[49629] in North American Network Operators' Group


Re: DOS attack from PANAMSAT

daemon@ATHENA.MIT.EDU (Clayton Fiske)
Sun Jul 7 15:46:41 2002

Date: Sun, 7 Jul 2002 12:45:13 -0700
From: Clayton Fiske <clay@bloomcounty.org>
To: NANOG <nanog@merit.edu>
In-Reply-To: <20020707190813.GH99199@overlord.e-gerbil.net>; from ras@e-gerbil.net on Sun, Jul 07, 2002 at 03:08:14PM -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote:
> On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
> > Hmm, not according to the data I collect.  I track numerous botnets and
> > DoSnets, and a bit over 80% of them use the real IPs as the source of
> > the floods.  Then again, with 500 - 18000 bots, it isn't all that
> > necessary to mask the source IPs.  :/
> 
> There are only two situations where a DoS uses its real IP, 1) the network 
> filters spoofed source addresses, 2) they haven't compromised root.

Don't forget 3) the machine compromised isn't capable of spoofing.
In Win95/98/ME/NT, there is no raw socket functionality. I don't
know the breakdown of botnets in terms of which platform they
typically harvest for hosts, but I'd imagine Windows represents a
significant portion of non-spoofed attacks.

-c

