[27104] in North American Network Operators' Group
Re: Yahoo offline because of attack (was: Yahoo network outage)
daemon@ATHENA.MIT.EDU (Charles Sprickman)
Wed Feb 9 11:07:17 2000
Date: Wed, 9 Feb 2000 10:58:00 -0500 (EST)
From: Charles Sprickman <spork@inch.com>
To: George Herbert <gherbert@crl.com>
Cc: "Roeland M.J. Meyer" <rmeyer@mhsc.com>, nanog@merit.edu
In-Reply-To: <200002091111.DAA13875@mail.crl.com>
Message-ID: <Pine.BSF.4.21.0002091047000.16708-100000@shell.inch.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 9 Feb 2000, George Herbert wrote:
> 50 systems across the internet with enough CPU capacity to near-fill a
> T-1 on a sustained basis with identical HTTP requests. Which is to
> say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS,
> not really "largish". The processing needed in the OS TCP and IP stacks
> on the attacking system is most of the effort, and we're only talking
> in rough numbers 1,000 connects/sec for the attacker.
Now I haven't seen these DDoS "tools", but if you want to imagine
something really scary, imagine one exists that works like this:
-attacker scans for the known OS vulns that will cough up a "#" prompt
-attacker installs root kit with DDoS tool
-that tool runs as a daemon that has the following features:
  -remote 'admin' via icmp (payload of echo-request includes password, host to attack, duration of attack)
  -daemon launches the http "GET" flood as described earlier based on the info contained in that icmp echo-request
  -daemon continues this attack as prescribed with no further intervention
So the attacker need only send a few packets to each compromised host to
cause extreme amounts of damage.
How would you track down the attacker? Sure, you could slowly find the
compromised hosts and block them. You could even then look for where the
icmp "control" message that starts the thing comes from, but if it's a
one-way control channel, the source the attacker sends the control packet
from could easily be forged and you could easily miss the one magic
'ping' that starts the thing off...
The idea of such a tool is scary, and from what I've read about TFN and
friends, it seems that they could be modified to work as outlined
above. The worst thing about any effective DoS is, in my mind, the lack
of an identifiable "attacker".
Charles
| Charles Sprickman                  Internet Channel |
| INCH System Administration Team    (212)243-5200    |
| spork@inch.com                     access@inch.com  |
> -george william herbert
> gherbert@crl.com
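As an added illustration from the defender's side (this is not code from the post or from any NANOG participant), here is a small Python triage over raw ICMP messages of the kind a one-way echo-request control channel would ride on: it validates echo-request headers and checksums, then flags payloads that look like field-delimited control text rather than a stock ping pattern. The sample messages, the Windows/Linux ping payloads used as baselines, and the 0.9 printable-ratio threshold are my own assumptions for the example.

```python
import struct

# Stock payload of Windows ping; Linux ping sends a timestamp then 0x10, 0x11, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_echo(msg: bytes):
    """Return (id, seq, payload) for a checksum-valid echo-request, else None."""
    # msg is the ICMP message only; the IP header has already been stripped.
    if len(msg) < 8 or msg[0] != 8 or msg[1] != 0:
        return None
    _, _, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        return None
    return ident, seq, msg[8:]

def payload_looks_like_command(payload: bytes) -> bool:
    """Mostly printable, field-delimited text that is not the stock ping pattern."""
    if not payload or payload == WINDOWS_PING_PAYLOAD:
        return False
    printable = sum(32 <= b < 127 for b in payload)
    if printable / len(payload) < 0.9:  # assumed threshold, tune per environment
        return False
    return any(sep in payload for sep in (b":", b";", b" ", b"|"))

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Test helper: assemble an echo-request with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def triage(messages):
    """Indexes of messages that parse as echo-requests with command-like payloads."""
    return [i for i, m in enumerate(messages)
            if (p := parse_icmp_echo(m)) and payload_looks_like_command(p[2])]

SAMPLE_MESSAGES = [  # constructed samples, not captured traffic
    build_echo(0x1234, 1, WINDOWS_PING_PAYLOAD),                   # ordinary ping
    build_echo(0x1234, 2, b"\x00" * 8 + bytes(range(0x10, 0x40))),  # Linux-style ping
    build_echo(0xBEEF, 1, b"s3cret:203.0.113.10:600"),             # suspicious
    b"\x00\x00\x00\x00",                                            # truncated junk
]
```

A heuristic like this only narrows the haystack; as the post notes, the source address of the one packet it catches may still be forged, so the value is in finding the compromised hosts, not the operator.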