North American Network Operators Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: George Herbert
  • Date: Wed Feb 09 06:14:41 2000

Roeland writes:
>George wrote:
>> Roeland wrote:
>> >I smell denial here. The compromised systems (only 52?) had to
>> >have access to pipes at least 1 Gbps in size, in order to carry out this
>> >attack (do the math yourself). Either there were many more systems
>> >participating (in itself a scary thought) or many of these large and
>> >professionally run systems are owned and their operators don't know it.
>> >The only other alternative is the conspiracy theory from hell.
>>
>> No, they don't.  Assume there's 40k of data in the homepage.
>> How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take
>> to do a TCP connect and request?  I just tested, I show 160 bytes.
>> That's a 250:1 leverage for the attacker.  To fill 1 GBPS worth
>> of outbound trunking you only need to generate 4 MBPS (32 Mbps)
>> worth of input.  50ish systems with T-1 connectivity gets there
>> with margins.
>
>Okay, but you've still missed the point. Even if I stipulate everything you
>said here, that's still 50 largish systems that are compromised. I would
>almost wager that the perpetrators didn't use all of their assets either.
>That's a shit-load of large compromised systems on the Internet. Doesn't
>that thought worry you in the slightest?

50 systems across the internet with enough CPU capacity to near-fill a
T-1 on a sustained basis with identical HTTP requests.   Which is to
say any modern multi-hundred-MHz RISC or x86 box with a reasonable OS,
not really "largish".  The processing needed in the OS TCP and IP stacks
on the attacking system is most of the effort, and we're only talking
in rough numbers 1,000 connects/sec for the attacker.

Do I believe that there exist 50 or more T-1 connected hosts with
that capability level or higher which still have vendor default
setups and thus are vulnerable to this sort of attack, penetration,
and then use as a distributed DOS attack participant?  Yes, without
a doubt.  50 simultaneous sites compromised by one attacker would
be on the ambitious side these days, but some of the remote exploit
scripts (and corresponding known holes in vendor supplied system configs)
are pretty damn easy to use and it wouldn't be out of the realm of
the practical for someone to do it if they worked hard, or got a
small cooperating team to work on it.

Of course the significance of this is highly worrisome.
But the numbers have been in this rough performance range
for attacker capabilities for several years now.  That the
tools used by attackers took that long to catch up is actually
somewhat surprising to me; I was expecting this sort of thing
some time ago.


-george william herbert
[email protected]
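The request-versus-response leverage argued over in this thread, worked through as a small defender-side capacity estimate. This is an added example and not part of the NANOG post: it keeps every rate in bits per second, takes the thread's own figures (a 40 KB homepage, roughly 160 bytes for the TCP handshake plus GET, a 1 Gbps outbound link) as default inputs, and assumes the standard 1.544 Mbps T-1 line rate. All function names are the example's own.

```python
"""Response-size amplification estimate for an HTTP service.

Added example (not from the original post).  Given the bytes a client must
send to elicit a response and the bytes the server sends back, it answers
the capacity questions raised in the thread: how much request traffic fills
the outbound link, how many hosts of a given uplink that takes, and what
connection rate each of them must sustain.  It also answers the defender's
inverse question: how small must the unauthenticated response be to hold
the leverage under a chosen ceiling.
"""
import math
from dataclasses import dataclass

BITS_PER_BYTE = 8
T1_BPS = 1_544_000           # assumed: standard DS1/T-1 line rate
GIGABIT_BPS = 1_000_000_000  # the 1 Gbps outbound trunk from the thread


def amplification_ratio(request_bytes: int, response_bytes: int) -> float:
    """Bytes the server emits per byte the requester has to send."""
    if request_bytes <= 0 or response_bytes < 0:
        raise ValueError("sizes must be positive")
    return response_bytes / request_bytes


def attacker_input_bps(target_link_bps: float, ratio: float) -> float:
    """Aggregate request traffic (bits/s) needed to saturate the link."""
    if ratio <= 0:
        raise ValueError("ratio must be positive")
    return target_link_bps / ratio


def hosts_needed(input_bps: float, per_host_bps: float) -> int:
    """Smallest number of hosts, each able to push per_host_bps of requests."""
    return math.ceil(input_bps / per_host_bps)


def connects_per_second(per_host_bps: float, request_bytes: int) -> float:
    """Connection rate one host must sustain to fill its uplink with requests."""
    return per_host_bps / BITS_PER_BYTE / request_bytes


def max_response_for_ratio(request_bytes: int, max_ratio: float) -> int:
    """Largest response (bytes) that keeps leverage at or below max_ratio.

    This is the defender's knob: shrinking what an unauthenticated request
    can pull down is what reduces the attacker's leverage.
    """
    return int(request_bytes * max_ratio)


@dataclass
class Estimate:
    ratio: float
    input_bps: float
    hosts: int
    connects_per_host: float


def estimate(request_bytes: int = 160,
             response_bytes: int = 40_000,
             target_link_bps: float = GIGABIT_BPS,
             per_host_bps: float = T1_BPS) -> Estimate:
    """Run the whole calculation with the thread's figures as defaults."""
    ratio = amplification_ratio(request_bytes, response_bytes)
    needed = attacker_input_bps(target_link_bps, ratio)
    return Estimate(
        ratio=ratio,
        input_bps=needed,
        hosts=hosts_needed(needed, per_host_bps),
        connects_per_host=connects_per_second(per_host_bps, request_bytes),
    )


if __name__ == "__main__":
    e = estimate()
    print(f"leverage           : {e.ratio:.0f}:1")
    print(f"request input      : {e.input_bps / 1e6:.1f} Mbps to fill 1 Gbps")
    print(f"T-1 hosts needed   : {e.hosts}")
    print(f"connects/s per host: {e.connects_per_host:.0f}")
    print(f"response cap for 10:1 leverage: {max_response_for_ratio(160, 10)} bytes")
```

Run stand-alone it reproduces the 250:1 figure and the roughly 1,000 connects per second per T-1 host quoted in the post; the `hosts` figure shows why the fifty machines under discussion are far more than the arithmetic strictly requires, which is the point about margins. The `max_response_for_ratio` function is there for the operator's side of the same sum.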