North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Roeland M.J. Meyer
  • Date: Wed Feb 09 12:30:56 2000

> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Shawn McMahon
> Sent: Wednesday, February 09, 2000 8:01 AM
>
> At 03:11 AM 2/9/2000 -0800, you wrote:
>
> >50 systems across the internet with enough CPU capacity to near-fill a
> >T-1 on a sustained basis with identical HTTP requests.   Which is to
> >say any modern multi-hundred-mhz RISC or x86 box with a reasonable OS,
> >not really "largish".
>
> Multi-hundred-mhz, nothing; a 486/33 can do that.
>
> 50 cast-off 486 motherboards with $50 AMD 5x86 processors could saturate
> those T1s and still get good GUI response.
>
> 50 Pentium IIs could do that, running even Windows 95, and probably have
> enough CPU left to get good RC5 cracking rates.  :-)
>
> I think we're leaping to majorly unwarranted conclusions here.

A simple case of denial here, T1's are not cheap. It isn't the CPU
horsepower that is significant here. It is the access to the required
bandwidth that makes this so worrisome.

In order to operate stealth-mode in a system, one must be on a box that has
sufficient power such that the operation of your code consumes less than 3%
of the box's available capacity. In addition, your network should consume
less than 5% of the site's pipe, even during an attack. Remember, it appears
that these hosts have been compromised for some time. Further, Sean
indicates that the entire attack system was tested at least once and no one
noticed. These guys have to be frugal with the assets if they want to
contnue using them undetected. This indicates planning and discipline. These
are NOT ignorant cracker-kiddies.

This indicates one or two compromised hosts per site with 50-ish sites
penetrated, at minimum (probably, 100's). I would wager that even the 50-ish
sites actually used in the attacks had no idea that they were participating.
This indicates low resource usage on part of the attacking code, since the
first indicator SA's usually look for is abnormally high usage of resources.

Let's quit assuming that all other operators are incompetent and start
assuming the worst, that crackers got this one by "competent" SAs, shall we?
If this is the case, then any of us are vulnerable. I find it difficult to
believe that there are 50 sites, with T3 connectivity or better, that are
all staffed exclusively by incompetent operators, let alone 100's or 1000's.