North American Network Operators Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Henry R. Linneweh
  • Date: Wed Feb 09 03:54:11 2000

Recent finds on backbones are multipliers that seem to add to the problem.

"Roeland M.J. Meyer" wrote:

> > From: [email protected] [mailto:[email protected]]On Behalf Of
> > Joe Shaw
> > Sent: Tuesday, February 08, 2000 9:20 PM
> > To: Paul Ferguson
> >
> > I'd be one to argue that implementing egress filtering, as opposed to
> > ingress filtering, would do more to stop DDoS attacks since one of the
>
> > X's dialup pool who's causing the CPU on the router to go up.  However,
> > neither ingress nor egress filtering helps stop any of the latest "seen
> > in the wild" DDoS attacks like trinoo, tribe, etc. because the floods are
> > all unforged packets.  Though they've been sketchy on details, it sounds
>
> You've nailed the heart of the problem right here and never noticed. It is
> significant that the packets were NOT forged. IOW, they were legitimate
> packets of sufficient number to cap those very large pipes. I recently
> performed the Platform Architect role in a large .COM deployment. As part of
> site evaluation I had a chance to visit the facility where eBay is hosted.
> In fact, that is the same facility that I wound up using. Lots of dark-fiber
> capacity and over 20 Gbps capacity at the facility and they support
> 10000baseSX back planes. I swear that I saw a few Cat 6509s in eBay's
> racks. This means 1 Gbps pipes, scalable in 1 Gbps increments, using
> gig-Ether link aggregation.
>
> > before it started if the traffic were forged.  If it's just unforged
> > traffic, you'd expect the attacking sites to notice the spike in bandwidth
> > utilization and increased traffic flows from one or several machines to
> > one destination, but that may be asking too much.
>
> Gentlemen, this is a very large site, with plenty of spare capacity. It is
> significant that those pipes were capped, via excessive, non-forged,
> traffic. Although it speaks well for the infrastructure that delivered that
> traffic, it also scares the shit out of me. There are a very large number of
> very large systems, sitting behind some very large pipes, that are
> compromised. Think about that for a moment. These are not small machines
> deployed by college kids and internet newbies. No one trusts the operation
> of a $1.5M Sun e6500 by a group of rookies. They can probably afford to hire
> the best SAs that they can find and no one running equipment behind
> anything larger than a T1 can afford to hire the ignorant. Not at the prices
> charged for that size of a pipe. Just the same, those systems were
> compromised.
>
> > Unfortunately, the rush to .COM riches has brought with it a lot of people
> > who have only half a clue as to what they're doing if we, as the Internet
> > community, are lucky, making the Internet landscape even more dangerous
> > with the amount of ignorance that's out there when it comes to security
> > issues.  It should also be said that some established educational
> > institutions seem to be having issues stopping attacks like smurf and
> > fraggle as well.  The media certainly isn't helping, classifying all DoS
> > attacks as packet flooding attacks, which is not the case either, though
> > all DDoS attacks are (if you're a journalist, please feel free to ask
> > what the difference is;  I'll be more than happy to explain it).
>
> I smell denial here. The compromised systems (only 52?) had to have access
> to pipes at least 1 Gbps in size, in order to carry out this attack (do the
> math yourself). Either there were many more systems participating (in itself
> a scary thought) or many of these large and professionally run systems are
> owned and their operators don't know it. The only other alternative is the
> conspiracy theory from hell.
>
> I suspect that this is not a kiddie-cracker activity. It is too well planned
> and carried out with too much discipline, over too long a time. I suspect
> that whoever is doing this has been silently "owning" systems for the past
> 18 months. I suggest that everyone start looking for signs of mwsh and its
> cousins. Because, I further suspect that the perpetrators have NOT used all
> of their assets. There are still a good many systems that are compromised,
> and not taking part in the current fracas; we just haven't found them yet.
>
> > On Tue, 8 Feb 2000, Paul Ferguson wrote:
> >
> > > Declan,
> > >
> > > This is a very complex issue, and made the DDoS BoF last
> > > night even more lively. ;-)
> > >
> > > Read RFC2267. More people should be doing it, and most of
> > > these silly problems will go away.

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
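The distinction the thread turns on, RFC 2267 source-address validation at the customer edge versus noticing an unforged flood only by its volume toward one destination, as an added Python example that is not part of the original thread; the flow records, customer prefix and victim address are constructed from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One flow record as exported from a customer-facing edge interface."""
    src: str
    dst: str
    octets: int


# Constructed sample data (hypothetical): the prefix assigned to the customer
# behind this interface, the victim address, and a handful of flows.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
VICTIM = "203.0.113.80"

FLOWS = [
    Flow("192.0.2.10", VICTIM, 1_000_000),      # unforged flood, real source
    Flow("192.0.2.10", VICTIM, 1_000_000),
    Flow("192.0.2.20", VICTIM, 1_500_000),      # unforged flood, second host
    Flow("192.0.2.30", "198.51.100.7", 4_000),  # ordinary traffic
    Flow("198.51.100.99", VICTIM, 2_000_000),   # spoofed: not the customer's
    Flow("10.0.0.1", VICTIM, 2_000_000),        # spoofed: private source
]


def ingress_filter(flows, prefix):
    """RFC 2267 ingress filtering: keep only flows whose source address lies
    inside the prefix assigned to this interface's customer."""
    return [f for f in flows if ipaddress.ip_address(f.src) in prefix]


def flood_sources(flows, dst, threshold):
    """Sum octets per source toward one destination and report sources at or
    above threshold: an unforged flood passes the filter, so this per-source
    volume check is the only handle the edge has on it."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            totals[f.src] += f.octets
    return {src: n for src, n in totals.items() if n >= threshold}


def analyse(flows=FLOWS, prefix=CUSTOMER_PREFIX, dst=VICTIM, threshold=1_000_000):
    """Return (number of spoofed flows dropped, flooding sources that passed)."""
    passed = ingress_filter(flows, prefix)
    return len(flows) - len(passed), flood_sources(passed, dst, threshold)
```

The two spoofed flows are the only ones the filter stops; the unforged flood from the customer's own hosts is visible only as per-source volume toward the victim.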