Stephen Wilcox wrote:
Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb, this traffic can easily be directed to take out multiple parts of a network's critical connectivity.
(removed annoying cc's)

Well, I was actually hoping Mrs. Lothberg would be the next MAE-Scandinavia backbone provider.

Do the math (anyone):

// SNIP
“The number of unique, infected hosts (bots), from which the attack is being launched by email, has also increased dramatically,” said Stewart. “They went from 2,815 in the beginning of 2007 through the end of May to a total of 1.7 million for the months of June and July.”
http://www.darkreading.com/document.asp?doc_id=130745
// END SNIP

Let's say it's exaggerated and say this botnet is 1/4 of this size: 425,000 hosts waiting for a C&C dumbarse to launch a command. Something simple, ping... 64 bytes * 425,000 hosts = 25MB ... ping -s 128 or higher? A GET|HEAD|POST|etc. would kill my server before the majority of traffic even eked its way through.

Bad scenario ... Cause a flap between two heavy peers (see Randy Bush's take on dampening/flapping). I could see this become a problem no matter what you think you can throw at it. Somewhere, someone down the line, will have something a bit misconfigured /* oops, I forgot to place tcp intercept here */ etc. and will cause some "could have been avoided if one woke up and smelled the coffee" scenario which will cause a major outage. Poop happens when you let it; why not open one's eyes now and be alert/aware of what's out there and make sure solutions are in place before it's too late.

Then again, I wonder what, outside of massive filtering on FWSMs, one can do in a situation like this. It's not like these are spoofed connections, which something like tcp intercept would be able to mitigate against. RFC1918 filtering... Useless. Different story if there was filtering on the provider side that says "Hey gee... This botnet that's 1.7 million strong is connecting on port xxxxx, let me take a pre-emptive strike and monitor this."

http://atlas.arbor.net/ +207.0% Slammer variant as of yesterday... School is what, one, two weeks away. Synonymous with all sorts of new improved crap...
I can't for the life of me figure out why some of the best engineers in the world who are on this and other networking lists shrug these things off. Makes me wonder who profits via bandwidth sales from this. Someone obviously will, irrespective of how rude, condescending it sounds.

--
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net