mSQL Attack/Peering/OBGP/Optical exchange

Rubens Kuhl Jr. rkjnanog at ieg.com.br
Mon Jan 27 00:33:24 UTC 2003



----- Original Message -----
| One other consideration is that optical IXs will have a greater
| impact on the internet, possibly good and bad.  With larger circuit
| sizes of OC48 and OC192 for peering.  An attack would have a greater
| ability to flood more traffic.  A failure of a peering session here
| would cause a reroute of greater traffic.  A possible benefit might be
| that larger circuit sizes might mean that an attack might not be able
| to overwhelm the larger capacities especially if backbone sizes are
| the constricting factor, not peering circuits or optical VPN circuits
| at the optical IX.

Although this MS-SQL worm used a lot of bandwidth because of the embedded
exploit code, usually worms scan first and try exploiting after. Such a scan
requires few bytes, so even a T-3 would carry a lot of host scans per
second, and could cause many routers to die on the receiving end because of
packets-per-second or new-arps-per-second or syslogs-per-second
limitations.

I think the worst danger of large circuits would be the uplink capacity; a
bunch of infected hosts would easily fill up a T-3 trying to scan for new
hosts to attack, limiting the worm's propagation speed, but an OC-192 might
end up carrying all of the scan traffic and infect more hosts faster.


Rubens




