nanog mailing list archives

RE: Yahoo offline because of attack (was: Yahoo network outage)


From: Deepak Jain <deepak () ai net>
Date: Wed, 9 Feb 2000 13:37:18 -0500 (EST)



Extortion is a very sloppy motivation. 

How about something like "Our website stays up, our competitor
doesn't." And the investors make out (either by shorting one, or going
long on the other)... No threats, just marketing.

My cup of tea may have been sour this morning. If I am offending anyone's
sensibilities, please disregard me.

Deepak Jain
AiNET

On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:

You mean, like the guy that threatened to publish 50,000 credit card
numbers, with x-dates, if he wasn't paid off?

-----Original Message-----
From: Deepak Jain [mailto:deepak () ai net]
Sent: Wednesday, February 09, 2000 9:34 AM
To: Roeland M.J. Meyer
Cc: Shawn McMahon; nanog () merit edu
Subject: RE: Yahoo offline because of attack (was: Yahoo network outage)




If we assume that the attacks are being led by competent attackers, we
must also assume that their motive could be more complex than just "hah
hah, let's see if we can make Yahoo disappear." In fact, it could be far
more interesting than just a technical display of capabilities.

In light of Yahoo, Exodus and UUNET's issues over the last three days,
anyone who doesn't consider this a mandate to improve the accountability
of net-connected sites is seriously missing the boat.

Just my opinion,

Deepak Jain
AiNET

On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:


From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Shawn McMahon
Sent: Wednesday, February 09, 2000 8:01 AM

At 03:11 AM 2/9/2000 -0800, you wrote:

50 systems across the internet with enough CPU capacity to near-fill a
T-1 on a sustained basis with identical HTTP requests.   Which is to
say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS,
not really "largish".

Multi-hundred-mhz, nothing; a 486/33 can do that.

50 cast-off 486 motherboards with $50 AMD 5x86 processors could saturate
those T1s and still get good GUI response.

50 Pentium IIs could do that, running even Windows 95, and probably have
enough CPU left to get good RC5 cracking rates.  :-)

I think we're leaping to majorly unwarranted conclusions here.

A simple case of denial here, T1's are not cheap. It isn't the CPU
horsepower that is significant here. It is the access to the required
bandwidth that makes this so worrisome.

In order to operate stealth-mode in a system, one must be on a box that has
sufficient power such that the operation of your code consumes less than 3%
of the box's available capacity. In addition, your network should consume
less than 5% of the site's pipe, even during an attack. Remember, it appears
that these hosts have been compromised for some time. Further, Sean
indicates that the entire attack system was tested at least once and no one
noticed. These guys have to be frugal with the assets if they want to
continue using them undetected. This indicates planning and discipline. These
are NOT ignorant cracker-kiddies.

This indicates one or two compromised hosts per site with 50-ish sites
penetrated, at minimum (probably, 100's). I would wager that even the 50-ish
sites actually used in the attacks had no idea that they were participating.
This indicates low resource usage on part of the attacking code, since the
first indicator SA's usually look for is abnormally high usage of resources.

Let's quit assuming that all other operators are incompetent and start
assuming the worst, that crackers got this one by "competent" SAs, shall we?
If this is the case, then any of us are vulnerable. I find it difficult to
believe that there are 50 sites, with T3 connectivity or better, that are
all staffed exclusively by incompetent operators, let alone 100's or 1000's.
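The arithmetic behind the "frugal with the assets" argument in the quoted message, as an added worked example that is not part of the original thread or anyone's post in it. It assumes a constructed fleet of penetrated sites with T3 uplinks, each emitting 4% of its pipe; the 50-site count, the 5% stealth figure and the T1/T3 link rates come from the discussion above, while the fleet, the names and the helper functions are made up for illustration. The point it shows is that a per-site "abnormally high usage" alarm never fires, yet the aggregate at the target is about twice a T3.

```python
# Added illustration of the thread's "low per-host usage, large aggregate"
# argument; it is not code from the NANOG thread. Link rates are the standard
# DS1 (T1) and DS3 (T3) line rates; the sample fleet is constructed here.
import math
from dataclasses import dataclass

T1_BPS = 1_544_000      # DS1 line rate, bits per second
T3_BPS = 44_736_000     # DS3 line rate, bits per second


@dataclass(frozen=True)
class CompromisedSite:
    """One penetrated site: its upstream pipe and the sustained attack
    traffic its compromised host(s) emit."""
    name: str
    link_bps: int
    attack_bps: float

    def share_of_pipe(self) -> float:
        return self.attack_bps / self.link_bps


def build_fleet(n_sites: int, link_bps: int = T3_BPS, share: float = 0.04):
    """Constructed fleet: n sites with identical uplinks, each contributing
    `share` of its pipe (4% stays under the 5% figure quoted above)."""
    return [
        CompromisedSite(f"site{i:02d}", link_bps, link_bps * share)
        for i in range(n_sites)
    ]


def flagged_by_threshold(sites, max_share: float = 0.05):
    """Names of sites a local operator would catch if the only alarm is
    'attack traffic exceeds max_share of our pipe'. An empty list means
    every participant sits below the local threshold."""
    return [s.name for s in sites if s.share_of_pipe() > max_share]


def aggregate_bps(sites) -> float:
    """Traffic arriving at the target: the sum of all sites' contributions."""
    return sum(s.attack_bps for s in sites)


def saturates(sites, target_bps: int) -> bool:
    """True when the aggregate meets or exceeds the target's link rate."""
    return aggregate_bps(sites) >= target_bps


def sites_needed(target_bps: int, per_site_bps: float) -> int:
    """Smallest number of equally loud sites that fills the target link."""
    return math.ceil(target_bps / per_site_bps)


if __name__ == "__main__":
    fleet = build_fleet(50)
    per_site = fleet[0].attack_bps
    print(f"each site sends {per_site / 1e6:.2f} Mbps "
          f"({fleet[0].share_of_pipe():.0%} of a T3, roughly one T1)")
    print(f"flagged by a 5% local threshold: {flagged_by_threshold(fleet)}")
    print(f"aggregate at target: {aggregate_bps(fleet) / 1e6:.1f} Mbps")
    print(f"saturates a T3 target: {saturates(fleet, T3_BPS)}")
    print(f"sites needed to fill a T3 at that rate: "
          f"{sites_needed(T3_BPS, per_site)}")
    # By contrast, one careless host pushing 60% of a T1 is exactly what
    # a plain usage alarm does catch.
    loud = CompromisedSite("loud", T1_BPS, 0.6 * T1_BPS)
    print(f"a single loud host: {flagged_by_threshold([loud])}")
```

Run as a script it prints the per-site rate (about 1.79 Mbps, a shade over a T1, matching the "near-fill a T-1" estimate), an empty flagged list, an aggregate near 89.5 Mbps, and that 25 such sites already fill a T3. The design choice is to keep the detection view (per-site share) and the victim view (aggregate) as separate functions, since the whole point of the quoted argument is that the two disagree.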
