[27089] in North American Network Operators' Group
RE: Yahoo offline because of attack (was: Yahoo network outage)
daemon@ATHENA.MIT.EDU (Roeland M.J. Meyer)
Wed Feb 9 04:23:57 2000
From: "Roeland M.J. Meyer" <rmeyer@mhsc.com>
To: "George Herbert" <gherbert@crl.com>
Cc: <nanog@merit.edu>
Date: Wed, 9 Feb 2000 01:20:13 -0800
Message-ID: <NDBBJKGADKGFDIKIHOBJKEECCDAA.rmeyer@mhsc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <200002090852.AAA01728@mail.crl.com>
Errors-To: owner-nanog-outgoing@merit.edu
> From: George Herbert [mailto:gherbert@crl.com]
> Sent: Wednesday, February 09, 2000 12:52 AM
> To: Roeland M.J. Meyer
>
> Roeland wrote:
> >I smell denial here. The compromised systems (only 52?) had to have access
> >to pipes at least 1 Gbps in size, in order to carry out this attack (do the
> >math yourself). Either there were many more systems participating (in itself
> >a scary thought) or many of these large and professionally run systems are
> >owned and their operators don't know it. The only other alternative is the
> >conspiracy theory from hell.
>
> No, they don't. Assume there's 40k of data in the homepage.
> How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take
> to do a TCP connect and request? I just tested, I show 160 bytes.
> That's a 250:1 leverage for the attacker. To fill 1 GBPS worth
> of outbound trunking you only need to generate 4 MBPS (32 Mbps)
> worth of input. 50ish systems with T-1 connectivity gets there
> with margins.
Okay, but you've still missed the point. Even if I stipulate everything you
said here, that's still 50 largish systems that are compromised. I would
almost wager that the perpetrators didn't use all of their assets either.
That's a shit-load of large compromised systems on the Internet. Doesn't
that thought worry you in the slightest?