Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On 20 Apr 2001, Ullrich Jans wrote:
> I think it is not too difficult to write a tool that scans the IP
> ranges of the big providers and roots every box it finds,
> automatically. The problem here is not the individual bandwidth of the
> machine, but the bandwidth of all the rooted boxes combined!
> Imagine that: some script kiddie cracks 10 boxes, somewhere on the
> internet. He installs that scanning software, sets each up to randomly
> scan a couple of providers. He finds 1000 boxes and uses them for some
> DDoS-attack. Just imagine: all those boxes are ISDN. So he has 64
> MBits to play with. But the Deutsche Telekom alone has approximately
> 500k IPs, of which (just a wild guess) 400k are in use at all
> times. So he likely finds more than 1000 open boxes. 10k? 100k?
> What if he scans one of the big cable modem providers and finds 1000
> boxes sitting behind 512kBit pipes? All of a sudden, he has 512 MBits
> to play with!
* Most cable providers here in the US bandwidth-limit their customers'
uploads. No cable customer I know gets 512Kbps upload speeds.
* The idea of getting 512Mbps of bandwidth from a cable ISP with which to
launch an attack against anyone but that ISP itself is laughable. Cable
ISPs take oversubscription to a whole new level. You might be able to find
a cable ISP that has a T3 uplink for those 1000 customers; two T3's if
you're lucky. That's 90Mbps max, not 512Mbps.
A T3 used as a DDoS weapon is still nothing to sniff at, true; but around here
at least, it takes quite a bit more work to squeeze a T3's-worth of bandwidth
out of a cable provider.