On Wed, 16 Jan 2002, Jared Mauch wrote:
I think the point is that (despite everyones thoughts that use it) IRC is not considered a super-important network service these days. If the irc server is dampened or the attack can't reach it it just penalizes the compromised host(s) network(s) more than the person who hosts the irc server.
I don't know if I can totally agree with that :) I have run an IRC server, and have been the subject of a variety of DoS and DDoS attacks in the past. Some of the attacks have had almost an intellegence behind them. When a server's immediate uplink is a T1(or equiv), there has been just enough traffic to flood it (eg, T1+1mb). When the server's uplink has been a 155Mb link, there's again been just enough traffic to flood that (eg, 155+10Mb). In each case, turning off the ircd, or blocking ICMP / TCP / UDP / whatever packets going to that server upstream have stopped the floods in seconds. This leads me to believe there are at least 2 types of flooders our there: Flooders who are careful how much of their resource their use, and flooders who don't care and would try to cram 1Gb/s down your tiny T1 given the chance. In either case I believe IRC can be considered an important service, if only for the reason, that it can keep the attackers attracted. If there was no IRC I'm sure they'd go after more critical services! -- Avleen Vig Network Security Officer Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf