Re: Destructive botnet originating from Japan (fwd)
Hi again, NANOGers. :)

I shouldn't have focused solely on the bot issue, sorry. When miscreants obtain access to a server through some PHP exploit, they generally take a look around. If the web server is also a database server (eek!), then the real fun begins. There won't be a noisome bot placed on that server, oh no. One crew installed a cron script to run a SQL query for the new customer data collected in the past 24 hours, then email the query results to the miscreants. :(

DDoS can be very painful, and it has the side benefit of being very overt. It is the more subtle attacks and abuses that might concern you even more. It is generally the case that the tools and techniques for both are the same.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Rob,

You made a good point on the duration of the attacks; I neglected to notice the attack command was set to 99999. One of our engineers logged the bot master issuing the attack command:

man!~man@127.0.0.1 PRIVMSG $127.0.0.1 :.dos 99999 s| xxx.xxx.xxx.xxx|80

99999 is the number of seconds; 86400 seconds is 24 hours, and slightly over that we saw the bots stop attacking. So they were not running forever, but they did run on their own for about 27 hours. It made our NOC guys happy to see Christmas eve with a clean network.

You are also very correct on the force levels. Linux web servers are usually more connected than a cable modem user, so the bandwidth levels are much higher. In the latest round of attacks we have seen, the attack rates are growing near the 10 Gig range. The PPS rates are also getting much higher, seeing the fragmented UDP attacks getting packet sizes much smaller than a 64-byte SYN packet.

What I find shocking is that machines that should be more secured or at least monitored better appear to run for long periods going unnoticed. It seems that some system administrators are just not paying attention to large outbound bursts from their networks.

-Barrett
What I find shocking is that machines that should be more secured or at least monitored better appear to run for long periods going unnoticed. It seems that some system administrators are just not paying attention to large outbound bursts from their networks.
Sadly: s/paying attention/able to detect/ at least in real time, versus when the monthly bandwidth bill comes. Stephen
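Barrett describes compromised web servers that blast out small fragmented UDP packets for a day or more without anyone noticing, and Stephen's point is that most operators cannot detect that in real time, only on the monthly bill. The following is an added example (my own code, not from any of the posters) of the minimal per-host outbound-burst check a NOC could run over flow records to close that gap. It assumes NetFlow-style export of outbound flows (timestamp, source, destination, protocol, destination port, bytes, packets) in CSV form; the flow records embedded below are constructed for the example and are not real data. A source is flagged when one time bucket carries ten times the median of its other buckets, and the alert is labelled a small-packet flood when the average packet size is below 100 bytes, which is what a fragment flood like the one Barrett mentions looks like.

```python
"""Flag hosts whose outbound traffic suddenly dwarfs their own baseline.

Added example, not code from the original thread. Input is a constructed
CSV of NetFlow-style outbound flow records; field names are assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from statistics import median
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int          # epoch seconds at flow start
    src: str         # source address inside our network
    dst: str
    proto: str
    dport: int
    byte_count: int
    packets: int


class Alert(NamedTuple):
    src: str
    bucket_start: int
    byte_count: int
    packets: int
    avg_packet_bytes: float
    kind: str        # "small-packet flood" or "volume burst"


# Constructed sample (not real traffic): 10.0.0.5 is a web server serving
# ordinary HTTP for three minutes, then pushing ~60-byte UDP packets at one
# target on port 80; 10.0.0.7 is a quiet host that should never be flagged.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes,packets
0,10.0.0.5,203.0.113.10,tcp,80,48000,40
30,10.0.0.5,203.0.113.11,tcp,80,52000,44
60,10.0.0.5,203.0.113.12,tcp,80,45000,38
90,10.0.0.5,203.0.113.13,tcp,80,50000,42
120,10.0.0.5,203.0.113.14,tcp,80,47000,39
150,10.0.0.5,203.0.113.15,tcp,80,51000,43
180,10.0.0.5,198.51.100.9,udp,80,2400000,40000
200,10.0.0.5,198.51.100.9,udp,80,2400000,40000
220,10.0.0.5,198.51.100.9,udp,80,2400000,40000
0,10.0.0.7,203.0.113.20,tcp,443,9000,12
60,10.0.0.7,203.0.113.21,tcp,443,8000,11
120,10.0.0.7,203.0.113.22,tcp,443,9500,13
180,10.0.0.7,203.0.113.23,tcp,443,8800,12
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records into Flow tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Flow(int(r["ts"]), r["src"], r["dst"], r["proto"],
             int(r["dport"]), int(r["bytes"]), int(r["packets"]))
        for r in rows
    ]


def bucket_outbound(flows: list[Flow], bucket_secs: int = 60) -> dict[str, dict[int, list[int]]]:
    """Sum bytes and packets per source per time bucket."""
    totals: dict[str, dict[int, list[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        start = f.ts - f.ts % bucket_secs
        totals[f.src][start][0] += f.byte_count
        totals[f.src][start][1] += f.packets
    return totals


def find_bursts(flows: list[Flow], bucket_secs: int = 60, ratio: float = 10.0,
                min_bytes: int = 1_000_000, small_pkt_bytes: int = 100) -> list[Alert]:
    """Return one Alert per (source, bucket) whose bytes exceed ratio x the
    median of that source's other buckets and a hard floor of min_bytes.
    The bucket under test is excluded from its own baseline so a single
    long-running flood cannot drag the median up and hide itself."""
    alerts: list[Alert] = []
    for src, buckets in bucket_outbound(flows, bucket_secs).items():
        for start, (nbytes, npkts) in sorted(buckets.items()):
            others = [v[0] for s, v in buckets.items() if s != start]
            if not others:
                continue  # nothing to compare against yet
            baseline = median(others)
            if nbytes < min_bytes or nbytes < ratio * baseline:
                continue
            avg = nbytes / npkts if npkts else 0.0
            kind = "small-packet flood" if avg < small_pkt_bytes else "volume burst"
            alerts.append(Alert(src, start, nbytes, npkts, avg, kind))
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.src} t={a.bucket_start}s {a.byte_count} bytes "
              f"{a.packets} pkts avg={a.avg_packet_bytes:.0f}B -> {a.kind}")
```

With real exports the bucket size and the ratio would be tuned per host class (a busy web server's median is itself large, so the ratio matters more than the byte floor), and the alert would go to the NOC rather than stdout. The small-packet label is there because a flood of sub-64-byte packets can saturate a router's PPS budget long before the byte count looks alarming.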
On Sat, 24 Dec 2005, Rob Thomas wrote:
Hi again, NANOGers. :)
I shouldn't have focused solely on the bot issue, sorry. When miscreants obtain access to a server through some PHP exploit, they generally take a look around. If the web server is also a database server (eek!), then the real fun begins. There won't be a noisome bot placed on that server, oh no. One crew installed a cron script to run a SQL query for the new customer data collected in the past 24 hours, then email the query results to the miscreants. :(
DDoS can be very painful, and it has the side benefit of being very overt. It is the more subtle attacks and abuses that might concern you even more. It is generally the case that the tools and techniques for both are the same.
Amen. The main thing is that the problem is not going to go away, and by "killing C&C's" we just ignore the problem. I am not saying killing C&C's as a stop-gap is bad, but that stop-gap is now 6 years too old and 12 years since we should have thought of something different. Why? Because like you said in your earlier email, the Bad Guys have smarter ways and get smarter de-centralized ways of doing things. That's why cooperation, especially with other industries, is also critical. But as I said, cooperation, as critical as it is, is yesterday's news. Time for the next stage.

Gadi.
participants (4): Barrett G. Lyon, Gadi Evron, Rob Thomas, Stephen Stuart