Victims of distributed denial-of-service attacks are usually reluctant to
admit they’ve been hit, let alone provide specific technical details about
the attacks. But Gibson Research
Corporation president Steve Gibson said Monday that he intends to turn
some weekend lemons into lemonade.
After having his site knocked offline for 17 hours by a DDoS attack that
began Friday night, Gibson plans to post a detailed report about the
experience, including a list of the hundreds of compromised machines
marshalled by an as-yet unknown attacker to launch the strike. A
preliminary version of the report was online Monday.
According to Gibson, who has gained renown for his popular freeware
security and privacy tools, GRC.com was forced off the Internet at around
8:00 Pacific Friday evening, as several hundred compromised computers
located across the Internet began issuing millions of bogus ICMP and UDP
requests. At its peak, the attack generated 25 megabits of bandwidth,
overwhelming the site’s 3.1-Mbit connection.
An initial review of the log files from the attacks did not reveal which of
the numerous DDoS tools were used in the attacks. But Gibson said many of
the “zombie” machines apparently were owned by Windows PC users with cable
modem connections — ironically the very sorts of people he tries to
educate and serve with his free resources, which include a firewall testing
tool and a Windows port security probe.
“I’ve got their IP addresses and the ability to make a loud noise about
this. I know that @Home and Rogers and others are going to be unhappy about
the attention I’m going to bring to them, but this is needed to bring about
some change,” said Gibson.
Because the IP addresses of the attacking computers were not disguised or
“spoofed,” the attack could have been quickly neutralized by the site’s
hosting company Verio, through the use of routing filters. But the ISP’s
most knowledgeable customer support personnel were gone for the weekend,
and Gibson reports he was unable to contact key staff until early Saturday
afternoon. At that point, a 10-minute fix by Verio shut down the attack.
“That’s just wrong, if we’re talking about the Internet being a national,
core infrastructure. It’s like the phone company turning off phone service
because it’s the weekend,” said Gibson, adding that he has no plans to
change ISPs, however.
Gibson speculates that a dispute between some users of his discussion
forums may have led to the attack, but no one has yet claimed
responsibility or responded to his invitation to discuss the attacks.