Docstoc

CPE 542

Document Sample
CPE 542 Powered By Docstoc
					          Jordan University of Science and Technology
              Cryptography and Network Security
                            CPE542




          Main Attacks on Aljazeera website




                       Security Project




Names :

              Abd-alrahman Alhabash       20012171054
              Abd-alhameed Obied          20010171047
                              Table of contents
1         Abstract                                       3

2         introduction                                   4
2.1       Aljazeera                                      4
2.2       Aljazeera website                              4
2.3       Attack history on Aljazeera website            4
2.4       reasons for the attacks on Aljazeera website   5
2.5       main attacks on Aljazeera website              5

3         Denial of service attack                       6
3.1       DOS                                            6
3.1.1     introduction                                   6
3.1.1.1   what is denial of service attack               6
3.1.1.2   the attackers                                  6
3.1.1.3   motivation for the attackers                   7
3.1.2     Types of DOS attacks                           7
3.1.3     Examples for the attacks                       8
3.1.3.1   SYN flood                                      8
3.1.3.2   SMURF                                          10
3.2       D-DOS                                          11

4         DNS poisoning                                  12
4.1       introduction                                   12
4.2       motivation of the attackers                    12
4.3       Description                                    13
4.4       DNS attack on Aljazeera                        14
4.5       Recovering from DNS attack                     15




                                             2
1      Abstract
aljazeera is one of the most important news channels in the middle east The web site of the Arab
news agency Al-Jazeera has been under constant attack from hackers since the launch of its
English language site on March 24.

in this research we will cover the 2 most important hits aljazeera web site
1. distributed denial-of-service (DDOS) attack
2. DNS poison

1. DDOS:
brief introduction:
A denial of service (DoS) attacks a malicious attempt by one or
many users to limit or completely disable the availability of a
service.
In terms of network security a DoS attack can be used to,
 •Flood a network with garbage traffic.
 •Disrupt connections or communication between two machines.
 •Prevent an individual from accessing a service.
 •Disrupt service to a specific machine or person

the attack on aljazeera:
Al-Jazeera had been hit by a distributed denial-of-service (DDOS) attack
that began March 25 2003. A DDOS attack involves the flooding of a network with
data from any number of computers around the world

2. DNS poison:
brief introduction:

DNS poisoning targets the Domain Name Service protocol by which Web addresses
the links beginning with "www" are translated into the numerical Internet
Protocol (IP) addresses needed by computers so after poisoning the DNS the requests
will be redirected to another website other than the victim web site.

the attack on aljazeera:

on March 27 the site was replaced with an American flag and a pro-US
message which read, “Let Freedom Ring!” and “GOD BLESS OUR TROOPS!!!” The
hacker signed the page “Patriot” and claimed to be part of a group called
                                                 3
the Freedom Cyber Force Militia.
this was done by using the method DNS poison were The address of the site
had been hijacked to point to another server carrying the hacker’s message.
the hack caused web browsers that attempted to go to the domain name
www.aljazeera.net—as well as the English-language site—to be surreptitiously
redirected to the content hosted on NetWorld’s servers.

Expectations:

 in this research we expect to cover these two attacks in much more details, provide
general solutions for both of them if available and cover how aljazeera site deal with both threats




2      introduction
2.1 aljazeera
Aljazeera has come a long way since it was launched in November 1996.
Today the channel that sent shockwaves through the whole Arab world from its very first day
on air has become a global name which people, governments, and decision-makers cannot
afford to ignore.
With more than 30 bureaus and dozens of correspondents covering the four corners of the
world Aljazeera has given millions of people a refreshing new perspective on global events.

Free from the shackles of censorship and government control Aljazeera has offered its
audiences in the Arab world much needed freedom of thought, independence, and room for
debate. In the rest of the world, often dominated by the stereotypical thinking of news
“heavyweights”, Aljazeera offers a different and a new perspective.



