North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Charles Sprickman
  • Date: Wed Feb 09 11:09:49 2000

On Wed, 9 Feb 2000, George Herbert wrote:

> 50 systems across the internet with enough CPU capacity to near-fill a
> T-1 on a sustained basis with identical HTTP requests.   Which is to
> say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS,
> not really "largish".  The processing needed in the OS TCP and IP stacks
> on the attacking system is most of the effort, and we're only talking
> in rough numbers 1,000 connects/sec for the attacker.

Now I haven't seen these DDoS "tools", but if you want to imagine
something realy scary, imagine one exists that works like this:

-attacker scans for the known OS vulns that will cough up a "#" prompt
-attacker installs root kit with DDoS tool
-that tool runs as a daemon that has the following features:
 -remote 'admin' via icmp (payload of echo-request includes
  password, host to attack, duration of attack
 -daemon launches the http "GET" flood as described earlier based
  on the info contained in that icmp echo-request
 -daemon continues this attack as prescribed with no further 
  intervention

So the attacker need only send a few packets to each compromised host to
cause extreme amounts of damage.

How would you track down the attacker?  Sure, you could slowly find the
compromised hosts and block them.  You could even then look for where the
icmp "control" message that starts the thing comes from, but if it's a
one-way control channel, the source the attacker sends the control packet
from could easily be forged and you could easily miss the one magic
'ping' that starts the thing off...

The idea of such a tool is scary, and from what I've read about TFN and
friends, it seems that they could be modified to work as outlined
above.  The worst thing about any effective DoS is, in my mind, the lack
of an identifiable "attacker".

Charles

=-----------------=                                        = 
| Charles Sprickman                       Internet Channel |
| INCH System Administration Team         (212)243-5200    |
| [email protected]                          [email protected]  |
=                                         =----------------=

> -george william herbert
> [email protected]