Krebs on Security booted off Akamai network after DDoS attack proves pricey

Mark Andrews marka at isc.org
Sun Sep 25 21:07:25 UTC 2016


This is such a golden opportunity for each of you to find compromised
hosts on your network or your customers' networks.  The number of
genuine lookups of the blog vs the number of botted machines would
make it almost certain that anything directed at the blog is a
compromised machine.  A phone call to the customer / further analysis
would reduce the false positive rate.

Mark

In message <CALoKGd2oN=mq_Gn75UrugUPDKfGPeD6cfq_AY+f-M1XUaCo46Q at mail.gmail.com>, Alexander Lyamin writes:
> This time around it's not about spoofing.
> 
> I presume this is a development of the same botnet/worm that we saw on day 2 of
> the Shellshock public disclosure - it was pretty high-tech - Golang,
> arm/mips/x86 support, multiple attack vectors - including (surprisingly)
> very effective password guessing.
> It counted ~100k heads on day 2, and I suppose they have grown quite a bit.
> 
> 
> That's part of the problem, why they cause that much havoc - they have real IP
> addresses and are reasonably well connected - so they can wreak havoc on
> bandwidth and the TCP stack.
> 
> They most likely do not have enough resources to do a full browser stack;
> that's why I think the L7 capabilities of the botnet will be very basic.
> 
> 
> 
> On Sun, Sep 25, 2016 at 7:00 PM, John Kristoff <jtk at depaul.edu> wrote:
> 
> > On Sun, 25 Sep 2016 14:36:18 +0000
> > Ca By <cb.list6 at gmail.com> wrote:
> >
> > > As long as there is one spoof-capable network on the net, the problem
> > will
> > > not be solved.
> >
> > This is not strictly true.  If it could be determined where a large
> > bulk of the spoofing came from, public pressure could be applied.  This
> > may not have been the issue in this case, but in many amplification and
> > reflection attacks, the originating spoof-enabled networks were from a
> > limited set of networks.  De-peering, service termination, shaming, etc
> > could have an effect.
> >
> > John
> >
> 
> 
> 
> -- 
> 
> Alexander Lyamin
> 
> CEO | Qrator <http://qrator.net/>* Labs*
> 
> office: 8-800-3333-LAB (522)
> 
> mob: +7-916-9086122
> 
> skype: melanor9
> 
> mailto:  la at qrator.net
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org