2.2 aljazeera website
Aljazeera.net is the online version of the same Aljazeera.
In January 2001, Aljazeera.net (Arabic) was launched as the first mainstream Arabic news
site and in no time, it rose to the top of the Arab media. In 2002, Aljazeera.net (Arabic)
received more than 811 million impressions and 161 million visits.
Boiling topics and heated debates along with objective news reporting and interactive
feedback are the attributes that put Aljazeera.net amongst the 50 most visited sites
worldwide.
The four sites are integrated through a portal that shows the latest and most important
content in each site.
News is an Arabic news site which offers comprehensive coverage of world affairs and
developments.
Knowledge offers an in-depth view of what goes on beyond the daily flow of news through
analysis, research, and comprehensive studies.
The Channel is Aljazeera’s special site. It shows the channel’s latest developments and
keeps a complete record of what it produces in a huge database that is made available to the
audience.
Business is Aljazeera’s electronic marketing tool selling web services and the channel’s
various productions.




2.3 attacks history on aljazeera website

                                                  4
The web site of the Al-Jazeera has been under constant attack from
hackers since the launch of its English language site on March 24.

Immediately following the site’s launch, it began to suffer from network outages. Internet
monitoring service Keynote Systems reported on March 25 2003 that Al-Jazeera and its English-
language counterpart were only intermittently available for the second straight day.

From approximately 12:30 p.m. Pacific Standard Time that day, the English news portion of the
site seemingly dropped off the Internet,.

While this was initially reported as simply being due to the popularity of the site and the inability
of Al-Jazeera’s hosting company to cope with demand.

As the sites remained inaccessible for the third day in a row, it was reported that Al-Jazeera had
been hit by a distributed denial-of-service (DDOS) attack that began March 25. A DDOS attack
involves the flooding of a network with data from any number of computers around the world.
Hackers increasingly make use of compromised home PCs with permanent broadband connections
to the Internet to launch the offending data packets. The attack is hard to detect as the data is
nearly indistinguishable from that normally created by Web users.

By far the most serious problem for Al-Jazeera came on March 27 when the site was replaced with
an American flag and a pro-US message which read, “Let Freedom Ring!” and “GOD BLESS
OUR TROOPS!!!” The hacker signed the page “Patriot” and claimed to be part of a group called
the Freedom Cyber Force Militia.

The attack on Al-Jazeera, however, was no ordinary defacement. The address of the site had been
hijacked to point to another server carrying the hacker’s message.

The actual defacement appeared on a free web site service provided by NetWorld Connections.
Technically known as a “redirect,” the hack caused web browsers that attempted to go to the
domain name www.aljazeera.net—as well as the English-language site—to be surreptitiously
redirected to the content hosted on NetWorld’s servers.
 The way in which the attack was carried out indicates that this was no ordinary hack. While most
defacements involve hacking into the server that hosts the site and changing the site’s content, this
one targeted the domain name itself, ensuring that administrators at NavLink could do nothing to
restore the site.




2.4 reasons for attacks on aljazeera website

 well the most of the reasons where political that is because aljazeera was covering the main events
                            of t he world from another perspective than the American or the Israel.
And the war on Iraq was a great motivation for the hackers to attack the site since it for example
show pictures of captured American soldiers



2.5 main attacks on aljazeera website

in this research we will cover the main two attacks that hit aljazeera website and they are:


                                                  5
1.Distriputed denial of service (DDOS)

2.DNS poisons

in the next section of this research we will cover the first attack :
DDOS




3       Denial of service attack

3.1 DOS Denial of service attack

3.1.1 introduction

3.1.1.1 What is a Denial of Service attack?

A denial of service (DoS) attack is a malicious attempt by one or many users to limit or completely disable
the availability of a service. They cost businesses millions of pounds each year and are a serious threat to
any system or network. These costs are related to system downtime, lost revenues, and the labor
involved in identifying and reacting to such attacks. DoS attacks were theorized years ago, before
the mass adoption of current Internet protocols. DoS is still a major problem today and the Internet remains
a fragile place.

there are two main approaches to denying a service: exploiting a vulnerability present on the target
or sending a vast number of seemingly legitimate messages. The first kind of an attack is usually
called a vulnerability attack, while the second is called a flooding attack.

