ONS - The few the proud ... the sleeping

Thu Aug 16 16:30:42 UTC 2007

Maybe I shouldn't have made a blanket statement considering the 
audience, my bad.  My point was more that for most attacks not 
specifically directed at the network gear itself, meaning packets 
traversing the network, can potentially be managed.  Shutting down an 
interface if you can find where it enters your network, and maybe if 
there is a pattern that can be matched on and null routing that traffic, 
etc.  Short of terrorism (disruption without any purpose other than 
disruption itself) most bot nets were designed to accomplish something, 
usually that something isn't taking out the highway that earns them 
income.  Maybe a target on the highway that causes them problems earning 
said income being knocked offline.

Stephen Wilcox wrote:
> So if someone had a moderately large botnet (100k hosts) and these had an average broadband speed of say 2Mbps .. you are saying that 200Gb of traffic can be handled?
>
> Given that the fastest edge connections (outside of Peter Lothbergs bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a networks critical connectivity.
>
> Steve
>
> On Thu, Aug 16, 2007 at 09:58:11AM -0400, Jason LeBlanc wrote:
>   
>> If anyone is running a large enough network that they can't mitigate 
>> this it would suprise me, and they would deserve to be taken out.  
>> Unless all these bots are directly connected (direct customer) and 
>> concentrated on one portion of the network (not spread across the entire 
>> access layer) I can't imagine with the tools, features, products, etc 
>> that are available today (that can almost manage dDoS attacks for you) 
>> that it couldn't be mitigated.  5-6 years ago this would have been a lot 
>> tougher, but it was still doable. 
>>
>> It would be interesting to get into a really technical architectural 
>> discussion.  I have my ideas as to how to manage it, I'm sure others do 
>> as well, and differently.  And ASN701 as mentioned specifically has 
>> someone who was able to manage these things 5-6 years ago in Chris 
>> Morrow (assuming you're still there).  He helped us quite a bit back in 
>> those days, and without all the toys that are out there today.
>>
>> J. Oquendo wrote:
>>     
>>> Valdis.Kletnieks at vt.edu wrote:
>>>
>>>  
>>>       
>>>> I doubt if anybody would notice a DDoS attack against MAE-East. ;)
>>>>    
>>>>         
>>> Who was it that doubted anyone would need more then 1024k of memory?
>>>
>>>  
>>>       
>>>> 1) You need a pretty big hose, or a *lot* of computers to do it.
>>>>    
>>>>         
>>> I would hope some have been reading news reports where its alleged this
>>> particular botnet is over 1.7 million machines deep.
>>>
>>>
>>>  
>>>       
>>>> 2a) The ankle-biters don't hose down backbones because (1) they don't 
>>>> usually
>>>> even know what a backbone is, and (2) they're usually too busy pointing 
>>>> their
>>>> DDoS tools at some other ankle-biter or IRC admin that cheesed them off.  
>>>> Yes,
>>>> these guys have taken out a few mid-tiers, but it's accidental collateral
>>>> damage, not the intended target.
>>>>    
>>>>         
>>> Come on now surely you don't believe this to be the only cases where
>>> idiots us botnets. Have you not read the reports of morons hosing a
>>> network for randsom.
>>>
>>>  
>>>       
>>>> 2b) The pros don't hose down backbones, because if a backbone is down, 
>>>> they
>>>> can't make money from their now-disconnected botnet.
>>>>    
>>>>         
>>> Re-read above statement
>>>
>>>  
>>>       
>>>> Yeah, a concerted effort probably *would* take out AS701 or similar.  But 
>>>> we
>>>> don't see it happen often, because the people who have the ability to do 
>>>> it
>>>> also realize that while AS701 is out napping, their other business 
>>>> ventures
>>>> are taking a hit from the lost connectivity...
>>>>    
>>>>         
>>> For years now I contemplated how long would it be before someone created
>>> the ultimate botnet/backbone killer. I've always wondered "Hrmm... How
>>> would I COUNTER this if x happened." I've rambled on about it for I
>>> don't know 8 years now, starting with "Theories in DoS" before DDoS was
>>> really even pimped out by Dave Dittrich... People thought (probably
>>> still do think) I was (am) looney. My guess is, give or take a few years
>>> and you will get that one pissed off person to lay the smack down on
>>> peers worldwide.
>>>
>>> When this happens (hopefully it won't), I'll sit back and ramble on some
>>> more with "that's so yesterday... I predicted it a "real long time ago"
>>> (www.infiltrated.net/chappelle.mp3) then go back to rambling on as I
>>> always do.
>>>
>>>
>>>  
>>>       