[27108] in North American Network Operators' Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

daemon@ATHENA.MIT.EDU (Richard Steenbergen)
Wed Feb 9 11:43:30 2000

Date: Wed, 9 Feb 2000 11:14:38 -0500
From: Richard Steenbergen <ras@above.net>
To: Charles Sprickman <spork@inch.com>
Cc: George Herbert <gherbert@crl.com>,
	"Roeland M.J. Meyer" <rmeyer@mhsc.com>, nanog@merit.edu
Message-ID: <20000209111438.C21888@above.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <Pine.BSF.4.21.0002091047000.16708-100000@shell.inch.com>; from Charles Sprickman on Wed, Feb 09, 2000 at 10:58:00AM -0500
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, Feb 09, 2000 at 10:58:00AM -0500, Charles Sprickman wrote:
> So the attacker need only send a few packets to each compromised host to
> cause extreme amounts of damage.
> 
> How would you track down the attacker?  Sure, you could slowly find the
> compromised hosts and block them.  You could even then look for where the
> icmp "control" message that starts the thing comes from, but if it's a
> one-way control channel, the source the attacker sends the control packet
> from could easily be forged and you could easily miss the one magic
> 'ping' that starts the thing off...
> 
> The idea of such a tool is scary, and from what I've read about TFN and
> friends, it seems that they could be modified to work as outlined
> above.  The worst thing about any effective DoS is, in my mind, the lack
> of an identifiable "attacker".

They do work as above, with encrypted control messages. If you look at
some of the code (and then manage to stop laughing) you will find some
interesting ways to counteract, trace to the control nodes, and in some
cases even immediately kill the daemon on every attacking node. Keep in
mind that the people writing these things are doing it with often very
little clue, experience, or thought. Most are blindly stabbing at things
they do not understand trying to tweak things and test them out to see if
it makes their victim "die any faster", ripping mismatched code from
various places (like blowfish code from eggdrop), and creating what will
quite possibly be one of the quickest ways to spend a long long long LONG
time in jail when they get caught and lawyers and accountants start adding
up the "cost" of their distributed fun and games...

-- 
Richard A. Steenbergen <ras@above.net>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
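The thread above turns on one detail: the agents are triggered by a single, possibly source-spoofed, one-way control packet (the "magic ping"), and the attacker never needs to see a reply. A defender at a network border who sees both directions of traffic can exploit exactly that asymmetry: an ICMP echo reply for which no matching echo request ever left the network is, by construction, unsolicited. The script below is an added example, not code from the original posts and not tied to TFN's actual message format (which this example does not assume); the record layout and the sample records are constructed for illustration, and the local prefix and reply window are assumptions.

```python
"""
Stateful matching of ICMP echo replies against the echo requests that
preceded them.  Flags replies with no matching request (an unsolicited
"control"-style packet) and replies that arrive long after the request.

Added example; record format and sample data are constructed, not from
any real tool or capture.
"""
from typing import Dict, List, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Assumed local address space and maximum sane request->reply delay.
LOCAL_PREFIX = "10.0.0."
REPLY_WINDOW_SECONDS = 30.0

# Constructed records: (timestamp, src, dst, icmp_type, icmp_id, icmp_seq, payload_len)
SAMPLE_RECORDS: List[Tuple[float, str, str, int, int, int, int]] = [
    (100.0, "10.0.0.5", "192.0.2.10", ICMP_ECHO_REQUEST, 0x1234, 1, 56),
    (100.1, "192.0.2.10", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, 1, 56),   # normal reply
    (105.0, "198.51.100.7", "10.0.0.9", ICMP_ECHO_REPLY, 0x0159, 0, 0),  # nobody asked
    (106.0, "10.0.0.5", "192.0.2.10", ICMP_ECHO_REQUEST, 0x1234, 2, 56),
    (170.0, "192.0.2.10", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, 2, 56),   # 64 s late
]

Alert = Tuple[float, str, str, str]


def is_local(ip: str) -> bool:
    """Crude membership test for the monitored address space (assumption)."""
    return ip.startswith(LOCAL_PREFIX)


def find_unsolicited_replies(records, window: float = REPLY_WINDOW_SECONDS) -> List[Alert]:
    """
    Walk records in time order.  Outbound echo requests from local hosts are
    remembered under (remote, local, id, seq); an inbound echo reply must
    match that key exactly, so a reply whose source was forged, or whose
    id/seq never went out, is reported.  Replies later than `window`
    seconds are reported too, since a real reply comes back in milliseconds.
    """
    pending: Dict[Tuple[str, str, int, int], float] = {}
    alerts: List[Alert] = []
    for ts, src, dst, itype, icmp_id, seq, _plen in sorted(records):
        if itype == ICMP_ECHO_REQUEST and is_local(src):
            pending[(dst, src, icmp_id, seq)] = ts
        elif itype == ICMP_ECHO_REPLY and is_local(dst):
            key = (src, dst, icmp_id, seq)
            req_ts = pending.pop(key, None)
            if req_ts is None:
                alerts.append((ts, src, dst, "echo reply with no matching request"))
            elif ts - req_ts > window:
                alerts.append((ts, src, dst, "echo reply %.0fs after request" % (ts - req_ts)))
    return alerts


def summarize_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per external source; the sources here are where to start tracing."""
    counts: Dict[str, int] = {}
    for _ts, src, _dst, _why in alerts:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, dst, why in find_unsolicited_replies(SAMPLE_RECORDS):
        print("%8.1f  %-14s -> %-10s  %s" % (ts, src, dst, why))
    print(summarize_by_source(find_unsolicited_replies(SAMPLE_RECORDS)))
```

Two caveats follow from the thread itself. The match only works where both directions are visible, so it belongs at a border or on a mirror port, not on the compromised host. And because the source of the control packet may be forged, an alert tells you that a control packet arrived and which host received it (the agent to clean up), not who sent it; tracing the sender still means walking the packet back hop by hop, which is why ingress filtering of spoofed sources is the complementary control.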

