Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re:Destructive botnet originating from Japan

  • From: Rob Thomas
  • Date: Sat Dec 24 15:50:47 2005

Hi, NANOGers.

We've seen these PHP-built botnets for about two years now.  They have
recently become more popular.  This is due to the fact that a very few
of these bots can send out far more packet love than a large collection
of broadband (generally Windows) bots.  Return on investment and all

Most bots don't attack "forever."  The typical bot commands give an
attack duration in either packets or time.  I suspect that'll be the
case with this botnet, so the attack may not last for months.  In other
words, it would be wise to check those flows sooner rather than later.

Folks shouldn't focus solely on PHP, though that is the rage du jour.
Even the venerable PhatBot family, generally used to compromise hosts
running Windows, had a Linux spreader in it.  Increasingly Unix
systems and Cisco routers are the primary targets.

Keep in mind that botnets are but one facet of the threat.  There are
a plethora of just-in-time DoSnets built off of the same
vulnerabilities.  In this case there is no central command and control
making mitigation even more challenging.  It's fairly easy to run a
command on a vulnerable host through the same exploit that will permit
one to install a bot.  Just-in-time DoSnets are readily built and used
in amplification attacks as well.

Bots have never been solely a Windows problem.

Rob Thomas
Team Cymru
ASSERT(coffee != empty);

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.