On Wed, 9 Feb 2000, George Herbert wrote:
50 systems across the internet with enough CPU capacity to near-fill a T-1 on a sustained basis with identical HTTP requests. Which is to say any modern multi-hundred-MHz RISC or x86 box with a reasonable OS, not really "largish". The processing needed in the OS TCP and IP stacks on the attacking system is most of the effort, and we're only talking in rough numbers 1,000 connects/sec for the attacker.
Now I haven't seen these DDoS "tools", but if you want to imagine something really scary, imagine one exists that works like this:

- attacker scans for the known OS vulns that will cough up a "#" prompt
- attacker installs root kit with DDoS tool
- that tool runs as a daemon that has the following features:
  - remote 'admin' via icmp (payload of echo-request includes password, host to attack, duration of attack)
  - daemon launches the http "GET" flood as described earlier based on the info contained in that icmp echo-request
  - daemon continues this attack as prescribed with no further intervention

So the attacker need only send a few packets to each compromised host to cause extreme amounts of damage. How would you track down the attacker? Sure, you could slowly find the compromised hosts and block them. You could even then look for where the icmp "control" message that starts the thing comes from, but if it's a one-way control channel, the source the attacker sends the control packet from could easily be forged and you could easily miss the one magic 'ping' that starts the thing off...

The idea of such a tool is scary, and from what I've read about TFN and friends, it seems that they could be modified to work as outlined above. The worst thing about any effective DoS is, in my mind, the lack of an identifiable "attacker".

Charles

=-----------------------------------------------=
| Charles Sprickman           Internet Channel  |
| INCH System Administration Team (212)243-5200 |
| spork@inch.com                access@inch.com |
=-----------------------------------------------=
-george william herbert gherbert@crl.com
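The thread describes two things a defender could look for: a host issuing GET requests at a rate no real browser produces (the ~1,000 connects/sec figure above), and ICMP echo-requests whose payload is structured text rather than the repeating filler a stock ping tool sends. The following is an added example, not code from either poster or from any DDoS tool; it runs two simple detectors over constructed flow records. The record format, the 10.0.0.x / 192.0.2.x / 203.0.113.x addresses, the 100 GETs/sec threshold, and the separator-character heuristic for "non-ping" payloads are all assumptions chosen for illustration, not values from the thread.

```python
"""Toy detectors for the two symptoms discussed in the thread:
a per-source HTTP GET flood and an ICMP echo-request carrying a
text payload unlike normal ping filler. Sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample flow records (not from the original thread).
# Fields: second, protocol, source, destination, detail.
# 10.0.0.5 issues hundreds of GETs per second at one target (flood
# participant); 10.0.0.7 behaves like a normal client; one echo-request
# from 203.0.113.9 carries structured text instead of ping filler.
SAMPLE_RECORDS = "\n".join(
    ["1000 TCP 10.0.0.5 192.0.2.10 GET /"] * 250
    + ["1001 TCP 10.0.0.5 192.0.2.10 GET /"] * 300
    + [
        "1000 TCP 10.0.0.7 192.0.2.10 GET /index.html",
        "1000 TCP 10.0.0.7 192.0.2.10 GET /logo.gif",
        # Alphabet filler as sent by several stock ping implementations.
        "1000 ICMP 10.0.0.7 10.0.0.5 ECHOREQ payload=abcdefghijklmnopqrstuvwabcdefghi",
        # Hypothetical structured payload (constructed for the test, not a real tool's format).
        "1002 ICMP 203.0.113.9 10.0.0.5 ECHOREQ payload=start;600;192.0.2.10",
    ]
)

# Assumed tuning value: GETs per (source, destination) per second that no
# interactive client would reach. Real deployments would tune this per site.
GET_RATE_THRESHOLD = 100

RECORD_RE = re.compile(r"^(\d+) (TCP|ICMP) (\S+) (\S+) (.*)$")


def parse_records(text):
    """Parse the constructed record format into (second, proto, src, dst, detail) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            sec, proto, src, dst, detail = m.groups()
            records.append((int(sec), proto, src, dst, detail))
    return records


def find_get_flood_sources(records, threshold=GET_RATE_THRESHOLD):
    """Return {(src, dst): peak GETs/sec} for pairs that exceed the threshold
    in at least one one-second bucket."""
    per_second = defaultdict(int)
    for sec, proto, src, dst, detail in records:
        if proto == "TCP" and detail.startswith("GET "):
            per_second[(src, dst, sec)] += 1
    peaks = {}
    for (src, dst, sec), count in per_second.items():
        if count > threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), count)
    return peaks


def looks_like_ping_filler(payload):
    """Heuristic (assumed, not a standard): stock ping payloads are repeating
    letters or incrementing bytes; structured text tends to carry separators."""
    return not any(ch in payload for ch in "=;:,")


def find_suspicious_echo_requests(records):
    """Return (src, dst, payload) for echo-requests whose payload fails the filler heuristic."""
    hits = []
    for sec, proto, src, dst, detail in records:
        if proto == "ICMP" and detail.startswith("ECHOREQ") and "payload=" in detail:
            payload = detail.split("payload=", 1)[1]
            if not looks_like_ping_filler(payload):
                hits.append((src, dst, payload))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (src, dst), peak in find_get_flood_sources(recs).items():
        print(f"GET flood: {src} -> {dst}, peak {peak} GET/s")
    for src, dst, payload in find_suspicious_echo_requests(recs):
        print(f"Odd echo-request: {src} -> {dst}, payload {payload!r}")
```

The GET-rate detector flags the flood participant, not the party who triggered it; as the post notes, the single control packet's source may be forged, so the echo-request heuristic at best tells you that a control message arrived and when, which is still useful for correlating the start of the flood with inbound ICMP on the compromised host's network.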