Anti-Spyware Forums


Reply
Thread Tools Display Modes

Steve Gibson finally releases DDoS attack tool

 
 
Rob Rosenberger
Guest
Posts: n/a

 
      01-04-2006, 05:42 AM
LAGUNA HILLS, CALIFORNIA -- The problem of denial of service attacks could
be solved overnight if ISPs cleaned up their act, a security gadfly has
claimed.

Steve Gibson, president of Gibson Research Corp., has released a free tool
that will hold ISPs' feet to the fire if they have not implemented a
security technique known as "egress filtering." Gibson's "Spoofarino"
utility enables Internet users to test whether their ISPs allow them to send
forged or "spoofed" packets of data to Gibson's Web site. A spoofed packet
conceals the true Internet protocol address of the sender's computer, making
it appear to come from another machine.

Today is April Fool's Day, but "Spoofarino" is not a joke. Gibson has talked
about it on his website for five years. Users can download the utility at
http://www.Spoofarino.com for free.

According to Gibson, network administrators have long known that spoofing is
a problem, but the issue has become dire now that the technique is being
used in denial of service attacks to conceal the identity of the
perpetrators. "Once an invalid packet leaves the ISP and gets loose on the
Internet, backtracking it is virtually impossible. But every ISP has border
routers connecting their internal network out onto the Internet. Those
routers could have a line of code added to their rules that says, 'Is the
return address valid? If not, drop it,'" Gibson said.

Very few ISPs currently use egress filtering, according to Gibson, and he
believes it is time to hold them responsible. Besides enabling users to test
whether they can produce packets with bogus return addresses, Spoofarino
will allow them to add their test results to a virtual "hall of shame" to be
constructed at Gibson's site.

Gibson said Spoofarino employs a newly released technology called
"NanoProbes" that uses tiny, hand crafted, intention-directed Internet
packets consisting of just 224, 320 or 352 binary bits. "Their reception may
stimulate a programmed response from the probe target, causing it to launch
its own packets back to us. This is by design," Gibson explained. "Highly
specialized hand crafted NanoProbes such as we require are not found
wandering around in the typical computer," and these will be used to
determine which ISPs do not use egress filtering.

Not everyone was happy with the release of Spoofarino. Security critic Rob
Rosenberger believes "hundreds of thousands of mindless users will pummel
Gibson's website" with the utility. "Did he warn his own ISP to brace for a
massive global distributed denial of service (DDoS) attack aimed at his own
domain?"

Rosenberger compared Spoofarino to the LoveBug virus that knocked the
Philippines off the Internet in May 2000. "LoveBug was programmed to talk to
a specific website, and so is Spoofarino," he said. "If ten thousand users
run it at the same time and their ISPs aren't configured to stop the DDoS
attack...I think Gibson will be forced to look for a new ISP."

But Gibson insists the small size of each NanoProbe packet will protect his
website and his upstream provider from the attack that Rosenberger
envisions. "Our similar-function NanoProbe is less than HALF the size and is
therefore able to move through a bandwidth-constrained network, like the
Internet, at more than twice the temporal density of 'regular,' similar
function packets," Gibson explained, adding that each data construct "will
silently direct itself to the intended targets at a temporal density
relative to the current qmail instruction computational rate vector."

Today is April Fool's Day, but those are Gibson's exact words, and he wasn't
joking when he said them.

Even if the Internet was flooded with NanoProbes and Spoofarino packets,
Gibson believes "irresponsible" ISPs must accept the blame for letting them
get out. "We need a tool to hold ISPs accountable and publicly demonstrate
individual ISP irresponsibility," Gibson insisted. "Given the universal
reluctance they have demonstrated so far, I believe that only active public
scrutiny will bring about the changes required to insure [sic] a reliable
and secure future for the Internet."

Other experts were concerned about bugs in the Spoofarino utility and design
flaws in the NanoProbe technology. Security expert Martin Roesch, who
authored the "Snort" intrusion detection utility, warned that "the TCP
offset (TCP header length) is set to 6, which means that the TCP header
length should be 24, and the packet shown only has a 20 byte header. The
Sequence number is 0, which should never happen on a SYN packet and would be
easily picked up by any intrusion detection system (like Snort). The IP
datagram length field shows 44-bytes, but once again we're only shown
40-bytes. Where'd those other 4 bytes go?"

