As much as I hate to derail a rollicking good Bob Allisat conversation, I was wondering whether anyone has some insight into what happened with Yahoo. The main site (although not all properties) has been offline since 10:30 am pt Monday. It doesn't *appear* to be Global Crossing's problem, though I can't be sure. GC is mum on the phone. -Declan
To quote my NOC:

I just got off the phone with Global Center NOC. GlobalCenter Sunnyvale router is down. Both Yahoo! and Global Center are working on the problem at this time. No ETA for repair.
Yahoo seems to be down by itself, but GC (the former Exodus?) was majorly hosed for a couple of hours today, at least when seen from UUnet. This has cleared up since. The way it looked, they must have lost a larger circuit and traffic was falling back onto something smaller. I certainly heard about it from customers today.

traceroute to www.zagat.com (208.49.149.212) from XXXXXXXXXXXXX
[...]
 3  104.ATM3-0.XR1.NYC1.ALTER.NET (146.188.177.138)  3.712 ms  3.145 ms  3.052 ms
 4  195.ATM8-0-0.BR1.NYC1.ALTER.NET (146.188.177.145)  4.212 ms  5.174 ms  4.813 ms
 5  s5-0-1.ar2.JFK.gblx.net (206.132.150.129)  1122.873 ms  1073.231 ms  1101.993 ms
 6  pos3-1-155M.cr2.JFK.gblx.net (206.132.253.105)  1168.070 ms  1123.118 ms  1201.008 ms
 7  pos7-0-622M.wr2.NYC2.gblx.net (206.132.253.90)  1154.076 ms  1178.267 ms  1283.370 ms
 8  pos5-0-622M.cr1.LGA2.gblx.net (208.48.234.110)  1305.236 ms  1211.578 ms  1160.075 ms
 9  pos0-0-0-155M.hr1.LGA2.gblx.net (206.41.19.82)  1163.316 ms  1113.633 ms  1141.507 ms
10  208.49.149.212 (208.49.149.212)  1205.369 ms  1145.163 ms  1174.641 ms

traceroute to www.redhat.com (206.132.41.203) from XXXXXXXXXXXXX
[...]
 3  104.ATM3-0.XR1.NYC1.ALTER.NET (146.188.177.138)  3.720 ms  5.132 ms  4.813 ms
 4  195.ATM11-0-0.BR1.NYC1.ALTER.NET (146.188.177.153)  5.397 ms  5.801 ms  5.140 ms
 5  s5-0-1.ar2.JFK.gblx.net (206.132.150.129)  1431.172 ms  1367.087 ms  *
 6  pos3-1-155M.cr1.JFK.gblx.net (206.132.253.97)  1422.397 ms  1414.411 ms  1436.914 ms
 7  pos4-0-622M.cr2.SNV2.gblx.net (206.132.254.58)  1447.231 ms  1435.575 ms  1513.114 ms
 8  pos12-0-0-155M.hr2.SNV2.gblx.net (206.132.151.70)  1436.062 ms  1471.972 ms  1484.755 ms
 9  206.132.41.203 (206.132.41.203)  1488.684 ms  *  1456.976 ms

traceroute www.yahoo.com
traceroute to www.yahoo.com (204.71.200.75) from XXXXXXXXXXXXX
[...]
 3  104.ATM1-0.XR1.NYC1.ALTER.NET (146.188.177.130)  5.068 ms  4.354 ms  3.666 ms
 4  195.ATM11-0-0.BR1.NYC1.ALTER.NET (146.188.177.153)  4.744 ms  7.307 ms  4.936 ms
 5  s5-0-1.ar2.JFK.gblx.net (206.132.150.129)  1394.909 ms  1411.402 ms  1440.205 ms
 6  pos3-1-155M.cr1.JFK.gblx.net (206.132.253.97)  1384.353 ms  1430.991 ms  1379.290 ms
 7  * * *
 8  * * *
 9  *^C
I don't know what happened, but it just came back online.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Declan McCullagh
Sent: Monday, February 07, 2000 4:23 PM
To: nanog@merit.edu
Subject: Yahoo network outage
Yahoo told me on the phone that it's a malicious attack, and Global Center says the same thing. In Yahoo's words: "a coordinated distributed denial of service attack." We've got a brief story up at: http://www.wired.com/news/business/0,1367,34178,00.html The problem apparently originated with a router. But what kind of attack could have taken the network offline for that period of time and not affected other Global Center customers? I mean, there had to have been a gaping security hole somewhere: It looks like the routes got lost for (nearly) all of the Yahoo network, but no other non-Yahoo sites... -Declan
Declan,

This is a very complex issue, and made the DDoS BoF last night even more lively. ;-)

Read RFC2267. More people should be doing it, and most of these silly problems will go away.

- paul
http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-attacks.html

Hope that the links here help some.

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
I'd be one to argue that implementing egress filtering, as opposed to ingress filtering, would do more to stop DDoS attacks, since one of the most crippling attacks uses forged valid source addresses to start the attack (smurf/fraggle). If you stop forged packets from leaving the offending networks (which you mention in your RFC, but only to say it's impractical to do both ingress and egress filtering, and advocate ingress), the need to track attacks goes no farther than the people in Company X's dialup pool who are causing the CPU on the router to go up. However, neither ingress nor egress filtering helps stop any of the latest "seen in the wild" DDoS attacks like trinoo, tribe, etc., because the floods are all unforged packets. Though they've been sketchy on details, it sounds like these or their descendants are the likely candidates for both Yahoo and Buy.com.

Also, ingress filtering certainly doesn't help Tier3.net when their 4 inverse-muxed T1's are clogged with 20Mbps of traffic, forged or otherwise. Sure, the router is dropping the traffic like mad, but it's not going to help them unless their upstream will block the traffic as well once the attack starts. Egress filtering would stop the attack before it started if the traffic were forged. If it's just unforged traffic, you'd expect the attacking sites to notice the spike in bandwidth utilization and increased traffic flows from one or several machines to one destination, but that may be asking too much.

Unfortunately, the rush to .COM riches has brought with it a lot of people who have only half a clue as to what they're doing, if we, as the Internet community, are lucky, making the Internet landscape even more dangerous with the amount of ignorance that's out there when it comes to security issues. It should also be said that some established educational institutions seem to be having issues stopping attacks like smurf and fraggle as well.

The media certainly isn't helping, classifying all DoS attacks as packet flooding attacks, which is not the case either, though all DDoS attacks are (if you're a journalist, please feel free to ask what the difference is; I'll be more than happy to explain it).

I wish I could have made NANOG and the DDoS BoF session, but I was unable to attend due to employment issues.

--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
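As an added example (not code from the thread or from anyone posting in it), here is a small simulation of the RFC 2267 source-address filter Paul and Joe are discussing, applied to the three kinds of traffic Joe distinguishes: a smurf-style packet whose source is forged as the victim, ordinary customer traffic, and a trinoo-style flood sent from compromised hosts with their real source addresses. The customer prefix, victim address, amplifier LAN and packet mix are all constructed for the example from the RFC 5737 documentation ranges; the class and function names are mine, not a router vendor's.

```python
"""Added example: RFC 2267 / BCP 38 source-address filtering, simulated.

Not code from the NANOG thread. All addresses are constructed from the
RFC 5737 documentation ranges; the customer prefix and packet mix are
assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str    # IP source address as written on the wire
    dst: str    # IP destination address
    proto: str  # "icmp" or "udp" is all this toy needs


@dataclass
class EdgeFilter:
    """Filter on the provider router port facing one customer.

    RFC 2267 section 3: forward a packet arriving from the customer only if
    its source address lies inside the prefixes delegated to that customer.
    Whether you call this "ingress" (provider's view) or "egress"
    (customer's view), the check itself is the same.
    """
    allowed: list
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def __post_init__(self):
        self.allowed = [ipaddress.ip_network(p) for p in self.allowed]

    def accept(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in self.allowed):
            self.forwarded.append(pkt)
            return True
        self.dropped.append(pkt)
        return False


# Constructed topology: one customer holding 192.0.2.0/24, a victim at
# 203.0.113.7, and a third-party LAN 198.51.100.0/24 used as smurf amplifier.
CUSTOMER_PREFIX = "192.0.2.0/24"
VICTIM = "203.0.113.7"
AMPLIFIER_BCAST = "198.51.100.255"

CONSTRUCTED_TRAFFIC = [
    # smurf: ICMP echo to a directed broadcast with the source forged as the
    # victim, so every host on the amplifier LAN replies to the victim
    Packet(src=VICTIM, dst=AMPLIFIER_BCAST, proto="icmp"),
    Packet(src=VICTIM, dst=AMPLIFIER_BCAST, proto="icmp"),
    # ordinary customer traffic with a legitimate source
    Packet(src="192.0.2.5", dst="203.0.113.80", proto="udp"),
    # trinoo-style flood from compromised hosts inside the customer's
    # network, sent with their real source addresses
    Packet(src="192.0.2.10", dst=VICTIM, proto="udp"),
    Packet(src="192.0.2.10", dst=VICTIM, proto="udp"),
    Packet(src="192.0.2.11", dst=VICTIM, proto="udp"),
]


def run_filter(traffic=CONSTRUCTED_TRAFFIC, prefix=CUSTOMER_PREFIX):
    """Apply the filter to the traffic; return (forwarded, dropped) lists."""
    f = EdgeFilter(allowed=[prefix])
    for pkt in traffic:
        f.accept(pkt)
    return f.forwarded, f.dropped


def flood_sources(forwarded, victim=VICTIM):
    """Sources of traffic that reached the victim through the filter.

    The filter forced these to be genuine customer addresses, so the
    victim's upstream can name the offending hosts instead of chasing a
    forged address. The flood itself is not stopped, which is Joe's point.
    """
    return sorted({p.src for p in forwarded if p.dst == victim})


if __name__ == "__main__":
    fwd, drp = run_filter()
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    print("attributable flood sources:", flood_sources(fwd))
```

Run as a script it reports two forged smurf packets dropped and four packets forwarded, three of them the unforged flood; the filter's value against that flood is attribution, not prevention.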
On Tue, 8 Feb 2000, Joe Shaw wrote:
Also, ingress filtering certainly doesn't help Tier3.net when their 4 inverse-muxed T1's are clogged with 20Mbps of traffic, forged or otherwise. Sure, the router is dropping the traffic like mad, but it's
As I've seen it, Tier1.net and Tier2.net don't really care until it burns up all of their available exchange/peering bandwidth with the outside world. They're too profit driven to notice the impact they're making on others. If it were not so, or they actually had the headroom in bandwidth *AND* router CPU, they (AS174 for example!) would implement ingress filtering when at minimum, a peer asked them to. AS174, look back to 1995 when I was (stupid for being your customer to start with) taking 45Mb/s at each of your borders and you *REFUSED* to block it there AND/OR at the router we peered with!
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Shaw
Sent: Tuesday, February 08, 2000 9:20 PM
To: Paul Ferguson
I'd be one to argue that implementing egress filtering, as opposed to ingress filtering, would do more to stop DDoS attacks since one of the
X's dialup pool who are causing the CPU on the router to go up. However, neither ingress nor egress filtering helps stop any of the latest "seen in the wild" DDoS attacks like trinoo, tribe, etc., because the floods are all unforged packets. Though they've been sketchy on details, it sounds
You've nailed the heart of the problem right here and never noticed. It is significant that the packets were NOT forged. IOW, they were legitimate packets of sufficient number to cap those very large pipes. I recently performed the Platform Architect role in a large .COM deployment. As part of site evaluation I had a chance to visit the facility where eBay is hosted. In fact, that is the same facility that I wound up using. Lots of dark-fiber capacity and over 20 Gbps capacity at the facility and they support 10000baseSX back planes. I swear that I saw a few Cat 6509's in eBay's racks. This means 1 Gbps pipes, scalable in 1 Gbps increments, using gig-Ether link aggregation.
before it started if the traffic were forged. If it's just unforged traffic, you'd expect the attacking sites to notice the spike in bandwidth utilization and increased traffic flows from one or several machines to one destination, but that may be asking too much.
Gentlemen, this is a very large site, with plenty of spare capacity. It is significant that those pipes were capped, via excessive, non-forged, traffic. Although it speaks well for the infrastructure that delivered that traffic, it also scares the shit out of me. There are a very large number of very large systems, sitting behind some very large pipes, that are compromised. Think about that for a moment. These are not small machines deployed by college kids and internet newbies. No one trusts the operation of a $1.5M Sun e6500 by a group of rookies. They can probably afford to hire the best SA's that they can find and no one running equipment behind anything larger than a T1 can afford to hire the ignorant. Not at the prices charged for that size of a pipe. Just the same, those systems were compromised.
Unfortunately, the rush to .COM riches has brought with it a lot of people who have only half a clue as to what they're doing, if we, as the Internet community, are lucky, making the Internet landscape even more dangerous with the amount of ignorance that's out there when it comes to security issues. It should also be said that some established educational institutions seem to be having issues stopping attacks like smurf and fraggle as well. The media certainly isn't helping, classifying all DoS attacks as packet flooding attacks, which is not the case either, though all DDoS attacks are (if you're a journalist, please feel free to ask what the difference is; I'll be more than happy to explain it).
I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.

I suspect that this is not a kiddie-cracker activity. It is too well planned and carried out with too much discipline, over too long a time. I suspect that whoever is doing this has been silently "owning" systems for the past 18 months. I suggest that everyone start looking for signs of mwsh and its cousins. Because, I further suspect that the perpetrators have NOT used all of their assets. There are still a good many systems that are compromised, and not taking part in the current fracas; we just haven't found them yet.
Recent finds on backbones are multipliers that seem to add to the problem.

--
Henry R. Linneweh
On Wed, Feb 09, 2000 at 12:02:34AM -0800, Roeland M.J. Meyer wrote:
No one trusts the operation of a $1.5M Sun e6500 by a group of rookies. They can probably afford to hire the best SA's that they can find and no one running equipment behind anything larger than a T1 can afford to hire the ignorant. Not at the prices charged for that size of a pipe.
I beg to differ. I've seen a large number of .com's which have mega gear, and minor-league SA's. The problem is that a lot of .com's seem to think that the vendor will be able to solve their serious problems, or that they can just hire some "certified" SA's to do the job.

--
[ Jim Mercer                jim@reptiles.org         +1 416 506-0654 ]
[ Reptilian Research -- Longer Life through Colder Blood              ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
You can differ all you want, but I've never seen a large .COM deployment without at least one senior SA swinging the clue-bat, backed up by a network planner and a senior architect. How do you think they write all that code and have it work? Design is much more difficult than maintenance and takes more skilled personnel.

-----Original Message-----
From: Jim Mercer [mailto:jim@reptiles.org]
Sent: Wednesday, February 09, 2000 12:59 AM
To: Roeland M.J. Meyer
Cc: Joe Shaw; Paul Ferguson; Declan McCullagh; nanog@merit.edu
Subject: Re: Yahoo offline because of attack (was: Yahoo network outage)
On Wed, 9 Feb 2000 01:09:14 -0800 "Roeland M.J. Meyer" <rmeyer@mhsc.com> wrote:
You can differ all you want, but I've never seen a large .COM deployment without at least one senior SA swinging the clue-bat, backed up by a network planner and a senior architect. How do you think they write all that code and have it work? Design is much more difficult than maintenance and takes more skilled personnel.

Only if the design was a good one. If it's a bad one, maintenance can be a nightmare. [And few designers want to do post-deployment maintenance, as it's traditionally an operator's job.]

--
Neil J. McRae - Alive and Kicking
neil@DOMINO.ORG
If anything, the more mega the gear, the more minor-league the SAs.

Dirk
I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.

I've seen instances where workstations of experienced people had been compromised for considerable periods of time without their knowledge. This, to me, is not surprising. My view of security is that it's all about trust. Major public servers are watched quite closely simply as a result of the attention that has to be given to the applications they support. However, those same administrators generally don't watch smaller, auxiliary systems (i.e., a third nameserver several thousand miles away that serves no other function). Consider the responsibility of a corporate security dude and IT guys who are trying to watch over the network used by 3 or 4 thousand employees, most of whom have desktop computers and few of whom know how to do more than email 3 meg Excel files to 30 or 40 people all over the corporate network several times a day. If the network is not kept absolutely tight, everything is a risk. I always work from the maxim (and those I work with have heard this at least a hundred times before) that "the easiest way to break into one computer is to break into another computer that it trusts." (e.g. personal workstations... how many times have you looked at your process table this week?)

----------------------------------------------------------------------
Wayne Bouchard            [Imagine Your      ]
web@typo.org              [Company Name Here ]
Network Engineer
----------------------------------------------------------------------