nanog mailing list archives
RE: Yahoo offline because of attack (was: Yahoo network outage)
From: Deepak Jain <deepak () ai net>
Date: Wed, 9 Feb 2000 13:37:18 -0500 (EST)
Extortion is a very sloppy motivation. How about something like "Our website stays up, our competitor doesn't." And the investors make out (either by shorting one, or going long on the other)...

No threats, just marketing.

My cup of tea may have been sour this morning. If I am offending anyone's sensibilities, please disregard me.

Deepak Jain
AiNET

On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:

> You mean, like the guy that threatened to publish 50,000 credit card numbers, with x-dates, if he wasn't paid off?
>
> -----Original Message-----
> From: Deepak Jain [mailto:deepak () ai net]
> Sent: Wednesday, February 09, 2000 9:34 AM
> To: Roeland M.J. Meyer
> Cc: Shawn McMahon; nanog () merit edu
> Subject: RE: Yahoo offline because of attack (was: Yahoo network outage)
>
> If we assume that the attacks are being led by competent attackers, we must also assume that their motive could be more complex than just "hah hah, let's see if we can make Yahoo disappear." In fact, it could be far more interesting than just a technical display of capabilities.
>
> In light of Yahoo, Exodus and UUNET's issues over the last three days, anyone who doesn't consider this a mandate to improve the accountability of net-connected sites is seriously missing the boat.
>
> Just my opinion,
>
> Deepak Jain
> AiNET
>
> On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:
>
>> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Shawn McMahon
>> Sent: Wednesday, February 09, 2000 8:01 AM
>>
>>> At 03:11 AM 2/9/2000 -0800, you wrote:
>>>
>>>> 50 systems across the internet with enough CPU capacity to near-fill a T-1 on a sustained basis with identical HTTP requests. Which is to say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS, not really "largish".
>>>
>>> Multi-hundred-mhz, nothing; a 486/33 can do that.
>>>
>>> 50 cast-off 486 motherboards with $50 AMD 5x86 processors could saturate those T1s and still get good GUI response.
>>>
>>> 50 Pentium IIs could do that, running even Windows 95, and probably have enough CPU left to get good RC5 cracking rates. :-)
>>>
>>> I think we're leaping to majorly unwarranted conclusions here.
>>
>> A simple case of denial here, T1's are not cheap. It isn't the CPU horsepower that is significant here. It is the access to the required bandwidth that makes this so worrisome.
>>
>> In order to operate stealth-mode in a system, one must be on a box that has sufficient power such that the operation of your code consumes less than 3% of the box's available capacity. In addition, your network should consume less than 5% of the site's pipe, even during an attack. Remember, it appears that these hosts have been compromised for some time. Further, Sean indicates that the entire attack system was tested at least once and no one noticed. These guys have to be frugal with the assets if they want to continue using them undetected. This indicates planning and discipline. These are NOT ignorant cracker-kiddies.
>>
>> This indicates one or two compromised hosts per site with 50-ish sites penetrated, at minimum (probably, 100's). I would wager that even the 50-ish sites actually used in the attacks had no idea that they were participating. This indicates low resource usage on part of the attacking code, since the first indicator SA's usually look for is abnormally high usage of resources.
>>
>> Let's quit assuming that all other operators are incompetent and start assuming the worst, that crackers got this one by "competent" SAs, shall we? If this is the case, then any of us are vulnerable. I find it difficult to believe that there are 50 sites, with T3 connectivity or better, that are all staffed exclusively by incompetent operators, let alone 100's or 1000's.