
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
Hello, Frank.
] Your upstreams, who will help you back-track. Nobody DoS'es with their
] real IP's anymore.
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP: 1) the network filters spoofed source addresses, 2) they haven't compromised root. In the case of number 1, VERY few networks manage to restrict it to a specific IP, only a common routed block. Most DDoS networks can detect this, and only spoof the last octet. In the case of number 2, there are still a lot of hosts out there which can be compromised via something seemingly innocent (like say an Apache exploit), and be used in a udp sendto() flood without ever getting root. A common technique is to mix the two, or intentionally have nodes which can fully spoof limit themselves to something random and then a per-packet spoofed last octet. This does a fairly effective job of discouraging the victim from sending complaints, since they assume that either everything is spoofed, or nothing will be done since it will never be traced back to the actual originating machine.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
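The filtering distinction drawn in the message above (a filter on the customer's whole routed block versus one restricted to the specific addresses actually assigned), shown as an added example that is not part of the thread. The addresses are constructed from documentation ranges and the host assignment table is an assumption.

```python
import ipaddress

# Constructed sample: a customer port is allocated 192.0.2.0/24, but only
# two hosts on that block are actually assigned addresses (assumed table).
ROUTED_BLOCK = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED_HOSTS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.20"),
}

# Constructed outbound packets seen on that port: two from assigned hosts,
# two with only the last octet spoofed (still inside the routed block),
# and one fully spoofed from an unrelated prefix.
SAMPLE_PACKETS = [
    "192.0.2.10",
    "192.0.2.20",
    "192.0.2.77",
    "192.0.2.201",
    "198.51.100.5",
]


def block_filter(src: str) -> bool:
    """Prefix-level ingress filter: permit any source inside the routed block.

    This is the common deployment the message describes; it stops fully
    spoofed sources but lets a spoofed last octet through unchanged."""
    return ipaddress.ip_address(src) in ROUTED_BLOCK


def host_filter(src: str) -> bool:
    """Host-level ingress filter: permit only addresses actually assigned."""
    return ipaddress.ip_address(src) in ASSIGNED_HOSTS


def apply_filter(packets, policy):
    """Split a packet list into (permitted, dropped) sources under a policy."""
    permitted = [p for p in packets if policy(p)]
    dropped = [p for p in packets if not policy(p)]
    return permitted, dropped


if __name__ == "__main__":
    for name, policy in (("block", block_filter), ("host", host_filter)):
        ok, drop = apply_filter(SAMPLE_PACKETS, policy)
        print(f"{name:5s} filter: permitted={ok} dropped={drop}")
```

Running it shows the block-level filter passing both last-octet-spoofed packets, which is exactly why a complaint based on the source address can still point at a machine that never sent the traffic.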