Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 229895 - Attack from Gentoo controlled machines
Summary: Attack from Gentoo controlled machines
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Dev box issues (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Infrastructure
URL: http://ahfaeroey.wordpress.com/2008/0...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-28 12:44 UTC by Alexander Færøy
Modified: 2008-07-09 18:00 UTC (History)
13 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Accesslog with requests from Gentoo controlled machines. (logs_gentoo.txt,74.10 KB, text/plain)
2008-06-28 18:17 UTC, Alexander Færøy
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Færøy 2008-06-28 12:44:20 UTC
Hello,

I am writing on behalf of Exherbo's "infrastructure" team.

Yesterday our quote database (http://quotes.exherbo.org/) was under a very
primitive attack which appears to have been launched from Gentoo controlled
machines.

The attack basically changed all of our quote rank values into negative ones.
It started at 18:53 UTC and ended at 19:39 UTC.

Using grep and some other commands to get the interesting information out of
apache's access_log reveals the following:

[ snip ]
>>> 140.211.166.168:    18      168.166.211.140.in-addr.arpa domain name pointer osprey.gentoo.osuosl.org. ...
>>> 140.211.166.183:    322     183.166.211.140.in-addr.arpa domain name pointer smtp.gentoo.org. ...
>>> 64.127.104.142:     27      142.104.127.64.in-addr.arpa domain name pointer miranda.amd64.dev.gentoo.org. ...
>>> 89.16.176.11:       338     11.176.16.89.in-addr.arpa domain name pointer albatross.gentoo.org. ...
[ snip ]

The first column is the IP of the request sender, the second column is the
amount of requests in our access logs and the last column is the output of
$(host "${IP}").

Other machines participated in this attack as well, but they are not under
Gentoo's infrastructure teams control and therefore not interesting for this
bug.

Most of my research says that this attack was launched by 'astinus' (Alex Howells).

I am going to contact the abuse contact for the networks on which these
machines are located on and I must admit that I am very disappointed about
this and I hope that you are going to take actions against such behaviour so
that it wont happen again.

Best regards,
Alexander
Comment 1 Santiago M. Mola (RETIRED) gentoo-dev 2008-06-28 12:45:06 UTC
It's also worth a note that astinus announced the attack on #gentoo-infra:
185551  * astinus has a funny idea
185656 < astinus> for i in $(seq 1 25); do   wget -O /dev/null 
                  http://quotes.exherbo.org/?ratingminus\&id=$i;   sleep 6; 
                  done
185855 < astinus> additional brownie points if you use -q with wget and 
                  CFengine it for a one-time run on 500+ machines
185913 < astinus> "Hey guys! All your quotes suck!"
185921  * astinus sighs
Comment 2 Alex Howells (RETIRED) gentoo-dev 2008-06-28 14:08:27 UTC
Do I really need to point out that writing something into #gentoo-infra and actually doing anything are two different things, never mind the question of whether his traffic logs and/or this complaint is genuine in any degree?? 

Judging by http://lolgentoo.blogspot.com it's highly liable a random amount of my conversation in #gentoo-infra leaked, and he's decided to take it upon himself to "Have a bit of fun"? ;)

Last time I checked we had free speech, and I could threaten to break your legs in most countries. Not illegal, provided I don't actually start snapping bones.

Anyway, nice to see eroyf is finding new and more ingenious ways to waste time.

Perhaps as a side note Exherbo should "fix" their QDB so you can't skew it?  Pretty much everything except Rash implements a 'Has this IP rated this quote in the last 24 hours?' rather than a "primitive" 5s flood prevention system.

This will be my last response to this issue until at least Tuesday, I am off out with my other half for the weekend, and away (work related) all of Monday.  Doubtless there will be more hilarious posts to read when I return, after all, if eroyf + co didn't generate "smelly stuff" by the metric tonne they'd still be developers rather than forcibly retired by Developer Relations.
Comment 3 Mike Doty (RETIRED) gentoo-dev 2008-06-28 16:30:56 UTC
nothing but accusations, nothing to be done.
Comment 4 Fernando J. Pereda (RETIRED) gentoo-dev 2008-06-28 16:38:06 UTC
Do investigate who ran those commands on those machines. These are founded accusations. Don't try to stuff this under the carpet.

