DOS attack from PANAMSAT

In the referenced message, Clayton Fiske said:

> > Hmm, not according to the data I collect. I track numerous botnets and
> > DoSnets, and a bit over 80% of them use the real IPs as the source of
> > the floods. Then again, with 500 - 18000 bots, it isn't all that
> > necessary to mask the source IPs. :confused:
> There are only two situations where a DoS uses its real IP, 1) the network
> filters spoofed source addresses, 2) they haven't compromised root.

Don't forget 3) the machine compromised isn't capable of spoofing.
In Win95/98/ME/NT, there is no raw socket functionality. I don't
know the breakdown of botnets in terms of which platform they
typically harvest for hosts, but I'd imagine Windows represents a
significant portion of non-spoofed attacks.


I believe it is fairly trivial to add this functionality to these machines.
Even if the addons weren't part of the payload, the worm could go
snag it off the public internet and install it.