  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| "not usually capable of such precision" ?
My understanding is that these bot networks are highly precise: they're controlled by IRC, and they can be remotely controlled to attack anything on cue.
??? -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
|
 onin Premium join:2004-06-02 North York, ON | yes it is.  |
|
 Flizesh Premium join:2003-08-16 Staten Island, NY clubs: | CNET knows jack  |
|
 pnosker Premium join:2003-03-26 Stockton, NJ clubs:
| reply to Steve Not necessarily. I have friends (ones who claim to have done this, which I doubt) who tell me that they target a set of IPs, given to the bots with something like !ddos IPRANGE (i.e. 111.111.111.***). They don't target one site, but I guess you could do a DNS lookup on each site and get their exact IPs. I'm sure 20,000 bots or so could do this much damage, and I know people with more than that.
Most people with botnets don't waste their time with corporate websites though, they target others who piss them off, like for instance if an IRC network splits, they attack the other network's shells. |
|
  gruggni Oxygen Gets You High
join:2003-07-28 Corpus Christi, TX
1 edit | shut down?
I doubted they really shut it down. They were shut down for about 2 hrs. Zombies don't reside on the same IP blocks. If they block access to networks then they stop all access. Stopping zombies means stopping all traffic from said IP block. Thus they prevent legit traffic as well. |
|
 ced06
join:2004-03-12 Towanda, PA | reply to pnosker Re: "not usually capable of such precision" ?
I've seen people DDoS websites before...usually they just do !ddos riaa.org (the guy ddosed the riaa website), not bothering to mess with an IP range. :| |
|
 Redbaron2
join:2004-06-14 Tacoma, WA
| Bot-nets are small
I also very highly doubt that they stopped the bot-net; they more than likely just changed to hosts that used other IP numbers. If you take a look at AltaVista's site it still isn't back to normal, and Yahoo's site didn't update for several hours afterward. The total of sites affected is more than just the handful mentioned in the news articles. Symantec, McAfee, and Gmail, just to name a few more, were also hit. These bot programs could just have been a test run for a complete Internet attack. A person posted before that they knew people that had a few thousand bots at their command. Just look at it this way: a bot sending data from an infected machine has over 4000 ports to send out data onto the net. All those ports are not normally used by the computer for anything besides just being there, really. I think that more companies should make spyware and the like software available to scan for such bots. Then again, I wonder how long it will take AV makers to make software for smart phones? |
|
 Zunger
join:2003-08-24 Fayetteville, AR | netstat -a |
|
  fractalspher
join:2001-07-17 Chicago, IL clubs:
| DNS servers
This particular attack actually affected me!
Our public DNS server is (we now know) part of the Yahoo DNS servers. So at 7 am that morning I got a bunch of DNS alerts on my cellphone and in emails for servers on the west coast. I thought there had been an earthquake in San Francisco!
Ultimately it didn't kill our service, but did manage to give us about 100 DNS timeout errors all morning. 
As for the actual attack, they seemed to get it shut down fairly quickly... Less than a few hours.
Also, this was the day my yahoo email account was getting upgraded and I couldn't get email all morning either!  -- FractalSphere - "Maybe it's in the basement, I'll go upstairs and check" - M.C. Escher |
|
 beowulf9
join:2004-06-07 Lovettsville, VA
| 'bot net', really?
Is there any outside verification of the existence of this bot net or do we just have Akamai's word for it? Given the events of the last year and a half there's little reason to believe that corporations tell the truth.
Also, how, exactly, would Akamai "shut down" a distributed bot network? Maybe they have a huge distributed anti-bot bot net. |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB | Is this the first you have heard of bot nets?
They are widely known to exist and have been used to attack less well defended companies. |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB | reply to fractalspher Re: DNS servers
Comcast uses Yahoo DNS servers?
Doesn't Comcast have its own?
Wouldn't they only be referring to the Yahoo ones when their last resolution of Yahoo domains had expired? |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
1 edit | reply to Redbaron2 Re: Bot-nets are small
Such software for finding trojans is available, although not foolproof.
Because there are no effective legal restraints on Internet criminals, they are able to act like private armies and build up attack tools faster than volunteers can write free tools.
Visit the BBR Security Forum and follow the link "Before you post a HijackThis log follow these steps".
»Security »I think my computer is infected or hijacked. What should I do?
The real solution is either to make owners of computer security companies rich, with bandaid solution after bandaid solution, or to bring the rule of law to the Internet.
As for victim companies paying to make security software available for free -- maybe Internet users who were victimized by being unable to access Google, Yahoo, etc. should shell out the money to create such free software tools.
And then they can pay for the hardware upgrades to run the software. |
|
 bigbadtvfan
join:2004-06-18
| SBC bounces your mail with reverse DNS check!
We've been hearing from some of our customers that their email to us is bouncing back with a message No reverse DNS. Checked with SBC to find that a few days ago they were attacked by email bombs and to solve the problem, implemented a 100% reverse DNS check on all email.
While I hate spam, suddenly anyone using SBC as a domain provider cannot receive email from companies like BES Systems, Deutsche Bank, and Philip Morris. Tech support will tell you to call your clients and tell them to fix their DNS lookups. Sure!
I've tried to explain that clients just move on to another vendor if they have too much trouble with someone, but SBC can't understand this. Only monopoly thinking at SBC! |
|
  TRiXinMO
@ezdigitalnetwork.net
| reply to beowulf9 Re: 'bot net', really?
www.grc.com.... it's easy to shut it down if you are infected. The hardest problem was probably tracing down the IPs of the infected server and allowing someone to look at it. You toss on a packet sniffer. Disable the NIC, ENABLE the NIC. Then you have the IRC server name, channel, password, AND bot naming convention.
I did this before when a machine I had got infected (the roommate put the machine on the DMZ zone for some reason).
You get the cooperation of the IRC server operator. Problem fixed. |
|
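The capture step described in the post above, as an added example that is not part of the original thread: once the infected machine reconnects, a plaintext IRC registration exposes the server name, server password, channel, channel key and nick. The sample stream, all names in it and the helper functions `extract_c2` and `nick_pattern` are constructed for illustration.

```python
import re

# Constructed sample, all values made up: one reassembled TCP stream from a
# capture on the infected host, covering the bot's reconnect to its IRC server.
SAMPLE_STREAM = (
    b"PASS srvpass123\r\n"
    b"NICK USA|482913\r\n"
    b"USER xk 0 * :xk\r\n"
    b":irc.example.net 001 USA|482913 :Welcome\r\n"
    b"JOIN #example-chan chankey\r\n"
)

def nick_pattern(nick):
    """Generalise one observed nick into a regex for the naming convention."""
    parts = re.split(r"(\d+)", nick)
    return "".join(r"\d{%d}" % len(p) if p.isdigit() else re.escape(p)
                   for p in parts)

def extract_c2(stream):
    """Return the control-channel details visible in an IRC registration."""
    info = {"server": None, "server_pass": None, "nick": None,
            "nick_regex": None, "channels": []}
    for raw in stream.split(b"\r\n"):
        line = raw.decode("utf-8", "replace").strip()
        if not line:
            continue
        if line.startswith(":"):
            # Server-originated line; ":<server> 001 <nick> ..." is the welcome.
            prefix, _, rest = line[1:].partition(" ")
            if rest.split(" ", 1)[0] == "001":
                info["server"] = prefix
            continue
        cmd, _, args = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS":
            info["server_pass"] = args.lstrip(":")
        elif cmd == "NICK":
            info["nick"] = args.lstrip(":")
        elif cmd == "JOIN":
            fields = args.split()
            if fields:
                chans = fields[0].split(",")
                keys = fields[1].split(",") if len(fields) > 1 else []
                for i, chan in enumerate(chans):
                    key = keys[i] if i < len(keys) else None
                    info["channels"].append((chan, key))
    if info["nick"]:
        info["nick_regex"] = nick_pattern(info["nick"])
    return info

if __name__ == "__main__":
    print(extract_c2(SAMPLE_STREAM))
```

The resulting server name, channel and nick regex are the details to hand to the IRC server operator and to use for matching other infected hosts in network logs.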
  devrandom I got a pot, full of random stuff here Premium join:2003-06-28 | reply to Steve Re: "not usually capable of such precision" ?
They probably mean the preciseness of the actual strike. I hear Akamai's network is pretty hard to take down. Must have been some attack.. |
|
 beowulf9
join:2004-06-07 Lovettsville, VA | reply to keith2468 Re: 'bot net', really?
Yes, I know what bot nets are. I'm not a clueless newbie.
My skepticism is directed at Akamai. Has there been any third-party confirmation that the outage was actually caused by a bot net rather than their own incompetence? |
|