Krebs on Security booted off Akamai network after DDoS attack proves pricey
outsider at scarynet.org
Wed Sep 28 06:17:34 UTC 2016
If those where in fact non-spoofed sources, then i am surely interested in getting that list in order to put it into my dnsbl (dronebl). So if someone has it, or can tell me who to contact. Feel free to provide me with it offlist.
Especially if this botnet uses one of the many irc networks (like undernet) that is utilizing the dnsbl list and the cc is harbored there, it might help.
Also, most 'admins' only start realizing something is wrong in their network once their precious bizmail won't arrive at clients because their infected ip is listed and the remote mx refuses the mail because of the listing.
- Technical Maintenance Engineer Parkstad Support BV- Maintainer DroneBL- Peplink Certified Engineer
-------- Oorspronkelijk bericht --------Van: Hugo Slabbert <hugo at slabnet.com> Datum: 26-09-16 05:54 (GMT+01:00) Aan: "John R. Levine" <johnl at iecc.com> Cc: nanog at nanog.org Onderwerp: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
On Sun 2016-Sep-25 17:01:55 -0400, John R. Levine <johnl at iecc.com> wrote:
>>The attack is triggered by a few spoofs somewhere in the world. It is not
>>feasible to stop this.
>That paper is about reflection attacks. From what I've read, this was
>not a reflection attack. The IoT devices are infected with botware
>which sends attack traffic directly. Address spoofing is not particularly
>useful for controlling botnets.
But that's not only remaining use of source address spoofing in direct
attacks, no? Even if reflection and amplification are not used, spoofing
can still be used for obfuscation.
>For example, the Conficker botnet generated pseudo-random domain names
>where the bots looked for control traffic.
>>Please see https://www.ietf.org/rfc/rfc6561.txt
>Uh, yes, we're familiar with that. We even know the people who wrote
>it. It could use an update for IoT since I get the impression that in
>many cases the only way for a nontechnical user to fix the infection
>is to throw the device away.
>John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
>Please consider the environment before reading this e-mail. https://jl.ly
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
More information about the NANOG