nanog mailing list archives

RE: Yahoo offline because of attack (was: Yahoo network outage)


From: "Roeland M.J. Meyer" <rmeyer () mhsc com>
Date: Wed, 9 Feb 2000 00:02:34 -0800


From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Joe Shaw
Sent: Tuesday, February 08, 2000 9:20 PM
To: Paul Ferguson

I'd be one to argue that implementing egress filtering, as opposed to
ingress filtering, would do more to stop DDoS attacks since one of the

X's dialup pool who's causing the CPU on the router to go up.  However,
neither ingress nor egress filtering helps stop any of the latest "seen
in the wild" DDoS attacks like trinoo, tribe, etc. because the floods are
all unforged packets.  Though they've been sketchy on details, it sounds

You've nailed the heart of the problem right here and never noticed. It is
significant that the packets were NOT forged. IOW, they were legitimate
packets of sufficient number to cap those very large pipes. I recently
performed the Platform Architect role in a large .COM deployment. As part of
site evaluation I had a chance to visit the facility where eBay is hosted.
In fact, that is the same facility that I wound up using. Lots of dark-fiber
capacity and over 20 Gbps capacity at the facility and they support
10000baseSX back planes. I swear that I saw a few Cat 6509's in eBay's
racks. This means 1 Gbps pipes, scalable in 1 Gbps increments, using
gig-Ether link aggregation.

before it started if the traffic were forged.  If it's just unforged
traffic, you'd expect the attacking sites to notice the spike in bandwidth
utilization and increased traffic flows from one or several machines to
one destination, but that may be asking too much.

Gentlemen, this is a very large site, with plenty of spare capacity. It is
significant that those pipes were capped, via excessive, non-forged,
traffic. Although it speaks well for the infrastructure that delivered that
traffic, it also scares the shit out of me. There are a very large number of
very large systems, sitting behind some very large pipes, that are
compromised. Think about that for a moment. These are not small machines
deployed by college kids and internet newbies. No one trusts the operation
of a $1.5M Sun e6500 by a group of rookies. They can probably afford to hire
the best SA's that they can find and no one running equipment behind
anything larger than a T1 can afford to hire the ignorant. Not at the prices
charged for that size of a pipe. Just the same, those systems were
compromised.

Unfortunately, the rush to .COM riches has brought with it a lot of people
who have only half a clue as to what they're doing if we, as the Internet
community, are lucky, making the Internet landscape even more dangerous
with the amount of ignorance that's out there when it comes to security
issues.  It should also be said that some established educational
institutions seem to be having issues stopping attacks like smurf and
fraggle as well.  The media certainly isn't helping, classifying all DoS
attacks as packet flooding attacks, which is not the case either, though
all DDoS attacks are (if you're a journalist, please feel free to ask
what the difference is;  I'll be more than happy to explain it).

I smell denial here. The compromised systems (only 52?) had to have access
to pipes at least 1 Gbps in size, in order to carry out this attack (do the
math yourself). Either there were many more systems participating (in itself
a scary thought) or many of these large and professionally run systems are
owned and their operators don't know it. The only other alternative is the
conspiracy theory from hell.

I suspect that this is not a kiddie-cracker activity. It is too well planned
and carried out with too much discipline, over too long a time. I suspect
that whoever is doing this has been silently "owning" systems for the past
18 months. I suggest that everyone start looking for signs of mwsh and its
cousins. Because, I further suspect that the perpetrators have NOT used all
of their assets. There are still a good many systems that are compromised
and not taking part in the current fracas; we just haven't found them yet.

On Tue, 8 Feb 2000, Paul Ferguson wrote:

Declan,

This is a very complex issue, and made the DDoS BoF last
night even more lively. ;-)

Read RFC2267. More people should be doing it, and most of
these silly problems will go away.
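To make the point in Joe Shaw's quoted paragraph concrete (an RFC 2267 ingress filter stops forged sources but cannot touch an unforged flood), here is an added Python illustration that is not part of the original thread. The link names, prefixes and traffic are constructed; the per-source count at the end shows the skew Joe suggests an upstream could notice even when every packet is legitimate.

```python
import ipaddress
from collections import Counter

# Constructed topology (not from the thread): each customer link may only
# originate packets whose source lies in the prefixes assigned to that link.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def ingress_permit(link, src):
    """RFC 2267-style check: is `src` a legitimate source for this link?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(link, []))


def apply_filter(link, packets):
    """Run the filter over (src, dst) tuples; return (passed, dropped) counts."""
    passed = [p for p in packets if ingress_permit(link, p[0])]
    return len(passed), len(packets) - len(passed)


def sources_toward(packets, dst):
    """Per-source packet counts toward one destination: the kind of skew an
    upstream can see in flow data even when the filter passes everything."""
    return Counter(src for src, d in packets if d == dst)


# Constructed sample traffic entering on cust-a's link, all aimed at one victim.
VICTIM = "192.0.2.10"
# Forged flood: sources scattered across space the customer does not own.
forged_flood = [(f"10.{i % 256}.{(i * 7) % 256}.1", VICTIM) for i in range(1000)]
# Unforged flood: one compromised host inside the customer's own prefix.
unforged_flood = [("203.0.113.44", VICTIM)] * 1000
# Ordinary traffic from two other customer hosts.
normal = [("203.0.113.5", "192.0.2.20"), ("203.0.113.6", VICTIM)]

if __name__ == "__main__":
    print("forged   :", apply_filter("cust-a", forged_flood))    # (0, 1000)
    print("unforged :", apply_filter("cust-a", unforged_flood))  # (1000, 0)
    print("top src  :", sources_toward(unforged_flood + normal, VICTIM).most_common(1))
```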
