[27209] in North American Network Operators' Group


Re: Info on the DoS attacks.

daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Feb 10 01:24:54 2000

Date: 9 Feb 2000 22:15:46 -0800
Message-ID: <20000210061546.20567.cpmta@c004.sfo.cp.net>
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
To: jshaw@insync.net
From: Sean Donelan <sean@donelan.com>
Cc: declan@wired.com, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 09 February 2000, Joe Shaw wrote:
> I'd be worried if they didn't have theories or know about the known DDoS
> attacks, but not if they didn't have specifics.  Tier1 NSP's seem to be
> very tight lipped about these sorts of things when they are the 
> victim.  I'm sure there are GC employees on this list, but none have come
> forward to give any details.  Could be a gag order, which wouldn't shock
> me at all.  Hopefully we'll know something eventually, but for now we're
> all mushrooms when it comes to official information.

I guess the techies are reduced to reading the New York Times for technical
details.

Today's NYT has a description from GlobalCenter's PR person.  The Yahoo
attack was a large number of ICMP EchoReplies (PINGs) coming via GlobalCenter's
50 peering connections (about half of GlobalCenter's total peering connections).
Which may explain the "50" number I've been hearing.  The original ICMP
EchoRequests listed Yahoo as the source address and were directed to other
networks which replied to Yahoo.  GlobalCenter installed rate-limits, but
didn't know if they are effective in preventing attacks.

Yahoo's spokesperson confirmed GlobalCenter's account.

(free NYT registration required)
http://www.nytimes.com/library/tech/00/02/biztech/articles/10attack.html

Note: other people have sent me private mail saying it was actually a
different method, but this appears to be the official statement out of
GlobalCenter and Yahoo.
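
The traffic pattern described in the message above (Echo Replies arriving at a host that never sent the matching Echo Requests) can be checked for at the receiving network's edge. The following is an added example, not part of the original post: the packet record layout, function names, thresholds and addresses are all assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers

def unsolicited_replies(packets, protected):
    """Return {protected_ip: [(src, ident, seq), ...]} for Echo Replies that
    answer no Echo Request the protected host was seen sending."""
    outstanding = set()               # (requester, target, ident, seq)
    unsolicited = defaultdict(list)
    # Assumed record layout: (timestamp, src, dst, icmp_type, ident, seq)
    for ts, src, dst, icmp_type, ident, seq in sorted(packets):
        if icmp_type == ECHO_REQUEST and src in protected:
            outstanding.add((src, dst, ident, seq))
        elif icmp_type == ECHO_REPLY and dst in protected:
            key = (dst, src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)   # legitimate answer, consume it
            else:
                unsolicited[dst].append((src, ident, seq))
    return dict(unsolicited)

def reflection_suspects(packets, protected, min_sources=3, min_replies=5):
    """Flag protected hosts that receive many unsolicited replies from many
    distinct sources. Thresholds are illustrative assumptions."""
    suspects = {}
    for victim, hits in unsolicited_replies(packets, protected).items():
        sources = {src for src, _, _ in hits}
        if len(sources) >= min_sources and len(hits) >= min_replies:
            suspects[victim] = {"replies": len(hits), "sources": len(sources)}
    return suspects

# Constructed sample using documentation address ranges, not real traffic.
VICTIM = "192.0.2.10"
SAMPLE = [
    # A genuine ping from the protected host and its answer: not counted.
    (1.00, VICTIM, "198.51.100.1", ECHO_REQUEST, 7, 1),
    (1.02, "198.51.100.1", VICTIM, ECHO_REPLY, 7, 1),
]
# Replies from four hosts that the protected host never pinged.
for i in range(8):
    SAMPLE.append((2.0 + i * 0.01, f"203.0.113.{1 + i % 4}",
                   VICTIM, ECHO_REPLY, 99, i))

if __name__ == "__main__":
    print(reflection_suspects(SAMPLE, {VICTIM}))
```

The requests that carry the forged source address never cross the receiving network, so from that vantage point every reflected reply is unmatched, while answers to the host's own pings are consumed and ignored.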



