North American Network Operators Group

Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Richard Steenbergen
  • Date: Wed Feb 09 11:45:45 2000

On Wed, Feb 09, 2000 at 10:58:00AM -0500, Charles Sprickman wrote:
> So the attacker need only send a few packets to each compromised host to
> cause extreme amounts of damage.
> 
> How would you track down the attacker?  Sure, you could slowly find the
> compromised hosts and block them.  You could even then look for where the
> icmp "control" message that starts the thing comes from, but if it's a
> one-way control channel, the source the attacker sends the control packet
> from could easily be forged and you could easily miss the one magic
> 'ping' that starts the thing off...
> 
> The idea of such a tool is scary, and from what I've read about TFN and
> friends, it seems that they could be modified to work as outlined
> above.  The worst thing about any effective DoS is, in my mind, the lack
> of an identifiable "attacker".

They do work as above, with encrypted control messages. If you look at
some of the code (and then manage to stop laughing) you will find some
interesting ways to counteract, trace to the control nodes, and in some
cases even immediately kill the daemon on every attacking node. Keep in
mind that the people writing these things are doing it with often very
little clue, experience, or thought. Most are blindly stabbing at things
they do not understand trying to tweak things and test them out to see if
it makes their victim "die any faster", ripping mismatched code from
various places (like blowfish code from eggdrop), and creating what will
quite possibly be one of the quickest ways to spend a long long long LONG
time in jail when they get caught and lawyers and accountants start adding
up the "cost" of their distributed fun and games...

-- 
Richard A. Steenbergen <[email protected]>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA