nanog mailing list archives
Re: Yahoo offline because of attack (was: Yahoo network outage)
From: Richard Steenbergen <ras () above net>
Date: Wed, 9 Feb 2000 09:50:38 -0500
On Wed, Feb 09, 2000 at 01:20:13AM -0800, Roeland M.J. Meyer wrote:
From: George Herbert [mailto:gherbert () crl com] Sent: Wednesday, February 09, 2000 12:52 AM To: Roeland M.J. Meyer Roeland wrote:I smell denial here. The compromised systems (only 52?) had tohave accessto pipes at least 1 Gbps in size, in order to carry out thisattack (do themath yourself). Either there were many more systemsparticipating (in itselfa scarey thought) or many of these large and professionally runsystems areowned and their operators don't know it. The only otheralternative is theconspiracy theory from hell.No, they don't. Assume there's 40k of data in the homepage. How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take to do a TCP connect and request? I just tested, I show 160 bytes. That's a 250:1 leverage for the attacker. To fill 1 GBPS worth of outbound trunking you only need to generate 4 MBPS (32 Mbps) worth of input. 50ish systems with T-1 connectivity gets there with margins.Okay, but you've still missed the point. Even if I stipulate everything you said here, that's still 50 largish systems that are compromised. I would almost wager that the perpetrators didn't use all of their assets either. That's a shit-load of large compromised systems on the Internet. Doesn't that thought worry you in the slightest?
You've all missed the point. I've done a fair bit of research into this, and I would put my money on the numbers looking something like this: 75-200 compromised systems 90% on 10Mbps ethernet Around 75% on compromised university servers and dorm ethernets Around 24% on compromised commercial connections, 1% other Somewhere around 35-40% of these will be non-US, a large number of .fi and .se universities where gov't funding has produced large university backbones, and these are often the ones with the most direct bandwidth being applied to the victim. The compromises will be done through standard script kiddie methods (I highly suspect the recent influx of compromised attack hosts is directly linked to the discovery of more and more remote bind exploits which can be easily AXFR'd and scanned for script-kiddie style), bind imap qpopper anything that someone can write a scanner script for and they can fire off against fast places they think might net them more attack-shells. I suspect the numbers of the attack are closer to 600-800Mbps and people like to round up. I also suspect that are very few "real" numbers of the attacks since 5 minute averages and MRTG are very bad at getting these things accurately (especially when routers are bogged down or unreachable). You'll see some hosts putting out more bandwidth then others, but probably around 40 will be the primary smurf "bandwidth generators", doing about 6-8Mbps, and getting amplified. -- Richard A. Steenbergen <ras () above net> http://users.quadrunner.com/humble PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB) MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
Current thread:
- Re: Yahoo offline because of attack (was: Yahoo network outage) George Herbert (Feb 09)
- RE: Yahoo offline because of attack (was: Yahoo network outage) Roeland M.J. Meyer (Feb 09)
- Re: Yahoo offline because of attack (was: Yahoo network outage) Richard Steenbergen (Feb 09)
- <Possible follow-ups>
- RE: Yahoo offline because of attack (was: Yahoo network outage) Sykes, Phil (Feb 09)
- RE: Yahoo offline because of attack (was: Yahoo network outage) Havard . Eidnes (Feb 09)
- Re: Yahoo offline because of attack (was: Yahoo network outage) John Payne (Feb 09)
- Re: Yahoo offline because of attack (was: Yahoo network outage) Richard Steenbergen (Feb 09)
- RE: Yahoo offline because of attack (was: Yahoo network outage) Simon Lyall (Feb 11)
- Re: Yahoo offline because of attack (was: Yahoo network outage) Troy Davis (Feb 11)
- RE: Yahoo offline because of attack (was: Yahoo network outage) Havard . Eidnes (Feb 09)
- RE: Yahoo offline because of attack (was: Yahoo network outage) Roeland M.J. Meyer (Feb 09)
- Re: Yahoo offline because of attack (was: Yahoo network outage) Charles Sprickman (Feb 09)
- Re: Yahoo offline because of attack (was: Yahoo network outage) Richard Steenbergen (Feb 09)
- RE: Yahoo offline because of attack (was: Yahoo network outage) Charley Kline (Feb 09)