nanog mailing list archives

RE: Yahoo offline because of attack (was: Yahoo network outage)


From: "Roeland M.J. Meyer" <rmeyer () mhsc com>
Date: Wed, 9 Feb 2000 17:01:05 -0800


From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Richard Steenbergen
Sent: Wednesday, February 09, 2000 9:42 AM

> On Wed, Feb 09, 2000 at 09:25:43AM -0800, Roeland M.J. Meyer wrote:
> > A simple case of denial here, T1's are not cheap. It isn't the CPU
> > horsepower that is significant here. It is the access to the required
> > bandwidth that makes this so worrisome.
> >
> > In order to operate stealth-mode in a system, one must be on a box that
> > has sufficient power such that the operation of your code consumes less
> > than 3% of the box's available capacity. In addition, your network should
> > consume less than 5% of the site's pipe, even during an attack.
> >
> > This indicates one or two compromised hosts per site with 50-ish sites
> > penetrated, at minimum (probably, 100's). I would wager that even the
> > 50-ish
> >
> > Let's quit assuming that all other operators are incompetent and start
> > assuming the worst, that crackers got this one by "competent" SAs, shall
> > we?
>
> You are quite confused.
>
> T1's are cheap, OC12s are not cheap.

From the POV of a start-up, OC12's are outrageously expensive, and the prime
reason to co-lo.

> These attacks often take down the attacking-victim as much as the
> attacked-victim; in fact, often times they run their attacks so strongly
> that they are unable to access the systems to stop them, which is why all
> the distributed attack programs have a built-in length of time for the
> attack to run; any signal to "stop" would often never be received.
>
> Your numbers are totally random with no basis in reality.

About a year and a half ago (ancient times) I had a client where three of
their name servers were penetrated by the MWSH program (Millennium Worm
Shell). The first one exhibited just the behaviour you describe here, the
second one operated at the 3% level that I indicated, and the third one
stayed dormant until I provoked it. The client was all set to believe that
only the one name server was compromised, whereas all three systems were
completely "owned" by MWSH. We wound up scrubbing all the DASD down to bare
magnetic particles (format with 0xe5 in all sectors) and rebuilding all
three systems from known good sources. We also upgraded them to BIND8 and
placed specific blocks in "/tmp/..." and "/...." (fs level 0000).

> You are correct that most sites do not realize they are participating even
> after a huge attack that cripples BOTH networks.

How could this be? If a host goes into overload and the network is
congested, one would think that there is something screwy going on ...
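The thread's stealth budget (an agent holding under about 5% of the site's pipe) and the question of how a site fails to notice it is participating, as an added example that is not from this thread or either poster: a small Python check over constructed per-minute outbound counters for two name servers behind an assumed T1. One host starts sending at roughly 4% of the pipe; a whole-pipe utilization alarm never fires, while a comparison against each host's own baseline does.

```python
"""Per-host outbound baseline check for a low-and-slow attack agent.

Added example (not from the thread). Constructed per-minute outbound
counters for two name servers behind an assumed T1: one host starts
sending at ~4% of the pipe, i.e. inside the thread's "under 5%" budget.
"""
from statistics import mean, pstdev

T1_BPS = 1_544_000  # assumed site pipe, as discussed in the thread

# Constructed samples: outbound bits/s per host, one sample per minute.
# ns2's agent wakes up at minute 5 and holds ~62 kbit/s (~4% of the T1).
SAMPLES = {
    "ns1": [9_000, 11_000, 10_000, 12_000, 9_500,
            10_500, 11_000, 10_000, 9_000, 11_500],
    "ns2": [8_000, 9_000, 8_500, 9_500, 8_000,
            62_000, 61_000, 63_000, 60_000, 62_500],
}

def pipe_utilization(samples, pipe_bps=T1_BPS):
    """Whole-pipe utilization (all hosts summed) per sample interval."""
    n = len(next(iter(samples.values())))
    return [sum(s[i] for s in samples.values()) / pipe_bps for i in range(n)]

def pipe_alerts(samples, pipe_bps=T1_BPS, threshold=0.05):
    """Intervals where a utilization alarm at `threshold` would fire."""
    return [i for i, u in enumerate(pipe_utilization(samples, pipe_bps))
            if u > threshold]

def baseline_alerts(samples, warmup=5, sigmas=4.0, min_ratio=3.0):
    """Flag (host, interval, pipe_fraction) when a host's outbound rate is
    far above its own warm-up baseline: mean + sigmas*stdev AND at least
    min_ratio times the mean (the ratio guard covers a near-zero stdev)."""
    alerts = []
    for host, series in samples.items():
        base = series[:warmup]
        mu, sd = mean(base), pstdev(base)
        for i in range(warmup, len(series)):
            rate = series[i]
            if rate > mu + sigmas * sd and rate > min_ratio * mu:
                alerts.append((host, i, round(rate / T1_BPS, 4)))
    return alerts

if __name__ == "__main__":
    print("pipe alarm intervals:", pipe_alerts(SAMPLES))  # []
    for host, i, frac in baseline_alerts(SAMPLES):
        print("host %s interval %d at %.1f%% of pipe" % (host, i, frac * 100))
```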



