Re: DDoS tracking WG
- Date: Wed, 5 Feb 2003 09:34:45 +0100
> While we don't track DDoS attacks, SAFE is commited to removing smurf
> amplifiers, still one of the most abused forms of DoS, from the
> internet.
I do not agree as smurf attacks being the most used. Actually trojans with
an irc robot in it seems to be the most used. The "Script Kiddies" control
them over an IRC channel. They control the IRC server/network where those
trojans connect using DNS entries (CNAME to whatever they want). Some of
them control around 20k infected workstations (most of them are CATV and
ADSL users).
Imagine..... if each infected user only has 100k of upstream.... 20k *
100kbps ....2gbps... ?!? which medium size ISP can so something against
that? none. For sure those 20k infected users arent online at the same
time... but still...
I know some "kiddies groups" on IRC networks (like Rectum Crew from .ca),
they use some kind of "trojan template" where they can add whatever software
they want. Once they control the machine, they can do upgrades of their
software etc... and the worst thing is when such groups fight against each
other....trying to take control of the other group robots....
They also propagate their trojans using FAKE sex websites saying you need to
download a dialer.... which is the IRC trojan.... + mail spam... they get
quickly many infected users.
Most of the big IRC networks (at least Undernet and DALnet has) have a
special team fighting against trojans, but most of the time we cannot do
anything, cause the ISPs do not contact the customer to tell him to install
an anti-virus or a trojan remover...
See what happened to the IRC network DALnet... since months they are getting
a non-stop attack against most of their servers. Even the servers which are
actually shutdown still get attacked.... the overall bandwith used against
DALnet server is still over 1gbps at the moment....
For sure, there are still some hacked *nix servers from where the "kiddies"
run TCP_SYN floods, (source == random for sure)....
P.