
January 30, 2004

MyDoom, SCO, and the effect on the Internet at large

A kinda funny article over at Netcraft: "www.sco.com is a weapon of mass destruction". Although part of the article's purpose seems to be fun, it still brings up an interesting point: with the number of MyDoom-infected PCs out there, tomorrow may be a Bad Day for whatever IP address www.sco.com points at. And yes, the virus does use DNS to resolve the 'www.sco.com' hostname, at least according to the analysis summarized in the Trojan Horses Research digest of messages related to this virus.

Now... how long before someone writes an Apache, Squid, or IDS module that detects several HTTP GET requests for www.sco.com and blocks the sender, just in case? :)

Posted by roam at January 30, 2004 04:28 PM
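As an added illustration of the kind of module the post jokes about (this is example code written for this page, not anything from the post or from an actual Apache, Squid or IDS plugin), here is the detection half of it in Python: a sliding-window counter over forward-proxy style log lines that flags any client issuing several GET requests for www.sco.com within a short span. The log lines, the client addresses and the threshold are constructed for the example; how a flagged client is then blocked (a firewall rule, a proxy ACL) is left to the reader's environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (hypothetical client addresses) in a forward-proxy
# style where the request line carries the absolute URL. 10.0.0.5 hammers
# www.sco.com, 10.0.0.7 visits it once, 10.0.0.9 is busy with another site.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2004:12:00:00 +0000] "GET http://www.sco.com/ HTTP/1.1" 200 512
10.0.0.7 - - [01/Feb/2004:12:00:00 +0000] "GET http://www.sco.com/ HTTP/1.1" 200 512
10.0.0.5 - - [01/Feb/2004:12:00:01 +0000] "GET http://www.sco.com/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2004:12:00:01 +0000] "GET http://www.example.org/ HTTP/1.1" 200 70
10.0.0.5 - - [01/Feb/2004:12:00:02 +0000] "GET http://www.sco.com/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2004:12:00:02 +0000] "GET http://www.example.org/a HTTP/1.1" 200 70
10.0.0.5 - - [01/Feb/2004:12:00:03 +0000] "GET http://www.sco.com/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2004:12:00:03 +0000] "GET http://www.example.org/b HTTP/1.1" 200 70
10.0.0.5 - - [01/Feb/2004:12:00:04 +0000] "GET http://www.sco.com/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2004:12:00:04 +0000] "GET http://www.example.org/c HTTP/1.1" 200 70
10.0.0.9 - - [01/Feb/2004:12:00:05 +0000] "GET http://www.example.org/d HTTP/1.1" 200 70
"""

# client ident user [timestamp] "METHOD URL PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client, method, url), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, m.group("client"), m.group("method"), m.group("url")


def find_flooders(log_text, target_host="www.sco.com", threshold=5,
                  window=timedelta(seconds=60)):
    """Return {client: time_first_flagged} for every client that issues at
    least `threshold` GET requests for `target_host` within any span of
    length `window`. A per-client deque keeps only the timestamps still
    inside the window, so this is a sliding window, not a lifetime counter
    that would also trip on a legitimate but long-lived visitor."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ts, client, method, url = parsed
        if method != "GET" or urlsplit(url).hostname != target_host:
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, when in find_flooders(SAMPLE_LOG).items():
        print(f"{client} flagged at {when.isoformat()}")
```

Run on the constructed log, only 10.0.0.5 is flagged, at its fifth request. The threshold and window are the knobs a practitioner would tune against real traffic; a single request for the site is exactly what a curious human produces and must not trip the rule.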

Comments

Or could SCO just put a layer 7 switch or content switch or HTTP server load-balancer, or whatever the name of these is these days, and filter the attack in hardware, or even better direct all requests without a browser id to a TCP tarpit machine. (Remember there are relatively cheap boxes out there which can handle quite a lot of HTTP traffic.) I bet that they have already implemented something like that.
It is funny that content switch vendors are still not advertising their products as security devices :).

Posted by: Boyan at January 31, 2004 02:21 AM

So what if SCO filters that at their own side? The bandwidth will still be utilized. This seems pointless to me, like filtering an ICMP flood at the victim machine's interface :) Maybe just pointing www.sco.com to 127.0.0.1 for the duration of the attack is one of the practical solutions ...

Posted by: Delwin at January 31, 2004 05:24 PM

So, Delwin, nice to hear from you... erm, again

What you are forgetting is that
1. The attacking program is not a packet flooder but a connection flooder, and it calls the OS to do its job
2. Unlike ICMP or UDP, TCP is a stateful protocol, which means that it has a state machine and there are certain conditions for the TCP state machine to change from one state to another. It also means that the sending machine (if it is a real TCP/IP implementation and not a packet flooder) will obey the TCP state rules and blindly "trust" that it talks with another TCP stack implementation on our (receiving) side.

If we twist the rules of the game a little we can make the sending machine wait for quite some time before making a new connection. We can in fact slow down each single attacker to less than one packet per minute. Even with 300000 attackers, this is only 5000 packets per second - some mere 2 megabit/s of 40-byte packets. Too much for you?

Well I'm guessing several things here:
The attacker does not spawn multiple threads to DoS SCO. It only uses one thread, which repeatedly connects, sends, closes.
The attacker uses OS calls to do its job.

Do you think my assumptions were wrong?
Do you think that tarpitting a TCP connection is impossible?

Posted by: Boyan at January 31, 2004 11:01 PM
TrackBack
Vortices of Extelligence: Is SCO's website down?
There's a brief discussion over at Neurotech of a CNN article about the MyDoom virus DoS on SCO's website. What really bothers me about the CNN article is the implied connection between SCO's judicial pursuits, the open-source community, and the...
February 2, 2004 02:25 PM