Re: Yahoo offline because of attack (was: Yahoo network outage)

[Jim Williams <jaw12 () ntrnet net>]

Anyone find it interesting that all the big name sites are getting hit
except AOL?  Makes you wonder....

Jim Williams                  Ntrnet Systems, Inc.
President/CEO                 Research Triangle Park, NC
jaw12 () ntrnet net              (919)484-0504 fax(919)484-0782


On Thu, 10 Feb 2000, Christopher B. Zydel wrote:

> On Wed, Feb 09, 2000 at 03:51:45PM -0500, Travis Pugh wrote:
> > Host-by-host prevention, during an attack, should be very easy
> > ... assuming a minimal amount of cooperation between upstream provider and
> > compromised network, if link utilization is tracked and the spike is
> > noticible.  Perhaps we should be notifying operations staff to be on the
> > lookout for suddenly saturated circuits, and to be prepared to help out
> > owners of compromised hosts with filter configuration?
>
> This sort of alarming is fairly trivial.  Just about any network management
> system can be configured to poll interface counters on a regular basis and
> alarm when some threshold is reached.  The difficult question to answer is
> "How long should the link be saturated before sending an alarm".  With high 
> speed links this is a lot easier.  It's relatively easy to saturate a T1
> with a file transfer, however the same would not be true for an OC-3c.  
> This type of alarming should be based upon deviation from the established
> mean as well.  (For example, if a circuit sees around 50mbit/sec worth of 
> usage on a regular basis, and then spikes to 130mbit/sec and stays there, 
> something is clearly wrong)
>
> /cbz