Eskimo North


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Internet Denial of Service attack that affected plans A/B/D/E




     The Internet Denial of Service attack that affected dial plans A, B, D,
and E, was still going strong at 6AM pacific time when I finally went to bed,
but had stopped by 5PM, or at least had dropped off to a low enough level that
it wasn't affecting service.

     Our own dial plan L remained functional during the attack except that at
times hostname resolution was problematic owing to attacks against the root
name servers on the Internet.

     I want to state that what the popular media is reporting as the cause of
this attack is not the whole story; it might be related but it's not all that
was happening.

     The media reported this as a Virus similiar to Code Red that attacked
MsSQL servers.  It is entirely possible that a virus was used to subvert these
machines that were then later used for a distributed denial of service attack,
but it was not virus traffic itself that brought the net to it's knees.

     With Code Red, the onset was gradual and then it took months to wind down.
This is to be expected as it takes time for the virus to propogate and the
number of infected machines to grow, and then time for system administrators to
install fixes and rid their machines of the virus.

     But with this attack, and that is what this was, a huge scale distributed
denial of service attack, it started abruptly just before 10pm, and ended in
less than 24 hours.

     Further, during the attack, some of our machines were under attack and
what we saw here were SYN floods aimed at our web server, ftp server, and name
servers.  Again, not the hallmark of virus traffic.

     The attacks were heavy enough that they put substantial strain on various
backbone networks.  Our own backbone connectivity and hosts withstood the
attack but the port aggregator we used for plans A/B/D/E, YNP, did not.  While
the networks used for our host backbone, Sprint, and our dialup backbone, ELI,
were both under attack, they had sufficient capacity and redundancy in their
network to weather it.  But some other national backbone networks did not.

     Also, the attack was in part aimed at the Internet root name servers, this
caused problems resolving hostnames to IP addresses at times.  Again, NOT the
hallmark of a virus.

     This was a massive distributed denial of service attack, and I'm inclined
to believe it was not the typical bored teenager inspired attack, both because
of the scope and the targets.  The root name servers were attacked which
cripples all of the Internet, and the network that Bank America uses for their
cash machines was sufficiently crippled to render most of them inoperable.