Steve Gibson finally releases DDoS attack tool

Discussion in 'Anti-Virus' started by Rob Rosenberger, Apr 1, 2006.

  1. LAGUNA HILLS, CALIFORNIA -- The problem of denial of service attacks could
    be solved overnight if ISPs cleaned up their act, a security gadfly has
    claimed.

    Steve Gibson, president of Gibson Research Corp., has released a free tool
    that will hold ISPs' feet to the fire if they have not implemented a
    security technique known as "egress filtering." Gibson's "Spoofarino"
    utility enables Internet users to test whether their ISPs allow them to send
    forged or "spoofed" packets of data to Gibson's Web site. A spoofed packet
    conceals the true Internet protocol address of the sender's computer, making
    it appear to come from another machine.

    Today is April Fool's Day, but "Spoofarino" is not a joke. Gibson has talked
    about it on his website for five years. Users can download the utility at
    http://www.Spoofarino.com for free.

    According to Gibson, network administrators have long known that spoofing is
    a problem, but the issue has become dire now that the technique is being
    used in denial of service attacks to conceal the identity of the
    perpetrators. "Once an invalid packet leaves the ISP and gets loose on the
    Internet, backtracking it is virtually impossible. But every ISP has border
    routers connecting their internal network out onto the Internet. Those
    routers could have a line of code added to their rules that says, 'Is the
    return address valid? If not, drop it,'" Gibson said.

    Very few ISPs currently use egress filtering, according to Gibson, and he
    believes it is time to hold them responsible. Besides enabling users to test
    whether they can produce packets with bogus return addresses, Spoofarino
    will allow them to add their test results to a virtual "hall of shame" to be
    constructed at Gibson's site.

    Gibson said Spoofarino employs a newly released technology called
    "NanoProbes" that uses tiny, hand crafted, intention-directed Internet
    packets consisting of just 224, 320 or 352 binary bits. "Their reception may
    stimulate a programmed response from the probe target, causing it to launch
    its own packets back to us. This is by design," Gibson explained. "Highly
    specialized hand crafted NanoProbes such as we require are not found
    wandering around in the typical computer," and these will be used to
    determine which ISPs do not use egress filtering.

    Not everyone was happy with the release of Spoofarino. Security critic Rob
    Rosenberger believes "hundreds of thousands of mindless users will pummel
    Gibson's website" with the utility. "Did he warn his own ISP to brace for a
    massive global distributed denial of service (DDoS) attack aimed at his own
    domain?"

    Rosenberger compared Spoofarino to the LoveBug virus that knocked the
    Philippines off the Internet in May 2000. "LoveBug was programmed to talk to
    a specific website, and so is Spoofarino," he said. "If ten thousand users
    run it at the same time and their ISPs aren't configured to stop the DDoS
    attack...I think Gibson will be forced to look for a new ISP."

    But Gibson insists the small size of each NanoProbe packet will protect his
    website and his upstream provider from the attack that Rosenberger
    envisions. "Our similar-function NanoProbe is less than HALF the size and is
    therefore able to move through a bandwidth-constrained network, like the
    Internet, at more than twice the temporal density of 'regular,' similar
    function packets," Gibson explained, adding that each data construct "will
    silently direct itself to the intended targets at a temporal density
    relative to the current qmail instruction computational rate vector."

    Today is April Fool's Day, but those are Gibson's exact words, and he wasn't
    joking when he said them.

    Even if the Internet was flooded with NanoProbes and Spoofarino packets,
    Gibson believes "irresponsible" ISPs must accept the blame for letting them
    get out. "We need a tool to hold ISPs accountable and publicly demonstrate
    individual ISP irresponsibility," Gibson insisted. "Given the universal
    reluctance they have demonstrated so far, I believe that only active public
    scrutiny will bring about the changes required to insure [sic] a reliable
    and secure future for the Internet."

    Other experts were concerned about bugs in the Spoofarino utility and design
    flaws in the NanoProbe technology. Security expert Martin Roesch, who
    authored the "Snort" intrusion detection utility, warned that "the TCP
    offset (TCP header length) is set to 6, which means that the TCP header
    length should be 24, and the packet shown only has a 20 byte header. The
    Sequence number is 0, which should never happen on a SYN packet and would be
    easily picked up by any intrusion detection system (like Snort). The IP
    datagram length field shows 44-bytes, but once again we're only shown
    40-bytes. Where'd those other 4 bytes go?"

    Gibson acknowledged bugs and design flaws are in Spoofarino because "I
    started from scratch and wrote a complete, custom, TCP/IP protocol suite,
    including an integrated firewall (super-hardened TCP) and a lightweight web
    server." He insists that many popular and mature TCP/IP protocol suites
    available today are unsuitable for computer security software. "I am
    particularly proud of the TCP protocol handler," Gibson explained. "I solved
    the problem of vulnerability to local resource depletion from denial of
    service (DoS) attack flooding by designing a 'stateless connection opening'
    technology named 'GENESIS.' Unlike all traditional (and DoS vulnerable)
    TCP/IP stacks," he revealed, "GENESIS is able to accept and complete inbound
    connections without needing to keep any 'state' information. Thus there are
    no resources to exhaust when gazillions of inbound connections are being
    spoofed and never completed, or completed but never used."

    So why would Gibson choose April Fool's Day to release a DDoS tool that
    attacks his own website? Rosenberger contrasted Spoofarino's debut with
    1999's Melissa virus. "If Melissa's author had waited six days to release
    the virus, he could have claimed it was an April Fool's joke gone awry."

    "If a million users crush Gibson's ISP with forged packets, he can backpedal
    and claim it was a practical joke. Second, if the FBI arrests him on
    cyber-terror charges, he can tell the judge it was April Fool's Day."
     
    Rob Rosenberger, Apr 1, 2006
    #1
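Added example (not part of the original post, and not GRC or Snort code): the header inconsistencies Martin Roesch is quoted as pointing out above, written as a consistency check over a raw IPv4+TCP packet. The sample packet is constructed here from the values in the quote (IP length field 44, TCP offset 6, sequence number 0, 40 bytes present); the addresses, ports and helper names are placeholders chosen for the example.

```python
import struct

def check_ipv4_tcp(pkt):
    """Return a list of header inconsistencies found in a raw IPv4+TCP packet."""
    if len(pkt) < 20:
        return ["shorter than a minimal IPv4 header"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    ip_hlen = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_hlen < 20 or pkt[9] != 6:
        return ["not a well-formed IPv4 header carrying TCP"]
    findings = []
    if total_len != len(pkt):
        findings.append(f"IP total length {total_len} != {len(pkt)} bytes present")
    tcp = pkt[ip_hlen:]
    if len(tcp) < 20:
        return findings + ["shorter than a minimal TCP header"]
    _sport, _dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    tcp_hlen = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    if tcp_hlen < 20:
        findings.append(f"TCP data offset gives {tcp_hlen}-byte header, below minimum")
    elif tcp_hlen > len(tcp):
        findings.append(f"TCP data offset gives {tcp_hlen}-byte header, {len(tcp)} present")
    if off_flags & 0x02 and seq == 0:  # SYN set with a zero sequence number, as in the quote
        findings.append("SYN with sequence number 0")
    return findings

def build_packet(total_len, data_offset, seq, options=b""):
    """Build a constructed SYN packet; checksums are left 0 and not validated."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # documentation ranges
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIHHHH", 1024, 80, seq, 0, (data_offset << 12) | 0x02, 8192, 0, 0)
    return ip + tcp + options

# Constructed from the quote: length field 44, offset 6, sequence 0, 40 bytes present.
QUOTED = build_packet(44, 6, 0)
# Same fields made consistent: 4 bytes of MSS option and a non-zero sequence number.
CONSISTENT = build_packet(44, 6, 0x1A2B3C4D, options=bytes([2, 4, 5, 0xB4]))

if __name__ == "__main__":
    for name, pkt in (("quoted", QUOTED), ("consistent", CONSISTENT)):
        print(name, check_ipv4_tcp(pkt) or "no inconsistencies")
```

The missing 4 bytes in the quote account for two of the three findings: both the IP length field and the TCP data offset promise a 24-byte TCP header that the 40-byte packet does not contain.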

  2. Rob Rosenberger

    Virus Guy Guest

    http://www.spoofarino.com/

    Please Stop
    Using Spoofarino™

    The incredible response to the release of my Spoofarino™ utility has
    caused an overwhelming number of NanoProbe packets being sent to
    GRC.com. The acceleration of PSPS (packets per second per second) is
    3.17 and it's climbing at a geometric rate. If you don't know what
    that means, trust me, it's bad and it's going to get a lot worse
    before it gets better. I still believe that we need to hold ISPs
    accountable for allowing Internet packets containing fraudulent return
    addresses (spoofed source IPs) to escape onto the public Internet, but
    apparently I have created the very Distributed Denial of Service
    (DDoS) toolkit that I feared would someday be created! This is
    probably not a good thing. But I meant well, and I will NOT apologize
    for giving millions of concerned Users the ability to hold an
    irresponsible ISP's feet to the fire. But please, if you are using
    Spoofarino™ right now, PLEASE STOP! The Internet cannot handle the
    incredible packet overload that is being created by GRC.com Users.
    There is also a small bug in the way the GENESIS technology opens a
    stateless connection. Routers and switches at thousands of ISPs all
    over the world are crashing right now because they were never designed
    to handle improperly crafted connections
     
    Virus Guy, Apr 1, 2006
    #2

  3. Rob Rosenberger

    Virus Guy Guest

    The following is from:

    http://www.eggheadcafe.com/anti-virus/grcnews/jul2001/post25767949.asp

    --------------
    7/2/2001 7:23:00 PM Spoofarino newsgroup open for business . . .

    Everyone,

    In preparation for the upcoming development and testing of the new
    Spoofarino freeware, and to give us a sensible place to discuss
    Denial of Service attacks, Windows XP, and such in the meantime ...

    We now have: grc.spoofarino

    See you all there!
    ---------------

    Seems that Spoofarino has been in the works for quite some time.

    News.grc.com doesn't carry any such "spoofarino" NG (did it ever?).

    See also:

    http://www.landfield.com/isn/mail-archive/2001/Jun/0062.html

    http://www.itworld.com/nl/lnx_sec/06192001/

    I've searched for a spoofarino download link, but can't find any -
    even cached links. Can anyone confirm that spoofarino was actually
    available from grc - either back in 2001 or recently?

    I'm thinking that spoofarino never really existed. All I can find are
    stories that talk about what spoofarino "will be" and nothing about
    what it has actually done or what it has revealed about specific
    ISPs.

    What's strange is that the first appearance of the spoofarino concept
    happened in June/July 2001 (well after April Fools' Day 2001) so it's
    not clear that it was designed to be a hoax even back then.
     
    Virus Guy, Apr 1, 2006
    #3
  4. Rob Rosenberger

    Don Kelloway Guest


    I find it interesting that if you view the source of www.spoofarino.com
    you'll find the following:

    <html>
    <head>
    <title>- Gibson Research Corporation Spoofarino Page - -</title>
    <META name="description" content="April Fool">

    </head>
    <frameset rows="100%,*" border="0">
    <frame src="http://www.kumite.com/rsnbrgr/rob/grcspoof/20060401"
    frameborder="0">
    <frame frameborder="0" noresize>
    </frameset>
    </html>
     
    Don Kelloway, Apr 1, 2006
    #4
  5. > Seems that Spoofarino has been in the works for quite some time.

    Correct. Gibson announced it ca. June 2001 and has highlighted it on
    www.grc.com/stevegibson.htm for nearly five years. It's still highlighted
    on his website as of the time I posted this reply.

    Yes, Gibson actually launched a newsgroup for Spoofarino in 2001. He
    dropped it after the publicity died down.

    The world has waited since 2001 for its debut -- so I announced its release
    as an April Fool prank.

    It was one of Gibson's typical PR stunts. Either that, or he just forgot to
    take his thorazine injection that day...
     
    Rob Rosenberger, Apr 2, 2006
    #5
  6. Rob Rosenberger

    Guest Guest

    Why then the warning message "Please Stop Using Spoofarino™ " ?

    And if packet-spoofing is possible (and if he doesn't or hasn't ever
    released spoofarino for ergonomic reasons) why doesn't Gibson at least
    post results of strategic, controlled use of spoofarino from various
    ISPs to prove the concept?
     
    Guest, Apr 2, 2006
    #6
  7. Rob Rosenberger

    Yourhighness Guest

    Hi,

    read this article, posted on some other newsgroup here:
    http://www.radsoft.net/news/roundups/grc/20060121,01.shtml

    Rather a rough piece of writing tonewise, but d fit to the actions
    described in this newsgroup thread.

    rgds,
     
    Yourhighness, Apr 2, 2006
    #7
  8. Rob Rosenberger

    4Q Guest

    *Cool* Well done Steve Gibson!


    4Q
     
    4Q, Apr 11, 2006
    #8