Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: lucifer
  • Date: Wed Feb 09 14:05:04 2000

Richard Steenbergen wrote:
> On Wed, Feb 09, 2000 at 09:25:43AM -0800, Roeland M.J. Meyer wrote:
> > A simple case of denial here, T1's are not cheap. It isn't the CPU
> > horsepower that is significant here. It is the access to the required
> > bandwidth that makes this so worrisome.
> > 
> > In order to operate stealth-mode in a system, one must be on a box that has
> > sufficient power such that the operation of your code consumes less than 3%
> > of the box's available capacity. In addition, your network should consume
> > less than 5% of the site's pipe, even during an attack. Remember, it appears
> > that these hosts have been compromised for some time. Further, Sean
> > indicates that the entire attack system was tested at least once and no one
> > noticed. These guys have to be frugal with the assets if they want to
> > contnue using them undetected. This indicates planning and discipline. These
> > are NOT ignorant cracker-kiddies.
> > 
> > This indicates one or two compromised hosts per site with 50-ish sites
> > penetrated, at minimum (probably, 100's). I would wager that even the 50-ish
> > sites actually used in the attacks had no idea that they were participating.
> > This indicates low resource usage on part of the attacking code, since the
> > first indicator SA's usually look for is abnormally high usage of resources.
> > 
> > Let's quit assuming that all other operators are incompetent and start
> > assuming the worst, that crackers got this one by "competent" SAs, shall we?
> > If this is the case, then any of us are vulnerable. I find it difficult to
> > believe that there are 50 sites, with T3 connectivity or better, that are
> > all staffed exclusively by incompetent operators, let alone 100's or 1000's.
> You are quite confused.
> T1's are cheap, OC12s are not cheap.
> CPU is the limiting factor in many of these attacks, but not because of
> the ability to saturate a T1 with HTTP GETs or any other such nonsense.
> These attacks often taken down the attacking-victim as much as the
> attacked-victim, infact often times they run their attacks so strongly
> that they are unable to access the systems to stop them, which is why all
> the distributed attack programs have a built in length of time for the
> attack to run, any signal to "stop" would often never be received.
> The belief that previously seen problem were some kind of "test" is
> totally ubsubstantiated guesswork, of little quality.
> Your numbers are totally random with no basis in reality.
> You are correct that most sites do not realize they are participating even
> after a huge attack that cripples BOTH networks.
> It has not so much to do with "competency" as attention to detail and
> careful network monitoring, though you could easily make the arguement
> that operators who do not do such are incompetent. If you find this
> difficult to imagine you need a better imagination.

One hard, solid data point:

I was talking to a friend who is a part-time SA on a box colocated at his
place of business (behind a 2xT1) which he found out was participating in
the attack.

He found this out when the links suddenly spiked through the roof and his
ethernet switch lit up with a nice, solid traffic light. The only reason
he spotted it? He was at work at the time. Had it occured at night, it's
quite probably that nobody would have noticed, given how rarely they check
the traffic stats (since it doesn't really matter to them until the traffic
is pushing their ability to carry it).

The box? RedHat 6.0 without the security patches; from logs, it appears to
have been taken by an automated attack, via the old NFS bug. Nothing at all
suprising there, of course.

This sort of thing is not exactly rare. Compromised boxes at .edu sites
have been a thorn in many operator's sides for a long time now, and other
sites happen as well; the difference is that the attackers are now biding
their time (which may not be all that long) before launching an attack, so
that they have enough points to fire it off from.

While this hardly rules out a more "professional" attack, it's quite
possible for this sort of thing to be accomplished by a bored or angry kid
with nothing better to do. Or more likely, a group of half a dozen of them
doing it for kicks, scanning for hosts for an hour while doing homework,
all week, until they have a sizeable list.

If you think that's bad, wait until they find a way to compromise Windows
hosts on DSL lines. That... will be deep pain.

(BTW, the box in question was taken off-net, and is currently being given
the scorched-earth treatment; the person in question will be undergoing
education in security principles from a veteran operator, and realizes
that the compromise was made possible by their own negligence... now.)
Joel Baker                           System Administrator -    
             KF6WAY (Tech) - 146.475 MHz (FM/Phone)

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.