DOS attack from PANAMSAT
Richard A Steenbergen
ras at e-gerbil.net
Sun Jul 7 19:08:14 UTC 2002
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
>
> Hello, Frank.
>
> ] Your upstreams, who will help you back-track. Nobody DoS'es with their
> ] real IP's anymore.
>
> Hmm, not according to the data I collect. I track numerous botnets and
> DoSnets, and a bit over 80% of them use the real IPs as the source of
> the floods. Then again, with 500 - 18000 bots, it isn't all that
> necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP, 1) the network
filters spoofed source addresses, 2) they haven't compromised root.
In the case of number 1, VERY few networks manage to restrict it to a
specific IP, only a common routed block. Most DDoS networks can detect
this, and only spoof the last octet.
In the case of number 2, there are still a lot of hosts out there which
can be compromised via something seemingly innocent (like say an Apache
exploit), and be used in a udp sendto() flood without ever getting root.
A common technique is to mix the two, or intentionally have nodes which
can fully spoof limit themselves to something random and then a per-packet
spoofed last octet. This does a fairly effective job of discouraging the
victim from sending complaints, since they assume that either everything
is spoofed, or nothing will be done since it will never be traced back to
the actual originating machine.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
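As an added illustration of the filtering point made above (example code written for this archive page, not part of Richard's post or of any NANOG project), the script below contrasts a block-level ingress filter with a per-host one and then runs a simple detection check over flow records. The customer prefix 203.0.113.0/24, the host 203.0.113.10, the sample packets and the flow records are all constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed scenario (not from the post): an access router's customer port is
# assigned the RFC 5737 documentation block 203.0.113.0/24, and the only host
# that should be sourcing traffic on it is 203.0.113.10.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_HOST = ipaddress.ip_address("203.0.113.10")


def prefix_filter(src: str) -> bool:
    """Block-level ingress filter: accept any source inside the routed block.

    This is the 'common routed block' filter the post describes; it only stops
    sources from outside the block, so a changed last octet still passes."""
    return ipaddress.ip_address(src) in CUSTOMER_PREFIX


def host_filter(src: str) -> bool:
    """Per-host ingress filter: accept only the address assigned to this port."""
    return ipaddress.ip_address(src) == CUSTOMER_HOST


# Constructed sample packets: (source address, description).
SAMPLE_PACKETS = [
    ("203.0.113.10", "legitimate host address"),
    ("203.0.113.77", "same /24, last octet changed"),
    ("198.51.100.5", "outside the block entirely"),
]


def evaluate(packets, filt):
    """Map each sample source address to whether the given filter accepts it."""
    return {src: filt(src) for src, _ in packets}


# Constructed flow records seen on the customer port: (source address, packet count).
SAMPLE_FLOWS = [
    ("203.0.113.10", 120),
    ("203.0.113.3", 40),
    ("203.0.113.77", 41),
    ("203.0.113.201", 39),
    ("203.0.113.250", 38),
]


def distinct_sources_per_block(flows, prefixlen=24):
    """Count distinct source addresses per /prefixlen block on one port.

    A port that should carry one host but shows many distinct last octets is
    the signature of a flood that only varies the last octet and therefore
    slips through a block-level filter."""
    seen = defaultdict(set)
    for src, _count in flows:
        block = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        seen[block].add(src)
    return {str(block): len(addrs) for block, addrs in seen.items()}


def flag_suspicious_port(flows, expected_hosts=1, slack=2):
    """Return True when the port sources more distinct addresses than expected."""
    counts = distinct_sources_per_block(flows)
    return any(n > expected_hosts + slack for n in counts.values())


if __name__ == "__main__":
    for name, filt in (("prefix", prefix_filter), ("host", host_filter)):
        print(name, evaluate(SAMPLE_PACKETS, filt))
    print("distinct sources:", distinct_sources_per_block(SAMPLE_FLOWS))
    print("suspicious:", flag_suspicious_port(SAMPLE_FLOWS))
```

The block-level filter accepts the changed-last-octet packet while the per-host filter rejects it; where per-host filtering is not practical on the router, the per-port distinct-source count gives the operator a way to notice the same condition from flow data after the fact.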