North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re:Destructive botnet originating from Japan

  • From: Barrett G. Lyon
  • Date: Sat Dec 24 13:45:38 2005

Here is a little update:

As of last night authorities were able to seize the IRC server from the ISP in Japan and there will be extensive follow-up it. The DDoS attack is now running headless in the happy range of about 3+ Gbps at around 7-9M PPS. The bots will continue attacking us until they receive the stop command from the bot master, there will never be a stop command, so we will continue to see packet love for a few months while people find that they are attacking us. We will publish a new list of the bots on Monday as we idle with this low traffic rate over the weekend.

The attacker was targeting a couple customers that came into our environment after other solutions failed to work for them. After reviewing and comparing notes, it is obvious that the attacks were assassination attempts from a competitor. There was no extortion involved.

If you want to get the bots off your network, watch flow data destined to AS32787 with SYN floods to TCP 80 as the destination.

Sites that use a PHP include (without validating the strings) to pull- up different web sections and pages are at risk, a lot of people are reporting infection via "$section.php" and "$page.php", the attacker appears to have used Google to locate sites that use includes in that fashion (searching "index.php?page=" or "index.php?section=").

Reviewing infected machines for logs related to would be easy to locate a past infection but may not be reliable if the attacker starts a new botnet. An example of the log data looks something like this:
grep access_log - - [23/Dec/2005:11:45:37 +0000] "GET /index.php? section=http%3A// HTTP/1.0" 200 8010 "-" "Wget/1.6"

Happy hunting and have nice holidays!


Barrett Lyon
CTO and founder
Prolexic Technologies, Inc