Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Destructive botnet originating from Japan (fwd)

  • From: Barrett G. Lyon
  • Date: Sun Dec 25 00:55:42 2005


Rob,

You made a good point on the duration of the attacks, I neglected to notice the attack command was set to 99999. One of our engineers logged the bot master issuing the attack command:

man!~man@127.0.0.1 PRIVMSG $127.0.0.1 :.dos 99999 s| xxx.xxx.xxx.xxx|80

99999 is the number of the seconds and its 86400 seconds is 24 hours and slightly over that we saw the bots stop attacking. So they were not running forever, but they did run on their own for about 27 hours. It made our NOC guys happy to see Christmas eve with a clean network.

You are also very correct on the force levels, Linux web servers are usually more connected than a cable modem user, so the bandwidth levels are much higher. In the latest round of attack we have seen, the attack rates are growing near the 10 Gig range. The PPS rates are also getting much higher seeing the fragmented UDP attacks getting packet sizes much smaller than a 64-byte SYN packet.

What I find shocking is that machines that should be more secured or at least monitored better appear to run for long periods going unnoticed. It seems that some system administrators are just not paying attention to large outbound bursts from their networks.


-Barrett



Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.