On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote:
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP, 1) the network filters spoofed source addresses, 2) they havn't compromised root.
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't know the breakdown of botnets in terms of which platform they typically harvest for hosts, but I'd imagine Windows represents a significant portion of non-spoofed attacks. -c