[191683] in North American Network Operators' Group
Re: Krebs on Security booted off Akamai network after DDoS attack
daemon@ATHENA.MIT.EDU (Alexander Lyamin)
Sun Sep 25 16:46:31 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <20160925120021.79280a95@p50.localdomain>
From: Alexander Lyamin <la@qrator.net>
Date: Sun, 25 Sep 2016 20:48:53 +0200
To: jtk@aharp.iorc.depaul.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
This time around it's not about spoofing.
I presume this is a development of the same botnet/worm that we saw on day 2 of
the Shellshock public disclosure - it was pretty high-tech - golang,
arm/mips/x86 support, multiple attack vectors - including (surprisingly)
very effective password guessing.
It counted ~100k heads on day 2, and I suppose they did grow quite a bit.
That's part of the problem, and why they cause that much havoc - they do have real IP
addresses and are reasonably well connected - so they can wreak havoc in
bandwidth and the TCP stack.
They most likely do not have enough resources to do a full browser stack;
that's why I think the L7 capabilities of the botnet will be very basic.
On Sun, Sep 25, 2016 at 7:00 PM, John Kristoff <jtk@depaul.edu> wrote:
> On Sun, 25 Sep 2016 14:36:18 +0000
> Ca By <cb.list6@gmail.com> wrote:
>
> > As long as there is one spoof-capable network on the net, the problem
> > will not be solved.
>
> This is not strictly true. If it could be determined where a large
> bulk of the spoofing came from, public pressure could be applied. This
> may not have been the issue in this case, but in many amplification and
> reflection attacks, the originating spoof-enabled networks were from a
> limited set of networks. De-peering, service termination, shaming, etc.
> could have an effect.
>
> John
>
--
Alexander Lyamin
CEO | Qrator Labs <http://qrator.net/>
office: 8-800-3333-LAB (522)
mob: +7-916-9086122
skype: melanor9
mailto: la@qrator.net
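The post's practical point is that a botnet of real, well-connected hosts is the opposite of a reflection attack: the source addresses are not spoofed, so per-source accounting on the victim side is meaningful, and a bot without a full browser stack tends to hammer one URL without ever loading the page's assets. The script below is an added example (not code from the thread or from Qrator) that profiles sources from an access log and flags high-rate sources that never fetch assets. Assumptions: the log is in the common "combined" format with a user-agent field (the regex and the `ASSET_SUFFIXES` list are assumed, not taken from any product), the sample lines are constructed, and the thresholds are illustrative.

```python
"""Per-source request profiling for a non-spoofed, basic-L7 HTTP flood.

Added example; not part of the NANOG thread. The log format, the asset
suffix list and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Assumed "combined" access-log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths a real browser fetches after the HTML; a basic bot never does (assumed list).
ASSET_SUFFIXES = (".js", ".css", ".png", ".jpg", ".ico", ".woff")

# Constructed sample: 10.0.0.7 floods "/" and loads nothing else;
# 192.0.2.5 browses normally; 198.51.100.9 is a slow health-check poller.
SAMPLE_LOG = """\
10.0.0.7 - - [25/Sep/2016:18:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2016:18:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2016:18:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2016:18:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2016:18:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2016:18:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Sep/2016:18:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
192.0.2.5 - - [25/Sep/2016:18:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 8800 "http://example.net/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
192.0.2.5 - - [25/Sep/2016:18:00:03 +0000] "GET /static/site.css HTTP/1.1" 200 2100 "http://example.net/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
198.51.100.9 - - [25/Sep/2016:18:00:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.47.0"
198.51.100.9 - - [25/Sep/2016:18:00:10 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.47.0"
198.51.100.9 - - [25/Sep/2016:18:00:20 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.47.0"
198.51.100.9 - - [25/Sep/2016:18:00:30 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.47.0"
198.51.100.9 - - [25/Sep/2016:18:00:40 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.47.0"
"""


@dataclass
class SourceStats:
    """Per-source-IP counters; only meaningful when sources are not spoofed."""
    requests: int = 0
    asset_requests: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    paths: Set[str] = field(default_factory=set)
    agents: Set[str] = field(default_factory=set)

    def rate(self) -> float:
        """Requests per second over the observed span (floor of 1s)."""
        span = (self.last - self.first).total_seconds() if self.first else 0.0
        return self.requests / max(span, 1.0)


def profile_sources(log_text: str) -> Dict[str, SourceStats]:
    """Aggregate parsed log lines by source IP; unparseable lines are skipped."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        s = stats[m["ip"]]
        s.requests += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
        s.paths.add(m["path"])
        s.agents.add(m["ua"])
        if m["path"].lower().endswith(ASSET_SUFFIXES):
            s.asset_requests += 1
    return dict(stats)


def flag_basic_bots(stats: Dict[str, SourceStats],
                    min_requests: int = 5, min_rate: float = 1.0) -> List[str]:
    """Sources with enough volume to judge, a sustained rate above min_rate,
    and no asset fetches at all: the signature of a basic-L7 flooder."""
    flagged = [ip for ip, s in stats.items()
               if s.requests >= min_requests
               and s.rate() >= min_rate
               and s.asset_requests == 0]
    return sorted(flagged)


if __name__ == "__main__":
    profiled = profile_sources(SAMPLE_LOG)
    for ip, s in profiled.items():
        print(f"{ip:14} req={s.requests:3} rate={s.rate():6.2f}/s "
              f"assets={s.asset_requests} paths={len(s.paths)}")
    print("flagged:", flag_basic_bots(profiled))
```

The "never loads assets" heuristic is deliberately weak: a Go bot can be taught to request the CSS and JS it sees in the HTML in a few lines, so treat this as triage input for rate limiting or a JavaScript challenge rather than a verdict. The part that does not change is the one the post makes: none of this per-IP accounting would work against a reflection attack, where the addresses in the log are the victims of spoofing, not the attackers.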