nanog mailing list archives

Re: Yahoo offline because of attack (was: Yahoo network outage)


From: "Christopher B. Zydel" <czydel () aralan net>
Date: Thu, 10 Feb 2000 00:21:29 -0500


> T1's are cheap, OC12s are not cheap.

That may be the case, but I think that Kim hit the nail on the
head earlier.  With the number of multi-megabit connected homes
growing rapidly, there is a rapidly growing number of exploitable
hosts for those perpetrating DDoS attacks to take advantage of.


On Wed, Feb 09, 2000 at 05:37:49PM -0800, Roeland M.J. Meyer wrote:
> Please remember that cable-modems are asymmetric and the aggregate upstream
> pipe is shared.

Some MSOs choose to rate limit their users' upstreams as low as 128kbit/sec,
others do not.  For example, we limit our users to 1mbit/sec currently.  
As for the upstream communications channel, this is not much of a limitation.

Typical DOCSIS configurations include multiple upstream ports tied to a single
downstream.  It is typical to combine a small number of optical receivers to a 
given upstream port (1 or 2).  Each optical receiver typically carries 
500 homes passed.  Operating a 16 QAM carrier with a channel width of
3.2MHz yields ~10.24mbit/sec of bandwidth.  Subtract a little for overhead, and
figure you're doing pretty well and subscribe 10% of your passed homes, or 
roughly 100 users per upstream port.  Your average user isn't pounding on the
upstream too hard, so figure less than a quarter of these users really hit it
hard, and they're not likely to all be doing it at the same time.  I'd consider
a few cable or DSL networks with handfuls of compromised hosts sitting on them
a large threat given that it doesn't take a huge amount of bandwidth to create
a rather damaging TCP flood.  

I realize that these users are not as threatening as a dorm network attached to a
T3/OC-3c, but the CM/DSL population is growing a lot faster than the dorm population.

/cbz
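The upstream capacity estimate in the post above, worked through as a small model. This is an added example, not code from the post or from any MSO; the 16 QAM / 3.2 MHz channel, 500 homes passed per receiver, 10% take rate, and 128 kbit/sec and 1 mbit/sec per-user limits are the figures the post gives, the DOCSIS 1.x symbol rate table is standard, and the 20% overhead fraction and the T1 line rate used for comparison are assumptions made here. The last function turns the post's point around from a defender's view: it shows how much the per-user upstream rate limit an MSO chooses changes the number of misbehaving hosts one shared upstream port can absorb before the segment itself is full.

```python
# Added example (not from the original post): capacity model for the DOCSIS
# upstream numbers quoted in the thread.

# DOCSIS 1.x upstream symbol rates by channel width (Hz -> symbols/s).
DOCSIS_SYMBOL_RATES = {
    200_000: 160_000,
    400_000: 320_000,
    800_000: 640_000,
    1_600_000: 1_280_000,
    3_200_000: 2_560_000,
}

BITS_PER_SYMBOL = {"QPSK": 2, "16QAM": 4}

T1_BPS = 1_544_000  # assumption: T1 line rate used for comparison


def raw_upstream_bps(channel_width_hz, modulation):
    """Raw upstream channel rate: symbol rate times bits per symbol.
    For a 3.2 MHz 16 QAM carrier this gives the post's ~10.24 mbit/sec."""
    return DOCSIS_SYMBOL_RATES[channel_width_hz] * BITS_PER_SYMBOL[modulation]


def usable_upstream_bps(channel_width_hz, modulation, overhead_fraction=0.2):
    """Channel rate after subtracting MAC/PHY overhead (20% is an assumption)."""
    return int(raw_upstream_bps(channel_width_hz, modulation) * (1 - overhead_fraction))


def subscribers_per_port(receivers_per_port, homes_passed_per_receiver, take_rate):
    """Subscribers sharing one upstream port: receivers combined onto the port,
    homes passed per receiver, and the fraction of homes that subscribe."""
    return round(receivers_per_port * homes_passed_per_receiver * take_rate)


def hosts_to_fill_link(link_bps, per_user_cap_bps):
    """Smallest number of hosts, each held to per_user_cap_bps by the MSO's
    rate limit, whose combined upstream equals or exceeds link_bps (ceiling)."""
    return -(-link_bps // per_user_cap_bps)


def segment_summary(per_user_cap_bps, receivers_per_port=2):
    """Tie the pieces together for one upstream port at a given rate limit."""
    usable = usable_upstream_bps(3_200_000, "16QAM")
    subs = subscribers_per_port(receivers_per_port, 500, 0.10)
    return {
        "usable_bps": usable,
        "subscribers": subs,
        # hosts at this cap before the shared upstream itself saturates
        "hosts_to_saturate_segment": hosts_to_fill_link(usable, per_user_cap_bps),
        # hosts at this cap whose combined upstream matches one T1
        "hosts_to_match_t1": hosts_to_fill_link(T1_BPS, per_user_cap_bps),
    }


if __name__ == "__main__":
    print("raw 16QAM/3.2MHz upstream:", raw_upstream_bps(3_200_000, "16QAM"), "bit/s")
    for cap in (128_000, 1_000_000):
        print(f"per-user cap {cap} bit/s:", segment_summary(cap))
```

With the post's numbers, a 128 kbit/sec cap means it takes 64 hosts on one port to fill the usable upstream, while at 1 mbit/sec nine hosts do it and two hosts already match a T1; that is the reason the per-user upstream limit matters as a mitigation even though the shared channel is the hard ceiling.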
