nanog mailing list archives

Re: no ip forged-source-address


From: "David Howe" <DaveHowe () gmx co uk>
Date: Thu, 31 Oct 2002 13:38:25 -0000


at Thursday, October 31, 2002 1:22 PM, Randy Bush <randy () psg com> was
seen to say:
>> analogy games are fun, but it boils down to this... If I know the
>> real source of an attack, I can stop it within minutes.
>
> the real source of the attack is the skript kitty who zombied the
> 10,000 hosts which are sourcing packets at you.  the intermediate
> sources are the 10,000 zombies, and trying to deal with them at the
> source just does not scale.
Really you only need four or five, though. If you can monitor the tcp/ip
links each has, you should find a common node that is the control node
(assuming the current situation, where the bots remain connected during
the attack; a simple change could alter this to disconnect immediately
after orders are issued and not reconnect for a random time spanning
hours or days). Even then, unless the kiddie wishes to discard his
entire botnet after a single attack, they should eventually reconnect to
a control channel (probably an irc channel or similar).

At least theoretically, an irc server network could be tapped to
determine who is the controller in a bot room, or the bot room could be
discontinued. Again, this would only halt the current state of the art;
the bots could easily have a different network or a distributed
networking capability to recover the botnet after loss of a control
room. Actually, I would be surprised if bots didn't already have some
similar provision now.
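The correlation step described above (take the connections of a handful of zombies and look for the one remote endpoint they all share) can be shown with a few lines of code. This is an added example, not code from the post or from anyone on the thread. The flow records are constructed sample data, and the helper name `rank_control_candidates`, the victim address and the "known shared infrastructure" exclusion list are assumptions made for the illustration; the point of the exclusion list is the practical caveat that a shared DNS resolver or update server will also show up as a "common node" and has to be filtered out before the survivor is treated as the control channel.

```python
"""Find the common control node among a few zombies' outbound connections.

Added example (not from the NANOG post). Given outbound flow records from a
handful of compromised hosts, rank the remote endpoints by how many distinct
zombies talked to them. The attack victim is excluded, since every zombie in
the attack hits it by definition, and so is any known shared infrastructure
(resolvers, NTP, update servers) that unrelated hosts would contact anyway.
Whatever remains at the top of the ranking is the candidate control channel.
"""
from collections import defaultdict

# Constructed sample flows: (zombie_src, dst_ip, dst_port, proto).
# Four zombies, all flooding the victim 198.51.100.7. Three share a local
# resolver, one browses an unrelated site, and all four hold an IRC-style
# session to 203.0.113.44:6667 (the assumed control node).
SAMPLE_FLOWS = [
    ("10.0.1.5",  "198.51.100.7",  80,   "tcp"),   # flood toward victim
    ("10.0.1.5",  "203.0.113.44",  6667, "tcp"),   # control channel
    ("10.0.1.5",  "192.0.2.53",    53,   "udp"),   # shared resolver
    ("10.0.2.9",  "198.51.100.7",  80,   "tcp"),
    ("10.0.2.9",  "203.0.113.44",  6667, "tcp"),
    ("10.0.2.9",  "192.0.2.53",    53,   "udp"),
    ("10.0.3.17", "198.51.100.7",  80,   "tcp"),
    ("10.0.3.17", "203.0.113.44",  6667, "tcp"),
    ("10.0.3.17", "93.184.216.34", 443,  "tcp"),   # unrelated web traffic
    ("10.0.4.2",  "198.51.100.7",  80,   "tcp"),
    ("10.0.4.2",  "203.0.113.44",  6667, "tcp"),
    ("10.0.4.2",  "192.0.2.53",    53,   "udp"),
]


def rank_control_candidates(flows, victim, known_benign=frozenset(), min_zombies=2):
    """Return [((dst_ip, dst_port, proto), zombie_count)] sorted by count.

    Flows to the victim and to any address in known_benign are ignored.
    Endpoints reached by fewer than min_zombies distinct sources are dropped,
    so one host's private browsing does not pollute the list. Ties are broken
    by endpoint so the output is deterministic.
    """
    sources_by_endpoint = defaultdict(set)
    for src, dst, port, proto in flows:
        if dst == victim or dst in known_benign:
            continue
        sources_by_endpoint[(dst, port, proto)].add(src)

    ranked = [
        (endpoint, len(srcs))
        for endpoint, srcs in sources_by_endpoint.items()
        if len(srcs) >= min_zombies
    ]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def main():
    victim = "198.51.100.7"
    print("without infrastructure filter:")
    for endpoint, count in rank_control_candidates(SAMPLE_FLOWS, victim):
        print(f"  {endpoint[0]}:{endpoint[1]}/{endpoint[2]}  seen from {count} zombies")
    print("with the shared resolver excluded:")
    for endpoint, count in rank_control_candidates(
        SAMPLE_FLOWS, victim, known_benign={"192.0.2.53"}
    ):
        print(f"  {endpoint[0]}:{endpoint[1]}/{endpoint[2]}  seen from {count} zombies")


if __name__ == "__main__":
    main()
```

Run as-is, the first ranking lists the control node (4 zombies) ahead of the shared resolver (3 zombies); the second, with the resolver excluded, leaves only the control node. The same logic applies to the post's caveat about bots that drop the channel after orders and reconnect hours or days later: the flow records just have to span a long enough window for the reconnects to land in the sample, otherwise the control endpoint never accumulates enough distinct sources to clear `min_zombies`.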

