~ Trolling tactics ~
Version March 2001

Contents: Trolling for information | Trolling wars | Trolling weapons
See also the ad hoc section "Luring Lore"

Trolling for information: System administrators answering a troll
Well... sooner or later I would have had to teach you how to fish for information with cleverly
placed trolls anyway, so learn it right now (I'm speaking only for those among you who did
not already know this trick, of course :-). Unix-related (or Linux-related) trolls on
Usenet can fetch a huge amount of interesting info if cleverly placed.
This was the troll (first relevant part; note the typical trolling style):
>> I get this feeling that your anti-MS because your an old school
>> UNIX weenie that hates the fact of MS-NT eating your lunch with
>> zero administration and fast setup?
This was the first answer:
"Zero Administration?" ...Service packs that fix one problem while
introducing another. Distributed in straight binary format with no
source code and no compiler, so you can't fix bugs in the code
yourself. Changing simple things like IP settings requires a reboot.
Changing damn near anything requires a reboot. On what's supposed to
be an Enterprise-class server? The people that actually have to
administer NT systems usually _hate_ them. Their boss is the one who
bought MS's bullshit about "ease of use" and "reliability".
This was the second answer (quite interesting, I believe):
I can vouch for this somewhat, having to deal with an NT box at work,
although it's actually given us little trouble. The reason for this
is that we have only *one* mission-critical function running on NT:
our proxy server. The only other tasks it's used for are backing up
the network and file/application serving, neither of which would
cripple us if the box puked tomorrow. The *real* important stuff runs
on Linux or Solaris (and, as soon as Informix ports its DB tools to
Linux, the Sun box will find itself on the doorstep the next day).
What slays me about Microsoft is how badly their software can coexist
with other products, *including their own*. A classic example is
their aforementioned Proxy Server. When you set up NT with the Option
Pack and Service Pack 3, it installs Internet Information Server 4.0
by default. Which is fine, except for one small detail: it *breaks*
Proxy Server. We had to back IIS 4.0 out of the system and install
IIS 3.0, which has no trouble working with Proxy Server. AFAIK, there
is still no fix to get Proxy Server working properly with IIS 4.0.
Now tell me: if Microsoft can't be bothered to fix glaring
compatibility issues with its own products, what makes anyone think it
gives two shits about making them compatible with anyone else's? Why
the hell did Sun sue Microsoft over the Java issue in the first place?
Second part of the troll:
>> UNIX hit rock bottom 2 years ago when the DOD shit canned it due to
>> it high cost. NT is cheaper and faster to use. Who in their right
>> mind would spend $1,500 for a crude UNIX OS when NT is better and
>> almost $ 1,300 cheaper???
First answer:
Well, why would you need to spend $1500 when you can get your pick of
various *BSD and Linux OS's for either the cost of the CD, or the time
it takes to download? NT Server costs $200? I think it's a bit more
than that. And you also have to buy client licenses by the seat. The
more workstations you have being served by NT, the greater the cost.
Second answer:
He may be thinking of NT Workstation, which is a very different
animal.
Point of comparison: our upgrade to NT (we qualified, having run
Netware previously) cost us just under $1500 for the server and 30
client licenses (also not $200). But Solaris is much, much more
expensive, especially if you run it on SPARC hardware, although
there are no client-access restrictions.
I should add that both posters above actually realized they were answering a troll,
but, interestingly enough, it worked nevertheless, and it was
possible to fish out some anti-M$ info all right :-)
Trolling wars: The waves system
The following is the old alt.syntax.tactical (master trollers) foundation for the structure, strategy, and protocol of simple
Usenet invasions. I have decided to publish it here because it gives good insight into the
complexity of a well-run troll attack. Many of the tactics described here can be applied, mutatis mutandis, to any sort
of "lone wolf" action you may want to stage on your own. Seekers should know all sorts of techniques, lest
they suddenly need them (or need to recognize them) in some obscure corner of the web.
* Waves of Invasion *
Flames and wars between groups are as old as Usenet. What we try to do
is in many ways fundamentally different from what is or has been done in
this area.
After picking a messageboard, we call for an invasion on that msgbrd. There are a
number of phases to an invasion. Each person can volunteer for which
wave they want to be in, but more times than not, it is a first come-
first served policy. It is always important that no one jump the gun and
go in before we have time to prepare and bounce ideas off each other.
It's also important that people don't switch waves without letting
everyone know. Flexibility is the key, as is communication.
Typically, we use between two and five Waves of attack. Waves will
generally break down into this kind of structure:
a: Reconnaissance (RECON): These people will go in early and usually
set up camp as "friends of the newsgroup". They will become trusted and
participate by joining previous discussions or starting non-
controversial ones themselves. They will also act as "double-agents" to
counter-flame the other waves as the invasion progresses. The key is
building a bit of credibility.
b: Wave One: Wave one will usually be what starts the flame war.
Those involved in this wave can go on and each have a different flame,
or go on and flame in unison. They can bring in a subject of their own
or flame a previous discussion. What matters is that this initial wave
will be the one that the invaded newsgroup will have their attention on.
This wave calls for extreme subtlety. The quality of the flame MUST be
at its highest point here.
c: Wave Two: Wave Two will consist of tactics to attack the people who
were sent in as recon and attempt to start totally new flame threads.
The key here is that even if we attack a group of people restrained
enough to resist our flame-bait, wave two will stir things up and get
others to join in.
d: Wave Three: Wave three will generally change depending on the
campaign, but will generally be added to push the confusion and chaos
over the top. Flame the recon, flame the first wave, flame the second
wave. These guys are our balls out, rude SOB's. Mop up and clean out.
Sometimes (usually with bigger groups) Wave three will simply be along
the lines of a wave two. We will call for a wave four (or five) to be
the balls out routine. We will sometimes add a wave or two, depending
on the size and intelligence of a newsgroup.
Miscellaneous Tactics:
There are three other things that we typically use, depending on
the sophistication of the invasion.
LOOSE CANNONS are people who come in and act so strange and obtuse that
it makes the rest of the flames look genuine.
THE ANON SERVICE can be used to send posts anonymously. This is a good
way to post and pretend to be scared of retribution. Only problem is
that this is usually the first sign that a post is a flame, so it should
only be used with a TREMENDOUS amount of DISCRETION.
CROSS POSTING is also a popular method of choice by other flame groups,
so it is important to Cross Post with discretion. If we can cross post
to bring in other newsgroups to unwittingly assist us, perfect. If we
cross post to suspicious newsgroups, our intentions will be obvious.
* Victory *
Ideally, signs of victory are the following:
- Our names appear in killfiles
- Majority or ALL threads in invaded newsgroup were started by us
- Regulars/legit people abandon invaded newsgroup
- Receive much hate mail - as does our SysAdmin
- To be reprimanded by the glorious SysAdmin
* Notes *
Most important is the need to be SUBTLE when it is required. One
misplaced post can ruin it for the rest of us. Those of you who have
participated in widespread flame wars know the feeling of having a
newsgroup going for a long time, then someone posts an obvious flame or
something so far out of context, that everyone says to just ignore the
flames, which eventually includes all of us. Blowing a flame war will
occasionally happen, but if it could have been avoided with a little
thinking, then it's not as excusable.
We've got to share duties. Everyone should get practice playing
different roles and different waves.
It has been assumed that if you don't want to participate, fine. No one
will hold it against you. What is expected is that if you don't want to
participate you don't have to, but that also means that you won't go
warning that newsgroup when an invasion happens. You will close your
eyes and turn a blind eye. NO NEWSGROUP AND NO MESSAGEBOARD IS OFF LIMITS!!!!!!
Another thing many people seem to be talking about are SIGS AND NAMES.
Try to take on appropriate names. If you are on alt.rap, D.J. Trouble is
not going to stir things up...if you show up on soc.culture.physics with
that name, you're caught before your first word of text. If a Sig is
going to blow your cover, lose it.
Do not meddle in the affairs of wizards
for they are subtle and quick to anger.
[email protected], see http://ddi.digital.net/~gandalf/trollfaq.html
Trolling weapons: Deathpinging
"OK, I have enough, let's screw the troller: I'll give him 200-300 ping -f -s 65000" ;-)
A+heist
What A+heist refers to is the attack known as a 'ping flood': a continuous stream of large
ICMP echo requests aimed at the target. On its own a flood exhausts the target's link and CPU;
with oversized packets it also hammers the target's IP fragment reassembly code, which is where
the toy stacks of the time usually fell over (see the ping of death below). Attacks of this
kind are commonly used, for instance, during IRC channel wars.
It is a well known fact that Windows 98 (and many other toy and older systems)
REBOOTS after a ping -f -s 65000; often a single run is enough to reboot the system.
The command must be issued from a Linux box (the -f flood option needs root there).
For Slackware 3.6, kernel 2.0.36, the correct line is: ping -f -s 65000 Target_IP_address
Note what that size means: 65000 data bytes plus the 8-byte ICMP header and the 20-byte IP
header make a 65028-byte datagram. That is still within the legal 65535-byte maximum, but it
gets split into some 44 fragments on an Ethernet link, so the victim is flooded with maximal
legal datagrams rather than with illegal ones.
The option letters also differ between implementations. If you are pinging from a Windows
box on a local network, use -l for the size instead; as the Windows usage text below shows,
there -f means Don't Fragment (not flood) and -s is a timestamp count:
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
[-r count] [-s count] [[-j host-list] | [-k host-list]]
[-w timeout] destination-list
Options:
-t Ping the specifed host until interrupted.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
In this context I would like to recall the similarly famous "ping of death" method.
For exact information see:
http://www.insecure.org/sploits/ping-o-death.html.
To quote it loosely: billions of machines can be crashed by sending IP packets that exceed
the maximum legal datagram length (65535 bytes). You can send such packets from Linux, or,
of course, patch your own ping so that it sends a packet bigger than that. There are also
many "nukers" on the web that have options to change the packet size.
Netware, routers, and of course toy systems like Windows NT and 9* can be locked up,
but early versions of Linux and Solaris can be nuked as well.
The attacker needs to know nothing about the machine other than its IP address.
Most implementations of ping won't allow an invalid packet (i.e. more than 65535 bytes)
to be sent. Among the exceptions are Windows 95 and NT :-)
This exploit is by no means restricted to ping. The problem can be exploited by anything
that sends an IP datagram, probably the most fundamental building block of the net.
An IP datagram consists of an IP header and an IP payload.
The IP header is of variable size, between 20 and 60 bytes, in 4-byte increments.
It provides routing support, payload identification, IP header and datagram
size indication, fragmentation support, and options.
The IP payload is of variable size, ranging from 8 bytes
(a 68-byte IP datagram with a 60-byte IP header) to 65,515 bytes
(a 65,535-byte IP datagram with a 20-byte header).
The trick lies in fragmentation: an oversized datagram travels as a series of fragments,
each of which is a perfectly legal packet on its own, and only the sum of the last
fragment's offset and length exceeds 65,535 bytes. The overrun therefore happens in the
victim's reassembly code, after every fragment has passed through the network unchallenged.
Note also that not only ICMP echo, but TCP, UDP and even new-style
IPX can be used to hit machines where it hurts.
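The datagram limits above, made concrete. This is an added example, not code from this page or from the ping-of-death advisory it cites: it parses the IPv4 header fields that govern reassembly, shows how a Linux `ping -s 65000` is cut into fragments for a 1500-byte Ethernet MTU (each fragment legal, the whole just under the maximum), and flags a fragment set whose reassembled size exceeds 65535 bytes, the ping-of-death condition (a Windows `ping -l 65510`, with 8 ICMP bytes and a 20-byte header, adds up to 65538). All packets are constructed inline; the addresses, identifiers and filler payload are made up, and nothing is put on the wire.

```python
"""Added example: IPv4 fragmentation and the ping-of-death reassembly check.
Packets are constructed in memory (made-up addresses, IDs and zero filler);
nothing is sent."""
import struct

IP_MAX_LEN = 65535      # the 16-bit Total Length field cannot express more
IP_HDR_MIN = 20         # header without options
ICMP_ECHO_HDR = 8       # type, code, checksum, identifier, sequence
ETH_MTU = 1500


def build_ipv4_header(total_len, ident, more_fragments, frag_offset):
    """Minimal 20-byte IPv4 header for an ICMP fragment (checksum left zero)."""
    version_ihl = (4 << 4) | 5                      # IPv4, IHL = 5 words
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, ident,
                       flags_frag, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_ipv4_header(pkt):
    """Return the header fields that matter for reassembly."""
    (version_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or not 20 <= ihl <= 60:
        raise ValueError("not a plausible IPv4 header")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool((flags_frag >> 14) & 1),
        "mf": bool((flags_frag >> 13) & 1),
        "offset": (flags_frag & 0x1FFF) * 8,    # stored in 8-byte units
        "payload_len": total_len - ihl,
        "proto": proto,
    }


def fragment(payload_len, mtu=ETH_MTU, ihl=IP_HDR_MIN):
    """Split an IP payload into (offset, length, more_fragments) triples.
    All but the last fragment carry a multiple of 8 payload bytes."""
    per_frag = ((mtu - ihl) // 8) * 8
    frags, off = [], 0
    while off < payload_len:
        n = min(per_frag, payload_len - off)
        frags.append((off, n, off + n < payload_len))
        off += n
    return frags


def reassembled_size(fragments, ihl=IP_HDR_MIN):
    """Size of the datagram the receiver would rebuild from the fragment set."""
    return ihl + max(off + n for off, n, _mf in fragments)


def is_ping_of_death(fragments, ihl=IP_HDR_MIN):
    """True when reassembly would overrun the IPv4 maximum. Each fragment is
    legal on its own, so only this check on the whole set catches it."""
    return reassembled_size(fragments, ihl) > IP_MAX_LEN


def fragments_to_packets(fragments, ident=0x1234):
    """Wire-level packets for a fragment set, with zero filler as payload."""
    return [build_ipv4_header(IP_HDR_MIN + n, ident, mf, off) + b"\x00" * n
            for off, n, mf in fragments]


def check_packets(packets):
    """Parse the raw fragments of one datagram and decide whether reassembly overruns."""
    parsed = [parse_ipv4_header(p) for p in packets]
    frags = [(f["offset"], f["payload_len"], f["mf"]) for f in parsed]
    return is_ping_of_death(frags, parsed[0]["ihl"])


def linux_ping_s_65000():
    """ping -f -s 65000: 65000 data bytes + ICMP header = 65008-byte payload."""
    return fragment(65000 + ICMP_ECHO_HDR)


def windows_ping_l_65510():
    """ping -l 65510: 65518-byte payload, 65538 bytes once the header is counted."""
    return fragment(65510 + ICMP_ECHO_HDR)


if __name__ == "__main__":
    for name, frags in (("ping -s 65000", linux_ping_s_65000()),
                        ("ping -l 65510", windows_ping_l_65510())):
        pkts = fragments_to_packets(frags)
        print(f"{name}: {len(frags)} fragments, reassembles to "
              f"{reassembled_size(frags)} bytes, ping of death: {check_packets(pkts)}")
```

Run it and the two cases come out as the text describes: the Linux flood is 44 fragments rebuilding to 65028 bytes, legal; the Windows one is 45 fragments rebuilding to 65538 bytes, and no single fragment is longer than the MTU, which is exactly why a filter that only looks at one packet at a time never sees anything wrong.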
(c) 1952-2032: fravia+, all rights reserved