Slashdot Mirror


Forum: The Yahoo Denial of Service

It's one of the larger news items of the day, but we've sorta avoided mentioning it here because it is really "just another Denial of Service Attack." But it's the biggest one ever. It took down Ya- 'we serve half a billion pages a day' -hoo. And they were taken down for several hours from a distributed DoS attack. What does this mean? I honestly don't know, but I figure you guys might have some opinions.

5 of 619 comments

  1. Can I sue you for negligence? by Rommel · Score: 5

    If your system is cracked, and then used to attack me, can I sue you for negligence? How else do we get companies to put proper practices in place?

    Like IP spoofing, for example. IP spoofing would more or less come to a halt if ISPs, Universities, and corporations would put some simple filters into place, preventing packets with impossible source addresses from leaving their networks.

    This distributed DOS stuff can be stopped only if *all* of the sites in the community engage in sound security practices.

  2. Re:Any suspects? by jimm · Score: 5

    Wired claims in Routers Blamed for Yahoo Outage that it was not a DoS attack; rather, it was a misconfigured router at their ISP. Anonymous source 'n everything.

    --
    Transcript show: self sigs atRandom.
  3. Re:What about prevention? by PhiRatE · Score: 5

    There are no defenses. Trust me, as someone who is deeply concerned about it and has spent a considerable amount of time investigating.

    The attack doesn't attack your firewall, it doesn't attack your boxes, it very simply attacks your bandwidth, it fills it up, completely, leaving no room for other traffic.

    It doesn't matter if your firewall drops every single packet it sees, for that matter it doesn't matter if you unplug your box, it isn't going to help at all.

    The vast number of machines that have been compromised, especially on university campuses where attention to security is limited on many boxes, and a crack can go unnoticed for months or years, give these flood networks more bandwidth than a medium-large sized ISP. If they are willing to take the risk that someone tracks them down, they can knock out most companies and for that matter, often their upstream.

    So, as an administrator, there is little you can do. Some things can help slightly, (see following) but if you get one of the larger networks pointed at you, you call your provider, get them to call their provider, and hope that they can implement some kind of filtering on their router as a temporary solution. You probably won't get far with that however.

    Things to do:

    1. log log log log log. Strange packets coming in should be logged. If you can do this, there's a chance the guy can be traced back to source if one of the IPs is on a network with a competent admin and the source of the network control packets can be found.

    2. Alert whoever you have to. If you're getting hammered, it's a crime, tell the police, look on the CERT site for more details about who you can contact if you're in this situation.

    3. close up all ports that aren't critical, from any replies. These guys function best when they can hit a wide range of ports and get replies from your box, effectively doubling the load generated by each packet. If you drop 98% of the ports on your box, that leaves most of the packet hits out in the cold, making them have to work harder. Don't be scared to start dropping whole class A/B networks if a large number of hits are coming through from them.

    4. For those using unix based firewall solutions, have a couple of scripts handy which you can use to turn off all ICMP (you should already be filtering bad ICMP, this just goes the next step), and all non-essential ports.

    5. Have syncookies on your system if available, this will help keep you working during small TCP floods.

    6. Make sure that you, as admin, have on your firewall the necessary rules to deny spoofed IPs from within your own network. If you don't, you are irresponsible and quite possibly a contributing cause to this whole mess. An internet connected network needs monitoring, no matter how well set up. Take the time to do it.

    The final verdict is there is no individual solution to this problem. If everyone implemented #6, we'd be in a lot better shape, still not brilliant but certainly a vast improvement. On the positive side, there are many brilliant minds who have observed this problem and are working on infrastructure solutions (see BOF recently etc).

    No matter how good your firewall software, script kids these days have the capability to flood your entire link. Proactive and constant vigilance is the only thing that could possibly minimise the damage.

    --
    You can't win a fight.
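The anti-spoofing filter that item 6 above and Rommel's comment (1.) both call for, written out as an added example; this is not code from the thread or from any of the posters. It models the rule on both sides of a border box: a packet leaving the site must carry one of the site's own source addresses, and a packet arriving from upstream must not claim one of them or a reserved ("bogon") address. The prefixes, the interface name and the sample packets are constructed for illustration; the iptables rendering is a Linux translation of the same policy, not the ipchains setup a 2000-era box would have run.

```python
"""Source-address sanity filter in the spirit of BCP 38 / RFC 2827.

Added example, not code from the thread. Traffic leaving the site must
carry one of the site's own source addresses; traffic entering from
upstream must not claim one of them. OUR_PREFIXES, the interface name
and the sample packets are constructed for illustration. IPv4 only.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: the address space this site is entitled to use as a source.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Addresses that should never appear as a packet source on the public Internet:
# "this" network, RFC 1918 private space, loopback, link-local, multicast and
# class E (which includes the limited broadcast address 255.255.255.255).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr: ipaddress.IPv4Address, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def check_egress(src: str) -> Tuple[str, str]:
    """Verdict for a packet leaving the site toward the upstream provider."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_PREFIXES):
        return "DROP", "bogon source address"
    if not _in_any(addr, OUR_PREFIXES):
        return "DROP", "spoofed source: not one of our prefixes"
    return "ACCEPT", "source belongs to this site"


def check_ingress(src: str) -> Tuple[str, str]:
    """Verdict for a packet arriving from the upstream provider."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_PREFIXES):
        return "DROP", "bogon source address"
    if _in_any(addr, OUR_PREFIXES):
        return "DROP", "our own address arriving from outside: spoofed"
    return "ACCEPT", "plausible external source"


def filter_packets(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """packets: (direction, source) pairs, direction being "in" or "out".
    Returns (direction, source, verdict, reason) for each packet."""
    results = []
    for direction, src in packets:
        verdict, reason = check_egress(src) if direction == "out" else check_ingress(src)
        results.append((direction, src, verdict, reason))
    return results


def iptables_rules(upstream_iface: str = "eth0") -> List[str]:
    """Render the same policy as iptables commands for a Linux border box.
    Spoofed egress is logged before it is dropped (item 1 of the list:
    the log is what lets the compromised internal host be found)."""
    rules = ["iptables -N ANTISPOOF_OUT"]
    rules += [f"iptables -A ANTISPOOF_OUT -s {p} -j RETURN" for p in OUR_PREFIXES]
    rules += ["iptables -A ANTISPOOF_OUT -j LOG --log-prefix 'SPOOF-OUT: '",
              "iptables -A ANTISPOOF_OUT -j DROP",
              f"iptables -A FORWARD -o {upstream_iface} -j ANTISPOOF_OUT"]
    rules += [f"iptables -A FORWARD -i {upstream_iface} -s {p} -j DROP"
              for p in list(OUR_PREFIXES) + BOGON_PREFIXES]
    return rules


if __name__ == "__main__":
    # Constructed sample traffic: two legitimate packets, four that should be dropped.
    sample = [("out", "192.0.2.7"), ("out", "203.0.113.9"), ("out", "10.1.2.3"),
              ("in", "203.0.113.9"), ("in", "192.0.2.7"), ("in", "127.0.0.1")]
    for direction, src, verdict, reason in filter_packets(sample):
        print(f"{direction:3} {src:>15} {verdict:6} {reason}")
    print("\n".join(iptables_rules()))
```

The egress chain is the part that protects everyone else: a compromised host inside the site can still flood, but only with source addresses that point back at the site, which is what makes the trace-back in item 1 possible.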
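Item 5 above recommends syncookies without saying why they help. The added example below (not code from the thread, and not any kernel's implementation) shows the mechanism: a listener that encodes its state into the initial sequence number of the SYN-ACK keeps no half-open entry per SYN, so a flood of SYNs from forged sources costs it nothing but the reply, while a genuine client whose final ACK carries a valid cookie still gets a connection. The field layout (5-bit time counter, 3-bit MSS index, 24-bit MAC) follows the classic design; the MSS table, tick length, HMAC-SHA256 as the MAC, the secret and the sample flows are this example's own choices and are constructed.

```python
"""Stateless SYN handling with SYN cookies.

Added example, not code from the thread. Field widths, MSS table, tick
length and the HMAC-based MAC are this example's own choices, not any
particular kernel's. All flows and secrets are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

MSS_TABLE = (536, 1024, 1440, 1460)   # constructed; 3-bit index, 4 values used
TICK_SECONDS = 64                     # time counter advances once per tick
MAX_AGE_TICKS = 1                     # cookies older than this are refused

FourTuple = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


class SynCookieListener:
    def __init__(self, secret: Optional[bytes] = None,
                 clock: Callable[[], int] = lambda: int(time.time())):
        self.secret = secret or os.urandom(32)
        self.clock = clock
        self.established: Dict[FourTuple, int] = {}   # only fully open connections

    def _counter(self) -> int:
        return (self.clock() // TICK_SECONDS) & 0x1F

    def _mac(self, flow: FourTuple, client_isn: int, counter: int, idx: int) -> int:
        # Bind the cookie to the 4-tuple, the client's ISN, the time counter
        # and the MSS index so none of them can be altered by a third party.
        msg = ("%s:%d>%s:%d:%d:%d:%d" % (*flow, client_isn, counter, idx)).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")          # 24 bits

    def on_syn(self, flow: FourTuple, client_isn: int, mss: int) -> int:
        """Return the ISN to send in the SYN-ACK. Nothing is stored."""
        idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                idx = i
        counter = self._counter()
        mac = self._mac(flow, client_isn, counter, idx)
        return ((counter << 27) | (idx << 24) | mac) & 0xFFFFFFFF

    def on_ack(self, flow: FourTuple, seq: int, ack: int) -> Optional[int]:
        """Final ACK of the handshake: seq = client_isn + 1, ack = our ISN + 1.
        Returns the negotiated MSS and records the connection, or None."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        counter, idx, mac = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
        if (self._counter() - counter) & 0x1F > MAX_AGE_TICKS:
            return None                                    # stale or replayed cookie
        if idx >= len(MSS_TABLE):
            return None                                    # index we never issue
        expected = self._mac(flow, client_isn, counter, idx)
        if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return None                                    # forged or corrupted ACK
        self.established[flow] = MSS_TABLE[idx]
        return MSS_TABLE[idx]


def flood_then_connect(n_spoofed: int = 10000) -> Tuple[int, Optional[int]]:
    """Constructed scenario: n_spoofed SYNs from forged sources that never ACK,
    then one genuine client completing the handshake. Returns
    (entries held during the flood, MSS of the genuine connection)."""
    srv = SynCookieListener(secret=b"example-secret", clock=lambda: 1_000_000)
    for i in range(n_spoofed):
        flow = ("203.0.113.%d" % (i % 254 + 1), 1024 + i, "192.0.2.10", 80)
        srv.on_syn(flow, client_isn=i, mss=1460)
    half_open = len(srv.established)                      # stays 0: no state per SYN
    flow = ("198.51.100.5", 40000, "192.0.2.10", 80)
    isn = srv.on_syn(flow, client_isn=0x1234, mss=1460)
    mss = srv.on_ack(flow, seq=0x1234 + 1, ack=isn + 1)
    return half_open, mss


if __name__ == "__main__":
    print(flood_then_connect())
```

The caveat the comment hints at with "small TCP floods" is visible here: the cookie defends the connection table, not the link. Every spoofed SYN still costs a SYN-ACK on the wire, and a flood large enough to fill the bandwidth is exactly the case the rest of the comment says no host-side setting can fix.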
  4. Links by interiot · Score: 5
    Here's some links since none were posted:

    Cyberattack Cripples Yahoo (APBNews)
    Who's Behind Yahoo Attack? (ZDNet)
    FBI talks with Yahoo! about attack (ZDNet)
    How a basic attack crippled Yahoo (CNet) (with stupid protocol animations too!)

    And in other news: A different type of DoS attack is being carried out against Yahoo. At least 40 web articles have been written so far, showing evidence of how many reporters must be calling Yahoo right now. Once the second round of DoS attacks is stopped, the techies can finally get some work done beefing up the site.

  5. Re:Packet Monkeys by evilpenguin · Score: 5

    I said it in my earlier post, but I'm going to say it again here (so, yes, mark me redundant if you must): Certainly a DoS attack can be a legitimate form of civil disobedience, but if you are going to do it as such, have the courage of your convictions and launch the attack directly from your own machines on your own network, using your real IP address. Then it's civil disobedience.

    My attitude towards Greenpeace protests would be quite a bit different if they went down to the local nursing home, yanked old people out of their beds (they're easier to handle than, say, raiding a gymnasium), and chained them to the gates of a nuclear power plant.

    When you sneak through other people's accounts, machines, and networks to both hide your identity and launch your attack, then you are effectively chaining up the elderly (metaphorically speaking, of course). For an act of civil disobedience to be an honourable act, one must openly reveal one's identity and run the risk of arrest and imprisonment. I'm not impressed if someone comes up to me and says "I told my girlfriend to chain herself to the gate. I stayed home. I had the sniffles."

    Civil disobedience by proxy is the act of a coward. A sniveling little spineless coward.

    My account info has my real name and my real primary e-mail address. I stand up for what I say. I don't lay booby-traps or hide behind other people.