North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: Yahoo offline because of attack (was: Yahoo network outage)
- From: Roeland M.J. Meyer
- Date: Wed Feb 09 13:02:11 2000
You mean, like the guy that threatened to publish 50,000 credit card
numbers, with x-dates, if he wasn't paid off?
> -----Original Message-----
> From: Deepak Jain [mailto:firstname.lastname@example.org]
> Sent: Wednesday, February 09, 2000 9:34 AM
> To: Roeland M.J. Meyer
> Cc: Shawn McMahon; email@example.com
> Subject: RE: Yahoo offline because of attack (was: Yahoo network outage)
> If we assume that the attacks are being lead by competent attackers, we
> must also assume that their motive could be more complex than just "hah
> hah, let's see if we can make Yahoo disappear." In fact, it could be far
> more interesting than just a technical display of capabilities.
> In light of Yahoo, Exodus and UUNET's issues over the last three days,
> anyone who doesn't consider this a mandate to improve the accountability
> of net-connected sites is seriously missing the boat.
> Just my opinion,
> Deepak Jain
> On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:
> > > From: firstname.lastname@example.org [mailto:email@example.com]On Behalf Of
> > > Shawn McMahon
> > > Sent: Wednesday, February 09, 2000 8:01 AM
> > >
> > > At 03:11 AM 2/9/2000 -0800, you wrote:
> > >
> > > >50 systems across the internet with enough CPU capacity to
> near-fill a
> > > >T-1 on a sustained basis with identical HTTP requests. Which is to
> > > >say any modern multi-hundred-mhz RISC or x86 box with a
> reasonable OS,
> > > >not really "largish".
> > >
> > > Multi-hundred-mhz, nothing; a 486/33 can do that.
> > >
> > > 50 cast-off 486 motherboards with $50 AMD 5x86 processors
> could saturate
> > > those T1s and still get good GUI response.
> > >
> > > 50 Pentium IIs could do that, running even Windows 95, and
> probably have
> > > enough CPU left to get good RC5 cracking rates. :-)
> > >
> > > I think we're leaping to majorly unwarranted conclusions here.
> > A simple case of denial here, T1's are not cheap. It isn't the CPU
> > horsepower that is significant here. It is the access to the required
> > bandwidth that makes this so worrisome.
> > In order to operate stealth-mode in a system, one must be on a
> box that has
> > sufficient power such that the operation of your code consumes
> less than 3%
> > of the box's available capacity. In addition, your network
> should consume
> > less than 5% of the site's pipe, even during an attack.
> Remember, it appears
> > that these hosts have been compromised for some time. Further, Sean
> > indicates that the entire attack system was tested at least
> once and no one
> > noticed. These guys have to be frugal with the assets if they want to
> > contnue using them undetected. This indicates planning and
> discipline. These
> > are NOT ignorant cracker-kiddies.
> > This indicates one or two compromised hosts per site with 50-ish sites
> > penetrated, at minimum (probably, 100's). I would wager that
> even the 50-ish
> > sites actually used in the attacks had no idea that they were
> > This indicates low resource usage on part of the attacking
> code, since the
> > first indicator SA's usually look for is abnormally high usage
> of resources.
> > Let's quit assuming that all other operators are incompetent and start
> > assuming the worst, that crackers got this one by "competent"
> SAs, shall we?
> > If this is the case, then any of us are vulnerable. I find it
> difficult to
> > believe that there are 50 sites, with T3 connectivity or
> better, that are
> > all staffed exclusively by incompetent operators, let alone
> 100's or 1000's.