[nsp-sec] Revisiting the DDOS Route Server project
Chris Morrow
morrowc at ops-netman.net
Thu Aug 13 10:11:52 EDT 2009
On Thu, 13 Aug 2009, Hank Nussbacher wrote:
> ----------- nsp-security Confidential --------
>
> At 02:06 13/08/2009 -0400, Seth Hall wrote:
>
>> On Aug 13, 2009, at 12:59 AM, Hank Nussbacher wrote:
>>
>>> The botherder doesn't care for the bots to check-in. He knows they
>>> are out there, some listening, some not, and waiting for his wake-up
>>> call. One simple UDP packet and he instructs them all to attack.
>>
>> Are you thinking that they might send that single UDP packet to every
>> IPv4 address to compensate for not doing checkins?
>
> Spraying a single UDP packet to every IP out there (not the full
> 0.0.0.0-255.255.255.255 - but rather knowing which /8s to hit), could easily
> be done in a very short period of time, won't require much b/w and probably
> won't be detected if using a Chris Morrow selected UDP port :-)
^(tm)
I'm not sure this would go completely unnoticed unless the src-ip was
changed on a fairly regular basis, and I'm not sure how long it'd take you
to make 3,355,443,200 packets (and not get noticed on your local lan)...
that said, split the 3.5b packets across 20-30 hosts and do it 1xhour
(start time) and you might get slid under the radar at a decent sized
hosting company :(
3.5bp/hr split over 30 hosts ~= 31kpps/host.
-Chris
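A defender's view of the spray discussed in this message, as an added example that is not part of the thread: it counts how many distinct destinations receive one-packet UDP flows, once per source address and once per destination port. The flow records, port 40000 and the TEST-NET addresses are constructed for the illustration; the point it adds is that rotating the source address (as Chris suggests) defeats the per-source count but not the per-port count.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One flow record (fields assumed: a NetFlow-style 5-tuple summary)."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int

def single_packet_udp(flows):
    # The wake-up spray is one UDP packet per destination, so only
    # one-packet UDP flows matter; bulk transfers are ignored.
    return [f for f in flows if f.proto == "udp" and f.packets == 1]

def fanout_by_source(flows):
    """Distinct destinations per source address."""
    seen = defaultdict(set)
    for f in single_packet_udp(flows):
        seen[f.src].add(f.dst)
    return {s: len(d) for s, d in seen.items()}

def fanout_by_port(flows):
    """Distinct destinations per UDP destination port, ignoring the source.
    This survives source-address rotation: the port the bots listen on
    is the one thing the sender cannot change."""
    seen = defaultdict(set)
    for f in single_packet_udp(flows):
        seen[f.dport].add(f.dst)
    return {p: len(d) for p, d in seen.items()}

def flag_spray(flows, threshold):
    """Return (kind, key) pairs whose fan-out reaches the threshold."""
    hits = [("src", s) for s, n in fanout_by_source(flows).items() if n >= threshold]
    hits += [("dport", p) for p, n in fanout_by_port(flows).items() if n >= threshold]
    return hits

# Constructed sample flows, not real traffic. Port 40000 stands in for the
# hypothetical wake-up port; addresses are from the TEST-NET documentation ranges.
FIXED_SRC = [Flow("198.51.100.5", f"203.0.113.{i}", "udp", 40000, 1) for i in range(1, 9)]
ROTATED_SRC = [Flow(f"198.51.100.{10 + i}", f"203.0.113.{i}", "udp", 40000, 1) for i in range(1, 9)]
BACKGROUND = [Flow("198.51.100.7", "203.0.113.53", "udp", 53, 1),
              Flow("198.51.100.7", "203.0.113.80", "tcp", 80, 40)]

if __name__ == "__main__":
    print(flag_spray(FIXED_SRC + BACKGROUND, 8))    # [('src', '198.51.100.5'), ('dport', 40000)]
    print(flag_spray(ROTATED_SRC + BACKGROUND, 8))  # [('dport', 40000)]
```

In practice the threshold would be set per port from a baseline of normal fan-out, so that DNS or NTP resolvers talking to many hosts are not flagged.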