Full Disclosure mailing list archives

Re: DDoS attacks via other sites execution tool (DAVOSET)


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 14 Jul 2010 11:51:16 +0000


On Jul 14, 2010, at 6:28 PM, MustLive wrote:

In which I wrote particularly about creating of botnet from zombie-servers
(which is a new type of botnets).


A more appropriate name for this sort of attack might be an 'application reflection attack', as it's similar in concept 
to making use of open DNS recursors in the same vein.  The servers themselves aren't botted, so they don't comprise a 
new form of botnet, per se.

The question then becomes whether this particular form of attack offers any advantages over more conventional layer-7 
DDoS attacks launched via botnets.

One advantage is obvious - it may prove problematic to block the attack traffic via conventional means such as S/RTBH, 
given that the servers being abused to launch the application reflection attack are legitimate servers which users on 
the targeted networks may well have the desire to access.  However, as IDMSes can readily handle this sort of attack, 
while interesting, it's unclear whether it's worth the effort required to do this, given the prevalence of untold 
millions of botted hosts which can launch layer-7 attacks via existing command-and-control mechanisms which render said 
botnets completely under the control of the attacker, and since the sites being abused can in fact take measures to 
render themselves unsuitable for such abuse.

The question then becomes, is there an amplification factor to be gained by doing so?  The reason that DNS reflection 
attacks are of interest to the attackers is that they gain a considerable amplification effect from doing so - do you 
see an amplification resulting from this mode of attack?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

