On 12/8/2010 2:37 PM, Olof Johansson wrote:
On 2010-12-08 14:06 -0600, Philip Dorr wrote:
The problem is that they were also slashdotted. The logs would also have a large number of unrelated.
"so... the loic tool uses the host's local address, the attacks are all HTTP based, or tcp/80 with malformed HTTP..."
That should be easy to grep by...?
Of course, it's debatable if use of LOIC is enough to convict. You'd have to first prove the person installed it themselves, and then you'd have to prove that they knew it would be used for illegal purposes. The hive controller, and the actual operator(s) are who they want, and that's a little more work. This has been an issue in the past, even when we knew exactly where botnet controllers were, concerning the legality of taking control to shut it down.

Jack