Wednesday, June 15, 2011

Electronic Warfare

Entry: day four hundred and ten.

The Neocom service has been glitchy all day, mostly off, sometimes on. There's a group of idiots out there that ran a Distributed Denial of Service attack against the Neocom service across all of EvE. As we know it, ships don't work unless connected, and generally doing anything outside of a station tends not to work.

Some people, however, tend to think that DDoS is equivalent to data theft. This is simply not true. Let me run it down, as I usually record these logs with the knowledge that someone else will pay attention eventually.

DDoS has nothing to do with stealing data. It's all about domination, forcing someone to submit and crumble under the pressure you put on. DDoS works by flooding the target with so many connection requests, or so much raw traffic, that it runs out of capacity to accept new connections: the connection table, the bandwidth, or the processors doing the protocol work fill up. When it does drop connections, the slots it frees are immediately filled again by more spam request packets, so legitimate clients never get in.

DDoS fundamentally does not work with theft for several reasons. The first has to do with objective. If your objective is to isolate the target, you don't give it a way out; you don't try to take anything from it, you just isolate it. Imagine a prisoner thrown into isolation, and then letting a random person come in at any time and talk with the prisoner. It defeats the purpose. Further, attempting to extract the data while the attack is running is next to impossible: the target itself is overloaded and dropping as many connections as it can, its processors so loaded down with protocol handling that it has no time for data retrieval, and with the connection slots constantly being refilled by spam request packets, there's little chance for the data to make its escape back to the thief.

The second reason is stealth, specifically the anonymity of the attacker. DDoS attacks are run by botnets, no surprise. What may surprise you is that the bots themselves are usually hidden from view by spoofed packets, that is, packets whose source address has been forged so that replies (and blame) go somewhere else. A bot that forges its source address cannot receive a reply, so it cannot carry stolen data back either. Even if these packets are not spoofed, the bots are owned by people unaware that they have in fact become bots, because of the stealth employed in maintaining a bot. You can't just roll up to someone's residence, confiscate or wipe their terminal, and say, "Now you're safe"; people won't stand for it.

The third reason DDoS has nothing to do with theft is pretty basic: it is loud. The only stealth in a DDoS is what protects the bots; in every other respect it's the equivalent of a gorilla: big, dumb, powerful, and impossible to miss. Stealing requires subtlety, which DDoS lacks by definition.
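The two symptoms just described, connection slots filled by requests that never complete and a flood coming from forged source addresses that each appear once, are exactly what a defender looks for in the connection logs. The following is an added example, not code from the original log entry: a small Python detector run over a constructed connection log. The log format, the window size and the thresholds are assumptions made for the example.

```python
"""
Added example, not from the original log entry: a detector that reads
constructed connection-log lines and flags two symptoms of a flood:
a burst of connection requests that never complete the handshake
(slots filled and never released), coming from a large set of source
addresses that each appear exactly once (the fingerprint of forged sources).
The log format and the thresholds are assumptions for this example.
"""
from collections import defaultdict

# One line per packet on a client flow: "<second> <client_ip>:<client_port> <server_port> <flags>"
# S = SYN from the client, SA = SYN/ACK reply from the server, A = final ACK from the client.


def build_sample_log():
    """Constructed sample traffic: five quiet seconds, then two seconds of flood."""
    lines = []
    clients = ["10.0.0.5", "10.0.0.7", "10.0.0.9"]
    for sec in range(100, 105):
        for c in clients:
            flow = f"{c}:{40000 + sec}"
            lines += [f"{sec} {flow} 443 S", f"{sec} {flow} 443 SA", f"{sec} {flow} 443 A"]
    # Flood: 200 SYNs per second, every one from an address never seen before, and no ACKs.
    for sec, prefix in ((105, "198.51.100"), (106, "203.0.113")):
        for i in range(200):
            lines.append(f"{sec} {prefix}.{i + 1}:{50000 + i} 443 S")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sec, flow, port, flags = line.split()
        ip, cport = flow.rsplit(":", 1)
        events.append((int(sec), ip, int(cport), int(port), flags))
    return events


def analyze(events, window=1, timeout=3):
    """Bucket every flow by the second of its first SYN; a flow is half-open
    if no ACK from the client arrives within `timeout` seconds."""
    syn_at, ack_at = {}, {}
    for sec, ip, cport, port, flags in events:
        key = (ip, cport, port)
        if flags == "S":
            syn_at.setdefault(key, sec)
        elif flags == "A":
            ack_at.setdefault(key, sec)
    windows = defaultdict(lambda: {"syns": 0, "half_open": 0, "sources": set()})
    for key, sec in syn_at.items():
        stats = windows[(sec // window) * window]
        stats["syns"] += 1
        stats["sources"].add(key[0])
        if key not in ack_at or ack_at[key] - sec > timeout:
            stats["half_open"] += 1
    return dict(windows)


def flag_windows(windows, syn_threshold=50, half_open_ratio=0.8, unique_source_ratio=0.9):
    """Return one alert per window whose SYNs mostly never complete."""
    alerts = []
    for w in sorted(windows):
        s = windows[w]
        if s["syns"] < syn_threshold or s["half_open"] / s["syns"] < half_open_ratio:
            continue
        alerts.append({
            "window": w,
            "syns": s["syns"],
            "half_open": s["half_open"],
            "sources": len(s["sources"]),
            # Nearly every SYN from a different address that never answers: forged sources likely.
            "spoof_suspect": len(s["sources"]) / s["syns"] >= unique_source_ratio,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_windows(analyze(parse_log(build_sample_log()))):
        print(alert)
```

On the constructed log the quiet seconds produce no alert (three SYNs each, all completed), while seconds 105 and 106 each produce an alert with 200 half-open flows from 200 distinct addresses, which also trips the spoofing heuristic. Real flow records would need a longer timeout and a rate threshold tuned to the service's normal load.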

Assuming you were going to steal data, DDoS is quite simply the worst move you can make, for several reasons. First, you're cutting off your own flow of information. Second, even if you already have your information, you had to get it with a stealth software package, usually a really nasty rootkit, and DDoSing the target exposes your rootkit as the white hats start poring over logs, looking through the Master Boot Record, checking BIOS images, things of that nature. Naturally, if anything is even suspected of being compromised, an isolated copy of the target is made for analysis, and the target itself has its BIOS reflashed and its drives wiped before being restored to a pristine state.
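One of the checks the white hats run in that situation is an integrity check on the Master Boot Record. The following is an added example, not code from the original log entry: it parses a 512-byte MBR (446 bytes of boot code, a four-entry partition table, the 0x55AA signature), compares the boot code against a known-good digest and the partition table against a recorded baseline, and reports what changed. The images are constructed for the example; the boot-code bytes are placeholders, not real boot code.

```python
"""
Added example, not from the original log entry: an MBR integrity check of the
kind run when a rootkit is suspected. The layout it parses is the standard one
(446 bytes boot code, 4 x 16-byte partition entries, 0x55AA signature); the
golden and tampered images below are constructed for the example.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, little-endian) sector-count(4, little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition list too large")
    image = bytearray(MBR_SIZE)
    image[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        PART_ENTRY.pack_into(image, PART_TABLE_OFF + 16 * i,
                             0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                             lba_start, sectors)
    image[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(image)


def parse_partition_table(image):
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = PART_ENTRY.unpack_from(image, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # empty slots have partition type 0
            entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(image):
    return hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(image, baseline_digest, baseline_partitions):
    """Return findings; any False value is a reason to image the disk and dig further."""
    if len(image) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    partitions = parse_partition_table(image)
    return {
        "signature_ok": image[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code_match": boot_code_digest(image) == baseline_digest,
        "partition_table_match": partitions == baseline_partitions,
        "partitions": partitions,
    }


# Constructed baseline: placeholder boot code and a single bootable Linux partition (type 0x83).
GOLDEN_CODE = bytes([0xFA, 0x31, 0xC0, 0x8E, 0xD8]) + b"\x90" * 40
GOLDEN_PARTS = [(True, 0x83, 2048, 204800)]
GOLDEN = build_mbr(GOLDEN_CODE, GOLDEN_PARTS)
BASELINE_DIGEST = boot_code_digest(GOLDEN)
BASELINE_PARTS = parse_partition_table(GOLDEN)

# Constructed "after": boot code replaced (the hook a bootkit installs) and a small
# partition of a hidden type (0x17) appended for it to live in; the signature and the
# real partition are untouched, so a naive "does it still boot?" check passes.
TAMPERED = build_mbr(bytes([0xEB, 0x3C, 0x90]) + b"\xCC" * 40,
                     GOLDEN_PARTS + [(False, 0x17, 206848, 4096)])


def findings(image):
    """Check an image against the constructed baseline."""
    return check_mbr(image, BASELINE_DIGEST, BASELINE_PARTS)


if __name__ == "__main__":
    for name, img in (("golden", GOLDEN), ("tampered", TAMPERED)):
        print(name, findings(img))
```

The point of keeping a baseline digest and a recorded partition table, rather than only checking the 0x55AA signature, is that a bootkit preserves the signature and the original partitions on purpose; only the comparison against what the disk looked like when it was known clean catches the swapped boot code and the extra hidden partition. On a live system the 512 bytes would come from the raw block device, read from a trusted boot medium rather than from the suspect OS.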

In effect, this destroys your chances of getting new data, and creates a strong possibility that the white hats discover your rootkit, dissect it, and figure out how to defend against it, making the rootkit you spent months and months developing a piece of garbage. No hacker would be so irresponsible as to waste his life's work on a DDoS. Inventing new rootkits, with new infiltration and stealth procedures, is incredibly difficult. Most of the black hat/grey hat/white hat community don't invent their own, but use builder programs that exploit known weaknesses. Only occasionally are new techniques developed, and it's rare enough and special enough that there is a yearly black hat meeting, at which only a few techniques are shared with that community, and only AFTER those weaknesses have been shown to the vendors that make the hardware and software everything runs on.

I won't discount the possibility that the Neocom DDoSers could have stolen data, but it goes against their M.O., which is essentially for fun and because they can. They're not concerned with helping people or hurting people, and they aren't stupid enough to make use of what they've stolen if they want a chance in hell of getting away with it. They're in it for popularity, and nothing else.

Unfortunately, they've shown an ugly face to those like us; no doubt millions have turned against them with this blow on the Neocom. There's no doubt that the grey hats will rise up to at least attempt to destroy them, because grey hats do illegal penetration for good purposes, and a group of black hats that shallow is risky for everyone. I wouldn't be surprised to see other black hats attack them as well, if not for their own safety, then surely for the prestige of being the group that brought them down.

It's a dog eat dog world out there in those catacombs of computer architecture. Only time will tell how long they survive.

Computer: terminate recording
