at Thursday, October 31, 2002 1:22 PM, Randy Bush <randy@psg.com> was seen to say:

> > analogy games are fun, but it boils down to this... If I know the real source of an attack, I can stop it within minutes.
>
> the real source of the attack is the skript kitty who zombied the 10,000 hosts which are sourcing packets at you. the intermediate sources are the 10,000 zombies, and trying to deal with them at the source just does not scale.

really you only need four or five though - if you can monitor the tcp/ip links each have, you should find a common node that is the control node.

(assuming the current situation where the bots remain connected during the attack; a simple change could alter this to disconnect immediately after orders are issued and not reconnect for a random time spanning hours or days, but even then, unless the kiddie wishes to discard his entire botnet after a single attack, they should eventually reconnect to a control channel (probably an irc channel or similar) - at least theoretically, an irc server network could be tapped to determine who is the controller in a bot room, or the bot room could be discontinued (which again, would only halt the current state of the art; the bots could easily have a different network or a distributed networking capability to recover the botnet after loss of a control room; actually, I would be surprised if bots didn't already have some similar provision now))
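The "monitor a handful of bots and look for the node they all talk to" idea above, as an added example that is not code from anyone in this thread: it ranks remote endpoints by how many of the monitored hosts share them, using constructed sample flow records (host names and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are made up), and lets the analyst exclude the flood target, which every bot also shares but which is not the control node.

```python
"""Rank remote peers shared by several suspected bots to surface a likely control node.

Added illustration of the approach in the message above; the flow records below
are constructed for this example and do not come from the thread.
"""
from collections import defaultdict

# Constructed sample flow records: (local_host, remote_ip, remote_port, proto).
# bot-a..bot-d are the "four or five" monitored zombies; 192.0.2.10 is the
# flood target, 203.0.113.7:6667 plays the IRC-style control channel, and
# the 198.51.100.x entries are ordinary DNS/web noise.
SAMPLE_FLOWS = [
    ("bot-a", "203.0.113.7", 6667, "tcp"),
    ("bot-a", "198.51.100.9", 53, "udp"),
    ("bot-a", "192.0.2.10", 80, "tcp"),
    ("bot-b", "203.0.113.7", 6667, "tcp"),
    ("bot-b", "192.0.2.10", 80, "tcp"),
    ("bot-b", "198.51.100.20", 443, "tcp"),
    ("bot-c", "203.0.113.7", 6667, "tcp"),
    ("bot-c", "192.0.2.10", 80, "tcp"),
    ("bot-d", "203.0.113.7", 6667, "tcp"),
    ("bot-d", "198.51.100.9", 53, "udp"),
    ("bot-d", "192.0.2.10", 80, "tcp"),
]


def rank_common_peers(flows, exclude=()):
    """Return [(remote, n_hosts)] sorted by how many distinct monitored hosts
    talk to that remote. `exclude` holds IPs known to be the attack target,
    which every bot shares but which is not the control node."""
    hosts_per_remote = defaultdict(set)
    for local, rip, rport, proto in flows:
        if rip in exclude:
            continue
        hosts_per_remote[(rip, rport, proto)].add(local)
    ranked = sorted(hosts_per_remote.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(remote, len(hosts)) for remote, hosts in ranked]


def candidate_control_nodes(flows, exclude=(), min_share=1.0):
    """Remotes shared by at least `min_share` of the monitored hosts.
    Lower min_share if bots disconnect and reconnect at different times,
    so a single capture window may not show every bot on the channel."""
    n_hosts = len({f[0] for f in flows})
    return [r for r, n in rank_common_peers(flows, exclude) if n >= min_share * n_hosts]


if __name__ == "__main__":
    for remote, n in rank_common_peers(SAMPLE_FLOWS, exclude={"192.0.2.10"}):
        print(f"{remote[0]}:{remote[1]}/{remote[2]} shared by {n} hosts")
    print("candidates:", candidate_control_nodes(SAMPLE_FLOWS, exclude={"192.0.2.10"}))
```

Without the exclusion the flood target ranks alongside the control channel, which is why the analyst has to name the victim up front; with it, only the shared IRC-style endpoint remains.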