Archive for ddos

XBox Live DDoS Attack only $19.95

Posted in security on February 23, 2009 by hellnbak

Here is a horribly written article complete with FUD terms like “underground packet sniffing software” that was written based off of an equally bad article.  I wonder, does this make a horrible BLOG post?  😉

Anyways, the whole premise of the above is that “hackers” are performing a DDoS attack service for sore loser gamers on the XBox Live network.  While the articles and the quotes in the articles make it sound like some amazing accomplishment, it really is not.  To do this requires almost zero skill; of course you need access to your very own botnet, but these days those are not hard to come by and “borrow”.

Basically, one must simply sniff their XBox Live connection and, depending on the game (I believe and correct me if I am wrong that some games like EA games do not do direct connections but go through the EA servers), gather all of the IP addresses connecting to your network.

Now you have a choice: you can attempt to social engineer your way to the exact user you wish to DDoS, or simply attack the entire group.  I mean, it would be pretty simple to identify the geographical location of the IP address, then simply say “Hey where is everyone from” and make some guesses from there.

The whole thing is pretty lame as far as gamers go.  I mean what happened to losing the old fashioned way?  Yelling “your mom” jokes at the person who just beat you?

One of the articles mentioned something about sending the DDoS attack at the “Xbox Live port” (I can’t be bothered to double check which one), when in reality you need to simply take out the person’s connection and not target any specific application, which, as we all know, is simple enough to do.

Anyways, back to playing Afro Samurai on my 360.


RE: Richard Clarke’s Source Boston Talk

Posted in security on March 12, 2008 by hellnbak

I wasn’t able to attend Source Boston this year, so I have been following the blog for the event as well as some random Twitter traffic on it.  I wanted to comment on this blog post, but for some reason the blog requires me to register/login to comment, and that feature seems to be broken.

At least this gives me an excuse to add to my blog. 🙂

The first thing that struck me was this comment:

“Clarke cited the well-known DDoS attacks on Estonia and the reported Chinese government hacks of other governments as examples of how what used to be called paranoia has become, in reality, state-sponsored cyber war.”

While I have the utmost respect for Mr. Clarke and I do agree with a lot of what he has to say, this is pure FUD on his part.  The DDoS attacks on Estonia were not state sponsored, and while you can loosely apply the term “cyberwar” to these attacks, I wouldn’t say that this is the best example.  You can read a bit more on the Estonia thing over at Wired Threat Level.

The Chinese Government comment is very interesting to me.  This is something that has been rumored and invoked by security salesmen for quite some time, but with no actual proof attached to it.

While I totally understand that any proof of this would be considered sensitive in nature, if Mr. Clarke expects those outside of various .gov circles to believe these claims, evidence must be produced.  This reminds me of one of my favorite Boondocks episodes.

Gin Rummy: I always say the absence of evidence is not the evidence of absence.
Riley: What?
Gin Rummy: Simply because you don’t have evidence that something does exist does not mean you have evidence of something that doesn’t exist.
Riley: What?

Anyways, I am getting side tracked.

The other comment I wanted to make on this topic is in regards to this:

“He went on to say that government regulations be put in place to require ISPs to clean all of their data to solve at least 80 percent of cyber threat issues; and that also require the government itself to report vulnerabilities discovered to hospitals, corporations, universities and financial markets. But quite frankly, this seems like a moot effort. Considering the molasses rate at which the U.S. government moves, what are the chances that even if it is first to discover a vulnerability, that it could get it patched and communicated quickly enough to really protect high profile data? I’m no expert, but my guess is low.”

Looking at the recent Comcast vs. BitTorrent example, consumers will not accept any ISP monitoring, cleaning, or otherwise altering content.  Government regulation or not, users do not want their traffic monitored — it really is that simple.

The second part of this is the U.S. Government reporting discovered vulnerabilities.  Is this not what CERT is for?  Has CERT not proved to all of us that this is actually a bad idea, for various reasons?  I do think that we need a reliable, trusted, and secure third party to help researchers report vulnerabilities (I would love to do this with VulnWatch), but I do not think it needs to or should be a government entity.

Many have the opinion that vendors are still moving too slowly to fix security vulnerabilities (an average of 120-150 days in my experience); adding government bureaucracy to the process will only make it worse.

Finally, after all the above complaining and tangents, I do want to say that I agree with Mr. Clarke that one day we will see some sort of full-scale state-sponsored cyber-attack on critical infrastructure.  Sadly, nothing will be done to prevent this until it actually happens, and even then there is a good chance that the wrong things will be done in response.  Take a look at the world since 2001 to see some very good real-life examples of this.