Destructive botnet originating from Japan (fwd)

• Previous message (by thread): Destructive botnet originating from Japan (fwd)
• Next message (by thread): Destructive botnet originating from Japan (fwd)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rob,

You made a good point on the duration of the attacks, I neglected to  
notice the attack command was set to 99999.  One of our engineers  
logged the bot master issuing the attack command:

     man!~man at 127.0.0.1 PRIVMSG $127.0.0.1 :.dos 99999 s| 
xxx.xxx.xxx.xxx|80

99999 is the number of the seconds and its 86400 seconds is 24 hours  
and slightly over that we saw the bots stop attacking.  So they were  
not running forever, but they did run on their own for about 27  
hours.  It made our NOC guys happy to see Christmas eve with a clean  
network.

You are also very correct on the force levels, Linux web servers are  
usually more connected than a cable modem user, so the bandwidth  
levels are much higher.  In the latest round of attack we have seen,  
the attack rates are growing near the 10 Gig range.  The PPS rates  
are also getting much higher seeing the fragmented UDP attacks  
getting packet sizes much smaller than a 64-byte SYN packet.

What I find shocking is that machines that should be more secured or  
at least monitored better appear to run for long periods going  
unnoticed.  It seems that some system administrators are just not  
paying attention to large outbound bursts from their networks.


-Barrett 

• Previous message (by thread): Destructive botnet originating from Japan (fwd)
• Next message (by thread): Destructive botnet originating from Japan (fwd)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]