ONS - The few the proud ... the sleeping

J. Oquendo sil at infiltrated.net
Thu Aug 16 15:22:06 UTC 2007


Stephen Wilcox wrote:

> 
> Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a network's critical connectivity.

(removed annoying cc's)

Well I was actually hoping Mrs. Lothberg would be the next
MAE-Scandinavia backbone provider. Do the math (anyone):

// SNIP

“The number of unique, infected hosts (bots), from which the attack is
being launched by email, has also increased dramatically,” said Stewart.
“They went from 2,815 in the beginning of 2007 through the end of May to
a total of 1.7 million for the months of June and July.”

http://www.darkreading.com/document.asp?doc_id=130745

// END SNIP

Let's say it's exaggerated and say this botnet is 1/4 of this size:
425,000 hosts waiting for a C&C dumbarse to launch a command. Something
simple like ping... 64 bytes * 425,000 hosts = 25MB ... ping -s 128 or higher?
A GET|HEAD|POST|etc would kill my server before the majority of traffic
even eked its way through. Bad scenario ... Cause a flap between two
heavy peers (see Randy Bush's take on dampening/flapping). I could see
this becoming a problem no matter what you think you can throw at it.

Somewhere, someone down the line, will have something a bit
misconfigured/*oops I forgot to place tcp intercept here*/etc and will
cause some "could have been avoided if one woke up and smelled the
coffee" scenario which will cause a major outage. Poop happens when you
let it; why not open one's eyes now and be alert/aware of what's out
there and make sure solutions are in place before it's too late.

Then again, I wonder what, outside of massive filtering on FWSMs, one can
do in a situation like this. It's not like these are spoofed connections
which something like tcp intercept would be able to mitigate against.
RFC1918 filtering... Useless. Different story if there was filtering on
the provider side that says "Hey gee... This botnet that's 1.7 million
strong is connecting on port xxxxx, let me take a pre-emptive strike and
monitor this."

http://atlas.arbor.net/

+207.0 % Slammer variant as of yesterday... School is what, one or two weeks
away. Synonymous with all sorts of new improved crap... I can't for the
life of me figure out why some of the best engineers in the world who
are on this and other networking lists shrug these things off. Makes me
wonder who profits via bandwidth sales from this. Someone obviously will,
irrespective of how rude and condescending it sounds.



-- 
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net

