North American Network Operators Group
Re: no ip forged-source-address
At Thursday, October 31, 2002 1:22 PM, Randy Bush <[email protected]> was seen to say:

>> analogy games are fun, but it boils down to this... If I know the
>> real source of an attack, I can stop it within minutes.
>
> the real source of the attack is the skript kitty who zombied the
> 10,000 hosts which are sourcing packets at you. the intermediate
> sources are the 10,000 zombies, and trying to deal with them at the
> source just does not scale.

Really, you only need four or five, though. If you can monitor the TCP/IP links each has, you should find a common node that is the control node. (This assumes the current situation, where the bots remain connected during the attack; a simple change could alter this to disconnect immediately after orders are issued and not reconnect for a random time spanning hours or days. But even then, unless the kiddie wishes to discard his entire botnet after a single attack, they should eventually reconnect to a control channel, probably an IRC channel or similar.) At least theoretically, an IRC server network could be tapped to determine who is the controller in a bot room, or the bot room could be discontinued. (Again, this would only halt the current state of the art; the bots could easily have a different network or a distributed networking capability to recover the botnet after loss of a control room. Actually, I would be surprised if bots didn't already have some similar provision now.)
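The "monitor the links of four or five zombies and find the common node" idea above, as an added example that is not part of the NANOG thread: it intersects the long-lived TCP peers of a handful of attacking hosts, so a shared web server they all touched briefly does not show up, while the one peer every bot holds open does. The flow records, addresses and the 600-second threshold are constructed for illustration.

```python
"""Find a common control node among several DDoS-sourcing hosts.

Added example (not from the NANOG thread). Given flow records for a few
zombie hosts, intersect each host's long-lived TCP peers; the node all of
them stay connected to is the likely control channel.
"""
from collections import Counter, defaultdict

# Constructed sample flow records: (src, dst, dst_port, duration_seconds).
# Each of the four "zombies" talks to several addresses, but they all hold
# one connection open for about an hour (the constructed control channel).
FLOWS = [
    ("10.0.0.11", "192.0.2.7", 80, 2),
    ("10.0.0.11", "198.51.100.5", 6667, 3600),
    ("10.0.0.11", "203.0.113.9", 80, 1),
    ("10.0.0.12", "198.51.100.5", 6667, 4200),
    ("10.0.0.12", "203.0.113.9", 80, 1),
    ("10.0.0.13", "198.51.100.5", 6667, 3900),
    ("10.0.0.13", "192.0.2.8", 443, 5),
    ("10.0.0.14", "198.51.100.5", 6667, 3100),
    ("10.0.0.14", "192.0.2.9", 80, 1),
    ("10.0.0.14", "203.0.113.9", 80, 1),
]

def long_lived_peers(flows, min_duration=600):
    """Map each source host to the set of (dst, port) it held open >= min_duration."""
    peers = defaultdict(set)
    for src, dst, port, duration in flows:
        if duration >= min_duration:
            peers[src].add((dst, port))
    return peers

def common_control_nodes(flows, zombies, min_duration=600):
    """Peers shared by every listed zombie among their long-lived connections."""
    peers = long_lived_peers(flows, min_duration)
    sets = [peers.get(z, set()) for z in zombies]
    return set.intersection(*sets) if sets else set()

def rank_peers(flows, zombies, min_duration=600):
    """Rank long-lived peers by how many zombies hold them; useful when some
    bots have already dropped off and a strict intersection would be empty."""
    peers = long_lived_peers(flows, min_duration)
    counts = Counter(p for z in zombies for p in peers.get(z, set()))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    bots = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
    print("common control node(s):", common_control_nodes(FLOWS, bots))
    print("ranked peers:", rank_peers(FLOWS, bots))
```

Dropping the duration threshold (`min_duration=0`) makes the shared web server 203.0.113.9 appear as a candidate too, which is why the filter on connection lifetime matters.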