nanog mailing list archives

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey


From: Alexander Maassen <outsider () scarynet org>
Date: Wed, 28 Sep 2016 08:17:34 +0200

If those were in fact non-spoofed sources, then I am surely interested in getting that list in order to put it into my 
dnsbl (DroneBL). So if someone has it, or can tell me who to contact, feel free to provide me with it off-list.
Especially if this botnet uses one of the many IRC networks (like Undernet) that utilize the dnsbl list and the C&C 
is harbored there, it might help.
Also, most 'admins' only start realizing something is wrong in their network once their precious bizmail won't arrive 
at clients because their infected IP is listed and the remote MX refuses the mail because of the listing.

Kind regards,
Alexander Maassen
- Technical Maintenance Engineer, Parkstad Support BV
- Maintainer, DroneBL
- Peplink Certified Engineer

-------- Original message --------
From: Hugo Slabbert <hugo () slabnet com>
Date: 26-09-16 05:54 (GMT+01:00)
To: "John R. Levine" <johnl () iecc com>
Cc: nanog () nanog org
Subject: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On Sun 2016-Sep-25 17:01:55 -0400, John R. Levine <johnl () iecc com> wrote:

https://www.internetsociety.org/sites/default/files/01_5.pdf

The attack is triggered by a few spoofs somewhere in the world. It is not
feasible to stop this.

That paper is about reflection attacks.  From what I've read, this was 
not a reflection attack.  The IoT devices are infected with botware 
which sends attack traffic directly.  Address spoofing is not particularly 
useful for controlling botnets.  

But that's not the only remaining use of source address spoofing in direct 
attacks, no?  Even if reflection and amplification are not used, spoofing 
can still be used for obfuscation.

For example, the Conficker botnet generated pseudo-random domain names 
where the bots looked for control traffic.

Please see https://www.ietf.org/rfc/rfc6561.txt

Uh, yes, we're familiar with that.  We even know the people who wrote 
it. It could use an update for IoT since I get the impression that in 
many cases the only way for a nontechnical user to fix the infection 
is to throw the device away.

Regards,
John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal
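As an added illustration of the listing mechanism Alexander describes above (this is not code from the thread or from DroneBL): a receiving MX reverses the connecting client's address under the DNSBL zone and treats an answer inside 127.0.0.0/8 as "listed", per the RFC 5782 convention. The zone name dnsbl.dronebl.org, the return-code value and the sample listing are assumptions; the resolver is injectable so the check can run offline.

```python
import ipaddress
import socket

# Assumed DroneBL query zone; verify against DroneBL's own documentation.
DRONEBL_ZONE = "dnsbl.dronebl.org"


def dnsbl_query_name(ip: str, zone: str = DRONEBL_ZONE) -> str:
    """Build the DNSBL query name: octets (or IPv6 nibbles) reversed under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles, as in ip6.arpa
    return ".".join(reversed(labels)) + "." + zone


def _live_resolve(name: str) -> list:
    """Default resolver: A records for the query name; raises gaierror on NXDOMAIN."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]


def is_listed(ip: str, zone: str = DRONEBL_ZONE, resolve=_live_resolve) -> bool:
    """True when the list answers with an address in 127.0.0.0/8 (RFC 5782 convention)."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False  # NXDOMAIN: the address is not listed
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def smtp_greeting(client_ip: str, resolve=_live_resolve) -> str:
    """What a receiving MX does with a listed sender: refuse at connect time."""
    if is_listed(client_ip, resolve=resolve):
        return "554 5.7.1 Service unavailable; client address listed in DroneBL"
    return "220 mx.example.net ESMTP ready"


# Constructed sample listing so the check runs offline (not real DroneBL data).
_SAMPLE_LISTING = {"1.2.0.192." + DRONEBL_ZONE: ["127.0.0.3"]}


def sample_resolve(name: str) -> list:
    """Offline stand-in for the resolver, answering only for the constructed sample."""
    if name in _SAMPLE_LISTING:
        return _SAMPLE_LISTING[name]
    raise socket.gaierror("NXDOMAIN")  # mimic an unlisted address


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7"):
        print(ip, "->", smtp_greeting(ip, resolve=sample_resolve))
```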
