[nsp-sec] Revisiting the DDOS Route Server project
Chris Morrow
morrowc at ops-netman.net
Thu Aug 13 02:10:58 EDT 2009
On Thu, 13 Aug 2009, Hank Nussbacher wrote:
> ----------- nsp-security Confidential --------
>
> At 00:52 13/08/2009 -0400, Seth Hall wrote:
>
>> On Aug 13, 2009, at 12:31 AM, Hank Nussbacher wrote:
>>
>>> But for UDP, if the botmaster realizes what we are doing (and I
>>> would assume that by now - after years of all of us null routing
>>> many of their C&C), all they need do is switch to UDP and send their
>>> instructions out to their bots via UDP, which we do not have any
>>> tools yet to stop.
>>
>> I assume that some HTTP/IRC botnet transformed into a UDP botnet would
>> still need to do the initial checkin which would still be stopped by
>> the route server as long as the checkin server was being announced.
>> No bots check in, no commands sent out.
>
> The botherder doesn't care for the bots to check-in. He knows they are out
> there, some listening, some not, and waiting for his wake-up call. One
> simple UDP packet and he instructs them all to attack.
Without putting words in Seth's mouth: "How does the botherder know where
to send his packets?"
I presume some second party could be used... 'poke http-thing -> there'
which updates shared data-store 'here', start spewing forth UDP pkts.
Why would they not already be doing this under the fairly prevalent
udp/1025|6 windows-messenger-type data being shoveled all over today? (or
maybe that gives them the perfect cover to send to 1027 from spoofed
sources... devilish you are!!)
-chris