Re: Yahoo offline because of attack (was: Yahoo network outage)
Roeland wrote:
> I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.
No, they don't. Assume there's 40k of data in the homepage. How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take to do a TCP connect and request? I just tested, I show 160 bytes. That's a 250:1 leverage for the attacker. To fill 1 Gbps worth of outbound trunking you only need to generate 4 MB/s (32 Mbps) worth of input. 50ish systems with T-1 connectivity get there with margins.

[Note that this is an a priori analysis; I haven't bothered to find the attack codes in question and see if that's what they're doing, nor am I involved in any of the current operational response]

Back in Nov 1996 when Sun was pushing WebNFS initially with the Solaris 2.6 release, I wrote up a vulnerability analysis white paper using the UDP NFS functionality and this leverage approach and sent it in to Sun. I suspect the ultimate inability to secure against it was one reason WebNFS died on the vine.

With full HTTP, you need more request bytes and a valid originating IP address since it's TCP... you need the SYN, SYNACK, ACK to work before you send the request. But there's enough leverage anyways with modern pagesizes (8k was big then, it's nothing now... 40k worth of html is typical) for it to work anyways. The only downside to doing it in HTTP is that all the attacking systems are clearly identified since they have to use real routed IP addresses.

-george william herbert
gherbert@crl.com
From: George Herbert [mailto:gherbert@crl.com]
Sent: Wednesday, February 09, 2000 12:52 AM
To: Roeland M.J. Meyer

> Roeland wrote:
> > I smell denial here. The compromised systems (only 52?) had to have access to pipes at least 1 Gbps in size, in order to carry out this attack (do the math yourself). Either there were many more systems participating (in itself a scary thought) or many of these large and professionally run systems are owned and their operators don't know it. The only other alternative is the conspiracy theory from hell.
>
> No, they don't. Assume there's 40k of data in the homepage. How many bytes of SYN-SYNACK-ACK-GET / HTTP/1.0\n does it take to do a TCP connect and request? I just tested, I show 160 bytes. That's a 250:1 leverage for the attacker. To fill 1 Gbps worth of outbound trunking you only need to generate 4 MB/s (32 Mbps) worth of input. 50ish systems with T-1 connectivity get there with margins.
Okay, but you've still missed the point. Even if I stipulate everything you said here, that's still 50 largish systems that are compromised. I would almost wager that the perpetrators didn't use all of their assets either. That's a shit-load of large compromised systems on the Internet. Doesn't that thought worry you in the slightest?
On Wed, Feb 09, 2000 at 01:20:13AM -0800, Roeland M.J. Meyer wrote:
> Okay, but you've still missed the point. Even if I stipulate everything you said here, that's still 50 largish systems that are compromised. I would almost wager that the perpetrators didn't use all of their assets either. That's a shit-load of large compromised systems on the Internet. Doesn't that thought worry you in the slightest?
You've all missed the point. I've done a fair bit of research into this, and I would put my money on the numbers looking something like this:

75-200 compromised systems
90% on 10Mbps ethernet
Around 75% on compromised university servers and dorm ethernets
Around 24% on compromised commercial connections, 1% other

Somewhere around 35-40% of these will be non-US, a large number of .fi and .se universities where gov't funding has produced large university backbones, and these are often the ones with the most direct bandwidth being applied to the victim.

The compromises will be done through standard script kiddie methods (I highly suspect the recent influx of compromised attack hosts is directly linked to the discovery of more and more remote bind exploits which can be easily AXFR'd and scanned for script-kiddie style): bind, imap, qpopper, anything that someone can write a scanner script for and they can fire off against fast places they think might net them more attack-shells.

I suspect the numbers of the attack are closer to 600-800Mbps and people like to round up. I also suspect that there are very few "real" numbers of the attacks since 5 minute averages and MRTG are very bad at getting these things accurately (especially when routers are bogged down or unreachable). You'll see some hosts putting out more bandwidth than others, but probably around 40 will be the primary smurf "bandwidth generators", doing about 6-8Mbps, and getting amplified.

--
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA