On 10/29/2016 9:43 PM, Eric S. Raymond wrote:
I in turn have to call BS on this. If it were really that easy, we'd be inundated by Mirais -- we'd have several attacks a *day*.
Some of us are seeing many significant attacks a day. That's because botnets are frequently used to hit game servers and game players. In fact, the Mirai-targeted devices were not newly seen; easily exploited devices like older DVRs have been observed for years in attacks on game servers. The main difference in the recent botnet attacks (mostly in 2016) is that they have been larger and more frequent, likely because of incremental improvements to scanners (including in time-to-exploitation, which is important to building the botnet because these devices are so frequently rebooted) and payloads (to better block further exploitation by competitors). If you run a honeypot and take a look at what happens to one of these devices over time, you'll see an interesting tug-of-war between many different actors that are compromising them and running their own binaries.

Reflection attacks are still common, as well, of course. Previously, those were the ones that created the largest flows. But the higher-amplification-factor reflection attacks can be mostly mitigated upstream with basic ACLs (as long as the upstream is willing to help, and has the internal capacity to do it; many NSPs do not). It is not uncommon to see a botnet attack at the same time as a reflection attack.

-John