A large number of known vulnerabilities in network software and protocols exist; meaning DoS can
be achieved in a number of ways,


 Sending enough data to consume all available network bandwidth (Bandwidth Consumption)

 Sending data in such a way as to consume a resource needed by the service (Resource Starvation)

 Exercising a software .bug. causing the software running the service to fail (Programming Flaws)

 Malicious use of the Domain Name Service (DNS) and Internet routing protocols

Many DoS attacks exploit inherent weaknesses in core Internet protocols. This makes them
practically impossible to prevent, since the protocols are embedded in the underlying network
technology and adopted as standards worldwide. Today, even the best countermeasure software can only
provide a limiting effect on the severity of an attack. An ideal solution to DoS will require changes in the
security and authentication of these protocols.


3.1.1.2 the attackers
this attack is done by people known by the name Hackers :

A hacker was originally defined as .someone who makes furniture with an axe., in a modern sense, the
                                                     6
definition is

1. A person who enjoys learning the details of programming systems and how to stretch their capabilities. 2. One
who programs enthusiastically. 3. A person capable of appreciating hack value (q.v.). 4. A person who is good at
programming quickly. 5. An expert in a particular program . . . 6. A malicious or inquisitive meddler who tries to
discover information by poking around

Unfortunately, most hackers are branded with the last definition; the correct term for such a person
is .cracker
A cracker is an individual who attempts to gain unauthorized access to a computer system.




3.1.1.3 motivation of the attackers
Experienced hackers and the underground community generally view DoS attacks as
unsophisticated., since it is relatively easy for newcomers to download attacking programs from the
Internet. It has also become the tool of choice for frustrated crackers. After failing an attempt to
perform a malicious operation, a cracker will often bombard the target with a DoS attack. Listed below
are some other (less obvious) reasons for DoS attacks:

Sub-cultural status
Because DoS attack programs are easy to download and execute, many new crackers see this as an
easy entry point into a close-knit underground group. A DoS attack offers some tangible
evidence to prove to the group they are serious about their new career as a cracker

To gain access . It is unlikely that any DoS attack will give direct access to a target machine. But
they can be used to crash other machines in a network, disabling them while the
unauthorized access attempt is made. The attacker may want to disable a logging or tracking
service while they gain entry to the system. Crashing a router or firewall may disable some
security services.

• Political reasons . this is the main reason for the attacks on aljazeera

other reasons are :

• To divert attention .
• To force a reset
• To remove reminisces


3.1.2 Types of DOS attacks

Bandwidth Consumption

Attackers consume all the available bandwidth on a remote (or local) network. The victim.s
network connection is saturated by the large volume of traffic generated by the attacker. There are
two ways in which this can be achieved.

Larger Pipes

The attacker has a high speed or much faster network connection than the victim. For example
the attacker is using a TI line (1.544 MB/s) to flood a 128 KB/s network link with traffic. It should be
noted that this type of attack is not confined to low speed victims. If an attacker can gain illegal access to
a network with 100 MB/s of bandwidth, an attack can be launched against a T1 connected victim.
                                                           7
Amplification

Attackers amplify their DoS attack by engaging multiple sites to flood the victim.s network. Using this
process attackers with a slow 22 KB/s connection can completely saturate a T3 (45 MB/s)
connection. The attacker must convince. the amplifying systems to send traffic to the victim.s
network. This is usually done by taking advantage of poor security in core Internet protocols, e.g.
the Internet Control Message Protocol. (ICMP)

Resource Starvation

This type of attack targets system resources on the victim’s computer (rather than network resources). In
doing this the target system is no longer able to operate normally and provide a service across the network.
On entering a system the attacker will abuse their allocated quota of system resources to crash the
machine. The target system may crash or be forced to reset due to the file system becoming full,
processes hanging or CPU utilization at 100%. Alternatively, if the attacker has managed to gain

unauthorized access, they may choose to simply disable the running service by executing a .kill.
command.