- ferdy

Comment 5 Andrew Gaffney (RETIRED) gentoo-dev 2008-06-28 16:51:05 UTC
Attack? This was obviously a joke by whoever did it. Get the sand out of your
collective lady parts and just fix your quotes db to not be susceptible to this
kind of thing. If it hadn't happened now, someone else would have done it in
the future.
Comment 6 Alex Howells (RETIRED) gentoo-dev 2008-06-28 17:00:36 UTC
(In reply to comment #4)
> Do investigate who ran those commands on those machines. These are founded
> accusations. Don't try to stuff this under the carpet.

So you have a public web service at quotes.exherbo.org?  You allow access to the world via a web server (Apache/1.3.37) and don't consider it to be an "internal" service -- there is no authentication required to access it?

Along comes a random person, they request http://quotes.exherbo.org and are delivered content.  They have sent a small number of *valid* HTTP requests to your service and that isn't a problem?  You have a function for allowing site visitors to rate quotes, via the URL:

    http://quotes.exherbo.org/?ratingplus&id=something
    http://quotes.exherbo.org/?ratingminus&id=something

Aforementioned random person clicks on a link. Rating is adjusted. No problem? If they reload the page, they get a message saying they must wait 5 seconds, then they can rate another quote, or even decrease the *same* quote further. Also not a problem, because this is how your application is setup? :)

Then you have this case where you are complaining about an "attack" -- yet I fail to see how this is an attack??  No exploit was used, the amount of data involved was probably less than the broadcast traffic your server sees from being on a LAN in a datacentre, and yet you feel the need to throw accusations?

If I didn't know better I'd swear this was legitimate usage of your service, albeit with a somewhat funny side-effect that all your quotes appear to suck.  Earlier suggestion to fix your application was a genuine one.
Comment 7 Alexander Færøy 2008-06-28 17:01:09 UTC
Added URL to my blag where I am writing all the details on this attack.
Comment 8 Lance Albertson (RETIRED) gentoo-dev 2008-06-28 17:32:00 UTC
Well, I kind of feel this bug is invalid until you provide proper evidence which includes a *full* access log and not just some accusation that included some wget/grep/wc output. Its kind of hard to verify anything with what you provided.
Comment 9 Lance Albertson (RETIRED) gentoo-dev 2008-06-28 17:52:31 UTC
To clarify, I only want full (unedited) logs for the IPs that are controlled by gentoo-infra. 
Comment 10 Alexander Færøy 2008-06-28 18:17:46 UTC
Created attachment 158793 [details]
Accesslog with requests from Gentoo controlled machines.

There you go.
Comment 11 Mike Doty (RETIRED) gentoo-dev 2008-06-28 18:24:19 UTC
Thank you for the logs.  We will use this information to audit our logs.
Comment 12 Steve Arnold gentoo-dev 2008-06-28 18:26:07 UTC
Just because you can, doesn't mean you should...  This behavior seems rather childish and abusive to me, but I'm just a random adult with an interest in getting things done.  Please review the provided logs, and try and refrain from minimizing or trivializing stupid behavior.  Perhaps a software change is also in order.  Ultimately, facts and rational behavior are in order here, not pissing on someone else's turf or picking on less than optimal web services...
Comment 13 Alexander Færøy 2008-06-28 18:27:16 UTC
Thanks Mike.

Timestamps are in CEST (UTC + 2).
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-06-28 18:47:01 UTC
eroyf: besides those four IPs, were there any other boxes with sustained wget
requests during that time period? Can we get those logs too?
Comment 15 Alexander Færøy 2008-06-28 19:14:42 UTC
(In reply to comment #14)
> eroyf: besides those four IPs, were there any other boxes with sustained wget
> requests during that time period? Can we get those logs too?

