Spam DDoS assault cuts off south Pacific state

Citizens of the Marshall Islands in the South Pacific have been left without a functioning email system following a denial of service attack on the country's sole ISP. It could take days to fully restore service, the general manager of the Marshall Islands National Telecommunications Authority (NTA) told Radio New Zealand …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Coat

    Wilting under pressure

    ...try qmail - running on an inexpensive current spec box, it'll cope easily with 500 connections per second...

    Compile in a few of the funkier qmail mod patches, and 'what DOS?'.

    (Mine's the one with 'Dan Bernstein Fanclub' on the back)

  2. Anonymous Coward
    Anonymous Coward

    Self defence?

    Is this country a purveyor of spam? Somebody may be trying to prevent spam.

  3. Foo Bar

    It's the number of open connections that's problematic

    I don't think they would have issues with 500 normal, short connections per second. The article talks about 'constantly locking' their servers to zombies. This looks to me like the zombies opened long-lasting connections at a rate of 500 per second.

    With that strategy, you quickly exhaust the available number of slots for TCP connections on a system. Even qmail wouldn't help then, because the TCP connection would be rejected on a much lower level by the TCP stack already.

    You need to set an aggressive, small TCP timeout on your server to combat that strategy. Even so: If the rate of new connections is too high, you will still have problems.

  4. Anonymous Coward
    Stop

    @ AC

    With even a small botnet, you can hammer a server with several thousand connections per second.

  5. Anonymous Coward
    Anonymous Coward

    Reason why...?

    Trial run, maybe? Checking the botnet's capabilities out for synchronised activity?

    So, who's next?

  6. Mike Groombridge

    Probably some pleb

    Not happy with his service, decided to teach the ISP a lesson and downed himself while he was at it. Probably now moaning at them that he can't play WoW.

  7. Anonymous Coward
    Flame

    Another reason to write ...

    Event-driven servers! No forking, disk access or memory allocation unless necessary! Memory to kernel network buffers and huge fd counts! Then we can devote RAM to where it's really needed and a DoS won't actually impact the server more than needed given sensible policies even when under severe assault.

    Course, I don't want you to think botmasters are harmless or easy to defeat. They aren't. But that's another problem for the architects of the Internet and the service providers to work out between them. But for now, I want to encourage sensible uses of system resources, and qmail (qmail!!!) doesn't do that. Nor do the other MTAs in common use, but IMHO qmail is quite the worst because everything is a process and is never resident. 500 incoming connections means 500 individual smtpd process startups from nil; however fast that is, it's a bloody waste and is dreadfully slow compared to chatting at once!

    Alright, I'll stop now.

    Anon because the qmail molesters are everywhere! EVERYWHERE! And they're coming to get me!!!

  8. Ray Rowland

    THE MELT DOWN CAUSE WAS SPAM

    THE PROBLEM WITH THE INTERNET IS SPAM. THE GOV AND THE IP SHOULD STOP THE SPAM

  9. Lee Humphries
    Paris Hilton

    Splatellite

    I suspect that the Marshalls are running off a satellite connection which would make the problem really difficult to deal with. With a one second turn around on your first IP hop out of the country you can't have short timeouts on anything.

    Sounds to me like someone doing a test run.

    Paris - Because the signals will be going through a lot of air before they get anywhere.

  10. heystoopid
    Pirate

    And

    And where be the main US Star Wars interception long range missile test facility but at an atoll that starts with a K within the Marshall Island Group, along with a few island atolls that glow unnaturally in the dark for the next 25,000 years or so from weapons research post 1945 until circa 1963?

  11. tim
    Black Helicopters

    actually...

    even bikini itself is low-background underwater. you can actually scuba in the main bays and "bowls" safely. the abovewater has some metallic "hotspots" but has "cooled" to fairly safe levels. Discovery or Nat Geo did an article on it several years back. most of the fallout has been washed, swept, and deep-buried by ol' ma nature over the years since any of those lil' bangs last went off. you can even dive around the wrecks. ....and the place "starting with k" is also the site of a cruiser and destroyer escort running gun battle from when us forces closed with the jap fleet and sank many tons of jap warships and miscellaneous support craft with moderate losses of their own. all make for great dives... in addition to that, the prinz eugen was being towed back from the bikini area, and turned turtle off "the k place" where you can see its aft keel jutting out of the water. recently, someone managed to filch the massive props off its arse without getting caught. Brass for bronze, no?

    BLACK CHOPPERS OF DOOM because some moron will think secrets are involved regarding a widely public-published location that's been on newspaper front pages and in dozens of books and magazines during its naval, NASA, air force, and special interest group affiliations! :0

  12. heystoopid
    Thumb Up

    @tim, not a numbers man, I see!

    @tim, surely you jest, but there is no such thing as safe radiation levels, as it is cumulative in its effect, as my old physics professor used to say, and only requires a minor change in DNA to cause measurable long term damage!

    However, since a number of these weapons involved the use of pure plutonium, the majority of which is not consumed in the chain reaction explosion by the way, and whose toxic effects are off the scale too!

    You appear to have forgotten to mention that the bulk of the early radiation researchers died quite young from assorted lethal career self-induced cancers, or what happened to the large number of miners hired to work the US uranium mines with no attention to any mine safety standards, period. Or the even more unfortunate "Radium Girls" (the company involved in that scam pulled strings in high places to avoid paying up like real men!). Then go on to miss some five hundred square miles of closed, sealed and uninhabitable land almost impossible to clean up with current technology for the next 25,000 years in a place called Hanford, Washington State, where the Columbia River flows (generation one reactors were all open loop, direct river water cooled), or the many evil illegal without-consent tests conducted on the states' inhabitants allegedly in the name of science but more like the war crimes exposed in a place called Nuremberg, carried out in two other countries if truth be told.

    I seem to recall that the US government now has on very urgent recall the several million odd samples of a substance called trinitite glass that was foolishly handed out quite freely to tourists to ground zero not all that long ago, because of its hidden long term effect of slowly killing the owner by degrees, but that be another tale!

    Yeah, as they say, the radiation industry and the old test sites are truly safe until you run the numbers game relative to occupations, and then the cluster effect clearly shows through!

    Such is life, for we all live and die by numbers in this universe!

    As for the heavy cruiser "The Prinz E.", the intertubes has all the answers for questions about what really happened to the missing three props!

  13. Henry Wertz Gold badge

    Sure there's safe levels.

    @heystoopid, sure there's safe levels. It's like any other type of energy -- if you go out in the sun for an hour you're fine, go under a high intensity tanning lamp for an hour you're burned, go under something 10x stronger you're probably burned to a crisp. Low enough intensities won't even penetrate skin; and to deal with cosmic rays etc., cells repair DNA damage, so low counts per minute of higher-intensity radiation don't cause a problem either. Is this island safe? No idea, I'd assume there's some hot spots that would make it not safe to reinhabit.

    No one's forgotten about early radiation researchers OR uranium miners... they were regularly exposed to high levels of radiation.

    As for trinitite -- I did some googling, the Trinity site was buried shortly after the blast for security reasons apparently, so despite there being a 10 foot deep by 1100 foot section of it, there's not lots in circulation. But I found no mention anywhere of anyone actually trying to withdraw the existing samples from circulation.

  14. Trix
    Boffin

    Time to install Postfix

    And drop smtpd_timeout to less than 30 sec. And install fail2ban so that rejected/dropped hosts that try again too many times within a specified time period (I'd make it more than 3 times in 6 hours, if I was getting hammered like that) get banned at the IP level.

  15. Ed

    How to defend against this

    There are two defenses, which I would personally use in tandem.

    The first is identifying your known legitimate email sources - where do you get 90% of your good email from? Reserve a few TCP connections for just these hosts. With this, an attack like the above may degrade your service, but you can still get some mail from where it matters most.

    The second is using a dynamic firewall, which updates itself based on connection activity. The specific rule here is that sites that connect and do not send email for the command timeout period get added to the deny rule for a day per time they do this. This rule will of course not stop the whole attack, because there will be too many IPs to gather in too short a time. To augment it, one could put in a rule that if greater than 50% of the allowable connections are engaged in behavior similar to this, dynamically reduce the command timeout period, until we either reach a configured minimum time (say, 10 seconds) or the situation stabilizes.

    Of course, the real trick here is having a dynamic firewall product that lets one do this.
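Ed's two rules (a day's ban per silent connection, and a command timeout that shrinks towards a 10-second floor once more than half the slots are tied up), together with Foo Bar's point in comment 3 about slot exhaustion, written out as an added Python simulation. This is not any commenter's code and nothing on the page names a firewall product; the slot count of 20, the starting timeout of 300 seconds and the addresses are constructed.

```python
"""Adaptive SMTP connection policy: a deny list fed by silent connections and a
command timeout that shrinks while the server's slots are being tied up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_TIMEOUT = 10.0       # floor from the comment: never go below 10 seconds
INITIAL_TIMEOUT = 300.0  # assumed starting SMTP command timeout (seconds)
MAX_SLOTS = 20           # assumed number of allowable SMTP connection slots
BAN_SECONDS = 86400.0    # one day per offence, as the comment proposes
IDLE_RATIO = 0.5         # tighten once more than half the slots sit silent


@dataclass
class Conn:
    ip: str
    opened_at: float
    last_command_at: Optional[float] = None  # None: never sent an SMTP command


@dataclass
class Policy:
    timeout: float = INITIAL_TIMEOUT
    max_slots: int = MAX_SLOTS
    deny: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # ip -> (offences, banned_until)

    def is_denied(self, ip: str, now: float) -> bool:
        entry = self.deny.get(ip)
        return entry is not None and entry[1] > now

    def _ban(self, ip: str, now: float) -> None:
        offences = self.deny.get(ip, (0, 0.0))[0] + 1
        self.deny[ip] = (offences, now + offences * BAN_SECONDS)  # a day per offence

    def sweep(self, conns: List[Conn], now: float) -> List[str]:
        """One enforcement pass; returns the IPs whose connections get dropped."""
        silent = [c for c in conns if c.last_command_at is None]
        if len(silent) > IDLE_RATIO * self.max_slots:
            # Too many slots held by silent peers: halve the timeout, respecting the floor.
            self.timeout = max(MIN_TIMEOUT, self.timeout / 2)
        dropped = []
        for c in silent:
            if now - c.opened_at >= self.timeout:  # outlived the (possibly new) timeout
                self._ban(c.ip, now)
                dropped.append(c.ip)
        return dropped


def demo() -> Tuple[Policy, List[str]]:
    """Constructed: 12 silent zombies out of 20 slots plus 3 legitimate peers that already sent commands."""
    policy, now = Policy(), 1_000.0
    conns = [Conn(f"198.51.100.{i}", opened_at=now - 400.0) for i in range(1, 13)]
    conns += [Conn(f"203.0.113.{i}", now - 5.0, last_command_at=now - 2.0) for i in range(1, 4)]
    return policy, policy.sweep(conns, now)


def sweeps_to_floor() -> int:
    """Keep 11 silent connections present every pass; count passes until the timeout hits the floor."""
    policy = Policy()
    conns = [Conn(f"198.51.100.{i}", opened_at=0.0) for i in range(1, 12)]
    passes = 0
    while policy.timeout > MIN_TIMEOUT:
        policy.sweep(conns, now=float(passes))
        passes += 1
    return passes
```

The halving is deliberately applied in the same pass that measures the idle ratio, so a flood of silent connections tightens enforcement immediately rather than one pass later.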

  16. Olivier

    @defend

    During the attack it is likely your servers behind the IP addresses targeted by the botnet will not deal with the flow, no matter qmail / rbldns etc.

    What I would do: block all incoming smtp traffic but from yahoo, hotmail, and the top 3 ISPs my customers deal with (use of SPF records to create firewall rules - of course I treat ~all as -all).

    Then quickly rent some servers anywhere in the world (any linux virtual server for $10 a month will do), declare them as MX for my domain, put in an iptables rule to limit the rate of incoming smtp traffic on them and tunnel the smtp traffic to my servers.

    It's a lot of manual work, but in 2 or 3 hours, for less than $150, one admin can have maybe up to 20 new mx ip addresses. If the attacker just sticks blindly to the initial ip addresses (and believes he succeeds since you are blocking all his traffic at firewall level), you have a sporting chance of having a degraded but functioning service. If the attacker follows your mx ip addresses you can rotate them on your pool or extend your pool, or both, and in parallel analyze your logs and prepare a mega iptables rule to stop the botnet.
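Olivier's SPF-to-firewall step, as an added example that is not part of the original comment: it walks SPF records into iptables accept rules for port 25, treats ~all exactly like -all, and refuses records that would make the allow-list meaningless (+all, include loops, more than the ten lookups RFC 7208 allows). The SPF, A and MX data are constructed tables standing in for live DNS, using documentation address ranges only.

```python
"""Build an SMTP allow-list from the SPF records of the senders you cannot
afford to lose. Softfail (~all) is treated exactly like fail (-all)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed DNS data standing in for live lookups (documentation ranges only).
SPF_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/48 a ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    "open.example": "v=spf1 +all",
}
A_RECORDS = {"_spf.example.net": ["198.51.100.20"], "mail.example.com": ["192.0.2.25"]}
MX_RECORDS = {"example.com": ["mail.example.com"]}
MAX_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying mechanisms per evaluation


def spf_networks(domain: str, chain: Tuple[str, ...] = (), budget: List[int] = None) -> Set[str]:
    """Collect the CIDR blocks a domain's SPF record authorises to send mail.
    Raises ValueError when the record cannot yield a meaningful allow-list."""
    if domain in chain:
        raise ValueError(f"include loop at {domain}")
    budget = [MAX_LOOKUPS] if budget is None else budget
    terms = SPF_TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    nets: Set[str] = set()
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        arg = arg or domain  # bare 'a' / 'mx' refer to the record's own domain
        if name == "all":
            if qualifier == "+":
                raise ValueError(f"{domain} uses +all: anyone may send")
            break  # -all, ~all and ?all alike: nothing after this is authorised
        if qualifier != "+":
            continue  # a non-pass qualifier on a mechanism grants nothing
        if name in ("include", "a", "mx"):
            budget[0] -= 1
            if budget[0] < 0:
                raise ValueError("more than 10 DNS lookups: record too complex")
        if name in ("ip4", "ip6"):
            nets.add(str(ipaddress.ip_network(arg, strict=False)))
        elif name == "include":
            nets |= spf_networks(arg, chain + (domain,), budget)
        elif name == "a":
            nets |= {str(ipaddress.ip_network(ip)) for ip in A_RECORDS.get(arg, [])}
        elif name == "mx":
            for host in MX_RECORDS.get(arg, []):
                nets |= {str(ipaddress.ip_network(ip)) for ip in A_RECORDS.get(host, [])}
        # 'exists', 'ptr' and 'redirect=' cannot become static rules and are ignored here
    return nets


def iptables_rules(domains: List[str]) -> List[str]:
    """Accept port 25 only from the authorised networks, then drop the rest."""
    rules: List[str] = []
    for dom in domains:
        for net in sorted(spf_networks(dom)):
            tool = "ip6tables" if ":" in net else "iptables"
            rules.append(f"{tool} -A INPUT -p tcp --dport 25 -s {net} -j ACCEPT  # {dom}")
    rules.append("iptables -A INPUT -p tcp --dport 25 -j DROP")
    rules.append("ip6tables -A INPUT -p tcp --dport 25 -j DROP")
    return rules
```

Against live DNS the three constructed tables would be replaced by TXT, A and MX lookups; the loop guard and lookup budget matter more there, because a sender's record can change under you while the rules are being regenerated.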



Biting the hand that feeds IT © 1998–2022