North American Network Operators Group


RE: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Roeland M.J. Meyer
  • Date: Wed Feb 09 13:02:11 2000

You mean, like the guy that threatened to publish 50,000 credit card
numbers, with x-dates, if he wasn't paid off?

> -----Original Message-----
> From: Deepak Jain [mailto:[email protected]]
> Sent: Wednesday, February 09, 2000 9:34 AM
> To: Roeland M.J. Meyer
> Cc: Shawn McMahon; [email protected]
> Subject: RE: Yahoo offline because of attack (was: Yahoo network outage)
>
> If we assume that the attacks are being led by competent attackers, we
> must also assume that their motive could be more complex than just "hah
> hah, let's see if we can make Yahoo disappear." In fact, it could be far
> more interesting than just a technical display of capabilities.
>
> In light of Yahoo, Exodus and UUNET's issues over the last three days,
> anyone who doesn't consider this a mandate to improve the accountability
> of net-connected sites is seriously missing the boat.
>
> Just my opinion,
>
> Deepak Jain
> AiNET
>
> On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:
>
> >
> > > From: [email protected] [mailto:[email protected]]On Behalf Of
> > > Shawn McMahon
> > > Sent: Wednesday, February 09, 2000 8:01 AM
> > >
> > > At 03:11 AM 2/9/2000 -0800, you wrote:
> > >
> > > >50 systems across the internet with enough CPU capacity to near-fill a
> > > >T-1 on a sustained basis with identical HTTP requests.   Which is to
> > > >say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS,
> > > >not really "largish".
> > >
> > > Multi-hundred-mhz, nothing; a 486/33 can do that.
> > >
> > > 50 cast-off 486 motherboards with $50 AMD 5x86 processors could saturate
> > > those T1s and still get good GUI response.
> > >
> > > 50 Pentium IIs could do that, running even Windows 95, and probably have
> > > enough CPU left to get good RC5 cracking rates.  :-)
> > >
> > > I think we're leaping to majorly unwarranted conclusions here.
> >
> > A simple case of denial here; T1s are not cheap. It isn't the CPU
> > horsepower that is significant here. It is the access to the required
> > bandwidth that makes this so worrisome.
> >
> > In order to operate stealth-mode in a system, one must be on a box that has
> > sufficient power such that the operation of your code consumes less than 3%
> > of the box's available capacity. In addition, your network should consume
> > less than 5% of the site's pipe, even during an attack. Remember, it appears
> > that these hosts have been compromised for some time. Further, Sean
> > indicates that the entire attack system was tested at least once and no one
> > noticed. These guys have to be frugal with the assets if they want to
> > continue using them undetected. This indicates planning and discipline. These
> > are NOT ignorant cracker-kiddies.
> >
> > This indicates one or two compromised hosts per site with 50-ish sites
> > penetrated, at minimum (probably, 100's). I would wager that even the 50-ish
> > sites actually used in the attacks had no idea that they were participating.
> > This indicates low resource usage on the part of the attacking code, since the
> > first indicator SA's usually look for is abnormally high usage of resources.
> >
> > Let's quit assuming that all other operators are incompetent and start
> > assuming the worst, that crackers got this one by "competent" SAs, shall we?
> > If this is the case, then any of us are vulnerable. I find it difficult to
> > believe that there are 50 sites, with T3 connectivity or better, that are
> > all staffed exclusively by incompetent operators, let alone 100's or 1000's.
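
The quoted argument that a disciplined participant keeps its code under a few percent of the box and its traffic under 5% of the site's pipe, precisely so that the "abnormally high usage" check an SA looks for first never fires, can be turned into a detection question. The following is an added example, not code from this thread or any of its posters: it compares each host against its own recent baseline instead of against the pipe, using constructed 5-minute outbound rate samples, an assumed T3 uplink, and host names and thresholds chosen only for illustration.

```python
"""Constructed example: why an 'abnormally high usage' check misses a
low-and-slow attack participant, and how a per-host baseline catches it."""
from statistics import median

T3_BPS = 45_000_000          # assumed site uplink (a T3, as discussed in the thread)
PIPE_FRACTION_ALERT = 0.20   # absolute rule: one host using >20% of the whole pipe
DEVIATION_FACTOR = 8.0       # baseline rule: host exceeds 8x its own median rate ...
SUSTAINED_SAMPLES = 3        # ... for this many consecutive samples
MIN_HISTORY = 6              # samples needed before a host's baseline is trusted

# Constructed 5-minute average outbound rates (bit/s) per host; all hypothetical.
# web1 idles around 50 kbit/s, then adds ~1.8 Mbit/s of attack traffic, about 4%
# of the pipe, i.e. the "under 5%" discipline the thread describes.
# backup is a legitimate host that always pushes ~20 Mbit/s to an offsite copy.
HOSTS = {
    "web1": [48_000, 52_000, 50_000, 47_000, 53_000, 49_000, 51_000, 50_000,
             1_850_000, 1_800_000, 1_820_000, 1_790_000],
    "backup": [20_000_000, 21_000_000, 19_500_000, 20_500_000, 20_000_000,
               19_000_000, 21_500_000, 20_000_000, 22_000_000, 20_000_000],
}

def absolute_rule(samples_bps):
    """The check the thread says SAs usually look for first: one host
    burning an abnormally large share of the site's pipe."""
    return any(bps > PIPE_FRACTION_ALERT * T3_BPS for bps in samples_bps)

def baseline_rule(samples_bps):
    """Judge each sample against the host's own recent median instead of the
    pipe, and require the excursion to be sustained so bursts do not alert."""
    history, run = [], 0
    for bps in samples_bps:
        if len(history) >= MIN_HISTORY:
            base = max(median(history[-12:]), 1.0)   # recent window, no /0
            run = run + 1 if bps > DEVIATION_FACTOR * base else 0
            if run >= SUSTAINED_SAMPLES:
                return True
        history.append(bps)
    return False

def classify(hosts=HOSTS):
    """Return {host: (absolute_rule_fired, baseline_rule_fired)}."""
    return {name: (absolute_rule(s), baseline_rule(s)) for name, s in hosts.items()}

if __name__ == "__main__":
    for name, (absolute, baseline) in classify().items():
        print(f"{name:8s} absolute={absolute!s:5s} baseline={baseline}")
```

With these samples the absolute rule fires only on the legitimate backup host and stays silent on web1, while the per-host baseline does the reverse.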