North American Network Operators Group


RE: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Charley Kline
  • Date: Wed Feb 09 12:19:21 2000

> Now I haven't seen these DDoS "tools", but if you want to imagine
> something really scary, imagine one exists that works like this:
>
> -attacker scans for the known OS vulns that will cough up a "#" prompt
> -attacker installs root kit with DDoS tool
> -that tool runs as a daemon that has the following features:
>  -remote 'admin' via icmp (payload of echo-request includes
>   password, host to attack, duration of attack
>  -daemon launches the http "GET" flood as described earlier based
>   on the info contained in that icmp echo-request
>  -daemon continues this attack as prescribed with no further
>   intervention
>
> So the attacker need only send a few packets to each compromised host to
> cause extreme amounts of damage.
>
> How would you track down the attacker?


You've just described stacheldraht
(http://staff.washington.edu/dittrich/misc/stacheldraht.analysis). It wasn't
built with forged IP sources on the ICMP "trigger messages", but we did just
catch such an attack here recently, and the presumed ICMP trigger message
had a forged source IP address. The bitch about it is that the DoS floods
used forged source addresses, but only among the last octet of the source IP
address; the first three octets are "valid" for the machine that's doing the
flooding. This means that flood packets will get out even with ingress
filtering down to the subnet level, one has to catch the attack in progress
and stick in an access-list with log-input to snag the hardware address of
the attack packets in order to be able to track down the actual machine
involved. It's very, very nasty.

Often we can go back through our netflow logs and find the original breakin
to the machine once we know its IP address, which of course leads us back to
a valid IP address and possibly the perpetrator.

/cvk
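The detection step described in the message above (a subnet-level ingress filter lets last-octet-spoofed packets through, so an access-list with log-input is used to tie the spoofed sources back to one hardware address) as an added worked example; this is not code from the post, and the log line layout, addresses and MACs are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of an IOS ACL "log-input" message.
# The exact vendor format is an assumption; only the (source IP, MAC) pairs matter.
SAMPLE_LOG = """\
list 101 permitted tcp 192.0.2.17(4021) (FastEthernet0/0 0001.0203.0405) -> 198.51.100.9(80), 1 packet
list 101 permitted tcp 192.0.2.203(4022) (FastEthernet0/0 0001.0203.0405) -> 198.51.100.9(80), 1 packet
list 101 permitted tcp 192.0.2.88(4023) (FastEthernet0/0 0001.0203.0405) -> 198.51.100.9(80), 1 packet
list 101 permitted tcp 192.0.2.50(1100) (FastEthernet0/0 0001.0203.0406) -> 198.51.100.9(80), 1 packet
list 101 permitted tcp 192.0.2.50(1101) (FastEthernet0/0 0001.0203.0406) -> 198.51.100.9(443), 1 packet
"""

# source(port) (interface mac) -> destination(
LINE_RE = re.compile(r"(\S+)\((\d+)\) \(\S+ ([0-9a-f.]+)\) -> (\S+)\(")


def parse_log_input(text):
    """Yield (src_ip, mac) pairs from each log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(3)


def passes_subnet_ingress_filter(src_ip, local_net):
    """Subnet-level ingress filter: True if the source lies inside the local prefix.
    A flood that only forges the last octet stays inside the /24, so every
    packet passes this check; it is why the filter alone does not stop the attack."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)


def find_spoofing_hosts(text, min_distinct=2):
    """Group logged source IPs by hardware address. One MAC seen sending from
    several source IPs is the flooding machine; the MAC identifies it even
    though the IP header does not. Returns {mac: sorted list of source IPs}."""
    ips_by_mac = defaultdict(set)
    for src, mac in parse_log_input(text):
        ips_by_mac[mac].add(src)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= min_distinct}


if __name__ == "__main__":
    print(find_spoofing_hosts(SAMPLE_LOG))
```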