Roy wrote:
Their NOC is clueless. Anyone have a better number?
Your upstreams, who will help you back-track. Nobody DoS'es with their real IPs anymore.
Frank
Hello, Frank.
] Your upstreams, who will help you back-track. Nobody DoS'es with their
] real IPs anymore.
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
Just my $.02, of course.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
Hello, Frank.
] Your upstreams, who will help you back-track. Nobody DoS'es with their
] real IPs anymore.
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP: 1) the network filters spoofed source addresses, 2) they haven't compromised root.
In the case of number 1, VERY few networks manage to restrict it to a specific IP, only a common routed block. Most DDoS networks can detect this, and only spoof the last octet. In the case of number 2, there are still a lot of hosts out there which can be compromised via something seemingly innocent (like say an Apache exploit), and be used in a udp sendto() flood without ever getting root.
A common technique is to mix the two, or intentionally have nodes which can fully spoof limit themselves to something random and then a per-packet spoofed last octet. This does a fairly effective job of discouraging the victim from sending complaints, since they assume that either everything is spoofed, or nothing will be done since it will never be traced back to the actual originating machine.
--
Richard A Steenbergen <ras@e-gerbil.net>
http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
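The distinction drawn above, between a network that filters at the level of the routed block and one that restricts sources to the specific addresses actually assigned on a link, can be shown with a small ingress-filter simulation. This is an added example, not code from the thread or from any of its participants: the customer prefix, the set of allocated hosts and the packet records are all constructed (documentation address ranges), and the two filter functions are hypothetical stand-ins for a router's prefix ACL and per-host ACL. The `unallocated_sources` check is the kind of audit a defender can run over flow data to spot in-prefix sources that were never assigned.

```python
import ipaddress
from collections import Counter

# Constructed scenario (assumption): a customer link is routed 198.51.100.0/24,
# but only three hosts on that link are actually allocated.
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")
ALLOCATED_HOSTS = {
    ipaddress.ip_address(a) for a in ("198.51.100.10", "198.51.100.20", "198.51.100.30")
}

# Constructed flow records (src, dst, proto) as seen on the customer-facing interface.
SAMPLE_PACKETS = [
    ("198.51.100.10", "203.0.113.5", "udp"),    # real source, allocated host
    ("198.51.100.10", "203.0.113.5", "udp"),
    ("198.51.100.77", "203.0.113.5", "udp"),    # inside the prefix, but never allocated
    ("198.51.100.201", "203.0.113.5", "udp"),   # inside the prefix, but never allocated
    ("10.9.8.7", "203.0.113.5", "udp"),         # outside the prefix entirely
    ("192.0.2.44", "203.0.113.5", "udp"),       # outside the prefix entirely
]


def prefix_filter(src):
    """Block-level ingress check (hypothetical): accept any source inside the
    routed customer prefix. This is what most networks in the thread deploy."""
    return ipaddress.ip_address(src) in CUSTOMER_PREFIX


def host_filter(src):
    """Per-host ingress check (hypothetical): accept only sources that are
    actually allocated on the link. Strictly tighter than prefix_filter."""
    return ipaddress.ip_address(src) in ALLOCATED_HOSTS


def classify(packets):
    """Tally how each filter treats the traffic. A packet is counted once, in the
    first category that applies: dropped by the prefix check, dropped only by the
    per-host check, or passed by both."""
    result = Counter()
    for src, _dst, _proto in packets:
        if not prefix_filter(src):
            result["dropped_by_prefix"] += 1
        elif not host_filter(src):
            result["passed_prefix_dropped_by_host"] += 1
        else:
            result["passed_both"] += 1
    return result


def unallocated_sources(packets):
    """Audit helper: sources that sit inside the routed block but were never
    allocated. These pass a prefix-level filter and are the ones worth asking
    the customer about when a flood is traced to this link."""
    return {
        src
        for src, _dst, _proto in packets
        if prefix_filter(src) and not host_filter(src)
    }


if __name__ == "__main__":
    for category, count in sorted(classify(SAMPLE_PACKETS).items()):
        print(f"{category}: {count}")
    print("unallocated in-prefix sources:", sorted(unallocated_sources(SAMPLE_PACKETS)))
```

On the constructed input the prefix-level filter drops only the two packets from outside the block; the two in-prefix but unallocated sources sail through it and are caught only by the per-host rule, which is exactly the gap the message above describes.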
On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote:
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP: 1) the network filters spoofed source addresses, 2) they haven't compromised root.
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't know the breakdown of botnets in terms of which platform they typically harvest for hosts, but I'd imagine Windows represents a significant portion of non-spoofed attacks. -c
On Sun, 07 Jul 2002 12:45:13 PDT, Clayton Fiske <clay@bloomcounty.org> said:
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't
The fact that there is no raw socket *API* doesn't mean it's that much more difficult to convince the device driver to send a packet that isn't strictly kosher.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
On Sun, Jul 07, 2002 at 04:16:12PM -0400, Valdis.Kletnieks@vt.edu wrote:
On Sun, 07 Jul 2002 12:45:13 PDT, Clayton Fiske <clay@bloomcounty.org> said:
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't
The fact that there is no raw socket *API* doesn't mean it's that much more difficult to convince the device driver to send a packet that isn't strictly kosher.
Sure, but the idea that the kids doing the harvesting a) know how to do such a thing and b) care if the compromised machine is traced is a stretch in my mind. As a previous poster said, if a DDoS comes from enough different sources, it doesn't matter if they're really spoofed or not. -c
On Sun, 07 Jul 2002 13:27:52 PDT, Clayton Fiske <clay@bloomcounty.org> said:
Sure, but the idea that the kids doing the harvesting a) know how to do such a thing and b) care if the compromised machine is traced is
If the perpetrator actually understood the exploit, they'd not be called a 'script kiddie'.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
In the referenced message, Clayton Fiske said:
On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote:
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP: 1) the network filters spoofed source addresses, 2) they haven't compromised root.
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't know the breakdown of botnets in terms of which platform they typically harvest for hosts, but I'd imagine Windows represents a significant portion of non-spoofed attacks.
-c
I believe it is fairly trivial to add this functionality to these machines. Even if the addons weren't part of the payload, the worm could go snag it off the public internet and install it.
participants (6)
- Clayton Fiske
- Richard A Steenbergen
- Rizzo Frank
- Rob Thomas
- Stephen Griffin
- Valdis.Kletnieks@vt.edu