Destructive botnet originating from Japan

Rob Thomas robt at cymru.com
Sat Dec 24 20:49:40 UTC 2005


Hi, NANOGers.

We've seen these PHP-built botnets for about two years now.  They have
recently become more popular.  This is due to the fact that a very few
of these bots can send out far more packet love than a large collection
of broadband (generally Windows) bots.  Return on investment and all
that.

Most bots don't attack "forever."  The typical bot commands give an
attack duration in either packets or time.  I suspect that'll be the
case with this botnet, so the attack may not last for months.  In other
words, it would be wise to check those flows sooner rather than later.

Folks shouldn't focus solely on PHP, though that is the rage du jour.
Even the venerable PhatBot family, generally used to compromise hosts
running Windows, had a Linux spreader in it.  Increasingly Unix
systems and Cisco routers are the primary targets.

Keep in mind that botnets are but one facet of the threat.  There are
a plethora of just-in-time DoSnets built off of the same
vulnerabilities.  In this case there is no central command and control,
making mitigation even more challenging.  It's fairly easy to run a
command on a vulnerable host through the same exploit that will permit
one to install a bot.  Just-in-time DoSnets are readily built and used
in amplification attacks as well.

Bots have never been solely a Windows problem.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);