RE: Yahoo offline because of attack (was: Yahoo network outage)
For purposes of this kind of attack, bandwidth is *FREE*.

Remember what we're positing here:

1) The attacks come from compromised sites.
2) The trigger is a single ICMP packet sent to each of those sites.

You could run this over a 14.4k modem, no problem. You could run this over a Palm Pilot, plugged into a pay phone. You could run this from a PC sitting in your local public library, for free.

It just takes setup time, and that can be done by writing a program that does something else, and has this lying in wait.

Or, an ActiveX control sitting on a site somewhere that fires up when it's hit and attacks. Put some information on the site (DeCSS info, maybe?), post a link on Slashdot so lots of folks hit it, and whammo, hundreds or even thousands of dupes running Internet Explorer suddenly use all their bandwidth launching bits of your attack.

200 dupes with 33.6k modems can flood a T1. 200 dupes with 512k ADSL can flood multiple T3s. 200 dupes with Road Runner can flood OC-[insert small integer here]. Multiply by your worst nightmares.

Again, the fact that X amount of bandwidth was consumed tells us *NOTHING* about the nature of the attack. (Which is the only point I'm arguing, here, and is the fallacy the initial poster fell victim to.)

At 12:54 PM 2/9/2000 -0500, you wrote:
On the other hand, I have a 768k DSL line at home for $89/mo. Bandwidth isn't as cheap as you might think.
Again, the fact that X amount of bandwidth was consumed tells us *NOTHING* about the nature of the attack. (Which is the only point I'm arguing, here, and is the fallacy the initial poster fell victim to.)
For those of you who STILL don't agree with this.. Consider this thought:

Random user breaches 10 sites each behind a T1. This user leaves these servers up and writes a script to take the IPs out of a file and start the attack. The user publishes the script to the user's friends. One of them goes and adds another 25 hosts to the list and re-advertises it. However, this user has found sites on 10 meg ethernet being fed by a T3 and figures that 5 megs can be had from these hosts on average. This user publishes this AGAIN to someone who adds another 15.. repeat ad nauseam.

People, that's 45 hosts that are just kind of left up, open for all to use. There is no reason that there can't be HUNDREDS of hosts on that list. There is no reason that there cannot be HUNDREDS of lists with a couple of dozen hosts each. The possibility of being able to use large numbers of hosts to launch such an attack is VERY REAL.

And at that level, if you have an average of, say, 768K from 150 hosts, you are sending 115 megabits at the target. If you manage to pull 2 megs each from these (say, cable modem or something), then that goes up to 400 megs.

The possibility is there, people.. And it gets worse.

----------------------------------------------------------------------
Wayne Bouchard                                    [Immagine Your    ]
web@typo.org                                      [Company Name Here]
Network Engineer
----------------------------------------------------------------------
participants (2)
- Shawn McMahon
- Wayne Bouchard