[Outages-discussion] NeuStar UltraDNS ? ** Why DDOS Neustar?

Patrick W. Gilmore patrick at ianai.net
Thu Jul 12 12:29:45 EDT 2012


On Jul 12, 2012, at 12:22 , David Conrad wrote:
> On Jul 12, 2012, at 9:01 AM, Patrick W. Gilmore wrote:

>> Also, related to David's comments: The attacker almost certainly does not have bots in every eyeball network.  
> 
> Hard to say without more information. I have been surprised in the past at how effectively botnets have penetrated networks, particularly ones with lots of end users at the end.

Everyone's experience is different.  I see 1000s of networks with non-trivial eyeballs on them, yet serious traffic rarely comes from more than a handful per attack.


>> If China Telecom is attacking you and you have a widely distributed deployment, then only the node close to CT is affected. The rest of the world doesn't know an attack is happening.  
> 
> I haven't heard of bots that care that the traffic they are originating only comes from particular ASes, but I'm not in the secret cabals where that sort of information is shared so I may be surprised (again).

Bot herders frequently sell/rent bots from a single network, or by the network.  There are reasons why, which are likely not relevant (or appropriate) to this list.  That doesn't mean you can't get a botnet across networks, just that it is not common to have enough bots to matter in 100s or 1000s of networks for a single attack.

The last part is the most relevant here.  You are correct, every significant eyeball network has bots on it.  But not every bot will be used in every attack.

And despite all that I've said, there are exceptions to every rule. :)

-- 
TTFN,
patrick



