This is such a golden opportunity for each of you to find compromised hosts on your network or your customer's network. The number of genuine lookups of the blog vs the number of botted machine would make it almost certain that anything directed at the blog is a compromised machine. A phone call to the customer / further analysis would reduce the false positive rate. Mark In message <CALoKGd2oN=mq_Gn75UrugUPDKfGPeD6cfq_AY+f-M1XUaCo46Q@mail.gmail.com>, Alexander Lyamin writes:
This time around its not about spoofing.
I presume this is development of the same botnet/worm that we seen day2 of Shellshock public disclosure - its was pretty hightech - golang, arm/mips/x86 support, multiple attack vectors - inlcuding (surprisingly) very effective password guessing. It counted ~100k heads on day2, and i suppose they did grew quite a bit.
Thats part of a problem why cause that much havoc - they do have real IP addresses and reasonably well conected - so they can wreck a havoc in bandwidth and tcp stack.
They most likely do not have enough resources to do Full Browser Stack, thats why I think L7 capabilities of the botnet will be very basic.
On Sun, Sep 25, 2016 at 7:00 PM, John Kristoff <jtk@depaul.edu> wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as their is one spoof capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc could have an effect.
John
--
Alexander Lyamin
CEO | Qrator <http://qrator.net/>* Labs*
office: 8-800-3333-LAB (522)
mob: +7-916-9086122
skype: melanor9
mailto: la@qrator.net -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org