North American Network Operators Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: George Herbert
  • Date: Wed Feb 09 03:58:49 2000

Roeland wrote:
>I smell denial here. The compromised systems (only 52?) had to have access
>to pipes at least 1 Gbps in size, in order to carry out this attack (do the
>math yourself). Either there were many more systems participating (in itself
>a scary thought) or many of these large and professionally run systems are
>owned and their operators don't know it. The only other alternative is the
>conspiracy theory from hell.

No, they don't.  Assume there's 40k of data in the homepage.
How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take
to do a TCP connect and request?  I just tested, I show 160 bytes.
That's a 250:1 leverage for the attacker.  To fill 1 GBPS worth
of outbound trunking you only need to generate 4 MBPS (32 Mbps)
worth of input.  50ish systems with T-1 connectivity gets there
with margins.

[Note that this is an a priori analysis; I haven't bothered to find
the attack codes in question and see if that's what they're doing,
nor am I involved in any of the current operational response]

Back in Nov 1996 when Sun was pushing WebNFS initially with the
Solaris 2.6 release, I wrote up a vulnerability analysis white paper
using the UDP NFS functionality and this leverage approach and
sent it in to Sun.  I suspect the ultimate inability to secure
against it was one reason WebNFS died on the vine.  With full HTTP,
you need more request bytes and a valid originating IP address
since it's TCP... you need the SYN, SYNACK, ACK to work before
you send the request.  But there's enough leverage anyways with
modern pagesizes (8k was big then, it's nothing now... 40k worth
of html is typical) for it to work anyways.  The only downside to
doing it in HTTP is that all the attacking systems are clearly
identified since they have to use real routed IP addresses.


-george william herbert
[email protected]
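The leverage arithmetic in the post above, written out as a small capacity check that a site operator can run against their own numbers. This is an added example, not code from the post or from NANOG; it assumes the post's figures (a 160-byte connect-plus-request, "40k" of homepage taken here as 40,000 bytes, a 1 Gbps outbound trunk, and a T-1 at 1.544 Mbps per attacking host) and works in bits per second throughout, so the saturating input rate for the 1 Gbps case comes out at 4 Mbps; the `post_scenario` helper and the `T1_BPS` constant are constructed for illustration.

```python
import math

# Leverage of one request/response exchange: bytes the server must send per
# byte the client sends. The request figure should already include the
# TCP handshake (SYN, SYN-ACK, ACK) plus the HTTP request line, as in the post.
def leverage(request_bytes: int, response_bytes: int) -> float:
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes

# Client-side bit rate needed to fill an outbound link of link_bps, given the
# per-exchange leverage. Both input and output are bits per second; mixing
# bytes and bits here is the classic way to get this estimate wrong by 8x.
def input_bps_to_saturate(link_bps: float, request_bytes: int,
                          response_bytes: int) -> float:
    return link_bps / leverage(request_bytes, response_bytes)

# Number of hosts at a given uplink speed needed to supply required_bps.
def hosts_needed(required_bps: float, per_host_bps: float) -> int:
    return math.ceil(required_bps / per_host_bps)

# Constructed constant: a T-1 carries 1.544 Mbps.
T1_BPS = 1_544_000

# Constructed scenario using the post's figures: 160-byte request,
# 40,000-byte homepage, 1 Gbps outbound trunk.
def post_scenario() -> dict:
    req, resp, link = 160, 40_000, 1_000_000_000
    need = input_bps_to_saturate(link, req, resp)
    return {
        "leverage": leverage(req, resp),      # 250.0
        "input_mbps": need / 1e6,             # 4.0
        "t1_hosts": hosts_needed(need, T1_BPS),  # 3
    }

if __name__ == "__main__":
    print(post_scenario())
```

The defensive takeaway is the ratio, not the absolute numbers: a few hundred bytes of request against tens of kilobytes of response means the attacker's required bandwidth is the link capacity divided by the leverage, so shrinking default responses to unauthenticated requests (or serving them from capacity that is not the origin's trunk) lowers the exposure directly.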