Programming Flaws

Operating systems, applications or even embedded software all have the potential to fail while handling
exceptional conditions. These conditions usually result when a user sends unintended data to the program.
Attackers can abuse this vulnerability to send non-compliant packets of data, in an attempt to
create a buffer overflow condition and crash the application. For specific applications that reply on
user input, attackers can send large data strings thousands of lines long. A service providing application
(e.g. web or ftp) running a service with a known flaw could be exploited, rendering that service
unavailable.

Instances of programming flaws are also common in embedded logic chips. The infamous Pentium .f00f.
DoS attack allowed a user-mode process to crash any operating system by executing the invalid
instruction at 0xf00fc7c8.




3.1.3 Examples of DOS attacks

3.1.3.1 SYN Flood

How does it work ?


When a TCP connection is initiated a three step process (often referred to as a three-way-handshake)
occurs. In the figure below, TCP A and B are TCP processes running on different hosts. TCP B begins in
the LISTEN state, ready to accept any incoming connection requests. Looking at a normal TCP handshake
operation we have;


Figure 3.1 . Basic TCP 3-way handshake




                                                     8
In line 2, TCP A begins by sending a SYN segment indicating that it will use sequence numbers starting
from 100. In line 3, TCP B sends a SYN-ACK and acknowledges the SYN it received from TCP A. Note
that the acknowledgment field indicates TCP B is now expecting to hear sequence 101, acknowledging the
SYN which occupied sequence 100.

At line 4, TCP A responds with an empty segment containing an ACK for TCP B's SYN; and in line 5,
TCP A sends some data. The sequence number of the segment in line 5 is the same as in line 4 because
the ACK does not occupy sequence number space.

Although this mechanism works for all valid TCP requests, attackers can leverage a weakness in this
system to create a DoS condition. The problem occurs due to the fact that most systems allocate a finite
number of resources when setting up a .potential. connection or a connection that has not yet been
established. Although many systems can sustain hundreds of concurrent connections to the same port (e.g.
port 80 for http), it may only take a dozen or so .potential. connection requests to exhaust all resources
allocated to setup a new connection. Thus SYN Flooding is a resource starvation attack The attacker
changes the source address of the SYN packet sent to TCP B. TCP B will then try to send a SYN/ACK
packet to this spoofed address. Normally if the spoofed address were an actual system, it would
respond to TCP B with a RST (reset) packet, since it did not initiate the connection. However the attacker
chooses to use the spoofed address of an unreachable system. Thus TCP B never receives a RST packet,
and the .potential. or .half-open. connection in the SYN_RECV state is placed in a connection
queue. This .potential. connection will only be flushed after a connection establishment timer
expires.
This timer can vary from 75 seconds to as long as 23 minutes on some systems.
 Because the connection queue is small, attackers many only have to send a few spoofed SYN
packets every 10 seconds to completely disable a port. The victim system will never be able to clear the
backlog of half open connections before receiving a new spoofed SYN packet. When multiple SYN flood
packets are directed at a specific port on the victim machine, the service running on this port becomes
starved of its resources.
 Hence a web server (port 80) or ftp server (port 20/21) can be disabled for the duration of the attack. If
the attack is severe enough (i.e. more resources consumed) the service or operating system may crash,
causing more disruption. This forces the administrator to reset the computer.

Some of its properties

1. Even with a very small amount of network traffic SYN flooding is very effective.
2. SYN flooding is also a stealth attack, since the source SYN packet contains a spoofed IP address.
3. By 1999 attacks had become more sophisticated. Examples include distributed DoS attacks, attacks on
  network infrastructure and the use of high speed networks

The solutions

 SYN threshold - Establishes a limit or quota on the number of incomplete connections, and
discards SYN packets if they reach this limit. This is the simplest type of SYN flood defence, and
is implemented in several firewall products.

                                                     9
SYN defender - When a SYN packet is received, the firewall synthesizes the final ACK packet in
handshake process, so the receiver does not need to wait for the actual ACK packet from the
originator.

Increase size of connection queue . Although each vendors IP stack differs slightly, it is possible
to adjust the size of the connection queue to help reduce the effects of a SYN flood attack. This is
helpful, but not an optimal solution since it uses additional system resources.

