The attacks can vary; you can't have complete protection against this type of attack.
Distributed denial of service attacks are very powerful, and much more widespread these days, because Windows computers can now participate in them, which wasn't always the case.
Windows now has 'raw sockets' support, which makes IP spoofing possible, so if a botnet of 2,000 Windows machines is pumping garbage packets at a single server with fake source IPs, you are pretty much out of options for tracing. The only way of tracing is by tracking a single stream of data to the router it is coming from, 1 hop at a time, and it is virtually impossible to get that kind of cooperation from every hop unless you're the FBI.
The attack a while back that went against eBay and Yahoo was the same type of attack, using a Unix variant called trinoo, except that it required rooted Unix boxes to orchestrate, since Unix has had raw socket support forever, though it required fewer servers because Unix servers tend to be well connected.
The tools available to create these types of attacks nowadays are much easier to get into Windows boxes than Unix boxes.
http://grc.com/dos/grcdos.htm is a very good resource for info.
I have been receiving distributed denial of service attacks off and on for about 9 months against a small site of my own. After getting the server to be able to detect and cope with the volume of traffic to survive the hit, I still had an extreme volume of traffic coming into the server, which costs in bandwidth. So what I have done is set up round-robin DNS for my site, and when an attack comes in, I block my own IP that is getting hit at the ISP, and legitimate traffic flows to the other IPs. With a low DNS TTL this has been very effective. I also remove the attacked IP from round-robin DNS when an attack is detected, to minimize round-robin connect failures until the TTLs expire.
Routers at ISPs have a setting that would prohibit a spoofed packet from leaving the ISP; packets could only be spoofed within the subnets they are routing for. Many, many, many ISPs don't have this 'egress filtering' turned on. If an attack could be traced back to a real IP, the victim can get hold of a botnet client on an infected computer, disassemble it to find out what central resource it's connecting to, then go to the provider of that central resource and get it shut down. Many botnets are coded with hostnames hosted on free web-based DNS services so the botnets can be administered more easily, giving the attacker the ability to move the bots to different IRC servers. Getting that central hostname out of a single attack bot will disable a botnet, assuming they don't have an alternative way into the drone computers.
Josh
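
The round-robin rotation described in the post, sketched as an added example that is not part of the original post: given per-IP inbound packet rates, it picks the addresses to block at the ISP and the A records to keep publishing. The hostname, the 192.0.2.x addresses, the 60-second TTL and the packets-per-second threshold are all constructed assumptions.

```python
import ipaddress

TTL = 60  # assumed "low" TTL in seconds; the post does not give a value


def pick_attacked(rates, threshold_pps):
    """Return the IPs whose inbound packet rate exceeds the threshold."""
    hit = (ip for ip, pps in rates.items() if pps > threshold_pps)
    return sorted(hit, key=ipaddress.ip_address)


def plan_rotation(name, pool, rates, threshold_pps, ttl=TTL):
    """Decide which pool IPs to block upstream and which A records to serve."""
    pool_rates = {ip: rates.get(ip, 0) for ip in pool}
    attacked = pick_attacked(pool_rates, threshold_pps)
    healthy = [ip for ip in pool if ip not in attacked]
    if not healthy:
        # Every address is being hit: withdrawing all of them would take the
        # site down by our own hand, so keep the least-loaded one published.
        keep = min(pool, key=lambda ip: pool_rates[ip])
        healthy = [keep]
        attacked = [ip for ip in attacked if ip != keep]
    return {
        "block_at_isp": attacked,
        "records": [f"{name} {ttl} IN A {ip}" for ip in healthy],
        # Resolvers may keep handing out a withdrawn IP until the TTL runs out.
        "stale_cache_seconds": ttl if attacked else 0,
    }


# Constructed sample data: three round-robin addresses, one being flooded.
SAMPLE_POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
SAMPLE_RATES = {"192.0.2.10": 120, "192.0.2.11": 48000, "192.0.2.12": 95}

if __name__ == "__main__":
    plan = plan_rotation("www.example.com.", SAMPLE_POOL, SAMPLE_RATES, 5000)
    print("block at ISP:", plan["block_at_isp"])
    print("\n".join(plan["records"]))
    print("clients may still try blocked IPs for up to",
          plan["stale_cache_seconds"], "seconds")
```
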