nanog mailing list archives

Re: Over a decade of DDOS--any progress yet?


From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 9 Dec 2010 06:45:45 -0500

On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
> ISPs are not the source.  The source is Microsoft.  The source is
> their buggy OS that is easily compromised to enable the computers to
> be taken over as part of the botnet.

I often disagree vehemently with JC, but not this time.

I've been studying bot-generated spam for most of the last decade, and to
about 6 nine's, it's all been from Windows boxes.  (The rest?  A smattering
of "indeterminate" and various 'nix systems including MacOS.)

The botnet problem is a Microsoft problem.

Now...whether the botnet problem will still be a Microsoft problem in 2015:
can't say.  Clearly attackers have plenty of reasons to attack other systems
and in some cases, they'll be successful.  But it appears that to date,
the advantages they might accrue from owning a box running one of the
superior operating systems are outweighed by the costs of the effort
to do so.  (With a few rare exceptions, of course.)

But you don't have to take my word for this.  Turn on passive OS
fingerprinting on your MX's and start recording data, including DNS
and rDNS, putative sender, recipient, etc.  Accumulate a couple
years' worth and analyze.

This is why some rather effective defensive techniques (not just for
spam) can be constructed by differentiating traffic based on the
operating system of the host originating that traffic.

---rsk
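
To make the "accumulate and analyze" step above concrete, here is an added example (not code from rsk or from this thread) that tallies the OS family of hosts connecting to an MX, as recorded by a passive fingerprinter, against the MTA's spam verdict for each client. The p0f3-style key=value log format, the sample records and the verdicts are all constructed for illustration.

```python
"""Tally originating OS families of inbound SMTP connections, split by the MTA's
spam verdict (added illustration, not the post author's code; p0f3-style log
format and all sample records are assumed/constructed)."""
import re
from collections import Counter, defaultdict

# Constructed passive-fingerprint records for SYNs to our MX (port 25).
P0F_LOG = """\
[2010/12/08 07:43:52] mod=syn|cli=192.0.2.10/51234|srv=198.51.100.5/25|subj=cli|os=Windows XP|dist=14
[2010/12/08 07:44:01] mod=syn|cli=192.0.2.11/40000|srv=198.51.100.5/25|subj=cli|os=Windows 7 or 8|dist=12
[2010/12/08 07:44:09] mod=syn|cli=203.0.113.7/33000|srv=198.51.100.5/25|subj=cli|os=Linux 2.6.x|dist=9
[2010/12/08 07:45:30] mod=syn|cli=192.0.2.12/52000|srv=198.51.100.5/25|subj=cli|os=???|dist=15
[2010/12/08 07:46:02] mod=syn|cli=203.0.113.8/33001|srv=198.51.100.5/25|subj=cli|os=Mac OS X|dist=6
[2010/12/08 07:46:40] mod=http|cli=203.0.113.9/44000|srv=198.51.100.5/80|subj=cli|os=Windows XP|dist=10
"""
# Constructed per-client verdicts (e.g. from a DNSBL hit or the content filter).
VERDICTS = {"192.0.2.10": "spam", "192.0.2.11": "spam", "192.0.2.12": "spam",
            "203.0.113.7": "ham", "203.0.113.8": "ham"}

LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\] (?P<kv>.*)$")

def parse_p0f_line(line):
    """Return one log line's key=value fields as a dict (plus cli_ip), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split("|"))
    fields["cli_ip"] = fields.get("cli", "").split("/")[0]
    return fields

def os_family(os_label):
    """Collapse p0f's detailed label into the coarse families the post talks about."""
    label = os_label.lower()
    if label.startswith("windows"):
        return "Windows"
    if label in ("", "???", "unknown"):
        return "indeterminate"
    return "other-unix"  # Linux, *BSD, Mac OS X, ...

def tally_by_verdict(p0f_text, verdicts):
    """Count OS family per verdict over client-side SYN fingerprints toward port 25."""
    counts = defaultdict(Counter)
    for line in p0f_text.splitlines():
        f = parse_p0f_line(line)
        if (not f or f.get("mod") != "syn" or f.get("subj") != "cli"
                or not f.get("srv", "").endswith("/25")):
            continue  # skip non-SMTP or server-side fingerprints
        verdict = verdicts.get(f["cli_ip"], "unverified")
        counts[verdict][os_family(f.get("os", ""))] += 1
    return {v: dict(c) for v, c in counts.items()}
```

Run over a real archive of p0f output joined to your MTA's verdicts, the per-verdict ratios are what the post invites you to compare.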

