
Roeland writes:
George wrote:
Roeland wrote:
I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.
No, they don't. Assume there's 40k of data in the homepage. How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take to do a TCP connect and request? I just tested, I show 160 bytes. That's a 250:1 leverage for the attacker. To fill 1 GBPS worth of outbound trunking you only need to generate 4 MBPS (32 Mbps) worth of input. 50ish systems with T-1 connectivity get there with margins.
Okay, but you've still missed the point. Even if I stipulate everything you said here, that's still 50 largish systems that are compromised. I would almost wager that the perpetrators didn't use all of their assets either. That's a shit-load of large compromised systems on the Internet. Doesn't that thought worry you in the slightest?
50 systems across the internet with enough CPU capacity to near-fill a T-1 on a sustained basis with identical HTTP requests. Which is to say any modern multi-hundred-MHz RISC or x86 box with a reasonable OS, not really "largish". The processing needed in the OS TCP and IP stacks on the attacking system is most of the effort, and we're only talking in rough numbers 1,000 connects/sec for the attacker.

Do I believe that there exist 50 or more T-1 connected hosts with that capability level or higher which still have vendor default setups and thus are vulnerable to this sort of attack, penetration, and then use as a distributed DOS attack participant? Yes, without a doubt. 50 simultaneous sites compromised by one attacker would be on the ambitious side these days, but some of the remote exploit scripts (and corresponding known holes in vendor supplied system configs) are pretty damn easy to use and it wouldn't be out of the realm of the practical for someone to do it if they worked hard, or got a small cooperating team to work on it.

Of course the significance of this is highly worrisome. But the numbers have been in this rough performance range for attacker capabilities for several years now. That the tools used by attackers took that long to catch up is actually somewhat surprising to me, I was expecting this sort of thing some time ago.

-george william herbert
gherbert@crl.com