lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 14 Jul 2010 11:51:16 +0000
From: "Dobbins, Roland" <rdobbins@...or.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: DDoS attacks via other sites execution
	tool	(DAVOSET)


On Jul 14, 2010, at 6:28 PM, MustLive wrote:

> In which I wrote particularly about creating of botnet from zombie-servers
> (which is a new type of botnets).


A more appropriate name for this sort of attack might be an 'application reflection attack', as it's similar in concept to making use of open DNS recursors in the same vein.  The servers themselves aren't botted, so they don't compromise a new form of botnet, per se.

The question then becomes whether this particular form of attack offers any advantages over a more conventional layer-7 DDoS attacks launched via botnets.

One advantage is obvious - it may prove problematic to block the attack traffic via conventional means such as S/RTBH, given that the servers being abused to launch the application reflection attack are legitimate servers which users on the targeted networks may well have the desire to access.  However, as IDMSes can readily handle this sort of attack, while interesting, it's unclear whether it's worth the effort required to do this, given the prevalence of untold millions of botted hosts which can launch layer-7 attacks via existing command-and-control mechanisms which render said botnets completely under the control of the attacker, and since the sites being abused can in fact take measures to render themselves unsuitable for such abuse.

The question then becomes, is there an amplification factor to be gained by doing so?  The reason that DNS reflection attacks are of interest to the attackers is that they gain a considerable amplification effect from doing so - do you see an amplification resulting from this mode of attack?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@...or.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists