[27114] in North American Network Operators' Group
RE: Yahoo offline because of attack (was: Yahoo network outage)
daemon@ATHENA.MIT.EDU (Roeland M.J. Meyer)
Wed Feb 9 12:59:20 2000
From: "Roeland M.J. Meyer" <rmeyer@mhsc.com>
To: "Deepak Jain" <deepak@ai.net>
Cc: "Shawn McMahon" <smcmahon@eiv.com>, <nanog@merit.edu>
Date: Wed, 9 Feb 2000 09:47:17 -0800
Message-ID: <NDBBJKGADKGFDIKIHOBJKEEPCDAA.rmeyer@mhsc.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.BSF.4.21.0002091231050.4509-100000@aries.ai.net>
Errors-To: owner-nanog-outgoing@merit.edu
You mean, like the guy that threatened to publish 50,000 credit card
numbers, with x-dates, if he wasn't paid off?
> -----Original Message-----
> From: Deepak Jain [mailto:deepak@ai.net]
> Sent: Wednesday, February 09, 2000 9:34 AM
> To: Roeland M.J. Meyer
> Cc: Shawn McMahon; nanog@merit.edu
> Subject: RE: Yahoo offline because of attack (was: Yahoo network outage)
>
> If we assume that the attacks are being lead by competent attackers, we
> must also assume that their motive could be more complex than just "hah
> hah, let's see if we can make Yahoo disappear." In fact, it could be far
> more interesting than just a technical display of capabilities.
>
> In light of Yahoo, Exodus and UUNET's issues over the last three days,
> anyone who doesn't consider this a mandate to improve the accountability
> of net-connected sites is seriously missing the boat.
>
> Just my opinion,
>
> Deepak Jain
> AiNET
>
> On Wed, 9 Feb 2000, Roeland M.J. Meyer wrote:
>
> >
> > > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> > > Shawn McMahon
> > > Sent: Wednesday, February 09, 2000 8:01 AM
> > >
> > > At 03:11 AM 2/9/2000 -0800, you wrote:
> > >
> > > >50 systems across the internet with enough CPU capacity to near-fill a
> > > >T-1 on a sustained basis with identical HTTP requests. Which is to
> > > >say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS,
> > > >not really "largish".
> > >
> > > Multi-hundred-mhz, nothing; a 486/33 can do that.
> > >
> > > 50 cast-off 486 motherboards with $50 AMD 5x86 processors could saturate
> > > those T1s and still get good GUI response.
> > >
> > > 50 Pentium IIs could do that, running even Windows 95, and probably have
> > > enough CPU left to get good RC5 cracking rates. :-)
> > >
> > > I think we're leaping to majorly unwarranted conclusions here.
> >
> > A simple case of denial here, T1's are not cheap. It isn't the CPU
> > horsepower that is significant here. It is the access to the required
> > bandwidth that makes this so worrisome.
> >
> > In order to operate stealth-mode in a system, one must be on a box that has
> > sufficient power such that the operation of your code consumes less than 3%
> > of the box's available capacity. In addition, your network should consume
> > less than 5% of the site's pipe, even during an attack. Remember, it appears
> > that these hosts have been compromised for some time. Further, Sean
> > indicates that the entire attack system was tested at least once and no one
> > noticed. These guys have to be frugal with the assets if they want to
> > continue using them undetected. This indicates planning and discipline. These
> > are NOT ignorant cracker-kiddies.
> >
> > This indicates one or two compromised hosts per site with 50-ish sites
> > penetrated, at minimum (probably, 100's). I would wager that even the 50-ish
> > sites actually used in the attacks had no idea that they were participating.
> > This indicates low resource usage on part of the attacking code, since the
> > first indicator SA's usually look for is abnormally high usage of resources.
> >
> > Let's quit assuming that all other operators are incompetent and start
> > assuming the worst, that crackers got this one by "competent" SAs, shall we?
> > If this is the case, then any of us are vulnerable. I find it difficult to
> > believe that there are 50 sites, with T3 connectivity or better, that are
> > all staffed exclusively by incompetent operators, let alone 100's or 1000's.
> >
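As an added illustration of the point made in the quoted text above (this example is not part of the thread): a compromised host kept under the site's usage threshold never trips an "abnormally high usage" check, but the identical-request pattern still stands out. The flow records, the T3 uplink figure and the thresholds are constructed for the example; the field layout is assumed, not any particular tool's format.

```python
from dataclasses import dataclass

T3_BITS_PER_SEC = 45_000_000   # assumed site uplink: one T3
WINDOW_SEC = 60                # one-minute flow summary window

@dataclass
class FlowSummary:
    """Per-host outbound summary for one window (constructed format)."""
    host: str
    bytes_out: int          # bytes sent during the window
    requests: int           # HTTP requests sent during the window
    distinct_requests: int  # distinct request lines among those requests
    destinations: int       # distinct external destinations contacted

# Constructed records: a busy but legitimate proxy, a quiet host that repeats
# one request line to a single destination, and an idle workstation.
FLOWS = [
    FlowSummary("proxy01", 180_000_000, 9_000, 7_800, 420),
    FlowSummary("ws-lab-17", 10_000_000, 6_000, 1, 1),
    FlowSummary("ws-hr-03", 120_000, 40, 38, 12),
]

def pipe_utilisation(f: FlowSummary) -> float:
    """Fraction of the site uplink this host used over the window."""
    return f.bytes_out * 8 / (T3_BITS_PER_SEC * WINDOW_SEC)

def flagged_by_volume(f: FlowSummary, threshold: float = 0.05) -> bool:
    """The 'abnormally high usage' check: fires only above 5% of the pipe."""
    return pipe_utilisation(f) > threshold

def flagged_by_pattern(f: FlowSummary, min_rps: float = 50.0,
                       max_variety: float = 0.01) -> bool:
    """Sustained rate of near-identical requests to one destination,
    regardless of how little of the pipe the host consumes."""
    if f.requests == 0 or f.destinations != 1:
        return False
    rate = f.requests / WINDOW_SEC
    variety = f.distinct_requests / f.requests
    return rate >= min_rps and variety <= max_variety

def triage(flows):
    """Map host -> (volume rule fired, pattern rule fired)."""
    return {f.host: (flagged_by_volume(f), flagged_by_pattern(f)) for f in flows}

if __name__ == "__main__":
    for host, (vol, pat) in triage(FLOWS).items():
        print(f"{host:10} volume={vol!s:5} pattern={pat}")
```

The repeating host uses under 3% of the uplink, so only the pattern rule flags it; the proxy trips the volume rule alone, which is the false positive a usage-only check produces.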