[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On 20 Apr 2001, Ullrich Jans wrote:

> I think it is not too difficult to write a tool that scans the IP
> ranges of the big providers and roots every box it finds,
> automatically. The problem here is not the individual bandwidth of the
> machine, but the bandwidth of all the rooted boxes combined!

> Imagine that: some script kiddie cracks 10 boxes, somewhere on the
> internet. He installs that scanning software, sets each up to randomly
> scan a couple of providers. He finds 1000 boxes and uses them for some
> DDoS-attack. Just imagine: alle those boxes are ISDN. So he has 64
> MBits to play with. But the Deutsche Telekom alone has approximately
> 500k IPs, of which (just a wild guess) 400k are in use at all
> times. So he likely finds more than 1000 open boxes. 10k? 100k?

> What if he scans one of the big cable modem providers and finds 1000
> boxes sitting behind 512kBit pipes? All of a sudden, he has 512 MBits
> to play with!

* Most cable providers here in the US bandwidth-limit their customers'
  uploads.  No cable customer I know gets 512Kbps upload speeds.

* The idea of getting 512Mbps of bandwidth from a cable ISP with which to
  launch an attack against anyone but that ISP itself is laughable.  Cable
  ISPs take oversubscription to a whole new level.  You might be able to find
  a cable ISP that has a T3 uplink for those 1000 customers; two T3's if
  you're lucky.  That's 90Mbps max, not 512Mbps.

A T3 used as a DDoS weapon is still nothing to sniff at, true; but around here
at least, it takes quite a bit more work to squeeze a T3's-worth of bandwidth
out of a cable provider.

Steve Langasek
postmodern programmer

Reply to: