DOS attack from PANAMSAT

Rizzo_Frank · July 6, 2002, 4:44pm

Roy wrote:
> Their NOC is clueless. Anyone have a better number?

Your upstreams, who will help you back-track. Nobody DoS'es with their real IP's anymore.

Frank

Rabbi_Rob_Thomas · July 6, 2002, 11:24pm

Hello, Frank.

] Your upstreams, who will help you back-track. Nobody DoS'es with their
] real IP's anymore.

Hmm, not according to the data I collect. I track numerous botnets and
DoSnets, and a bit over 80% of them use the real IPs as the source of
the floods. Then again, with 500 - 18000 bots, it isn't all that
necessary to mask the source IPs.

Just my $.02, of course.

Thanks,
Rob.

Richard_A_Steenbegen · July 7, 2002, 7:08pm

There are only two situations where a DoS uses its real IP, 1) the network
filters spoofed source addresses, 2) they havn't compromised root.

In the case of number 1, VERY few networks manage to restrict it to a
specific IP, only a common routed block. Most DDoS networks can detect
this, and only spoof the last octet.

In the case of number 2, there are still a lot of hosts out there which
can be compromised via something seemingly innocent (like say an Apache
exploit), and be used in a udp sendto() flood without ever getting root.

A common technique is to mix the two, or intentionally have nodes which
can fully spoof limit themselves to something random and then a per-packet
spoofed last octet. This does a fairly effective job of discouraging the
victem from sending complaints, since they assume that either everything
is spoofed, or nothing will be done since it will never be traced back to
the actual originating machine.

Clay_Fiske · July 7, 2002, 7:45pm

Don't forget 3) the machine compromised isn't capable of spoofing.
In Win95/98/ME/NT, there is no raw socket functionality. I don't
know the breakdown of botnets in terms of which platform they
typically harvest for hosts, but I'd imagine Windows represents a
significant portion of non-spoofed attacks.

-c

Valdis_Kletnieks · July 7, 2002, 8:16pm

The fact that there is no raw socket *API* doesn't mean it's that much
more difficult to convince the device driver to send a packet that isn't
strictly kosher.

Clay_Fiske · July 7, 2002, 8:27pm

Sure, but the idea that the kids doing the harvesting a) know how to
do such a thing and b) care if the compromised machine is traced is
a stretch in my mind. As a previous poster said, if a DDoS comes
from enough different sources, it doesn't matter if they're really
spoofed or not.

-c

Valdis_Kletnieks · July 7, 2002, 8:40pm

If the perpetrator actually understood the exploit, they'd not be called
a 'script kiddie'.