nanog mailing list archives

Fwd: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app


From: Jonathan Hall <jhall () futuresouth us>
Date: Sun, 13 Dec 2015 10:14:53 +0000

Stupid me forgot to CC the NANOG list.

Begin forwarded message:

From: Jonathan Hall <jhall () futuresouth us<mailto:jhall () futuresouth us>>
Date: 13 December 2015 at 11:13:31 GMT+1
To: Jay Ashworth <jra () baylink com<mailto:jra () baylink com>>
Subject: Re: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app

DDoS attacks launched from massive botnets are not unusual, and mobile phones being used as participants of said 
botnets has been a well known thing since Android came to market.

People seem to have forgotten about AgoBot/PhatBot/GaoBot. Once upon a time, it was dubbed “The Swiss Army Knife of The 
Internet,” being fully cross-platform. It compiled on Linux, BSD and Windows with no problem, and as such, had 
spreading capabilities to infect cross-platform just the same. It was purely P2P at core, but also supported IRC. The 
P2P portion was for the developers. Anyone who had botnets generally only used and knew of the IRC control point, 
and the code was watermarked originally to prevent any random Joe Blow from compiling. The botnets of those who had the 
code from Ago, Phatty and Wonk (the originators of the first release) were able to be controlled by a select group of 
friends of the developers.

This put more than 4 million bots at the disposal of that group.

Examining the synflood code that was contained within would show that the spoofing had multiple options, one of which 
was 100% completely random spoofed address per packet.

My personal favourite is the 0.0.0.0 source spoof, which spoofs from various random hosts in 0.0.0.0/8. Good luck 
filtering those out with ACLs and mitigation techniques… I’m not certain that would work today, but it most certainly 
did in 2004.

Concepts like this do not die off and just fade away into /dev/null land. People simply get smarter and quieter about 
it. Ago/Phatty/Wonk got hit in Operation Cyber Slam in 2004 and the bulk of it all was kept very quiet. Coincidentally, 
Ago’s young brother, Nills, was the developer of msblaster, too. But, alas, I digress...

Considering all of that, why would anyone be shocked to find massive attacks being launched from what is technically 
the easiest point of infection: phones? In this case, all that’s done is an app gets put up and the users download it. 
And with things such as Android roots and iPhone jailbreaks being common knowledge and point-and-click easy to do? More 
and more people are unlocking their devices just for the sake of saying, “My phone is rooted.” And as phones become 
more and more powerful, as well as bandwidth climbing to record highs on mobile platforms, you can only be assured that 
this sort of attack vector will continue to increase in popularity.

I do think that jumping up and saying, “ISIS is taking over US phones!” is a bit of a wild leap. But at the same time, 
why would anyone think they aren’t already using this method to fund themselves? Botnets = money, period. Do you have 
any idea how much money people pay for usage of botnets to launch attacks? Just pure chance says there are members of 
ISIL as well as present and potentially future supporters of ISIL that have botnets. After all, twelve year old kids 
with Guy Fawkes masks in their mothers’ basements have botnets these days…

On 12 Dec 2015, at 07:18, Jay Ashworth <jra () baylink com<mailto:jra () baylink com>> wrote:

Is McAfee just talking to dry his teeth here? This isn't actually practical, is it? Carriers would notice, right?

http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartphone-botnet-popular-app-1532993
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
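The message above contrasts two spoofing modes of the old synflood code: sources drawn from 0.0.0.0/8 versus a fully random 32-bit source per packet. The following is an added example by the editor, not code from the thread or from any of the bots named in it. It models the edge bogon ACL an operator would apply and runs both spoofing modes through it on constructed, seeded sample traffic; the bogon prefix list is the usual unroutable set and is an assumption of the example, not a claim about any particular network's filter.

```python
import ipaddress
import random

# Constructed bogon list: IPv4 prefixes that cannot legitimately be the
# source of a packet arriving from the Internet, so an edge ACL drops them.
# Assumption of this example; real operator bogon lists vary in detail.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon_source(src):
    """True if the edge bogon ACL would drop a packet with this source."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_PREFIXES)


def spoof_zero_net(rng):
    """Spoofing mode 1 from the thread: a random host inside 0.0.0.0/8."""
    return "0.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))


def spoof_fully_random(rng):
    """Spoofing mode 2 from the thread: a fully random 32-bit source per packet."""
    return str(ipaddress.IPv4Address(rng.getrandbits(32)))


def filter_stats(sources):
    """Count how many of the given sources the bogon ACL drops versus passes."""
    dropped = sum(1 for s in sources if is_bogon_source(s))
    return {"total": len(sources), "dropped": dropped, "passed": len(sources) - dropped}


def simulate(n=10000, seed=1):
    """Generate n spoofed packets in each mode (constructed sample traffic,
    deterministic via seed) and report what the bogon ACL catches."""
    rng = random.Random(seed)
    zero_net = [spoof_zero_net(rng) for _ in range(n)]
    fully_random = [spoof_fully_random(rng) for _ in range(n)]
    return {
        "zero_net": filter_stats(zero_net),
        "fully_random": filter_stats(fully_random),
    }


if __name__ == "__main__":
    for mode, stats in simulate().items():
        print(mode, stats)
```

Every 0.0.0.0/8-sourced packet lands in the bogon list, so that mode is a single ACL entry for the receiving side. The fully random mode is the harder one: only the roughly one in seven random 32-bit addresses that happen to fall inside a bogon prefix are dropped, and the rest are indistinguishable from legitimate routable sources at the victim's edge, which is why source filtering has to happen at the originating network (BCP 38 ingress filtering) rather than at the target.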


