From owner-freebsd-hackers Tue Feb 8 20: 2:55 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by builder.freebsd.org (Postfix) with ESMTP id A6F32429E for ; Tue, 8 Feb 2000 15:53:25 -0800 (PST)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id PAA60082; Tue, 8 Feb 2000 15:52:50 -0800 (PST) (envelope-from dillon)
Date: Tue, 8 Feb 2000 15:52:50 -0800 (PST)
From: Matthew Dillon
Message-Id: <200002082352.PAA60082@apollo.backplane.com>
To: Ed Hall
Cc: Luoqi Chen, hackers@FreeBSD.ORG
Subject: Re: Yahoo under attack
References: <200002082046.MAA26424@screech.weirdnoise.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:If you want to read some more about this in the mainstream press, check
:out:
:
: http://www.washingtonpost.com/wp-dyn/business/A23174-2000Feb7.html
: http://news.cnet.com/news/0-1005-200-1544455.html
: http://news.cnet.com/news/0-1005-200-1543918.html
:
:The NY Times coverage is reasonable as well (though you have to be
:registered to view it on their site).
:
:The AP report (which you'll find in many newspapers) was fairly reasonable
:to start, but sometime during the night the AP reporter decided to add
:a bit from a self-proclaimed security expert about Yahoo!'s lack of
:preparation and management. I'll let you decide if he's qualified to
:comment (the security expert's website is at www.tscm.com).
:
:As a Yahoo! employee there isn't any more I can (or reasonably should)
:say. But I'll say one more thing anyway: FreeBSD wasn't the problem,
:here. It has been, and will continue to be, part of the solution.
:
:    -Ed

    Over the years BEST was attacked quite often. The routers were attacked, the machines were attacked, and so forth, a couple of times a month.

    Most of the attacks were impossible to trace due to source IP spoofing. Even when they went on for long periods of time (as in hours), neither MCI nor Alternet was ever able to track down the sources, or even really tried very hard to do so.

    There is only one way to stop this sort of attack, and that is to get on the various backbones' asses (MCI, Alternet, SprintLink, and so forth) and tell them to friggin enforce source filtering on all their border gateways (i.e. so people inside can only spoof IPs that fall in their own address space, thus leaving them traceable). These sorts of attacks have been well understood for years, but virtually no action has been taken to make them traceable. Cisco has a few tricks these days, but the real problem is that source filtering on border routers is an option rather than a requirement.

    Yahoo is big enough that it should be able to apply the appropriate pressure to finally get some action on this problem. BEST was never big enough to apply any significant pressure.

					-Matt
					Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
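The check the message asks the backbones to enforce on their customer-facing border interfaces, as an added example that is not part of the original post: a source-address ingress filter that admits a packet only if its claimed source falls inside the address space assigned to the interface it arrived on, and records the ingress interface for anything it drops, which is what makes a spoofing customer traceable. The router, interface names, prefixes and packets below are constructed for the example, and the check is written as plain Python rather than as any vendor's router configuration.

```python
"""Source-address ingress filter for a customer-facing border router.

Added example, not code from the original mailing-list post. The interface
table, prefixes and packets are constructed for illustration (documentation
address blocks are used throughout).
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple

# Hypothetical border router: each customer-facing interface maps to the
# address space the provider has assigned to that customer. Only packets
# whose source lies in that space may enter on that interface.
INTERFACE_PREFIXES = {
    "eth1": [ip_network("198.51.100.0/24")],                              # customer A
    "eth2": [ip_network("203.0.113.0/25"), ip_network("203.0.113.128/26")],  # customer B
}


class Packet(NamedTuple):
    iface: str  # interface the packet arrived on (known to the router)
    src: str    # source address claimed in the IP header (attacker-controlled)
    dst: str


class Verdict(NamedTuple):
    packet: Packet
    accepted: bool
    reason: str


def ingress_ok(iface: str, src: str, table=INTERFACE_PREFIXES) -> bool:
    """Return True if src may enter on iface: the source must fall inside a
    prefix assigned to that interface. Unlisted interfaces fail closed."""
    prefixes = table.get(iface)
    if prefixes is None:
        return False
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # malformed source field: drop
    return any(addr in net for net in prefixes)


def filter_packets(packets, table=INTERFACE_PREFIXES) -> List[Verdict]:
    """Apply the ingress check to each packet. A drop record names the
    interface the packet physically arrived on, so a spoofed source is
    attributed to the customer port it really came from, whatever the
    header claims."""
    verdicts = []
    for p in packets:
        if ingress_ok(p.iface, p.src, table):
            verdicts.append(Verdict(p, True, "source within assigned space"))
        else:
            verdicts.append(Verdict(p, False, f"spoofed source on {p.iface}"))
    return verdicts


def spoofing_interfaces(verdicts) -> Dict[str, int]:
    """Count drops per ingress interface: the customer ports that are spoofing."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        if not v.accepted:
            counts[v.packet.iface] = counts.get(v.packet.iface, 0) + 1
    return counts


# Constructed traffic sample: two legitimate packets and three spoofed ones
# aimed at a target in 192.0.2.0/24.
SAMPLE_PACKETS = [
    Packet("eth1", "198.51.100.7", "192.0.2.10"),    # legitimate, customer A
    Packet("eth1", "203.0.113.5", "192.0.2.10"),     # spoofed: customer B's space
    Packet("eth1", "192.0.2.77", "192.0.2.10"),      # spoofed: the target's own space
    Packet("eth2", "203.0.113.130", "192.0.2.10"),   # legitimate, customer B
    Packet("eth2", "203.0.113.200", "192.0.2.10"),   # spoofed: not assigned to customer B
]

if __name__ == "__main__":
    results = filter_packets(SAMPLE_PACKETS)
    for v in results:
        action = "ACCEPT" if v.accepted else "DROP  "
        print(f"{action} {v.packet.iface} {v.packet.src} -> {v.packet.dst} | {v.reason}")
    print("drops per ingress interface:", spoofing_interfaces(results))
```

The table is keyed by ingress interface rather than by source address on purpose: the interface is the one fact the router knows about a packet that the sender cannot forge, so the drop log points straight at the customer port, which is the traceability the message says was missing. Transit interfaces carrying the whole Internet cannot be filtered this way and would need their own entries or exemption; this toy fails closed on interfaces it has not been told about.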