DOS attack from PANAMSAT

Richard A Steenbergen ras at e-gerbil.net
Sun Jul 7 19:08:14 UTC 2002


On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
> 
> Hello, Frank.
> 
> ] Your upstreams, who will help you back-track.  Nobody DoS'es with their
> ] real IP's anymore.
> 
> Hmm, not according to the data I collect.  I track numerous botnets and
> DoSnets, and a bit over 80% of them use the real IPs as the source of
> the floods.  Then again, with 500 - 18000 bots, it isn't all that
> necessary to mask the source IPs.  :/

There are only two situations where a DoS uses its real IP: 1) the network 
filters spoofed source addresses, 2) they haven't compromised root.

In the case of number 1, VERY few networks manage to restrict it to a
specific IP, only a common routed block. Most DDoS networks can detect 
this, and only spoof the last octet.

In the case of number 2, there are still a lot of hosts out there which 
can be compromised via something seemingly innocent (like say an Apache 
exploit), and be used in a udp sendto() flood without ever getting root.

A common technique is to mix the two, or intentionally have nodes which 
can fully spoof limit themselves to something random and then a per-packet 
spoofed last octet. This does a fairly effective job of discouraging the 
victim from sending complaints, since they assume that either everything 
is spoofed, or nothing will be done since it will never be traced back to 
the actual originating machine.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)