
Roeland wrote:
I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.
No, they don't. Assume there's 40k of data in the homepage. How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take to do a TCP connect and request? I just tested, I show 160 bytes. That's a 250:1 leverage for the attacker. To fill 1 GBPS worth of outbound trunking you only need to generate 4 MBPS (32 Mbps) worth of input. 50ish systems with T-1 connectivity gets there with margins.

[Note that this is an a priori analysis; I haven't bothered to find the attack codes in question and see if that's what they're doing, nor am I involved in any of the current operational response.]

Back in Nov 1996, when Sun was pushing WebNFS initially with the Solaris 2.6 release, I wrote up a vulnerability analysis white paper using the UDP NFS functionality and this leverage approach and sent it in to Sun. I suspect the ultimate inability to secure against it was one reason WebNFS died on the vine.

With full HTTP, you need more request bytes and a valid originating IP address since it's TCP... you need the SYN, SYNACK, ACK to work before you send the request. But there's enough leverage anyways with modern page sizes (8k was big then, it's nothing now... 40k worth of html is typical) for it to work anyways. The only downside to doing it in HTTP is that all the attacking systems are clearly identified since they have to use real routed IP addresses.

-george william herbert
gherbert@crl.com