Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: no ip forged-source-address

  • From: David Howe
  • Date: Thu Oct 31 08:46:34 2002

at Thursday, October 31, 2002 1:22 PM, Randy Bush <> was
seen to say:
>> analogy games are fun, but it boils down to this... If I know the
>> real source of an attack, I can stop it within minutes.
> the real source of the attack is the skript kitty who zombied the
> 10,000 hosts which are sourcing packets at you.  the intermediate
> sources are the 10,000 zombies, and trying to deal with them at the
> source just does not scale.
really you only need four or five though - if you can monitor the tcp/ip
links each have, you should find a common node that is the control node
(assuming the current situation where the bots remain connected during
the attack; a simple change could alter this to disconnect immediately
after orders are issued and not reconnect for a random time spanning
hours or days, but even then, unless the kiddie wishes to discard his
entire botnet after a single attack, they should eventually reconnect to
a control channel (probably an irc channel or similar) - at least
theoretically, an irc server network could be tapped to determine who is
the controller in a bot room, or the bot room could be discontinued
(which again, would only halt the current state of the art; the bots
could easily have a different network or a distributed networking
capability to recover the botnet after loss of a control room; actually,
I would be surprised if bots didn't already have some similar provision

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.