nanog mailing list archives

Re: Yahoo offline because of attack (was: Yahoo network outage)


From: Travis Pugh <tpugh () shore net>
Date: Wed, 9 Feb 2000 15:51:45 -0500 (EST)



Lots of NSPs and ISPs are tracking customer utilization of links, either
by MRTG or RRD ... and many of them bill by utilization using these or
other SNMP-based tools.  It should be trivial, during a DDoS attack of the
scale that took down Yahoo, to find participating sites.  A jump from
normal utilization to 100% link utilization should be easily noticeable if
it lasts more than 15 minutes (3 polling intervals, if you are doing it at
5 minutes).

It seems to me that a customer would be more than willing to have a 
rate-limit or filter installed on their routers during this kind of event,
especially if it helps them track down the compromised machine.

Host-by-host prevention, during an attack, should be very easy
... assuming a minimal amount of cooperation between upstream provider and
compromised network, if link utilization is tracked and the spike is
noticeable.  Perhaps we should be notifying operations staff to be on the
lookout for suddenly saturated circuits, and to be prepared to help out
owners of compromised hosts with filter configuration?

Just a thought.

--------------------------------------------
Travis Pugh             Sr. Network Engineer    
tpugh () shore net              Shore.net
--------------------------------------------


On Wed, 9 Feb 2000 lucifer () lightbearer com wrote:

One hard, solid data point:

I was talking to a friend who is a part-time SA on a box colocated at his
place of business (behind a 2xT1) which he found out was participating in
the attack.

He found this out when the links suddenly spiked through the roof and his
ethernet switch lit up with a nice, solid traffic light. The only reason
he spotted it? He was at work at the time. Had it occurred at night, it's
quite probable that nobody would have noticed, given how rarely they check
the traffic stats (since it doesn't really matter to them until the traffic
is pushing their ability to carry it).

***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer () lightbearer com              http://www.lightbearer.com/~lucifer
             KF6WAY (Tech) - 146.475 MHz (FM/Phone)
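
The check both messages above describe (a circuit that normally idles
sitting at 100% for three consecutive MRTG-style 5-minute polls), written
out as an added example. This is not code from the thread, from Shore.net
or from lightbearer.com. It assumes Counter32 ifInOctets/ifOutOctets
readings, a 2xT1 (3.088 Mbps) circuit, a 95% saturation threshold and a
three-poll minimum; every counter value in it is constructed, not
captured, and it also handles the 32-bit counter wrap that a poller
reading raw SNMP counters has to cope with.

```python
"""Flag circuits that sit at saturation for several consecutive SNMP polls.

Added example, not code from the NANOG thread.  Assumptions: Counter32
interface counters, a 2xT1 link, 5-minute polls, 95% threshold, three
polls minimum.  All sample readings below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER32_MAX = 2 ** 32   # ifInOctets / ifOutOctets are Counter32 and wrap at 2^32
POLL_SECONDS = 300        # MRTG default polling interval
T1_BPS = 1_544_000        # one T1
LINK_BPS = 2 * T1_BPS     # the 2xT1 circuit from the thread (assumed bonded capacity)


@dataclass
class Sample:
    timestamp: int   # seconds since epoch at poll time
    in_octets: int   # ifInOctets
    out_octets: int  # ifOutOctets


def counter_delta(prev: int, cur: int, width: int = COUNTER32_MAX) -> int:
    """Octets moved between two polls, correcting for a single counter wrap.

    Two wraps inside one interval are invisible with 32-bit counters; a fast
    link needs the 64-bit ifHCInOctets/ifHCOutOctets or a shorter poll.
    """
    if cur >= prev:
        return cur - prev
    return (width - prev) + cur


def utilization(prev: Sample, cur: Sample, capacity_bps: float) -> float:
    """Fraction of capacity used in the busier direction over one interval."""
    elapsed = cur.timestamp - prev.timestamp
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets) * 8 / elapsed
    out_bps = counter_delta(prev.out_octets, cur.out_octets) * 8 / elapsed
    return max(in_bps, out_bps) / capacity_bps


def saturated_runs(samples: List[Sample], capacity_bps: float,
                   threshold: float = 0.95, min_polls: int = 3) -> List[Tuple[int, int]]:
    """Return (start_ts, end_ts) of each stretch of >= min_polls saturated intervals.

    One saturated poll is routine (a backup, a big transfer); three in a row
    on a circuit that normally idles is the signal the thread talks about.
    """
    runs: List[Tuple[int, int]] = []
    run_start: Optional[int] = None
    run_len = 0
    for prev, cur in zip(samples, samples[1:]):
        if utilization(prev, cur, capacity_bps) >= threshold:
            if run_start is None:
                run_start = prev.timestamp
            run_len += 1
        else:
            if run_len >= min_polls and run_start is not None:
                runs.append((run_start, prev.timestamp))
            run_start, run_len = None, 0
    if run_len >= min_polls and run_start is not None:
        runs.append((run_start, samples[-1].timestamp))
    return runs


def build_samples(start_ts: int, in_start: int, out_start: int,
                  per_interval: List[Tuple[int, int]]) -> List[Sample]:
    """Turn per-interval octet deltas into cumulative Counter32 readings (constructed data)."""
    samples = [Sample(start_ts, in_start, out_start)]
    ts, i, o = start_ts, in_start, out_start
    for in_d, out_d in per_interval:
        ts += POLL_SECONDS
        i = (i + in_d) % COUNTER32_MAX
        o = (o + out_d) % COUNTER32_MAX
        samples.append(Sample(ts, i, o))
    return samples


# Constructed poll series: 10% background, then three polls of outbound flood.
NORMAL = LINK_BPS * POLL_SECONDS // 8 // 10   # octets per interval at 10% of the link
FLOOD = LINK_BPS * POLL_SECONDS // 8          # octets per interval at 100%
SAMPLE_POLLS = build_samples(
    950_000_000,      # roughly 8 Feb 2000 UTC
    1_000_000,        # ifInOctets start
    4_290_000_000,    # ifOutOctets start, just below 2^32, so the first interval wraps
    [(NORMAL, NORMAL), (NORMAL, NORMAL),
     (NORMAL, FLOOD), (NORMAL, FLOOD), (NORMAL, FLOOD),
     (NORMAL, NORMAL)],
)

if __name__ == "__main__":
    for start, end in saturated_runs(SAMPLE_POLLS, LINK_BPS):
        print(f"ALERT: link saturated from {start} to {end} "
              f"({(end - start) // POLL_SECONDS} consecutive polls)")
```

Run as-is it reports one run covering the three flooded intervals. In
practice the same logic sits behind whatever already collects the
counters (MRTG's log files or an RRD fetch), keyed per customer circuit,
and the alert is what gets the on-call engineer and the customer on the
phone about a rate-limit or filter.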