Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Henry R. Linneweh
  • Date: Wed Feb 09 03:54:11 2000

recent finds on backbones are multipliers that seem to add to the problem.

"Roeland M.J. Meyer" wrote:

> > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> > Joe Shaw
> > Sent: Tuesday, February 08, 2000 9:20 PM
> > To: Paul Ferguson
> >
> > I'd be one to argue that implementing egress filtering, as opposed to
> > ingress filtering, would do more to stop DDoS attacks since one of the
>
> > X's dialup pool who's causing the CPU on the router to go up.  However,
> > neither ingress or egress filtering helps stop any of the latest "seen
> > in the wild" DDos attacks like trinoo, tribe, etc. because the floods are
> > all unforged packets.  Though they've been sketchy on details, it sounds
>
> You've nailed the heart of the problem right here and never noticed. It is
> significant that the packets were NOT forged. IOW, they were legitimate
> packets of sufficient number to cap those very large pipes. I recently
> performed the Platform Architect role in a large .COM deployment. As part of
> site evaluation I had a chance to visit the facility where eBay is hosted.
> In fact, that is the same facility that I wound up using. Lots of dark-fiber
> capacity and over 20 Gbps capacity at the facility and they support
> 10000baseSX back planes. I swear that I saw a few Cat 6509's in eBay's
> racks. This means 1 Gbps pipes, scalable in 1 Gbps increments, using
> gig-Ether link aggregation.
>
> > before it started if the traffic were forged.  If it's just unforged
> > traffic, you'd expect the attacking sites to notice the spike in bandwidth
> > utilization and increased traffic flows from one or several machines to
> > one destination, but that may be asking too much.
>
> Gentlemen, this is a very large site, with plenty of spare capacity. It is
> significant that those pipes were capped, via excessive, non-forged,
> traffic. Although it speaks well for the infrastructure that delivered that
> traffic, it also scares the shit out of me. There are a very large number of
> very large systems, sitting behind some very large pipes, that are
> compromised. Think about that for a moment. These are not small machines
> deployed by college kids and internet newbies. No one trusts the operation
> of a $1.5M Sun e6500 by a group of rookies. They can probably afford to hire
> the best SA's that they can find and no one running equipment behind
> anything larger than a T1 can afford to hire the ignorant. Not at the prices
> charged for that size of a pipe. Just the same, those systems were
> compromised.
>
> > Unfortunately, the rush to .COM riches has brought with it a lot of people
> > who have only half a clue as to what they're doing if we, as the Internet
> > community, are lucky, making the Internet landscape even more dangerous
> > with the amount of ignorance that's out there when it comes to security
> > issues.  It should also be said that some established educational
> > institutions seem to be having issues stopping attacks like smurf and
> > fraggle as well.  The media certainly isn't helping, classifying all DoS
> > attacks as packet flooding attacks, which is not the case either, though
> > all DDos attacks are (if you're a journalist, please feel free to ask
> > what the difference is;  I'll be more than happy to explain it).
>
> I smell denial here. The compromised systems (only 52?) had to have access
> to pipes at least 1 Gbps in size, in order to carry out this attack (do the
> math yourself). Either there were many more systems participating (in itself
> a scarey thought) or many of these large and professionally run systems are
> owned and their operators don't know it. The only other alternative is the
> conspiracy theory from hell.
>
> I suspect that this is not a kiddie-cracker activity. It is too well planned
> and carried out with too much discipline, over too long a time. I suspect
> that whomever is doing this has been silently "owning" systems for the past
> 18 months. I suggest that everyone start looking for signs of mwsh and its
> cousins. Because, I further suspect that the perpretrators have NOT used all
> of their assets. There are still a good many systems that are compromised,
> and not taking part in the current fracas, we just haven't found them yet.
>
> > On Tue, 8 Feb 2000, Paul Ferguson wrote:
> >
> > > Declan,
> > >
> > > This is a very complex issue, and made the DDoS BoF last
> > > night even more lively. ;-)
> > >
> > > Read RFC2267. More people should be doing it, and most of
> > > these silly problems will go away.

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh







Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.