
-----Original Message-----
From: Bill Nash [mailto:billn@billn.net]
Sent: Monday, December 20, 2004 3:33 PM
To: Hannigan, Martin
Cc: John Kristoff; nanog@merit.edu
Subject: RE: Anycast 101
On Mon, 20 Dec 2004, Hannigan, Martin wrote:
there are some million-bot drone armies out there. with enough attackers
I know I haven't seen any 1MM+ zombie armies out there and I'm looking for them. Why spend all that time getting 1MM bots when you only need 100K?
Dormant reinforcements. Multiple operational floodnets in smaller cells. Rapid reconfiguration of a cell, cycling in new hosts, removing hosts that have sustained functional losses to reactive routing changes. Having those kinds of resources on hand allows an attacker to use a 'Captain Tripps'[1] style of attack to maintain a sustained assault on single, or even multiple targets.
We aren't dealing with stupid people. If 1/10th of the bots will do the trick, that's 1/10th of the work. A larger botnet would expose the controllers much more rapidly with focused traffic flows towards the controllers. No controller = no $$. You'd also have more people involved to speed up the process and now you're spending money that you don't have to when 100K will suffice nicely. Whether you buy the botnets or you build them yourself, you need time to generate revenue. Survival and greed are factors here.
Aggregating botnets is possible, sure. But that means you're paying someone for their use. They aren't just giving them away. Of course, you could buy a botnet, but again, why buy when you can build a 100K botnet in short order and for free?
Discussing botnet sizes is irrelevant, though, except in the case of mitigation and deciding where to spend time working *80/20*. Look at how the discussions surrounding SPAM have evolved. It went from "damn abusers", to "damn software", to "where's the money coming from?". The BotNet problem has already evolved to "where's the money". Botnets are a new phenomenon. [ Gadi!?]
[ SNIP ]