[27198] in North American Network Operators' Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

daemon@ATHENA.MIT.EDU (Christopher B. Zydel)
Thu Feb 10 00:20:31 2000

Date: Thu, 10 Feb 2000 00:21:29 -0500
From: "Christopher B. Zydel" <czydel@aralan.net>
To: nanog@merit.edu
Message-ID: <20000210002128.C20557@ares.aralan.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <NDBBJKGADKGFDIKIHOBJCEGGCDAA.rmeyer@mhsc.com>; from Roeland M.J. Meyer on Wed, Feb 09, 2000 at 05:37:49PM -0800
Errors-To: owner-nanog-outgoing@merit.edu


> > > T1's are cheap, OC12s are not cheap.
> >
> > That may be the case, but I think that Kim hit the nail on the
> > head earlier.  With the number of multi-megabit connected homes
> > growing rapidly, there is a rapidly growing number of exploitable
> > hosts for those perpetrating DDoS attacks to take advantage of.


On Wed, Feb 09, 2000 at 05:37:49PM -0800, Roeland M.J. Meyer wrote:
> Please remember that cable-modems are asymmetric and the aggregate upstream
> pipe is shared.

Some MSOs choose to rate limit their users' upstreams as low as 128kbit/sec,
others do not.  For example, we limit our users to 1mbit/sec currently.  
As for the upstream communications channel, this is not much of a limitation.

Typical DOCSIS configurations include multiple upstream ports tied to a single
downstream.  It is typical to combine a small number of optical receivers to a 
given upstream port (1 or 2).  Each optical receiver typically carries 
500 homes passed.  Operating a 16 QAM carrier with a channel width of
3.2MHz yields ~10.24mbit/sec of bandwidth.  Subtract a little for overhead, and
figure you're doing pretty well and subscribe 10% of your passed homes, or 
roughly 100 users per upstream port.  Your average user isn't pounding on the
upstream too hard, so figure less than a quarter of these users really hit it
hard, and they're not likely to all be doing it at the same time.  I'd consider
a few cable or DSL networks with handfuls of compromised hosts sitting on them
a large threat given that it doesn't take a huge amount of bandwidth to create
a rather damaging TCP flood.  

I realize that these users are not as threatening as a dorm network attached to a
T3/OC-3c, but the CM/DSL population is growing a lot faster than the dorm population.

/cbz