I am willing to give you that on the condition that you do not attach the file to this bug and that you are not going to put the logs online for public viewing.
Comment 16 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-06-28 19:51:13 UTC
FYI, I spoke with eroyf, and I'm taking back the request for the other logs. After some discussion, we don't really need them.
Comment 17 Mike Doty (RETIRED) gentoo-dev 2008-06-28 21:46:21 UTC
As reported on bug 229895, on 27 Jun 2008 at 19:04 UTC, there was unwarranted traffic sent to http://quotes.exherbo.org/ and some of the traffic involved originated from various Gentoo Linux infrastructure machines.  The Gentoo infrastructure team conducted an audit based on logs from the machines as well as those provided by Exherbo's infrastructure team.  Based on results of our audit and the user's admission via email, we have concluded that the said actions were taken by one of our developers named astinus.

We have taken appropriate action and have removed the developer in question from Gentoo Linux infrastructure.  We sincerely apologize to the administrator of quotes.exherbo.org for the involvement of Gentoo infrastructure machines.
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-06-28 21:51:16 UTC
For anybody following his retirement (again, from his -core email), that's on bug 82711.
Comment 19 Alex Howells 2008-06-29 15:10:18 UTC
Since there seems to be a bit of confusion about whether I retired, or was forcibly pushed, I'd like to clarify that I spoke to Gentoo Infrastructure and admitted what is essentially a stupid prank *not* intended to cause any damage, note the wording above states "unwarranted traffic" not "attack", and then drafted and sent a retirement message to gentoo-core (an internal list).

My message stated a number of reasons for retiring, most of which were not related to this incident but rather the state of Gentoo Linux at this time.

It's been my intention for a while to focus less on IRC-fuelled drama (particularly the Gentoo vs. Exherbo mess) and more on the 'real' world, and I am taking the opportunity to do just that.  I wish both distributions best of luck with their future endeavours, and who knows, maybe 2008.0 before 2009? ;)

Alex
Comment 20 micah 2008-07-09 15:21:39 UTC
(In reply to comment #2)
> Last time I checked we had free speech, and I could threaten to break your legs
> in most countries. Not illegal, provided I don't actually start snapping bones.

You should check again. Its nice that you are coming from an idealized free speech perspective, rather than the other direction, however you should get your facts straight before you get yourself into more trouble. In the US, for example, in California a threat is:

"Any person who willfully threatens to commit a crime which
will result in death or great bodily injury to another person, with
the specific intent that the statement, made verbally, in writing, or by means of an electronic communication device, is to be taken as a threat, even if there is no intent of actually carrying it out, which, on its face and under the circumstances in which it is made, is so unequivocal, unconditional, immediate, and specific as to convey to the person threatened, a gravity of purpose and an immediate prospect of execution of the threat, and thereby causes that person reasonably to be in sustained fear for his or her own safety or for his or her immediate family's safety."

This is called a "422" in California, and it can be a felony or a misdemeanor.

However, this seems to cross over the state-by-state situation as this example indicates:

On February 2, 1999 a federal jury in Portland, Oregon, awarded Planned Parenthood and four doctors who perform abortions $107 million in damages. The defendants—14 anti abortion individuals and two organizations—were convicted of threatening abortion providers through a series of posters—and a Web site.

The judge in the case said "I totally reject the defendants' attempts to justify their actions as an expression of opinion, or as a legitimate and lawful exercise of free speech." 

If you are going to make a threat, you do not automatically get a free pass because of your first amendment rights. Its a lot more complicated and you could get into trouble.
Comment 21 Alexander Færøy 2008-07-09 16:35:05 UTC
This bug is already fixed... Please leave it be.
Comment 22 Mike Doty (RETIRED) gentoo-dev 2008-07-09 18:00:53 UTC
closing