Over a decade of DDOS--any progress yet?

Rich Kulawiec rsk at gsp.org
Thu Dec 9 11:45:45 UTC 2010


On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
> ISPs are not the source.  The source is Microsoft.  The source is
> their buggy OS that is easily compromised to enable the computers to
> be taken over as part of the botnet.

I often disagree vehemently with JC, but not this time.

I've been studying bot-generated spam for most of the last decade, and to
about 6 nines, it's all been from Windows boxes.  (The rest?  A smattering
of "indeterminate" and various 'nix systems including MacOS.)

The botnet problem is a Microsoft problem.

Now...whether the botnet problem will still be a Microsoft problem in 2015:
can't say.  Clearly attackers have plenty of reasons to attack other systems
and in some cases, they'll be successful.  But it appears that to date,
the advantages they might accrue from owning a box running one of the
superior operating systems are outweighed by the costs of the effort
to do so.  (With a few rare exceptions, of course.)

But you don't have to take my word for this.  Turn on passive OS
fingerprinting on your MX's and start recording data, including DNS
and rDNS, putative sender, recipient, etc.  Accumulate a couple
years' worth and analyze.

This is why some rather effective defensive techniques (not just for
spam) can be constructed by differentiating traffic based on the
operating system of the host originating that traffic.

---rsk
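One way to do the analysis the post suggests, as an added example that is not from the original post or its author: a small Python tally over a constructed log export (an assumed tab-separated layout with timestamp, client IP, passive OS guess, rDNS, putative sender, recipient and filter verdict; the OS strings and format are made up and are not any fingerprinting tool's native output), grouping connections by fingerprinted OS family and deriving a conservative per-connection greylisting action from OS class plus rDNS presence.

```python
from collections import Counter, defaultdict

# Constructed sample export from an MX that logs the passive-OS guess per
# connection: timestamp, client IP, OS guess, rDNS ('-' if none), MAIL FROM,
# RCPT TO, filter verdict. Layout assumed for this example only.
SAMPLE_LOG = """\
2010-12-08T07:01:02Z\t198.51.100.7\tWindows XP/2000\t-\tjoe@example.net\tsales@example.org\tspam
2010-12-08T07:01:09Z\t203.0.113.5\tLinux 2.6.x\tmx1.example.com\tlist@example.com\tops@example.org\tham
2010-12-08T07:02:31Z\t198.51.100.23\tWindows XP/2000\t-\tann@example.net\tinfo@example.org\tspam
2010-12-08T07:03:44Z\t192.0.2.9\tWindows 7 or 8\tmail.example.net\tbob@example.net\tops@example.org\tham
2010-12-08T07:05:12Z\t198.51.100.41\tWindows XP/2000\t-\tsue@example.net\tsales@example.org\tspam
2010-12-08T07:06:50Z\t203.0.113.77\tMac OS X\tstudio.example.com\tkim@example.com\tinfo@example.org\tham
2010-12-08T07:07:03Z\t198.51.100.88\tunknown\t-\tpat@example.net\tinfo@example.org\tspam
"""
FIELDS = ("ts", "ip", "os_guess", "rdns", "sender", "recipient", "verdict")

def parse_line(line):
    """Split one tab-separated log line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed line: {line!r}")
    return dict(zip(FIELDS, parts))

def os_family(os_guess):
    """Collapse a fingerprint string into a coarse family for tallying."""
    g = os_guess.lower()
    if g.startswith("windows"):
        return "Windows"
    if g.startswith(("linux", "freebsd", "openbsd", "netbsd", "solaris", "mac os")):
        return "Unix-like"
    return "indeterminate"

def tally_by_os(log_text):
    """Return {family: Counter(verdict -> count)} over the whole log."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            counts[os_family(rec["os_guess"])][rec["verdict"]] += 1
    return counts

def spam_share(counts):
    """Fraction of all spam-verdict connections attributed to each OS family."""
    total_spam = sum(c["spam"] for c in counts.values())
    return {f: c["spam"] / total_spam for f, c in counts.items()} if total_spam else {}

def policy(rec):
    """Per-connection action: defer (greylist) Windows or unidentified clients
    with no rDNS, where the tally concentrates bot spam; accept the rest."""
    if os_family(rec["os_guess"]) in ("Windows", "indeterminate") and rec["rdns"] == "-":
        return "greylist"
    return "accept"
```

Greylisting rather than rejecting keeps the cost of a wrong fingerprint to a retry delay, so the tally can be reviewed for a while before tightening the policy.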
