recent finds on backbones are multipliers that seem to add to the problem. "Roeland M.J. Meyer" wrote:
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Shaw
Sent: Tuesday, February 08, 2000 9:20 PM
To: Paul Ferguson
I'd be one to argue that implementing egress filtering, as opposed to ingress filtering, would do more to stop DDoS attacks since one of the
X's dialup pool who's causing the CPU on the router to go up. However, neither ingress nor egress filtering helps stop any of the latest "seen in the wild" DDoS attacks like trinoo, tribe, etc. because the floods are all unforged packets. Though they've been sketchy on details, it sounds
You've nailed the heart of the problem right here and never noticed. It is significant that the packets were NOT forged. IOW, they were legitimate packets of sufficient number to cap those very large pipes. I recently performed the Platform Architect role in a large .COM deployment. As part of site evaluation I had a chance to visit the facility where eBay is hosted. In fact, that is the same facility that I wound up using. Lots of dark-fiber capacity and over 20 Gbps capacity at the facility and they support 10000baseSX back planes. I swear that I saw a few Cat 6509's in eBay's racks. This means 1 Gbps pipes, scalable in 1 Gbps increments, using gig-Ether link aggregation.
before it started if the traffic were forged. If it's just unforged traffic, you'd expect the attacking sites to notice the spike in bandwidth utilization and increased traffic flows from one or several machines to one destination, but that may be asking too much.
Gentlemen, this is a very large site, with plenty of spare capacity. It is significant that those pipes were capped, via excessive, non-forged, traffic. Although it speaks well for the infrastructure that delivered that traffic, it also scares the shit out of me. There are a very large number of very large systems, sitting behind some very large pipes, that are compromised. Think about that for a moment. These are not small machines deployed by college kids and internet newbies. No one trusts the operation of a $1.5M Sun e6500 by a group of rookies. They can probably afford to hire the best SA's that they can find and no one running equipment behind anything larger than a T1 can afford to hire the ignorant. Not at the prices charged for that size of a pipe. Just the same, those systems were compromised.
Unfortunately, the rush to .COM riches has brought with it a lot of people who have only half a clue as to what they're doing if we, as the Internet community, are lucky, making the Internet landscape even more dangerous with the amount of ignorance that's out there when it comes to security issues. It should also be said that some established educational institutions seem to be having issues stopping attacks like smurf and fraggle as well. The media certainly isn't helping, classifying all DoS attacks as packet flooding attacks, which is not the case either, though all DDoS attacks are (if you're a journalist, please feel free to ask what the difference is; I'll be more than happy to explain it).
I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.
I suspect that this is not a kiddie-cracker activity. It is too well planned and carried out with too much discipline, over too long a time. I suspect that whoever is doing this has been silently "owning" systems for the past 18 months. I suggest that everyone start looking for signs of mwsh and its cousins. Because, I further suspect that the perpetrators have NOT used all of their assets. There are still a good many systems that are compromised, and not taking part in the current fracas; we just haven't found them yet.
On Tue, 8 Feb 2000, Paul Ferguson wrote:
Declan,
This is a very complex issue, and made the DDoS BoF last night even more lively. ;-)
Read RFC2267. More people should be doing it, and most of these silly problems will go away.
--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
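The thread turns on two points: RFC 2267 ingress filtering stops packets with forged source addresses at the provider edge, and it does nothing against a flood of unforged packets, which the attacking site's operator would have to notice as a traffic spike from its own hosts. The following is an added illustration written for this page, not code from any poster or from RFC 2267 itself. It simulates the RFC 2267 check on a provider's customer-facing interface and the per-source flow count an operator would look at; the customer prefix, the target address and the packet sample are all constructed (RFC 5737 documentation addresses), and the hypothetical customer named "X" is assumed to hold 198.51.100.0/24.

```python
"""Simulated RFC 2267 (BCP 38) ingress filter and per-source flow count.

Added example, not from the NANOG thread. All addresses and the packet
sample are constructed; the customer prefix assignment is an assumption.
"""
import ipaddress
from collections import Counter

# Assumption: the hypothetical customer "X" is assigned this prefix by its ISP.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed victim address (RFC 5737 TEST-NET-3).
TARGET = "203.0.113.10"


def ingress_filter(packets, allowed_prefixes=CUSTOMER_PREFIXES):
    """Apply the RFC 2267 rule on the ISP's customer-facing interface.

    A packet is forwarded only if its source address lies inside a prefix
    assigned to that customer; any other source is forged and is dropped.
    Returns (forwarded, dropped).
    """
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in allowed_prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def flows_to_target(packets, target):
    """Count packets per source address toward one destination.

    This is the spike in flows "from one or several machines to one
    destination" that the attacking site's operator would be expected to
    notice when the flood is unforged.
    """
    return Counter(p["src"] for p in packets if p["dst"] == target)


# Constructed traffic sample seen on the customer-facing interface.
SAMPLE = (
    # One legitimate request plus three more from the same host: unforged.
    [{"src": "198.51.100.7", "dst": TARGET} for _ in range(4)]
    # Two packets with sources outside the customer's prefix: forged.
    + [{"src": "10.9.8.7", "dst": TARGET}, {"src": "192.0.2.55", "dst": TARGET}]
    # Unrelated legitimate traffic from another customer host.
    + [{"src": "198.51.100.200", "dst": "203.0.113.99"}]
)


def summarize(packets=SAMPLE):
    """Run the filter and return what survives it and where it is headed."""
    forwarded, dropped = ingress_filter(packets)
    return {
        "forwarded": len(forwarded),
        "dropped_forged": len(dropped),
        "flows_to_target": dict(flows_to_target(forwarded, TARGET)),
    }


if __name__ == "__main__":
    print(summarize())
```

The filter discards the two forged packets but passes all four from 198.51.100.7, which is exactly Joe Shaw's point: ingress or egress filtering removes spoofing, and the unforged flood is left for the flow count to expose at the source site.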