North American Network Operators Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Richard Steenbergen
  • Date: Wed Feb 09 09:54:06 2000

On Wed, Feb 09, 2000 at 01:20:13AM -0800, Roeland M.J. Meyer wrote:
> 
> > From: George Herbert [mailto:[email protected]]
> > Sent: Wednesday, February 09, 2000 12:52 AM
> > To: Roeland M.J. Meyer
> >
> > Roeland wrote:
> > > I smell denial here. The compromised systems (only 52?) had to have access
> > > to pipes at least 1 Gbps in size, in order to carry out this attack (do the
> > > math yourself). Either there were many more systems participating (in itself
> > > a scary thought) or many of these large and professionally run systems are
> > > owned and their operators don't know it. The only other alternative is the
> > > conspiracy theory from hell.
> >
> > No, they don't.  Assume there's 40k of data in the homepage.
> > How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take
> > to do a TCP connect and request?  I just tested, I show 160 bytes.
> > That's a 250:1 leverage for the attacker.  To fill 1 GBPS worth
> > of outbound trunking you only need to generate 4 MBPS (32 Mbps)
> > worth of input.  50ish systems with T-1 connectivity gets there
> > with margins.
> 
> Okay, but you've still missed the point. Even if I stipulate everything you
> said here, that's still 50 largish systems that are compromised. I would
> almost wager that the perpetrators didn't use all of their assets either.
> That's a shit-load of large compromised systems on the Internet. Doesn't
> that thought worry you in the slightest?

You've all missed the point. I've done a fair bit of research into this,
and I would put my money on the numbers looking something like this:

75-200 compromised systems
90% on 10Mbps ethernet
Around 75% on compromised university servers and dorm ethernets
Around 24% on compromised commercial connections, 1% other
Somewhere around 35-40% of these will be non-US, a large number of
   .fi and .se universities where gov't funding has produced large
   university backbones, and these are often the ones with the most
   direct bandwidth being applied to the victim.

The compromises will be done through standard script kiddie methods (I
highly suspect the recent influx of compromised attack hosts is directly
linked to the discovery of more and more remote bind exploits which can be
easily AXFR'd and scanned for, script-kiddie style): bind, imap, qpopper,
anything that someone can write a scanner script for and fire off
against fast places they think might net them more attack-shells.

I suspect the numbers of the attack are closer to 600-800Mbps and people
like to round up. I also suspect that there are very few "real" numbers for
the attacks, since 5 minute averages and MRTG are very bad at getting these
things accurately (especially when routers are bogged down or
unreachable). You'll see some hosts putting out more bandwidth than
others, but probably around 40 will be the primary smurf "bandwidth
generators", doing about 6-8Mbps, and getting amplified.

-- 
Richard A. Steenbergen <[email protected]>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
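The request/response leverage arithmetic from the quoted exchange, and the 5-minute-average measurement problem raised in the reply, as an added example that is not part of the thread. It keeps every rate in bits per second, takes the page size, request size, trunk rate and T-1 rate as quoted in the thread, and uses a constructed traffic series (not measured data) to show how much of a short burst a 300-second poller hides from the operator.

```python
import math
from statistics import mean

T1_BPS = 1_544_000            # nominal T-1 line rate, bits/s
PAGE_BYTES = 40_000           # homepage size quoted in the thread
REQUEST_BYTES = 160           # SYN/SYN-ACK/ACK + GET, as measured in the thread


def leverage(response_bytes: int, request_bytes: int) -> float:
    """Bytes the server emits per byte the client sends (250:1 for the thread's figures)."""
    return response_bytes / request_bytes


def ingress_needed_bps(trunk_bps: float, response_bytes: int, request_bytes: int) -> float:
    """Aggregate request rate, in bits/s, whose responses keep a trunk full.

    Everything stays in bits per second, so 1 Gbps of responses at 250:1
    corresponds to 4 Mbps of requests arriving at the server.
    """
    return trunk_bps / leverage(response_bytes, request_bytes)


def sources_at(ingress_bps: float, per_source_bps: float = T1_BPS) -> int:
    """Smallest number of uplinks of a given rate that can carry the ingress rate."""
    return math.ceil(ingress_bps / per_source_bps)


def five_minute_averages(bps_per_second: list[int]) -> list[float]:
    """Collapse 1-second samples into 300-second buckets, as an MRTG-style poller sees them."""
    return [mean(bps_per_second[i:i + 300]) for i in range(0, len(bps_per_second), 300)]


def peak_vs_reported(bps_per_second: list[int]) -> tuple[float, float]:
    """(true 1-second peak, highest 5-minute average) for the same series."""
    return max(bps_per_second), max(five_minute_averages(bps_per_second))


# Constructed 10-minute series: 50 Mbps background with a 90-second burst at
# 800 Mbps starting at t=210s. Not measured data.
SAMPLE_SERIES = [50_000_000] * 210 + [800_000_000] * 90 + [50_000_000] * 300

if __name__ == "__main__":
    print(leverage(PAGE_BYTES, REQUEST_BYTES))                  # 250.0
    print(ingress_needed_bps(1e9, PAGE_BYTES, REQUEST_BYTES))   # 4000000.0
    print(sources_at(4e6))                                      # 3
    print(peak_vs_reported(SAMPLE_SERIES))                      # (800000000, 275000000)
```

The last line is the point Richard makes: an 800 Mbps burst shows up in the 5-minute graph as 275 Mbps, so per-second counters or flow data are needed before anyone quotes a "real" attack size.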