SYN cookies - This method attempts to eliminate the need to store incomplete connection
information by including a package of information, or a .cookie. in the SYN/ACK packet sent by
the receiver to the originator. When the originator responds with the ACK packet, the cookie is
returned and the receiver is able to extract the information needed to rebuild the connection. This
allows legitimate users to connect, even under heavy attacks with the same unreachable source IP.




3.1.3.2 SMURF

How does it work ?

SMURF is one of the most devastating types of DoS attack. It makes use of a technique known as .traffic
amplification. to target network-level hosts. Attackers can amplify their DoS attack by engaging multiple
sites to flood the victim’s network

An attack begins by sending a few spoofed ICMP echo packets to the broadcast address (.255) of
the
amplifying network. Direct broadcast requests are typically used for diagnostic purposes, to see what is
alive in the network without using .Ping. on each address in the range. The source address field in these
packets is forged to make it appear that the victim has initiated the request.

Because the ICMP ECHO was sent to the broadcast address, all machines on the amplifying network will
respond to the victim. For example a single ICMP ECHO packet sent to an amplifying network of 100
machines, effectively allows the attacker to amplify the DoS attack by 100. The attacker must therefore
find a large network which, when replying to a spoofed ICMP ECHO packet, will completely saturate the
victim. Two parties are disrupted during this attack, the intermediary broadcast devices (or amplifiers),
and the spoofed address target (victim). Thus the victim is the target of a large amount of ICMP traffic
that the amplifiers generate.


Figure 3.2 the SMURF attack




The solutions
                                                     10
To protect a victim from SMURF traffic, it is possible to configure some operating systems to
silently ignore all ICMP ECHO reply packets (hence disabling diagnostic applications such as Ping). In
order to trace an attack, the victim must work closely with the amplifying site. By systematically
reviewing each router, starting with the amplifying site and working upstream it may be possible to trace
the origin. This is accomplished by determining the interface at which the spoofed packet was received,
and then tracing backwards.




3.2 D-DOS distributed Denial of service attack

3.2.1 introduction

A DDoS attack is one in which an attacker installs daemons on large number of compromised hosts. At a
later point, the attacker sends a request to the daemon asking it to begin flooding a victim with various
types of packets. The flood can take any form e.g. a SMURF attack, SYN flood or a constant stream of
legitimate packets. The ensuing massive stream of data overwhelms the victim's hosts or routers,
rendering them unable to provide a service. Thus DDoS attacks create large scale .bandwidth
consumption. conditions.

The first step for any DDoS attacker is to target and gain administrative access on as many
systems as
possible. This task is usually performed with a customised attack script that automatically
identifies
vulnerable systems. The process can be divided into the following steps, in which the attackers:


 Initiate a scan on a large number of hosts (100,000 or more) probing for vulnerabilities.

 Compromise the vulnerable hosts to gain access.

 Install the DDoS tool on each host (acting as an DoS Agent), and/or
 the compromised hosts for further scanning and compromising. (act as a Handler)
 Use

Because an automated process is used, attackers can compromise and install the tool on a single host in
under 5 seconds. In other words, several thousand hosts can be compromised in an hour. The hosts or
.zombies., are usually Linux and SUN computers; however, DDoS tools can be ported to other platforms.

After gaining access to a large number of systems, attackers will upload their chosen DDoS program to
each zombie. At this point the attacker is poised to launch the attack whenever they wish. The
compromised machines have no knowledge they are about to participate in a large scale attack, and the
attacker is completely removed from any trace attempt. All flood traffic will be generated from
these
zombie machines. The figure below illustrates this process, showing multiple-system compromising and
the final assault.

Figure 3.3 DDOS attack




                                                     11
A Handler is a compromised host with a special automated program running on it, scanning for
more
vulnerable systems. Each handler is also capable of controlling multiple agents. An Agent is a
compromised host that has the chosen DDoS tool installed. Each agent will be responsible for generating
a stream of packets directed toward the victim.

The number of DDoS tools grows almost monthly, a complete analysis of them all is beyond the scope of
this project. Some popular, well known DDoS tools will be discussed; Trin00, TFN, TFN2K
and Stacheldraht.




