Zombies Attack Akamai
Admins investigate 'bot net' attack
(old news - 10:29AM Thursday Jun 17 2004)
tags: security · trouble

As Akamai investigates Tuesday's attack on its DNS servers, the company has discovered it was attacked by a large "bot net", or network of infected PCs, reports CNET. The attacks blocked nearly all access to the websites of Apple, Google, Microsoft and Yahoo, which was trying to launch its improved webmail offering. "Working with our network partners, we were able to identify a bot network that appeared to be operating and managed to shut it down, which resulted in stopping the attack," says Akamai's founder Tom Leighton. The company is still trying to understand how the zombie network, which CNET claims is usually not capable of such precision, specifically targeted the Yahoo, Google, Microsoft and Apple sites.

Related:
- Comcast Easily Duped Into Handing Out Customer Info
- Co-Location Center Robbed Again, and Again
- ISP Error Opens Security Holes in Web
- The Growing Impact of Website Crashes
- ICANN Domains Hijacked
- DNS Fix Knocks Zone Alarm Users Offline
- Major DNS Flaw Finally Publicized
- DNS Flaw Even Worse Than Predicted

Steve SAS-70 is extortion Consultant join:2001-03-10 Tustin, CA
"not usually capable of such precision" ?
My understanding is that these bot networks are highly precise: they're controlled by IRC, and they can be remotely controlled to attack anything on cue.
???
-- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

onin Premium join:2004-06-02 North York, ON
Re: "not usually capable of such precision" ?
yes it is.

Flizesh Premium join:2003-08-16 Staten Island, NY
Re: "not usually capable of such precision" ?
CNET knows jack

pnosker Premium join:2003-03-26 Stockton, NJ
Not necessarily. I have friends (ones who claim to have done this, which I doubt) who tell me that they target a set of ips, given to the bots with something like !ddos IPRANGE (ie. 111.111.111.***). They don't target one site, but I guess you could do a dnslookup on each site and get their exact ips. I'm sure 20,000 bots or so could do this much damage, and I know people with more than that.
Most people with botnets don't waste their time with corporate websites though, they target others who piss them off, like for instance if an IRC network splits, they attack the other network's shells.

ced06 join:2004-03-12 Towanda, PA
Re: "not usually capable of such precision" ?
I've seen people DDoS websites before...usually they just do !ddos riaa.org (the guy ddosed the riaa website), not bothering to mess with an IP range. :|

devrandom I got a pot, full of random stuff here Premium join:2003-06-28
They probably mean the preciseness of the actual strike. I hear Akamai's network is pretty hard to take down. Must have been some attack..

gruggni Oxygen Gets You High join:2003-07-28 Corpus Christi, TX
edit: June 17th, @12:05PM
shut down?
I doubted they really shut it down. They were shut down for about 2hrs. Zombies don't reside on the same ip blocks. If they block access to networks then they stop all access. Stopping zombies means stopping all traffic from said ip block. Thus they prevent legit traffic as well.

Redbaron2 join:2004-06-14 Tacoma, WA
Bot-nets are small
I also very highly doubt that they stopped the bot-net; they more than likely just changed to hosts that used other ip numbers. If you take a look at altavista's site it still isn't back to normal, and yahoo's site didn't update for several hours afterward. The total of sites affected is more than just the handful mentioned in the news articles. Symantec, McAfee, and Gmail just to name a few more were also hit. These bot programs could just have been a test run for a complete Internet attack. A person posted before that they knew people that had a few thousand bots at their command. Just look at it this way: a bot sending data from an infected machine has over 4000 ports to send out data onto the net. All those ports are not normally used by the computer for anything besides just being there really. I think that more companies should make spyware and the like software available to scan for such bots. Then again I wonder how long it will take AV makers to make software for smart phones?

Zunger join:2003-08-24 Gans, OK
Re: Bot-nets are small
netstat -a

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
edit: June 17th, @10:24PM
Such software for finding trojans is available, although not foolproof.
Because there are no effective legal restraints on Internet criminals, they are able to act like private armies and build up attack tools faster than volunteers can write free tools.
Visit the BBR Security Forum and follow the link "Before you post a HijackThis log follow these steps".
»Security »I think my computer is infected or hijacked. What should I do?
The real solution is either to make owners of computer security companies rich, with bandaid solution after bandaid solution, or to bring the rule of law to the Internet.
As for victim companies paying to make security software available for free -- maybe Internet users who were victimized by being unable to access Google, Yahoo, etc. should shell out the money to create such free software tools.
And then they can pay for the hardware upgrades to run the software.

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
Re: DNS servers
Comcast uses Yahoo DNS servers?
Doesn't Comcast have its own?
Wouldn't they only be referring to the Yahoo ones when their last resolution of Yahoo domains had expired?

beowulf9 join:2004-06-07 Lovettsville, VA
'bot net', really?
Is there any outside verification of the existence of this bot net or do we just have Akamai's word for it? Given the events of the last year and a half there's little reason to believe that corporations tell the truth.
Also, how, exactly, would Akamai "shut down" a distributed bot network? Maybe they have a huge distributed anti-bot bot net.

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
Re: 'bot net', really?
Is this the first you have heard of bot nets?
They are widely known to exist and have been used to attack less well defended companies.

beowulf9 join:2004-06-07 Lovettsville, VA
Re: 'bot net', really?
Yes, I know what bot nets are. I'm not a clueless newbie.
My skepticism is directed at Akamai. Has there been any third-party confirmation that the outage was actually caused by a bot net rather than their own incompetence?

TRiXinMO @ezdigitalnetwork.net
www.grc.com....
It's easy to shut it down if you are infected. The hardest problem was probably tracing down the ips of the infected server and allowing someone to look at it. You toss on a packet sniffer. Disable the NIC, ENABLE the nic. Then you have the irc server name, channel, password, AND bot naming convention.
I did this before when a machine I had got infected (the roommate put the machine on the dmz zone for some reason).
You get the cooperation of the irc server operator. Problem fixed.
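
The capture step described in the post above, sketched as an added example that is not part of the original thread or any poster's code: it reads client-to-server payloads from a sniffer and pulls out the IRC server, password, channel key and a regex for the bot naming convention. All addresses, nicks, passwords and function names are constructed for illustration.

```python
import re

# Constructed sample (not real data): client-to-server TCP payloads as a sniffer
# might record them when an infected host reconnects after its NIC is re-enabled.
CAPTURED = [
    ("192.0.2.50", 6667, b"PASS srvpass-example\r\nNICK USA|48213\r\nUSER xk 0 * :xk\r\n"),
    ("192.0.2.50", 6667, b"JOIN #chan-example chankey-example\r\n"),
    ("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]
IRC_CMDS = {"PASS", "NICK", "USER", "JOIN"}

def extract_irc_indicators(segments):
    """Pull server, password, nicks and channel keys out of IRC registration lines."""
    found = {"servers": set(), "server_pass": None, "nicks": [], "channels": {}}
    for dst_ip, dst_port, payload in segments:
        for raw in payload.split(b"\r\n"):
            parts = raw.decode("latin-1").split()
            if len(parts) < 2 or parts[0].upper() not in IRC_CMDS:
                continue  # not an IRC registration or join command
            cmd, args = parts[0].upper(), parts[1:]
            found["servers"].add((dst_ip, dst_port))
            if cmd == "PASS":
                found["server_pass"] = args[0].lstrip(":")
            elif cmd == "NICK":
                found["nicks"].append(args[0].lstrip(":"))
            elif cmd == "JOIN":
                chans = args[0].split(",")
                keys = args[1].split(",") if len(args) > 1 else []
                for i, chan in enumerate(chans):
                    found["channels"][chan] = keys[i] if i < len(keys) else None
    return found

def nick_pattern(nick):
    """Generalise one observed nick into a regex: each digit run becomes a \\d{n} token."""
    out = []
    for tok in re.findall(r"\d+|\D+", nick):
        out.append(r"\d{%d}" % len(tok) if tok.isdigit() else re.escape(tok))
    return "^" + "".join(out) + "$"

if __name__ == "__main__":
    ind = extract_irc_indicators(CAPTURED)
    print(ind)
    print([nick_pattern(n) for n in ind["nicks"]])
```

The extracted server, channel and nick pattern are the details the post says to take to the IRC server operator.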

bigbadtvfan join:2004-06-18
SBC bounces your mail with reverse DNS check!
We've been hearing from some of our customers that their email to us is bouncing back with a message No reverse DNS. Checked with SBC to find that a few days ago they were attacked by email bombs and to solve the problem, implemented a 100% reverse DNS check on all email.
While I hate spam, suddenly anyone using SBC as a domain provider cannot receive email from companies like BES Systems, Deutsche Bank, and Philip Morris. Tech support will tell you to call your clients and tell them to fix their DNS lookups. Sure!
I've tried to explain that clients just move on to another vendor if they have too much trouble with someone, but SBC can't understand this. Only monopoly thinking at SBC!