nanog mailing list archives
Re: Yahoo offline because of attack (was: Yahoo network outage)
From: Richard Steenbergen <ras () above net>
Date: Wed, 9 Feb 2000 11:14:38 -0500
On Wed, Feb 09, 2000 at 10:58:00AM -0500, Charles Sprickman wrote:
So the attacker need only send a few packets to each compromised host to cause extreme amounts of damage. How would you track down the attacker? Sure, you could slowly find the compromised hosts and block them. You could even then look for where the icmp "control" message that starts the thing comes from, but if it's a one-way control channel, the source the attacker sends the control packet from could easily be forged and you could easily miss the one magic 'ping' that starts the thing off... The idea of such a tool is scary, and from what I've read about TFN and friends, it seems that they could be modified to work as outlined above. The worst thing about any effective DoS is, in my mind, the lack of an identifiable "attacker".
They do work as above, with encrypted control messages. If you look at some of the code (and then manage to stop laughing) you will find some interesting ways to counteract, trace to the control nodes, and in some cases even immediately kill the daemon on every attacking node. Keep in mind that the people writing these things are doing it with often very little clue, experience, or thought. Most are blindly stabbing at things they do not understand trying to tweak things and test them out to see if it makes their victim "die any faster", ripping mismatched code from various places (like blowfish code from eggdrop), and creating what will quite possibly be one of the quickest ways to spend a long long long LONG time in jail when they get caught and lawyers and accountants start adding up the "cost" of their distributed fun and games...

--
Richard A. Steenbergen <ras () above net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
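Two of the problems raised in this exchange, a forged source address on the "control" packet (or on the flood traffic itself) and a victim being hit from many compromised hosts at once, are what edge operators address with ingress filtering and per-destination flow aggregation. The script below is an added example, not code from the thread or from any of the tools it mentions: it assumes a small table of address blocks assigned to each customer-facing interface (ingress filtering in the style of BCP 38, so a packet whose source lies outside its interface's block is treated as forged) and a constructed set of flow records in a made-up "iface src dst proto bytes" format. Every interface name, prefix and address in it is constructed sample data.

```python
"""Added example, not code from the NANOG thread above: two defender-side
checks against the problems the posts raise, namely forged source
addresses on control or attack packets, and a victim being hit from many
compromised hosts at once. All interfaces, prefixes and flow records below
are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple

# Constructed: the address blocks assigned to the customer behind each
# edge interface. Ingress filtering (BCP 38 style) accepts a packet only
# when its source lies inside the block of the interface it arrived on, so
# a forged source can no longer hide which network a packet really came from.
INTERFACE_PREFIXES = {
    "cust-a": [ip_network("192.0.2.0/24")],
    "cust-b": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}


class Flow(NamedTuple):
    iface: str
    src: str
    dst: str
    proto: str
    nbytes: int


# Constructed flow records in a made-up "iface src dst proto bytes" format.
# Two of them carry sources outside their interface's assigned block.
SAMPLE_FLOWS = """\
cust-a 192.0.2.10 203.0.113.5 icmp 84
cust-a 192.0.2.11 203.0.113.5 udp 1500
cust-a 10.9.9.9 203.0.113.5 icmp 84
cust-b 198.51.100.20 203.0.113.5 udp 1500
cust-b 198.51.100.130 203.0.113.5 udp 1500
cust-b 198.51.100.200 203.0.113.5 udp 1500
cust-b 198.51.100.21 192.0.2.50 tcp 60
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated sample format, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        iface, src, dst, proto, nbytes = parts
        flows.append(Flow(iface, src, dst, proto, int(nbytes)))
    return flows


def ingress_permits(iface: str, src: str) -> bool:
    """True if src falls within a prefix assigned to iface.

    An unknown interface permits nothing, so a misconfigured edge fails closed.
    """
    addr = ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(iface, []))


def split_by_ingress(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Separate flows into those the filter passes and those it drops."""
    result: Dict[str, List[Flow]] = {"permitted": [], "dropped": []}
    for f in flows:
        key = "permitted" if ingress_permits(f.iface, f.src) else "dropped"
        result[key].append(f)
    return result


def flood_targets(flows: List[Flow], min_sources: int = 3) -> Dict[str, int]:
    """Map destination -> number of distinct sources, keeping only the
    destinations reached by at least min_sources distinct hosts.

    A destination that suddenly shows up here with many sources is the cue
    to walk the edge interfaces and locate the compromised hosts.
    """
    sources = defaultdict(set)
    for f in flows:
        sources[f.dst].add(f.src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    parts = split_by_ingress(flows)
    for f in parts["dropped"]:
        print(f"drop on {f.iface}: source {f.src} is outside the assigned block")
    for dst, n in flood_targets(parts["permitted"]).items():
        print(f"{dst} reached from {n} distinct sources")
```

Run stand-alone, the script reports the two forged-source records as drops and flags 203.0.113.5 as reached from four distinct permitted sources. The point of running the flood count only over the permitted flows is that, once ingress filtering is in place, every remaining source address is one the edge can actually attribute to a customer interface, which is the precondition for the "slowly find the compromised hosts and block them" step above to terminate.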