4      DNS poisoning

4.1 introduction

COMPUTER criminals are coming up with ever stealthier ways to make money. Rather than
attack PCs or email inboxes, their latest trick is to subvert the very infrastructure of the internet,
the domain name system (DNS) that routes all net traffic.

In doing so, they redirect internet users to bogus websites, where visitors could have their
passwords and credit details stolen, be forced to download malicious software, or be directed to
links to pay-per-click adverts.
This kind of attack is called DNS cache poisoning or polluting. It was first done by pranksters in
the early years of the internet, but it had limited impact and security patches eliminated the
problem.


4.2 motivation of the attackers
The motivation for these attacks is very simple: money. The end goal of the first attack was to
install spyware/adware on as many Windows machines as possible. A good spyware/adware
program can generate significant revenue for the attacker.



                                                   12
There is an excellent write-up by the folks at LURHQ that describes the pay-per-click (PPC)
advertising scheme that is likely behind the first/third attacks: http://www.lurhq.com/ppc-
hijack.html.

The second attack seems to have been launched by a known spammer. But this is quite a
complicated attack for a spammer, so my current theory is that the attacker(s) are contracting their
services for hire.

The motivation for our detailed analyis was because of the DNS cache poisoning attack, which has
the potential for affecting millions of Internet users and enabling some very dangerous attacks.
After receiving a couple of reliable reports, it became clear to us that we needed to get to the very
bottom of this attack.




4.3 Description


Basically, it is method for an attacker to change the IP address that a hostname resolves to. For
instance the hostname www.aljazeera.net points to the IP address 198.133.219.25. A DNS cache
poisoning attack allows an attacker to change the IP address for a host/domain and point it to a
different IP address.

If the above paragraph didn't make any sense, then take a step back and understand that DNS
(Domain Name System) is the method by which you can resolve a human name like
www.google.com into an IP address. An IP address is a computer's unique location on the
Internet.

Second, you must understand that most end-users on the Internet use a DNS server that is close to
them (at their ISP or within their organization's firewalls) to lookup names for them. For
performance reasons, these DNS servers cache the returned data so that it takes less time to
respond to the next client. If there is a vulnerability or misconfiguration in the software on these
DNS servers, then the cache poisoning attack is possible. When a victim DNS cache is poisoned,
the attacker will be affecting ALL future lookups of any domain name he chooses for ALL users of
that DNS server. Large ISPs may have thousands of users referencing a single DNS resolver. So
an attack against a resolver could affect thousands of users, without those users having
done anything wrong.

It is important to note that this attack could be used to hijack other domain roots besides .COM,
like .NET, .ORG, or the country TLDs like .CA or .DE. The attacker could hijack all of them. A
smart attacker would potentially just hijack specific hostnames and then return the correct
information for all other queries. This type of attack would not be as
noticeable and could potentially be very dangerous.

Poisoning is possible because of the way computers talk to each other to find internet addresses.
The DNS is a global network of servers that, among other things, takes surfers to whatever
websites they request. So for instance, if you are at work and you enter www.newscientist.com into
a web browser, your PC will ask your company's DNS server to take it to the numeric Internet
Protocol address that represents that domain name.

                                                 13
Your company's DNS server may know the IP address of the newscientist.com DNS server, but if
it does not, it forwards the request to a DNS server of a local internet service provider. That ISP
will know the newscientist.com address, or forward the request to a bigger ISP. This continues via
a succession of computers until your PC discovers the location of the full IP address The DNS is
also designed to take short cuts. Once your DNS server has learned the location of
www.newscientist.com, it stores it in a cache and routes directly to it. But herein lies the weakness
of the system, because hackers can persuade some servers to cache "poisoned" information.

First they set up their own DNS server called, say, hacker.com. From here, they poison your
company's DNS server by sending an email to a bogus email address at your company. This forces
your company's server to exchange information with the hacker.com server, and that interaction
gives the hacker a chance to insert a malicious code onto your company's server.

