Outage - Denial of Service Attack
- To: outages-list@eskimo.com
- Subject: Outage - Denial of Service Attack
- From: Robert Dinse <nanook@eskimo.com>
- Date: Thu, 16 Mar 2000 01:47:54 -0800 (PST)
- Newsgroups: lobby
- Resent-Date: Thu, 16 Mar 2000 01:48:03 -0800
- Resent-From: outages-list@eskimo.com
- Resent-Message-ID: <"TdBGF1.0.s9.ItAqu"@mx1>
- Resent-Sender: outages-list-request@eskimo.com
The outage the evening of 3/15/2000 was caused by a denial of service
attack aimed at eskimo and mx1.

The volume of this attack was the worst I've ever seen; it absolutely
completely saturated both T1's, to the point where the data lights on the
DSU/CSU's were blinking, and I've never seen it that bad.

I do not know the form of the attack; it could have been ICMP, UDP, or
SYN flood since the machines attacked were, by way of the services they provide,
vulnerable to all three types of attacks. Usually attacks target IRC related
systems so this was unusual.

It looked like a SYN flood because it exhausted eskimo's mbuf's, something
that can be done with a high volume SYN flood, and it caused mx1 to lock up
with no error at all.

The fact that the severity was such that it rendered both machines
inoperable made it difficult to determine the type of attack.

The attack itself lasted about fifteen minutes but we had to reboot
servers because of it and Eskimo didn't run right after being initially booted. One
file system on mx1 was corrupted and it took some time to clean that up.

The volume of packets leads me to think this was probably one of the
distributed denial of service attacks of the same genre as those which were
launched against Yahoo, eBay, and other similar sites.