Gibson acknowledged bugs and design flaws are in Spoofarino because "I
started from scratch and wrote a complete, custom, TCP/IP protocol suite,
including an integrated firewall (super-hardened TCP) and a lightweight web
server." He insists that many popular and mature TCP/IP protocol suites
available today are unsuitable for computer security software. "I am
particularly proud of the TCP protocol handler," Gibson explained. "I solved
the problem of vulnerability to local resource depletion from denial of
service (DoS) attack flooding by designing a 'stateless connection opening'
technology named 'GENESIS.' Unlike all traditional (and DoS vulnerable)
TCP/IP stacks," he revealed, "GENESIS is able to accept and complete inbound
connections without needing to keep any 'state' information. Thus there are
no resources to exhaust when gazillions of inbound connections are being
spoofed and never completed, or completed but never used."

So why would Gibson choose April Fool's Day to release a DDoS tool that
attacks his own website? Rosenberger contrasted Spoofarino's debut with
1999's Melissa virus. "If Melissa's author had waited six days to release
the virus, he could have claimed it was an April Fool's joke gone awry."

"If a million users crush Gibson's ISP with forged packets, he can backpedal
and claim it was a practical joke. Second, if the FBI arrests him on
cyber-terror charges, he can tell the judge it was April Fool's Day."


 
Reply With Quote
 
 
 
 
Virus Guy
Guest
Posts: n/a

 
      01-04-2006, 03:25 PM
Rob Rosenberger wrote:

> Steve Gibson, president of Gibson Research Corp., has released
> a free tool that will hold ISPs' feet to the fire if they have
> not implemented a security technique known as "egress filtering."


> Gibson's "Spoofarino" utility enables Internet users to test
> whether their ISPs allow them to send forged or "spoofed"
> packets of data to Gibson's Web site.


http://www.spoofarino.com/

Please Stop
Using Spoofarino™

The incredible response to the release of my Spoofarino™ utility has
caused an overwhelming number of NanoProbe packets being sent to
GRC.com. The acceleration of PSPS (packets per second per second) is
3.17 and it's climbing at a geometric rate. If you don't know what
that means, trust me, it's bad and it's going to get a lot worse
before it gets better. I still believe that we need to hold ISPs
accountable for allowing Internet packets containing fraudulent return
addresses (spoofed source IPs) to escape onto the public Internet, but
apparently I have created the very Distributed Denial of Service
(DDoS) toolkit that I feared would someday be created! This is
probably not a good thing. But I meant well, and I will NOT apologize
for giving millions of concerned Users the ability to hold an
irresponsible ISP's feet to the fire. But please, if you are using
Spoofarino™ right now, PLEASE STOP! The Internet cannot handle the
incredible packet overload that is being created by GRC.com Users.
There is also a small bug in the way the GENESIS technology opens a
stateless connection. Routers and switches at thousands of ISPs all
over the world are crashing right now because they were never designed
to handle improperly crafted connections

> "If a million users crush Gibson's ISP with forged packets, he
> can backpedal and claim it was a practical joke. Second, if the
> FBI arrests him on cyber-terror charges, he can tell the judge
> it was April Fool's Day."

 
Reply With Quote
 
 
 
 
Virus Guy
Guest
Posts: n/a

 
      01-04-2006, 03:47 PM
The following is from:

http://www.eggheadcafe.com/anti-viru...st25767949.asp

--------------
7/2/2001 7:23:00 PM Spoofarino newsgroup open for business . . .

Everyone,

In preparation for the upcoming development and testing of the new
Spoofarino freeware, and to give us a sensible place to discuss
Denial of Service attacks, Windows XP, and such in the meantime ...

We now have: grc.spoofarino

See you all there!
---------------

Seems that Spoofarino has been in the works for quite some time.

News.grc.com doesn't carry any such "spoofarino" NG (did it ever?).

See also:

http://www.landfield.com/isn/mail-ar.../Jun/0062.html

http://www.itworld.com/nl/lnx_sec/06192001/

I've searched for a spoofarino download link, but can't find any -
even cached links. Can anyone confirm that spoofarino was actually
available from grc - either back in 2001 or recently?

I'm thinking that spoofarino never really existed. All I can find are
stories that talk about what spoofarino "will be" and nothing about
what it has actually done or what it has revealed about specific
ISP's.

What's strange is that the first appearance of the spoofarino concept
happened in June/July 2001 (well after April Fools day 2001) so it's
not clear that it was designed to be a hoax even back then.
 
Reply With Quote
 
Don Kelloway
Guest
Posts: n/a

 
      01-04-2006, 08:16 PM
"Rob Rosenberger" <(E-Mail Removed)> wrote in message
news:e0l3t2$c7q$(E-Mail Removed)...
>
> Today is April Fool's Day, but "Spoofarino" is not a joke. Gibson has
> talked about it on his website for five years. Users can download the
> utility at http://www.Spoofarino.com for free.
>



I find it interesting that if you view the source of www.spoofarino.com
you'll find the following:

<html>
<head>
<title>- Gibson Research Corporation Spoofarino Page - -</title>
<META name="description" content="April Fool">

</head>
<frameset rows="100%,*" border="0">
<frame src="http://www.kumite.com/rsnbrgr/rob/grcspoof/20060401"
frameborder="0">
<frame frameborder="0" noresize>
</frameset>
</html>
<!-- m -->

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".


