nanog mailing list archives
Re: Yahoo offline because of attack (was: Yahoo network outage)
From: Charles Sprickman <spork () inch com>
Date: Wed, 9 Feb 2000 10:58:00 -0500 (EST)
On Wed, 9 Feb 2000, George Herbert wrote:

> 50 systems across the internet with enough CPU capacity to near-fill a T-1 on a sustained basis with identical HTTP requests. Which is to say any modern multi-hundred-MHz RISC or x86 box with a reasonable OS, not really "largish". The processing needed in the OS TCP and IP stacks on the attacking system is most of the effort, and we're only talking in rough numbers 1,000 connects/sec for the attacker.
>
> -george william herbert
> gherbert () crl com

Now I haven't seen these DDoS "tools", but if you want to imagine something really scary, imagine one exists that works like this:

- attacker scans for the known OS vulns that will cough up a "#" prompt
- attacker installs root kit with DDoS tool
- that tool runs as a daemon that has the following features:
  - remote 'admin' via icmp (payload of echo-request includes password, host to attack, duration of attack)
  - daemon launches the http "GET" flood as described earlier based on the info contained in that icmp echo-request
  - daemon continues this attack as prescribed with no further intervention

So the attacker need only send a few packets to each compromised host to cause extreme amounts of damage.

How would you track down the attacker? Sure, you could slowly find the compromised hosts and block them. You could even then look for where the icmp "control" message that starts the thing comes from, but if it's a one-way control channel, the source the attacker sends the control packet from could easily be forged and you could easily miss the one magic 'ping' that starts the thing off...

The idea of such a tool is scary, and from what I've read about TFN and friends, it seems that they could be modified to work as outlined above. The worst thing about any effective DoS is, in my mind, the lack of an identifiable "attacker".

Charles

=-----------------=
| Charles Sprickman                Internet Channel  |
| INCH System Administration Team  (212)243-5200     |
| spork () inch com                access () inch com |
=----------------=
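The defensive side of the one-way ICMP control channel described in the message above, as an added example that is not code from the original thread or from any tool it names: a small inspector that parses raw IPv4 ICMP packets, keeps only echo requests with a valid ICMP checksum, and reports any whose payload is not the fill pattern that ordinary ping implementations send. Everything here is constructed for the example: the packet builder, the RFC 5737 addresses, and the "pass=/target=/secs=" control payload, whose field names are invented to match the post's description (password, host to attack, duration) rather than any real tool's format. The source address is reported for logging only; as the post points out, nothing in a one-way channel proves it is genuine.

```python
"""Inspect ICMP echo requests for payloads that do not look like ordinary ping.

Added example, not code from the original thread or any real DDoS tool.
Assumptions (all constructed here): packets are raw IPv4 with no link-layer
header; a "benign" echo payload is the fill pattern that common ping
implementations send (iputils/BSD: timestamp followed by bytes whose value
equals their offset; Windows: 'abcdefghijklmnopqrstuvw' repeated). Anything
else is reported for review. The hypothetical control payload below is made
up to match the post's description, not any known tool's format.
"""
import ipaddress
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, payload: bytes,
                      icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build a raw IPv4+ICMP packet for test input. The source address is
    whatever the caller writes, which is exactly why it cannot be trusted."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo_request(packet: bytes):
    """Return (src, dst, payload) if packet is an IPv4 ICMP echo request with
    a valid ICMP checksum; otherwise None (replies, other protocols, junk)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8 or total_len > len(packet):
        return None
    icmp = packet[ihl:total_len]
    if icmp[0] != ICMP_ECHO_REQUEST or checksum(icmp) != 0:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, icmp[8:]


def looks_like_standard_ping_fill(payload: bytes) -> bool:
    """True when the payload matches a common ping tool's default fill."""
    # iputils (Linux) and BSD ping: an 8- or 16-byte timestamp, then each
    # byte equals its own offset in the payload (0x10 0x11 ... 0x37 on Linux).
    for ts_len in (8, 16):
        if len(payload) > ts_len and all(
                payload[i] == (i & 0xFF) for i in range(ts_len, len(payload))):
            return True
    # Windows ping: the alphabet a..w repeated to fill 32 bytes.
    windows = b"abcdefghijklmnopqrstuvw"
    return len(payload) >= 8 and payload == (windows * 4)[:len(payload)]


def flag_echo_requests(packets):
    """Return (src, dst, payload) for each echo request whose payload is not
    a standard fill. src is reported for logging only; it may be forged."""
    flagged = []
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed is not None and not looks_like_standard_ping_fill(parsed[2]):
            flagged.append(parsed)
    return flagged


# Constructed sample traffic (RFC 5737 documentation addresses).
LINUX_FILL = struct.pack("!QQ", 0x5F3E1A00, 0x0001E240) + bytes(range(16, 56))
WINDOWS_FILL = (b"abcdefghijklmnopqrstuvw" * 2)[:32]
# Hypothetical control message in the shape the post describes (password,
# target, duration); the field names are invented for this example.
CONTROL_PAYLOAD = b"pass=s3cret target=203.0.113.10 secs=3600"

SAMPLE_PACKETS = [
    build_icmp_packet("192.0.2.7", "198.51.100.5", LINUX_FILL),
    build_icmp_packet("192.0.2.8", "198.51.100.5", WINDOWS_FILL),
    # Source 192.0.2.9 is whatever the sender chose to write; nothing here
    # proves the control packet really came from that host.
    build_icmp_packet("192.0.2.9", "198.51.100.5", CONTROL_PAYLOAD),
    build_icmp_packet("198.51.100.5", "192.0.2.7", LINUX_FILL, ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    for src, dst, payload in flag_echo_requests(SAMPLE_PACKETS):
        print(f"non-standard echo payload {src} -> {dst}: {payload!r}")
```

Run stand-alone it reports only the third packet. The point of checking the payload rather than the source is the one the post makes: since the daemon acts on a single inbound echo request whose source can be anything, the defender's only reliable observation is the content arriving at the compromised host, so inbound ICMP with non-fill payloads is what to log (or drop) at the border, and a source address in such a log is a lead, not evidence.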