nanog mailing list archives
Re: DOS attack from PANAMSAT
From: Stephen Griffin <stephen.griffin () rcn com>
Date: Sun, 7 Jul 2002 21:04:52 -0400 (EDT)
In the referenced message, Clayton Fiske said:
On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote:On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/There are only two situations where a DoS uses its real IP, 1) the network filters spoofed source addresses, 2) they havn't compromised root.Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't know the breakdown of botnets in terms of which platform they typically harvest for hosts, but I'd imagine Windows represents a significant portion of non-spoofed attacks. -c
I believe it is fairly trivial to add this functionality to these machines. Even if the addons weren't part of the payload, the worm could go snag it off the public internet and install it.
Current thread:
- DOS attack from PANAMSAT Roy (Jul 06)
- Re: DOS attack from PANAMSAT Christopher L. Morrow (Jul 06)
- <Possible follow-ups>
- Re: DOS attack from PANAMSAT Rizzo Frank (Jul 06)
- Re: DOS attack from PANAMSAT Rob Thomas (Jul 06)
- Re: DOS attack from PANAMSAT Richard A Steenbergen (Jul 07)
- Re: DOS attack from PANAMSAT Clayton Fiske (Jul 07)
- Re: DOS attack from PANAMSAT Valdis . Kletnieks (Jul 07)
- Re: DOS attack from PANAMSAT Clayton Fiske (Jul 07)
- Re: DOS attack from PANAMSAT Valdis . Kletnieks (Jul 07)
- Re: DOS attack from PANAMSAT Rob Thomas (Jul 06)
- Re: DOS attack from PANAMSAT Stephen Griffin (Jul 07)