Stupid me forgot to CC the NANOG list. Begin forwarded message: From: Jonathan Hall <jhall@futuresouth.us<mailto:jhall@futuresouth.us>> Date: 13 December 2015 at 11:13:31 GMT+1 To: Jay Ashworth <jra@baylink.com<mailto:jra@baylink.com>> Subject: Re: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app DDoS attacks launched from massive botnets are not unusual, and mobile phones being used as participants of said botnets has been a well known thing since android came to market. People seem to have forgotten about AgoBot/PhatBot/GaoBot. Once upon a time, it was dubbed “The Swiss Army Knife of The Internet,” being fully cross-platform. It compiled on Linux, BSD and Windows with no problem, and as such, had spreading capabilities to infect cross-platform just the same. It was purely P2P at core, but also supported IRC. The P2P portion was for the developers. Anyone who had botnets generally only used and knew of the the IRC control point, and the code was watermarked originally to prevent any random Joe Blow from compiling. The botnets of those who had the code from Ago, Phatty and Wonk (the originators of the first release) were able to be controlled by a select group of friends of the developers. This put more than 4 million bots at the disposal of that group. Examining the synflood code that was contained within would show that the spoofing had multiple options, one of which was 100% completely random spoofed address per a packet. My personal favourite is the 0.0.0.0 source spoof, which spoofs from various random hosts in 0.0.0.0/8 . Good luck filtering those out with ACL’s and mitigation techniques… I’m not certain that would work today, but it most certainly did in 2004. Concepts like this do not die off and just fade away into /dev/null land. People simply get smarter and quieter about it. Ago/Phatty/Wonk got hit in Operation Cyber Slam in 2004 and the bulk of it all was kept very quiet. Coincidentally, Ago’s young brother, Nills, was the developer of msblaster, too. But, alas, I digress... Considering all of that, why would anyone be shocked to find massive attacks being launched from what is technically the easiest point of infection: phones? In this case, all that’s done is an app gets put up and the users download it. And with thinks such as android roots and iPhone jailbreaks being common knowledge and point-and-click easy to do? More and more people are unlocking their devices just for the sake of saying, “My phone is rooted.” And as phones become more and more powerful, as well as bandwidth climbing to record highs on mobile platforms, you can only be assured that this sort of attack vector will continue to increase in popularity. I do think that jumping up and saying, “ISIS is taking over US phones!” is a bit of a wild leap. But at the same time, why would anyone think they aren’t already using this method to fund themselves? Botnets = money, period. Do you have any idea how much money people pay for usage of botnets to launch attacks? Just pure chance says there are members of ISIL as well as present and potentially future supporters of ISIL that have botnets. After all, twelve year old kids with Guy Fawkes masks in their mothers basements have botnets these days… On 12 Dec 2015, at 07:18, Jay Ashworth <jra@baylink.com<mailto:jra@baylink.com>> wrote: Is McAfee just talking to dry his teeth here? This isn't actually practical, is it? Carriers would notice, right? http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartp... -- Sent from my Android device with K-9 Mail. Please excuse my brevity.