First, I am one of the global opers on the AT&T Undernet Server newbunswick.nj.us.undernet.org (irc2.att.net). I wish to emphasize I am writing on a personal basis though (I just like to brag). As you know, the undernet was hammered by sysop for over eight days, and I followed the details of the attack extremely closely. His attacks were very unique, allowing us to know exactly when it was him and not one of the several copy-cats that jumped on the bandwagon as time went by. He likes to use syn floods rather than smurfs for the main part, and he likes to be hands-on in his attacks. Normally, they last around 10 minutes, and each "burst" is aimed at a single point, usually an upstream router of the hub he is trying to take out. He hits one point with these bursts for several hours, with short breaks between bursts (I think he shuts down to brag online, and assess the damage done). Then he switches to another hub, or sometimes he would hit the server of an oper directly "harassing" (glining his current host) him. Overall, though, 90%+ of his attacks were directed at the Baltimore NAP, which, at the time of his attacks, was hosting most of our services. I do not know how much you guys got told about the details of the attacks, but that is a general description. Due to his attacks, we went from 39 to 27 active servers, and have temporarily shut down our channel services bots, while our coders and network management specialists plot (we have them locked in the closet of a whorehouse in the redlight district of Amsterdam, with orders to create the equivalent of a packet-seeking H-Bomb tipped missile, heheh).

But here is why I am writing. In every article I have read about these brute-strength, just overwhelm-em with packets, type attacks, I have read statements by the supposed "experts" where they are saying two things that irk me, as they are flat-out wrong. First is the fact that most of these attackers are geek teenage kids with no brains. Sure, a lot of them are. But the ones doing the serious hits? No way. They know exactly what they are doing, the best way to do it to ensure maximum results, and do serious planning before their attacks. Secondly, nobody seems to realize the sheer volume of bandwidth these kids now have. The Baltimore NAP was logging, AT THE ROUTER (i.e. we're just talking about the packets that actually got through, which is probably only a percentage of what was actually sent), a sustained FORTY MEGABITS PER SECOND! Of course, for that much bandwidth to get through, the target has to be on a huge pipe or pipes in the first place. Sysop, for example, is using two main sources of bandwidth: 1) lots of edus, 2) an unbelievable number of cable and DSL boxes. I was told, as it was happening, while the Admin was watching the logs scroll madly, that he had given up trying to go back and manually count the number of hacked @home boxes sysop was using. So he installed a unique IP counter that filtered it down to a) packets of the type being used [syn flag set], and b) only IPs in @home's IP-space. He then showed over 400 unique IPs in a 5 minute period. He also told me that he estimated that was about 1/3 of the actual cable and DSL boxes sysop was using that night! So we are talking well over 1000 hacked boxes being used by one person alone.

I do not understand why Brian is not emphasizing this problem, and I do not understand why Brian is making out people like sysop to be so stupid that they could not glom onto the fact that MS was running all their DNS servers at one location, making it a great target to attack. I did - immediately! Especially after it had just been done; facts kind of spoke for themselves!

I urge you and your staff to tell these brainless reporters, in words they can understand, the scope of the problem being faced, and just how far out of hand it has become. Tell them that the "kiddies" causing most of the damage are very sharp individuals who have literally thousands of hacked boxes at their disposal. NOT ONCE have I ever heard a supposed expert state that these kids have thousands of hacked boxes at their disposal. Why? To me it's like saying, in the middle of a theater fire, where the fire has consumed a quarter of the building, "We cannot tell people there is a fire. It would cause panic!"

So tell Brian to grow some hair and tell these reporters the scope of the problem. I know it won't do a damn bit of good, but still, my respect for attrition would return to normal. For the most part, I think you guys are great :-) You just need to grow some hair, is all, and not be afraid to tell them the truth.

Keep up the good work guys! People like me rely on you and we believe every word you say! Scary eh?

Not MReedB (maybe)
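
The unique-IP counter the letter describes (SYN flag set, sources limited to one provider's address space, counted per 5-minute period), sketched here as an added example that is not part of the original letter. The log format, the sample records and the 198.51.100.0/24 range are constructed placeholders, not the admin's tool or real attack data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "epoch_seconds src_ip tcp_flags" (not real attack data).
SAMPLE_LOG = """\
1000 198.51.100.7 S
1010 198.51.100.7 S
1030 198.51.100.9 S
1100 198.51.100.200 SA
1150 192.0.2.44 S
1290 198.51.100.12 S
1305 198.51.100.7 S
1400 not-an-ip S
1500 198.51.100.31 S
"""

# Placeholder for the provider's address space (documentation range, RFC 5737).
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def is_bare_syn(flags):
    """True for connection-opening SYNs: SYN set, ACK clear."""
    return "S" in flags and "A" not in flags


def unique_syn_sources(log_text, nets=PROVIDER_NETS, window=300):
    """Return {window_start: set(source IPs)} for bare SYNs from `nets`."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, flags = parts
        try:
            addr = ipaddress.ip_address(src)
            ts = int(ts)
        except ValueError:
            continue  # skip malformed records rather than abort mid-incident
        if is_bare_syn(flags) and any(addr in n for n in nets):
            # Align each record to the start of its fixed 5-minute window.
            buckets[ts - ts % window].add(str(addr))
    return dict(buckets)


if __name__ == "__main__":
    for start, ips in sorted(unique_syn_sources(SAMPLE_LOG).items()):
        print(start, len(ips), sorted(ips))
```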