This is the transcript of an email from a member of a CERT team regarding a particular real incident. I think it demonstrates some of the problems a cracked box can cause, in particular the temporary loss of the University's internet connectivity. It was particularly relevant as it happened just a few days before I gave the talk, hence its inclusion. I have removed the email headers and signature file for publication on the web.
Just an update on the events of last Friday. (I was 'on holiday' so only had a chance to look at things towards the end of the afternoon). There were several aspects to this:

a) A student-run Linux box was not up to date and was hacked. The intruder really had very little in the way of a clue, judging by the bash_history left behind.

b) The hacked box was used to abuse IRC and sent a DoS at a remote IP; the attack in this case was rather ineffective.

c) The remote IRC 'victim', on the other hand, seems to have had access to a very substantial DDoS network (mostly US .edu's which were probably pumping out on Internet2) which completely flooded our JANET connectivity. The floods were (in the main) SYN floods, which would have saturated various routers and firewalls along the way.

d) The local hacked box IP was blocked at the router, but this is, of course, totally ineffective at stopping the flood, which would have required intervention at the US end of the pipes (and TCP/IP being what it is would have tried to route around any blocks!).

e) Eventually the flood stopped at the generator end.

Moral: It just takes one poorly administered machine to bring down the entire network.