 
Reply With Quote
 
Rob Rosenberger
Guest
Posts: n/a

 
      02-04-2006, 12:25 AM
>>Seems that Spoofarino has been in the works for quite some time.

Correct. Gibson announced it ca. June 2001 and has highlighted it on
www.grc.com/stevegibson.htm for nearly five years. It's still highlighted
on his website as of the time I posted this reply.

>>News.grc.com doesn't carry any such "spoofarino" NG (did it ever?).


Yes, Gibson actually launched a newsgroup for Spoofarino in 2001. He
dropped it after the publicity died down.

>>I'm thinking that spoofarino never really existed. All I can find are
>>stories that talk about what spoofarino "will be" and nothing about
>>what it has actually done or what it has revealed about specific
>>ISP's.


The world has waited since 2001 for its debut -- so I announced its release
as an April Fool prank.

>>What's strange is that the first appearance of the spoofarino concept
>>happened in June/July 2001 (well after April Fools day 2001) so it's
>>not clear that it was designed to be a hoax even back then.


It was one of Gibson's typical PR stunts. Either that, or he just forgot to
take his thorazine injection that day...



 
Reply With Quote
 
Spam Guy
Guest
Posts: n/a

 
      02-04-2006, 12:36 AM
Rob Rosenberger wrote:

>>> I'm thinking that spoofarino never really existed.


> The world has waited since 2001 for its debut -- so I announced
> its release as an April Fool prank.


Why then the warning message "Please Stop Using Spoofarino™ " ?

And if packet-spoofing is possible (and if he doesn't or hasn't ever
released spoofarino for ergonomic reasons) why doesn't Gibson at least
post results of strategic, controlled use of spoofarino from various
ISP's to prove the concept?
 
Reply With Quote
 
Yourhighness
Guest
Posts: n/a

 
      02-04-2006, 11:42 AM

Spam Guy wrote:
> Rob Rosenberger wrote:
>
> >>> I'm thinking that spoofarino never really existed.

>
> > The world has waited since 2001 for its debut -- so I announced
> > its release as an April Fool prank.

>
> Why then the warning message "Please Stop Using Spoofarino™ " ?
>
> And if packet-spoofing is possible (and if he doesn't or hasn't ever
> released spoofarino for ergonomic reasons) why doesn't Gibson at least
> post results of strategic, controlled use of spoofarino from various
> ISP's to prove the concept?


Hi,

read this article, posted on some other newsgroup here:
http://www.radsoft.net/news/roundups...60121,01.shtml

Rather a rough piece of writing tonewise, but d fit to the actions
described in this newsgroup thread.

rgds,

 
Reply With Quote
 
4Q
Guest
Posts: n/a

 
      11-04-2006, 10:08 PM
Rob Rosenberger wrote:
> LAGUNA HILLS, CALIFORNIA -- The problem of denial of service attacks could
> be solved overnight if ISPs cleaned up their act, a security gadfly has
> claimed.
>
> Steve Gibson, president of Gibson Research Corp., has released a free tool
> that will hold ISPs' feet to the fire if they have not implemented a
> security technique known as "egress filtering." Gibson's "Spoofarino"
> utility enables Internet users to test whether their ISPs allow them to send
> forged or "spoofed" packets of data to Gibson's Web site. A spoofed packet
> conceals the true Internet protocol address of the sender's computer, making
> it appear to come from another machine.
>
> Today is April Fool's Day, but "Spoofarino" is not a joke. Gibson has talked
> about it on his website for five years. Users can download the utility at
> http://www.Spoofarino.com for free.


*Cool* Well done Steve Gibson!


4Q

 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Steve Gibson continues to be a prat Far Canal Spyware 6 06-02-2006 10:57 AM
Steve Gibson and the WMF vulnerability Art Anti-Virus 3 20-01-2006 11:44 PM
Rootkit Web sites fall to DDoS attack SJL Spyware 1 12-04-2005 01:26 PM
DDOS Attack... Happened to me. What should i do? Ian Security Software 8 10-07-2004 04:53 AM
Net-Integration DDoS under attack again... SJL Spyware 0 28-02-2004 09:34 PM


All times are GMT. The time now is 09:33 PM.