By MICHAEL FOREMAN
Local administrators of Undernet, one of the largest internet relay chat (IRC) networks, are preparing defences against distributed denial of service (DDoS) attacks that have crippled overseas servers.
This month a wave of withering DDoS attacks began to flood networks with spurious bandwidth-consuming traffic, forcing the closure of Undernet servers in the United States and Europe.
By late last week, only 27 out of a total of 45 servers around the world remained online.
Auckland-based volunteer administrator Lin Nah confirmed that the New Zealand Undernet server, the only server linked to Undernet in this part of the world, was still working last week.
The server had been quietly put back online over Christmas after being closed through an unrelated series of four attacks last September.
"We haven't had any problems since then," Ms Nah said.
The source of the attacks on the server last year was not known, but Ms Nah believes they had originated overseas.
"There were unsubstantiated rumours that one or two New Zealanders were also involved," she said.
"I was told that a couple of people had boasted on IRC channels that they had taken part - but they could have been just boasting."
Ms Nah said the attacks were severe enough to compromise the country's international internet links on at least two occasions for up to 30 minutes.
"A denial of service attack can take up so much bandwidth it kind of overpowers everything else."
Ms Nah said the server was now running in a new location where it was not as vulnerable to attacks from overseas, and was being configured to accept only users with New Zealand internet protocol (IP) addresses.
Unfortunately, technical complications at the new location were temporarily preventing the server from being accessed by users connected through Xtra, Paradise, TelstraSaturn and ClearNet outside Auckland.
Like most IRC networks, Undernet is a free service managed by volunteer administrators, who often provide the server hardware as well, while bandwidth is usually made available free of charge by sympathetic internet service providers.
But according to Undernet, the recent attacks have been so severe - often chewing up more than 100 megabits per second of bandwidth - that some providers have terminated their agreements to host IRC servers on the Undernet network.
Undernet points out that the attacks can use up bandwidth costing up to $US45,000 a month as well as hampering ISPs' day-to-day commercial operations.
But ISPs have discovered that pulling the plug on Undernet does not necessarily stop the attacks.
"Some providers continue to be the subject of extensive DDoS attacks, even after disconnecting their IRC servers," Undernet warns.
The ominous conclusion is that the purpose of the attacks is "not only to destroy an IRC network, but also to adversely impact the business enterprise of individual ISPs that have hosted Undernet IRC servers."
But Ms Nah believes reports predicting that the attacks would kill off IRC completely were exaggerated.
"There are many other IRC networks and there are too many people who are interested in keeping it alive."
The bandwidth used by the local Undernet server, and an alternative IRC server linked to the Galaxy network, is sponsored by local internet service providers.
In Australia, the two main IRC networks are AustNet, which maintains its own servers overseas, and Oz.org, which operates only within Australia.
Ms Nah said up to 75,000 people were using Undernet at any one time but the system averaged about 60,000 users.
The New Zealand server was hosting up to 300 local users at peak times, compared with 1200 people before it closed last September.
Ms Nah says the Undernet network can survive the loss of multiple servers - users are simply routed to an alternative server that is functioning.
But the permanent loss of the New Zealand server would degrade performance as local users would be forced to use US-based servers.
Bandwidth would be used much less efficiently and long login delays could occur as not all US servers would accept overseas users.
IRC has long been vulnerable to manual DoS attacks, but the distributed attacks, similar to those that closed high profile e-commerce websites Yahoo and eBay last February, are a recent phenomenon.
Using tools such as Tribal Flood Network (TFN) and Stacheldraht (the name means "barbed wire" in German), hackers launch an attack in two stages.
In the first "mass-intrusion phase," Trojan horse-like programs are used to remotely compromise large numbers of "handler" computer systems, usually without their owners' knowledge.
These handlers, which are chosen for their access to large amounts of bandwidth, are then instructed to infect hundreds or even thousands of agents, popularly known as "zombies."
In the actual attack phase, the zombies unleash massive denial of service attacks against targets.
The early DDoS tools were written for Solaris and Linux operating systems only, but security experts fear that such tools, which are under constant development, will be ported to Windows operating systems and become much easier to use.
Attacks bring chat servers to their knees