Stage two takes place when you next type www.newscientist.com into your browser. This time the
hacker has instructed your company's server to send requests for this, and any other URLs they
specify, to hacker.com. There the hacker has constructed a fake New Scientist web page; it looks
identical, except the hacker gets to see any personal info you type in.

Replace New Scientist with your bank, and you can see how account holders could be conned into
entering personal details and passwords onto a fake site without ever knowing.



4.4 DNS attack on aljazeera

On Thursday March 27, 2003 the English-language website for Al-Jazeera's Arab satellite
television network was replaced with a U.S. flag and the message ''Let Freedom Ring.'' The small
print says ''Hacked by Patriot Freedom Cyber Force Militia."
   Because it showed the graphic, bloody images of American prisoners of war executed by Iraqi
forces earlier this week, the English-language website of Arab satellite television network Al-
Jazeera (english.aljazeera.net) has been intermittently taken down by hackers.

  On Thursday morning, though, a shadowy hacker group calling itself the ''Patriot Freedom
Cyber Force Militia'' claimed responsibility for actually hijacking the Al-Jazeera site and
redirecting it to a patriotically themed web page depicting a red, white, and blue United States map
with the message, ''God Bless Our Troops.''

   That unauthorized page was nested into computers run by the Networld Connections Inc. from 8
a.m. Thursday until 10:30 a.m. when it was removed. But merely taking the bogus Al-Jazeera
creation offline did not prevent the 75,000-customer Utah ISP from bearing the wrath of anti-war
hackers enraged by Al-Jazeera's cyber-abduction.


  While the attacks ''are from all over the world,'' Bowman said, they seemed concentrated most in
nations such as Russia, China and France--among the most vocal foes of the U.S.-British
coalition's attack on Iraqi dictator Saddam Hussein.

  However, no sooner than Networld took down the bogus site, Al-Jazeera's Web site was waylaid
once more to other ISPs.

  At one point, even Al-Jazeera's Arabic-language site was being diverted--to one promoting
pornography.

                                                 14
  Experts surmise the method used to detour traffic from the real Al-Jazeera site to hacker-created
ones was so-called ''DNS poisoning.''

   Considered a more difficult hacking technique than denial-of-service attacks, DNS poisoning
targets the Domain Name Service protocol by which Web addresses--the links beginning with
''www''--are translated into the numerical Internet Protocol (IP) addresses needed by computers.

The spokesman for Al-Jazeera, was apparently not impressed with the creativity involved.
Instead, he blasted Thursday's diversions of the site as ''a frontal, vicious attack on freedom of the
press.''

   And how did hackers slip their detoured Al-Jazeera site onto Utah's Networld, even if only for 2
1/2 hours? Bowman said they took advantage of the ISP's free online website design template--
service offered to member families.

  Bowman admitted to mixed feelings over the intrusion.

 As the operator of the ISP, he was upset with his network's security being breached; as an
American, he understands the rage over the gruesome pictures Al-Jazeera aired.


4.5 Recovering from a DNS attack

1. You need to be absolutely positive that you have not been infected with spyware. Many
spyware/adware programs today will modify the DNS settings or local hosts file on Windows
machines. So you should first run your favorite spyware/adware detection tool.

2. Try to find out the IP address(es) of the malicious DNS server(s) and check our website to
determine if this IP address has been reported.

3. You may want to block the IP address(es) of the malicious DNS server(s) at your border
routers/firewalls so that your so that your cache does not become poisoned again.

4. Cleaning up from a site-wide DNS cache poisoning may require flushing the cache on all of
your DNS servers in your organization probably starting with the most externally facing DNS
boxes first.

5. On Windows DNS servers, you can stop/start the DNS service to clear
   the cache. You can also use the dnscmd.exe command from the
   Resource Kit:

     dnscmd.exe /ClearCache

6. On Windows 2000, XP, and 2003 clients, you can flush the client cache by running "ipconfig
/flushdns". (Please note that this will do nothing to clean-up a poisoned DNS caching server
upstream.)

7. On BIND 9, you can clear the cache by running "rndc" command and executing the "flush"
command. On BIND 8 or below, it appears that you have to restart the server.




                                                  15

				
DOCUMENT INFO