#1 2007-10-18 20:18:37

Sorry for the interruption. We need to move over to Dreamhost soon.


 

#2 2007-10-18 20:27:29

Already there. Give them through the weekend, at least. I had a server load over 300 this afternoon.


 

#3 2007-10-18 21:09:27

All my 1and1 sites were down temporarily, so it was a major burp.

DDOS attacks suck, but worse things are a brewin'.


 

#4 2007-10-29 06:21:11

opsec wrote:

DDOS attacks suck, but worse things are a brewin'.

Thanks for that link; I really enjoyed the article. So I grabbed the first URL spam that was smart enough to get past my spam filter and

Code:

watch -n 1 -d dig abovevoice.cn

sure enough, a fast-flux on a 300-second rotation. I don't quite agree that they are so hard to spot as the article implies, but they are certainly hard on the first pass, and require monitoring to collect the zombie pool. Then of course the real question is what to use to blackball or wall off the pool once you have it, without bringing your apps to a crawl. The upside of the issue is that if you collect these zombie IPs and have a method to benefit from the data, who knows how many attacks you can ward off?


 

#5 2007-10-29 10:50:04

Most of this is over my head, but it seemed that the gist of the article was that the "mothership" nodes were hard to ferret out. 

Another problem would seem to be that any IPs you record as infected wouldn't necessarily be static... couldn't an infected machine simply renew its IP often and re-register with the "mothership"? This may be an ignorant question as I only partially understand this shit.

There are conflicting reports about the size of the zombie mob; some researchers insist that newer AV has caught and cleaned some 90% of the infected machines. Others insist on up to 50 million infected machines and rising. As usual there's little consensus.

What scares me is how open the whole TCP/IP network schema is to this sort of chicanery, and how technically savvy the criminal element has become.


 

#6 2007-10-29 11:02:18

opsec wrote:

What scares me is how open the whole TCP/IP network schema is to this sort of chicanery, and how technically savvy the criminal element has become.

You shouldn't be. Think of IPv4 as Disney World if designed and built by extremely smart 12-year-olds for their own amusement. Somebody's bound to get hurt, and they'll probably forget to put locks on a lot of doors. Don't worry, the Chinamen and the Hindoos will force us into IPv6 before too long.


 

#7 2007-10-29 11:32:37

IPv6.  UGH.


 

#8 2007-10-29 11:33:06

opsec wrote:

Most of this is over my head, but it seemed that the gist of the article was that the "mothership" nodes were hard to ferret out.

True enough, but once you have the domain name that's being invoked you could step on it when your users call out for DNS.

opsec wrote:

Another problem would seem to be that any IPs you record as infected wouldn't necessarily be static... couldn't an infected machine simply renew its IP often and re-register with the "mothership"? This may be an ignorant question as I only partially understand this shit.

No, you're absolutely right. I was forgetting that just because you're on a fast connection doesn't mean you have a static IP.

opsec wrote:

There are conflicting reports about the size of the zombie mob, some researchers insist that newer AV has caught and cleaned some 90% of the infected machines.

Maybe that's true for that subset of machines actually -running- recent AV. :(

opsec wrote:

What scares me is how open the whole TCP/IP network schema is to this sort of chicanery, and how technically savvy the criminal element has become.

Open is good, but this is indeed impressive technology. At least for someone as easily impressed as me...


 
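The `watch -n 1 -d dig` monitoring from post #4, the "collect the zombie pool" step, the dynamic-IP caveat from post #5, and the "step on the domain at your resolver" idea from post #8, pulled together as one added example (not code from anyone in the thread). It parses dig-style ANSWER SECTION snapshots taken on successive polls, flags fast-flux behaviour when the TTL is short and the A-record set keeps churning, tracks first/last-seen per address so stale pool entries can be aged out, and emits the dnsmasq `address=/domain/ip` line that would sinkhole the domain for local clients. The domain names, TTL threshold, churn threshold and IP addresses (RFC 5737 documentation ranges) are constructed assumptions, not the real zombie pool.

```python
import re
from collections import OrderedDict

# Constructed sample: four consecutive ANSWER SECTION snapshots of
# `dig abovevoice.cn`, a few minutes apart. Addresses are RFC 5737
# documentation ranges chosen for illustration only.
POLLS = [
    "abovevoice.cn.\t300\tIN\tA\t192.0.2.10\n"
    "abovevoice.cn.\t300\tIN\tA\t198.51.100.7\n"
    "abovevoice.cn.\t300\tIN\tA\t203.0.113.21\n",
    "abovevoice.cn.\t300\tIN\tA\t192.0.2.55\n"
    "abovevoice.cn.\t300\tIN\tA\t198.51.100.7\n"
    "abovevoice.cn.\t300\tIN\tA\t203.0.113.99\n",
    "abovevoice.cn.\t300\tIN\tA\t192.0.2.10\n"
    "abovevoice.cn.\t300\tIN\tA\t198.51.100.130\n"
    "abovevoice.cn.\t300\tIN\tA\t203.0.113.8\n",
    "abovevoice.cn.\t300\tIN\tA\t192.0.2.201\n"
    "abovevoice.cn.\t300\tIN\tA\t198.51.100.7\n"
    "abovevoice.cn.\t300\tIN\tA\t203.0.113.21\n",
]

# Constructed contrast: ordinary hosting with a long TTL and a stable answer.
STABLE_POLLS = [
    "example.com.\t86400\tIN\tA\t192.0.2.1\n"
    "example.com.\t86400\tIN\tA\t192.0.2.2\n"
] * 4

# Matches one dig answer line for an A record: name, TTL, class, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_a_records(answer_text):
    """Return [(name, ttl, ip)] from dig-style answer lines; other RR types are ignored."""
    return [(m.group(1).rstrip(".").lower(), int(m.group(2)), m.group(3))
            for m in ANSWER_RE.finditer(answer_text)]


def build_pool(polls):
    """Merge snapshots into an address pool keyed by IP -> (first_poll, last_poll)."""
    pool, sets, ttls = OrderedDict(), [], []
    for i, text in enumerate(polls):
        recs = parse_a_records(text)
        ips = frozenset(ip for _, _, ip in recs)
        sets.append(ips)
        ttls.extend(ttl for _, ttl, _ in recs)
        for ip in ips:
            first, _ = pool.get(ip, (i, i))
            pool[ip] = (first, i)  # keep first sighting, advance last sighting
    return pool, sets, ttls


def classify(polls, max_ttl=600, min_churn=0.5):
    """Fast-flux heuristic (assumed thresholds): short TTL, answer set changes
    between most polls, and more distinct IPs seen than any one answer holds.
    A single poll can never trip it, which is why monitoring over time matters."""
    pool, sets, ttls = build_pool(polls)
    if not ttls:
        return {"fast_flux": False, "reason": "no A records", "pool": pool}
    changes = sum(1 for a, b in zip(sets, sets[1:]) if a != b)
    churn = changes / max(len(sets) - 1, 1)
    per_answer = max(len(s) for s in sets)
    verdict = max(ttls) <= max_ttl and churn >= min_churn and len(pool) > per_answer
    return {"fast_flux": verdict, "max_ttl": max(ttls), "churn": churn,
            "unique_ips": len(pool), "per_answer": per_answer, "pool": pool}


def stale_ips(pool, now_poll, max_age_polls):
    """Pool members not seen within max_age_polls of now_poll: candidates for
    expiry, since a zombie on a dynamic connection may have moved on (post #5)."""
    return {ip for ip, (_, last) in pool.items() if now_poll - last > max_age_polls}


def sinkhole_line(domain, sink="127.0.0.1"):
    """dnsmasq directive answering the domain and its subdomains with the sink
    address, so clients that 'call out for DNS' never reach the flux nodes."""
    return f"address=/{domain}/{sink}"


if __name__ == "__main__":
    result = classify(POLLS)
    print(result["fast_flux"], result["unique_ips"], result["churn"])
    if result["fast_flux"]:
        print(sinkhole_line("abovevoice.cn"))
    print(sorted(stale_ips(result["pool"], now_poll=3, max_age_polls=1)))
```

To use it against a live domain, capture the ANSWER SECTION of each `dig` run into a list of strings on the 300-second cadence the post observed; the verdict only becomes meaningful once several polls have been collected, and the pool should be aged with `stale_ips` rather than treated as permanent.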


cruelery.com