

On Mon, Aug 01, 2005 at 10:54:26AM -0400, Tyler Durden wrote:

> Tor networks, anyone?

Caveat when running Tor on a production machine, I got DDoS'd
recently with some ~300 MBit/s. (Yes, my exit policy didn't
contain IRC).

--
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which 
had a name of signature.asc]





Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Eugen Leitl
On Mon, Aug 01, 2005 at 10:54:26AM -0400, Tyler Durden wrote:

> Tor networks, anyone?

Caveat when running Tor on a production machine, I got DDoS'd
recently with some ~300 MBit/s. (Yes, my exit policy didn't
contain IRC).

-- 
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


signature.asc
Description: Digital signature


RE: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread Tyler Durden
Gee, that's great. A global organization that has taken the task of 
worldwide censorship into its sweaty little hands.


Did the google cache'd versions of these sites dissappear too?

Tor networks, anyone?

-TD


From: "R.A. Hettinga" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com, [EMAIL PROTECTED]
Subject: [Clips] Finger points to British intelligence as al-Qaeda   
websites are wiped out

Date: Sat, 30 Jul 2005 23:02:53 -0400

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 30 Jul 2005 23:01:38 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Finger points to British intelligence as al-Qaeda 
websites

  are wiped out
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.timesonline.co.uk/printFriendly/0,,1-523-1715166-523,00.html>

 The Times of London

 July 31, 2005

 Finger points to British intelligence as al-Qaeda websites are wiped out
 Over the past fortnight Israeli intelligence agents have noticed 
something
 distinctly odd happening on the internet. One by one, Al-Qaeda's 
affiliated
 websites have vanished until only a handful remain, write Uzi Mahnaimi 
and

 Alex Pell.

 Someone has cut the line of communication between the spiritual leaders 
of
 international terrorism and their supporters. Since 9/11 the websites 
have

 been the main links to disseminate propaganda and information.

 The Israelis detect the hand of British intelligence, determined to 
torpedo

 the websites after the London attacks of July 7.

 The web has become the new battleground of terrorism, permitting a 
freedom

 of communication denied to such organisations as the IRA a couple of
 decades ago.

 One global jihad site terminated recently was an inflammatory Pakistani
 site, www.mojihedun.com, in which a section entitled How to Strike a
 European City gave full technical instructions. Tens of similar sites, 
some

 offering detailed information on how to build and use biological weapons,
 have also been shut down. However, Islamic sites believed to be 
"moderate",

 remain.

 One belongs to the London-based Syrian cleric Abu Basir al-Tartusi, whose
 www.abubaseer.bizland.com remained operative after he condemned the 
London

 bombings.

 However, the scales remain weighted in favour of global jihad, the first
 virtual terror organisation. For all the vaunted spying advances such as
 tracking mobile phones and isolating key phrases in telephone
 conversations, experts believe current technologies actually play into 
the

 hands of those who would harm us.

 "Modern technology puts most of the advantages in the hands of the
 terrorists. That is the bottom line," says Professor Michael Clarke, of
 King's College London, who is director of the International Policy
 Institute.

 Government-sponsored monitoring systems, such as Echelon, can track vast
 amounts of data but have so far proved of minimal benefit in preventing, 
or
 even warning, of attacks. And such systems are vulnerable to 
manipulation:

 low-ranking volunteers in terrorist organisations can create background
 chatter that ties up resources and maintains a threshold of anxiety. 
There

 are many tricks of the trade that give terrorists secure digital
 communication and leave no trace on the host computer.

 Ironically, the most readily available sources of accurate online
 information on bomb-making are the websites of the radical American
 militia. "I have not seen any Al-Qaeda manuals that look like genuine
 terrorist training," claims Clarke.

 However, the sobering message of many security experts is that the
 terrorists are unlikely ever to lose a war waged with technology.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


--
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"When the hares made speeches in the assembly and demanded that all should
have equality, the lions replied, "Where are your claws and teeth?"  --
attributed to Antisthenes in Aristotle, 'Politics', 3.7.2





[Clips] Finger points to British intelligence as al-Qaeda websites are wiped out

2005-08-01 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 30 Jul 2005 23:01:38 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Finger points to British intelligence as al-Qaeda websites
  are wiped out
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.timesonline.co.uk/printFriendly/0,,1-523-1715166-523,00.html>

 The Times of London

 July 31, 2005

 Finger points to British intelligence as al-Qaeda websites are wiped out
 Over the past fortnight Israeli intelligence agents have noticed something
 distinctly odd happening on the internet. One by one, Al-Qaeda's affiliated
 websites have vanished until only a handful remain, write Uzi Mahnaimi and
 Alex Pell.

 Someone has cut the line of communication between the spiritual leaders of
 international terrorism and their supporters. Since 9/11 the websites have
 been the main links to disseminate propaganda and information.

 The Israelis detect the hand of British intelligence, determined to torpedo
 the websites after the London attacks of July 7.

 The web has become the new battleground of terrorism, permitting a freedom
 of communication denied to such organisations as the IRA a couple of
 decades ago.

 One global jihad site terminated recently was an inflammatory Pakistani
 site, www.mojihedun.com, in which a section entitled How to Strike a
 European City gave full technical instructions. Tens of similar sites, some
 offering detailed information on how to build and use biological weapons,
 have also been shut down. However, Islamic sites believed to be "moderate",
 remain.

 One belongs to the London-based Syrian cleric Abu Basir al-Tartusi, whose
 www.abubaseer.bizland.com remained operative after he condemned the London
 bombings.

 However, the scales remain weighted in favour of global jihad, the first
 virtual terror organisation. For all the vaunted spying advances such as
 tracking mobile phones and isolating key phrases in telephone
 conversations, experts believe current technologies actually play into the
 hands of those who would harm us.

 "Modern technology puts most of the advantages in the hands of the
 terrorists. That is the bottom line," says Professor Michael Clarke, of
 King's College London, who is director of the International Policy
 Institute.

 Government-sponsored monitoring systems, such as Echelon, can track vast
 amounts of data but have so far proved of minimal benefit in preventing, or
 even warning, of attacks. And such systems are vulnerable to manipulation:
 low-ranking volunteers in terrorist organisations can create background
 chatter that ties up resources and maintains a threshold of anxiety. There
 are many tricks of the trade that give terrorists secure digital
 communication and leave no trace on the host computer.

 Ironically, the most readily available sources of accurate online
 information on bomb-making are the websites of the radical American
 militia. "I have not seen any Al-Qaeda manuals that look like genuine
 terrorist training," claims Clarke.

 However, the sobering message of many security experts is that the
 terrorists are unlikely ever to lose a war waged with technology.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"When the hares made speeches in the assembly and demanded that all should
have equality, the lions replied, "Where are your claws and teeth?"  --
attributed to Antisthenes in Aristotle, 'Politics', 3.7.2