Re: [Full-disclosure] DDoS attacks via other sites execution tool (DAVOSET)
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool (DAVOSET)
- From: "Dobbins, Roland" <rdobbins@xxxxxxxxx>
- Date: Wed, 14 Jul 2010 11:51:16 +0000

On Jul 14, 2010, at 6:28 PM, MustLive wrote:

> In which I wrote particularly about creating of botnet from zombie-servers
> (which is a new type of botnets).

A more appropriate name for this sort of attack might be an 'application
reflection attack', as it's similar in concept to making use of open DNS
recursors in the same vein. The servers themselves aren't botted, so they
don't comprise a new form of botnet, per se.

The question then becomes whether this particular form of attack offers any
advantages over more conventional layer-7 DDoS attacks launched via botnets.
One advantage is obvious - it may prove problematic to block the attack traffic
via conventional means such as S/RTBH, given that the servers being abused to
launch the application reflection attack are legitimate servers which users on
the targeted networks may well have the desire to access. However, as IDMSes
can readily handle this sort of attack, while interesting, it's unclear whether
it's worth the effort required to do this, given the prevalence of untold
millions of botted hosts which can launch layer-7 attacks via existing
command-and-control mechanisms which render said botnets completely under the
control of the attacker, and since the sites being abused can in fact take
measures to render themselves unsuitable for such abuse.

The question then becomes, is there an amplification factor to be gained by
doing so? The reason that DNS reflection attacks are of interest to the
attackers is that they gain a considerable amplification effect from doing so -
do you see an amplification resulting from this mode of attack?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken