Message-ID: <70B0C8ED-0293-4CC9-8F45-AE32238D462D@arbor.net>
Date: Wed, 14 Jul 2010 11:51:16 +0000
From: "Dobbins, Roland" <rdobbins@...or.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: DDoS attacks via other sites execution tool (DAVOSET)
On Jul 14, 2010, at 6:28 PM, MustLive wrote:
> In which I wrote particularly about creating of botnet from zombie-servers
> (which is a new type of botnets).
A more appropriate name for this sort of attack might be an 'application reflection attack', as it's similar in concept to making use of open DNS recursors in the same vein. The servers themselves aren't botted, so they don't comprise a new form of botnet, per se.
The question then becomes whether this particular form of attack offers any advantages over more conventional layer-7 DDoS attacks launched via botnets.
One advantage is obvious - it may prove problematic to block the attack traffic via conventional means such as S/RTBH, given that the servers being abused to launch the application reflection attack are legitimate servers which users on the targeted networks may well have the desire to access. However, as IDMSes can readily handle this sort of attack, while interesting, it's unclear whether it's worth the effort required to do this, given the prevalence of untold millions of botted hosts which can launch layer-7 attacks via existing command-and-control mechanisms which render said botnets completely under the control of the attacker, and since the sites being abused can in fact take measures to render themselves unsuitable for such abuse.
The question then becomes, is there an amplification factor to be gained by doing so? The reason that DNS reflection attacks are of interest to the attackers is that they gain a considerable amplification effect from doing so - do you see an amplification resulting from this mode of attack?
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@...or.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/