Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out
On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:

> I'm surprised that the target node has that much INBOUND bandwidth, quite frankly.

The node itself has only a Fast Ethernet port, but there's some 4 GBit available outside of the router. I'm genuinely glad the node has been taken offline as soon as the traffic started coming in in buckets, and I didn't have to foot the entire bill (the whole incident only cost me 20-30 GByte overall, as far as I can tell).

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out
On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:

> What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy, but that sounds suspiciously like someone loaded up an OC-3's worth of traffic and then slammed your node. Ain't no hacker gonna do that.
>
> Any indication the ostensible originating IP addresses are faked?

No, it looked like a vanilla DDoS. According to the hoster, I've only seen a small piece of the log, which looked like this:

09:21:54.322650 IP 67.9.36.207 > 213.239.210.243: icmp
09:21:54.322776 IP 218.102.186.215 > 213.239.210.243: icmp
09:21:54.322895 IP 24.242.31.137 > 213.239.210.243: icmp
09:21:54.323017 IP 61.62.83.208 > 213.239.210.243: icmp
09:21:54.323140 IP 68.197.59.153 > 213.239.210.243: icmp
09:21:54.323263 IP 202.138.17.65 > 213.239.210.243: icmp
09:21:54.323375 IP 221.171.34.81 > 213.239.210.243: icmp 1376: echo request seq 23306
09:21:54.323500 IP 150.199.172.221 > 213.239.210.243: icmp
09:21:54.323623 IP 62.150.154.191 > 213.239.210.243: icmp
09:21:54.323741 IP 221.231.54.152 > 213.239.210.243: icmp
09:21:54.323863 IP 222.241.149.165 > 213.239.210.243: icmp 1456: echo request seq 24842
09:21:54.323984 IP 61.81.134.200 > 213.239.210.243: icmp
09:21:54.324105 IP 60.20.101.125 > 213.239.210.243: icmp
09:21:54.324227 IP 219.77.117.204 > 213.239.210.243: icmp
09:21:54.324229 IP 85.98.134.51 > 213.239.210.243: icmp
09:21:54.324355 IP 61.149.3.249 > 213.239.210.243: icmp
09:21:54.324475 IP 218.9.240.32 > 213.239.210.243: icmp 1456: echo request seq 29962
09:21:54.324598 IP 24.115.79.52 > 213.239.210.243: icmp
09:21:54.324720 IP 12.217.75.61 > 213.239.210.243: icmp
09:21:54.324844 IP 202.161.4.210 > 213.239.210.243: icmp
09:21:54.324847 IP 139.4.150.122.14238 > 213.239.209.107.80: R 2598318330:2598318330(0) win 0
09:21:54.324973 IP 211.203.38.29 > 213.239.210.243: icmp
09:21:54.325101 IP 68.74.58.171 > 213.239.210.243: icmp
09:21:54.325240 IP 211.214.159.102 > 213.239.210.243: icmp
09:21:54.325341 IP 221.231.53.52 > 213.239.210.243: icmp
09:21:54.325465 IP 24.20.194.42 > 213.239.210.243: icmp

-- 
Eugen* Leitl
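The hoster's log excerpt quoted above is the kind of capture an operator has to work from to confirm that an outage was a distributed ICMP echo flood rather than a single misbehaving host. As an added example that is not part of the thread (my code, not Eugen's or the hoster's), the Python below parses tcpdump lines of that shape, buckets ICMP packets per destination and wall-clock second, and flags buckets whose packet rate or number of distinct sources is out of the ordinary. The sample lines, the RFC 5737 addresses in them and the thresholds are all constructed or assumed; the parser also tolerates the missing ">" seen in the archived copy of the mail.

```python
import re
from collections import defaultdict

# Line shape of the tcpdump excerpt quoted above: "HH:MM:SS.usec IP src > dst: proto ...".
# src/dst may carry a trailing ".port" for TCP/UDP; the ">" is optional because
# HTML extraction frequently strips it, as happened to the archived mail.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<usec>\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+(?:>\s+)?"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into (second, src, dst, is_icmp); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), m.group("rest").startswith("icmp")


def detect_icmp_flood(lines, min_pps=500, min_sources=50):
    """Bucket ICMP packets by (destination, wall-clock second) and flag buckets that
    exceed either the packet-rate or the distinct-source threshold.  Thresholds are
    illustrative (assumed values, not from the thread); tune them to the link."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tcpdump banner, truncated line, or unrelated text
        second, src, dst, is_icmp = parsed
        if not is_icmp:
            continue  # TCP/UDP traffic is outside this detector's scope
        bucket = buckets[(dst, second)]
        bucket["packets"] += 1
        bucket["sources"].add(src)

    findings = []
    for (dst, second), bucket in sorted(buckets.items()):
        n_src = len(bucket["sources"])
        if bucket["packets"] >= min_pps or n_src >= min_sources:
            findings.append({
                "dst": dst,
                "second": second,
                "packets": bucket["packets"],
                "distinct_sources": n_src,
            })
    return findings


def build_sample_log():
    """Constructed sample modelled on the quoted capture (RFC 5737 documentation
    addresses; nothing here is taken from the real log).  200 echo requests from
    200 distinct sources hit 203.0.113.5 within one second, alongside a TCP RST and
    a handful of ordinary pings a second later."""
    lines = []
    for i in range(200):
        usec = 322650 + i * 120
        lines.append(f"09:21:54.{usec:06d} IP 198.51.100.{i + 1} > 203.0.113.5: "
                     f"icmp 1456: echo request seq {23306 + i}")
    lines.append("09:21:54.324847 IP 192.0.2.44.14238 > 203.0.113.7.80: R 1:1(0) win 0")
    for i in range(3):
        lines.append(f"09:21:55.{100000 + i * 1000:06d} IP 192.0.2.7 > 203.0.113.5: "
                     f"icmp 64: echo request seq {i}")
    return lines


if __name__ == "__main__":
    for f in detect_icmp_flood(build_sample_log()):
        print(f"{f['second']} -> {f['dst']}: {f['packets']} ICMP pkts "
              f"from {f['distinct_sources']} sources")
```

On a real capture you would feed `detect_icmp_flood` the lines of `tcpdump -n icmp` (or a saved pcap rendered with `tcpdump -n -r file.pcap`); the distinct-source count is the more useful signal for the "vanilla DDoS" question raised above, since a single spoofing host and a botnet produce the same packet rate but very different source diversity per second.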
Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out
Actually, I did know that 300Mb/sec isn't super-huge for Denial of Service attacks at least, but this is an obscure Tor node. Someone attacking it at this stage in the game has a real agenda (perhaps they want to see if certain websites get disrupted? Does Tor work that way for short-ish periods of time?)

At 4Gb/s into the router, I'd guess that router is hooked up to 2 GbEs mapped over a pair of OC-48s (sounds a lot like the architecture Cisco has sold certain GbE-centered Datapipe providers). Your attacker might actually be interested in pre-stressing the infrastructure in front of that router.

Just a guess, but I'm stupid after all.

-TD

From: Eugen Leitl [EMAIL PROTECTED]
To: Dan McDonald [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out
Date: Tue, 2 Aug 2005 10:15:49 +0200

> On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:
>
> > I'm surprised that the target node has that much INBOUND bandwidth, quite frankly.
>
> The node itself has only a Fast Ethernet port, but there's some 4 GBit available outside of the router. I'm genuinely glad the node has been taken offline as soon as the traffic started coming in in buckets, and I didn't have to foot the entire bill (the whole incident only cost me 20-30 GByte overall, as far as I can tell).
>
> -- 
> Eugen* Leitl