nanog mailing list archives
Re:Destructive botnet originating from Japan
From: Rob Thomas <robt () cymru com>
Date: Sat, 24 Dec 2005 14:49:40 -0600 (CST)
Hi, NANOGers.

We've seen these PHP-built botnets for about two years now. They have recently become more popular. This is due to the fact that a very few of these bots can send out far more packet love than a large collection of broadband (generally Windows) bots. Return on investment and all that.

Most bots don't attack "forever." The typical bot commands give an attack duration in either packets or time. I suspect that'll be the case with this botnet, so the attack may not last for months. In other words, it would be wise to check those flows sooner rather than later.

Folks shouldn't focus solely on PHP, though that is the rage du jour. Even the venerable PhatBot family, generally used to compromise hosts running Windows, had a Linux spreader in it. Increasingly Unix systems and Cisco routers are the primary targets.

Keep in mind that botnets are but one facet of the threat. There are a plethora of just-in-time DoSnets built off of the same vulnerabilities. In this case there is no central command and control making mitigation even more challenging. It's fairly easy to run a command on a vulnerable host through the same exploit that will permit one to install a bot. Just-in-time DoSnets are readily built and used in amplification attacks as well.

Bots have never been solely a Windows problem.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);