From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Richard Steenbergen Sent: Wednesday, February 09, 2000 9:42 AM
On Wed, Feb 09, 2000 at 09:25:43AM -0800, Roeland M.J. Meyer wrote:
A simple case of denial here, T1's are not cheap. It isn't the CPU horsepower that is significant here. It is the access to the required bandwidth that makes this so worrisome.
In order to operate stealth-mode in a system, one must be on a box that has sufficient power such that the operation of your code consumes less than 3% of the box's available capacity. In addition, your network should consume less than 5% of the site's pipe, even during an attack.
This indicates one or two compromised hosts per site with 50-ish sites penetrated, at minimum (probably, 100's). I would wager that even the 50-ish
Let's quit assuming that all other operators are incompetent and start assuming the worst, that crackers got this one by "competent" SAs, shall we?
You are quite confused.
T1's are cheap, OC12s are not cheap.
From the POV of a start-up, OC12's are outrageously expensive, and the prime reason to co-lo.
These attacks often take down the attacking-victim as much as the attacked-victim; in fact, often times they run their attacks so strongly that they are unable to access the systems to stop them, which is why all the distributed attack programs have a built-in length of time for the attack to run: any signal to "stop" would often never be received.
Your numbers are totally random with no basis in reality.
About a year and a half ago (ancient times) I had a client where three of their name servers were penetrated by the MWSH program (Millennium Worm Shell). The first one exhibited just the behaviour you describe here, the second one operated at the 3% level that I indicated, and the third one stayed dormant until I provoked it. The client was all set to believe that only the one name server was compromised. Whereas all three systems were completely "owned" by MWSH. We wound up scrubbing all the DASD down to bare magnetic particles (format with 0xe5 in all sectors) and rebuilding all three systems from known good sources. We also upgraded them to BIND8 and placed specific blocks in "/tmp/..." and "/...." (fs level 0000).
You are correct that most sites do not realize they are participating even after a huge attack that cripples BOTH networks.
How could this be? If a host goes into overload and the network is congested, one would think that there is something screwy going on ...
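The thread above turns on two detection points: a flooding host that saturates its own pipe is obvious, while an agent that keeps itself under a few percent of the site's bandwidth is not, and most sites notice neither. The script below is an added example written for this page, not code from any participant in the thread. It takes constructed per-host outbound byte counters, converts them to link utilization against an assumed T1 (1.544 Mbit/s) and an assumed 60-second sampling interval, and flags a host either when its utilization crosses an absolute "loud" threshold or when its volume jumps well above its own baseline even though it stays far below the pipe. The host names, sample values and thresholds are all assumptions.

```python
"""Flag hosts whose outbound traffic suggests they are sourcing a flood.

Added illustration, not from the NANOG thread. Input is a constructed list of
(host, interval_index, bytes_out) counters such as a flow collector or SNMP
poller would produce; the link speed and thresholds are assumptions.
"""
from collections import defaultdict

LINK_BPS = 1_544_000  # assumed T1 link speed, bits per second
INTERVAL_S = 60       # assumed counter sampling interval, seconds

# Constructed samples: ns1 goes loud, ns2 stays under the radar but triples
# its own baseline, web is a busy but steady host.
SAMPLES = [
    ("ns1", 0, 2_000_000), ("ns1", 1, 2_100_000),
    ("ns1", 2, 11_000_000), ("ns1", 3, 11_500_000),
    ("ns2", 0, 300_000), ("ns2", 1, 350_000),
    ("ns2", 2, 1_200_000), ("ns2", 3, 1_250_000),
    ("web", 0, 4_000_000), ("web", 1, 4_200_000),
    ("web", 2, 3_900_000), ("web", 3, 4_100_000),
]


def utilization(bytes_out):
    """Fraction of the link consumed by bytes_out over one interval."""
    return bytes_out * 8 / (LINK_BPS * INTERVAL_S)


def classify(samples, loud=0.5, baseline_factor=3.0, baseline_intervals=2):
    """Return {host: (verdict, interval_index, utilization)} for flagged hosts.

    'loud' catches the host that is crippling its own pipe (the case the
    thread says is easy to notice). 'quiet_anomaly' catches a host that stays
    well under the link but jumps far above its own recent baseline, the
    pattern an absolute threshold alone would miss.
    """
    per_host = defaultdict(list)
    for host, _idx, bytes_out in sorted(samples, key=lambda s: (s[0], s[1])):
        per_host[host].append(bytes_out)

    findings = {}
    for host, series in per_host.items():
        # Baseline is the mean of the first few intervals for this host.
        base = sum(series[:baseline_intervals]) / baseline_intervals
        for idx in range(baseline_intervals, len(series)):
            bytes_out = series[idx]
            util = utilization(bytes_out)
            if util >= loud:
                findings[host] = ("loud", idx, util)
                break
            if base > 0 and bytes_out >= baseline_factor * base:
                findings[host] = ("quiet_anomaly", idx, util)
                break
    return findings


if __name__ == "__main__":
    for host, (verdict, idx, util) in sorted(classify(SAMPLES).items()):
        print(f"{host}: {verdict} at interval {idx}, {util:.1%} of link")
```

The absolute threshold is what an operator watching interface graphs would see; the per-host baseline comparison is what makes the dormant or throttled agent visible, since it compares a host against itself rather than against the pipe.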