Date: Fri, 21 Jan 2000 15:49:49 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Brad Guillory <round@baileylink.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Some observations on stream.c and streamnt.c Message-ID: <200001212349.PAA64869@apollo.backplane.com> References: <Pine.BSF.4.10.10001211649440.4460-100000@tetron02.tetronsoftware.com> <200001212258.OAA64329@apollo.backplane.com> <20000121171759.D56672@baileylink.net>
:> a single incoming T3 never had much of an effect, it was only those
:> attacks that came over multiple T3's (generally ping-broadcast attacks)
:> that we worried about.
:>
:> -Matt
:
:I don't understand how a "script kiddie" is going to garner the bandwidth
:to run an attack into the multi-megabit range. This is not a leveraged
:attack (right?). What kind of packet rate are we talking about to reboot
:a system? I understand that this will depend on the equipment, but I am
:interested in any numbers that would allow me to evaluate the real impact
:that this DOS will have. Most people that have enough bandwidth to launch
:a multi-megabit attack have better things to do than (or is it then) to pick
:on me.
:
:Thanx all,
:BMG

    Ah, welcome to the shady world of the IRC hacker. While I was still
    at BEST, IRC weenies were able to mount 80+ MBit attacks on us fairly
    easily. We recorded a number of 100 MBit+ attacks as well. In fact, in
    the last two years I was there the high-bandwidth attacks became much
    more prevalent as more and more rootable internet sites became better
    connected.

    There are several ways to do it:

    * First, ping-broadcast-response attacks. In this attack the IRC
      weenie finds networks which have machines on them which accept
      broadcast pings. All the machines on the network in question then
      respond to the ping. So one spoofed packet can cause several dozen,
      even a hundred or more packets to be directed to the victim.

    * Second, compromised accounts. There are thousands of machines on
      the net and hundreds of thousands of compromised accounts, and there
      are also a lot of machines for which root has been broken. Script
      kiddies pass around account logins and passwords and are generally
      able to mount attacks from several well-connected machines
      simultaneously, both spoofed attacks and non-spoofed attacks.
      Universities and ISPs generally have rampant compromised machines
      and some of these, such as MIT, have hundreds of megabits of
      bandwidth to the internet. These are often the source of
      high-bandwidth attacks (not perpetrated by students so much as
      perpetrated by IRC weenies who have compromised the machines).

    Accounts are compromised in any number of ways.

    The #1 problem is that a user will telnet into a machine from another
    machine or network that has been compromised, thus compromising his
    ISP account. For example, from a public library.

    The #2 problem is that compromised accounts are used to obtain
    encrypted password files, which are then decrypted. There are any
    number of holes that allow script kiddies to get ahold of encrypted
    passwords without necessarily breaking root.

    The #3 problem is that an ISP's machine will wind up having its root
    compromised. Every time a new hole is found, ISPs have to run to get
    it closed. The most recent example is the bind/named hole. Even
    though I don't work at BEST any more I still have friends there that
    do, and they covered that hole pretty damn quick. But other ISPs and
    universities have probably not been so fortunate. Each hole generally
    results in at least several hundred machines across the U.S. (and the
    world) being broken into. Probably more. But an even greater number
    of installations don't even bother keeping their machines up to date.
    So there are always plenty of machines for IRC weenies to break into.

						-Matt
						Matthew Dillon
						<dillon@backplane.com>
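The ping-broadcast-response (smurf) amplification Matt describes in the first bullet has a simple detection signature on the victim's side: a burst of ICMP echo replies with the same ICMP id/sequence arriving from many distinct hosts, for a request the victim never sent. The following is an added example, not code from the thread or from FreeBSD; it reads a simplified, constructed ICMP log format (one packet per line: timestamp, source, destination, type, id, seq) rather than any real tool's output, and the addresses in the sample are constructed from documentation ranges.

```python
"""Detect smurf-style (directed-broadcast ICMP) amplification in an ICMP log.

Added example for the thread above; not from the original mail.
Constructed log format (one ICMP packet per line, not a real tool's output):

    <epoch-seconds> <src-ip> <dst-ip> <type> <icmp-id> <icmp-seq>

where <type> is "echo-request" or "echo-reply".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpRecord:
    ts: float
    src: str
    dst: str
    kind: str      # "echo-request" or "echo-reply"
    icmp_id: int
    seq: int


def parse_icmp_log(text: str) -> list[IcmpRecord]:
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, kind, icmp_id, seq = parts
        if kind not in ("echo-request", "echo-reply"):
            continue
        try:
            records.append(IcmpRecord(float(ts), src, dst, kind, int(icmp_id), int(seq)))
        except ValueError:
            continue
    return records


def find_amplified_replies(records: list[IcmpRecord], victim: str,
                           min_responders: int = 10) -> list[dict]:
    """Flag (id, seq) pairs for which many distinct hosts send echo-replies
    to `victim` although `victim` never sent the matching echo-request.

    A normal ping yields one reply per request, from one host. In a smurf
    attack the attacker spoofs the victim's address on a request sent to a
    subnet's broadcast address, so every host on that subnet replies to the
    victim. With one spoofed request producing N replies, the number of
    distinct responders per (id, seq) is the amplification factor.
    """
    sent: set[tuple[int, int]] = set()
    repliers: dict[tuple[int, int], set[str]] = defaultdict(set)
    for r in records:
        key = (r.icmp_id, r.seq)
        if r.kind == "echo-request" and r.src == victim:
            sent.add(key)
        elif r.kind == "echo-reply" and r.dst == victim:
            repliers[key].add(r.src)
    findings = []
    for key, sources in repliers.items():
        if key not in sent and len(sources) >= min_responders:
            findings.append({
                "icmp_id": key[0],
                "seq": key[1],
                "responders": len(sources),
                "amplification": len(sources),   # one spoofed request -> N replies
            })
    return sorted(findings, key=lambda f: -f["responders"])


VICTIM = "203.0.113.10"   # constructed victim address (RFC 5737 documentation range)


def build_sample_log() -> str:
    """Constructed sample: one legitimate ping exchange, then 40 hosts on a
    /24 answering a broadcast ping whose source was spoofed as the victim."""
    lines = [
        "1000.0 203.0.113.10 10.0.0.5 echo-request 100 1",
        "1000.1 10.0.0.5 203.0.113.10 echo-reply 100 1",
    ]
    for n in range(1, 41):
        lines.append(f"1001.{n:02d} 192.0.2.{n} 203.0.113.10 echo-reply 7 0")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_amplified_replies(parse_icmp_log(build_sample_log()), VICTIM):
        print(finding)
```

Run stand-alone it reports the id 7 / seq 0 burst (40 responders, no matching request from the victim) and stays silent on the legitimate id 100 exchange. On a real border, the same logic over NetFlow or a pcap of inbound ICMP is what distinguishes a smurf reflection from a plain flood: the reply sources are real, unspoofed hosts on somebody's broadcast-enabled subnet, which is also the address list you would hand to the upstream to get that subnet fixed.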