Nonsense. Fire it up on all the Windows 95 workstations at a few public libraries around the country, throw in a hacked screensaver running on lots of RoadRunner PCs, and you've got more bandwidth than you can shake a stick at. The whole thing could be fired off by one trip to a public library, or from a high school. You cannot draw any conclusions about this attack from the amount of bandwidth used. You will have to track down source sites, track down who hacked them, and follow the chain. Either that, or get the big providers to tcpdump their users' IRC traffic and grep for keywords; somebody will shoot his mouth off about this. This could be anybody of any level of ability, but I'm telling you that this is not in any way beyond the ability of script kiddies.

At 09:25 AM 2/9/2000 -0800, you wrote:
A simple case of denial here; T1s are not cheap. It isn't the CPU horsepower that is significant here. It is the access to the required bandwidth that makes this so worrisome.
In order to operate stealth-mode in a system, one must be on a box that has sufficient power such that the operation of your code consumes less than 3% of the box's available capacity. In addition, your network should consume less than 5% of the site's pipe, even during an attack. Remember, it appears that these hosts have been compromised for some time. Further, Sean indicates that the entire attack system was tested at least once and no one noticed. These guys have to be frugal with the assets if they want to continue using them undetected. This indicates planning and discipline. These are NOT ignorant cracker-kiddies.