
24 October 2004

botnet

So a DDoS attack is made up of DoS attacks launched simultaneously by many computers from all over. What are these computers? Invariably they are poorly secured home computers connected via "always-on" broadband. These machines are penetrated and owned surreptitiously. A variety of malware may be installed; the new "owner" has been known to patch these machines so that other would-be "owners" may not get in and take over.

The "owner" also installs software to connect a machine to some pre-determined IRC channel. The owned machine then lies in wait for commands transmitted over that IRC channel. This machine has become a bot, and many such machines form a botnet. When a command comes in to DDoS such and such a target, say, the botnet blasts away.

According to the Internet Storm Centre (I like that name), in Sep 2004, the Norwegian ISP Telenor shut down a botnet containing over ten thousand clients. To quote, "If you have network traffic logs, you may want to check for connections from your hosts/network to the IRC server - it was listening on 203.81.40.172 tcp port 10009."
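The log check the ISC note suggests, as an added example that is not part of the original post: scan connection-log lines for any internal host that talked to the C2 server named above (203.81.40.172 tcp/10009), plus a heuristic for outbound connections to the standard IRC ports. The log format, the sample lines and the IRC-port heuristic are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Indicator from the ISC note quoted above: the botnet's IRC server listened here.
C2_INDICATORS = {("203.81.40.172", 10009, "tcp")}
# Heuristic, not from the post: outbound connections to standard IRC ports from
# home or office hosts that have no business running an IRC client.
IRC_PORTS = {6667, 6697}

# Hypothetical log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) (tcp|udp)$"
)


def parse_line(line):
    """Return (src, dst, dport, proto), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, src, _, dst, dport, proto = m.groups()
    return src, dst, int(dport), proto


def find_suspect_hosts(lines):
    """Map each source IP to counts of known-C2 hits and IRC-port hits."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        src, dst, dport, proto = parsed
        if (dst, dport, proto) in C2_INDICATORS:
            hits[src]["c2"] += 1
        elif dport in IRC_PORTS:
            hits[src]["irc_port"] += 1
    return {src: dict(c) for src, c in hits.items()}


# Constructed sample log; the 192.168.1.x hosts and 203.0.113.9 are made up.
SAMPLE_LOG = """\
2004-09-08 10:01:02 192.168.1.10:51234 -> 203.81.40.172:10009 tcp
2004-09-08 10:01:05 192.168.1.11:51235 -> 198.51.100.7:80 tcp
2004-09-08 10:02:10 192.168.1.10:51240 -> 203.81.40.172:10009 tcp
2004-09-08 10:03:00 192.168.1.12:51300 -> 203.0.113.9:6667 tcp
this line is deliberately malformed
"""

if __name__ == "__main__":
    for host, counts in find_suspect_hosts(SAMPLE_LOG.splitlines()).items():
        print(host, counts)
```

A host with a "c2" hit has connected to the named controller and should be treated as compromised; an "irc_port" hit alone is only a lead to look into.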

Googling for "largest ddos botnet" throws up the number 140,415. That's right, a botnet containing over one hundred forty thousand machines - surely a weapon of mass disruption. Another "largest" number is a staggering 40Gbps worth of aggregated attack traffic.

I reckon botnets will appear on p2p networks anytime now, if they haven't already.

Supposedly there is a black market that trades botnets. Hollywood movies can't be far away...


Posted by ngps at 23:42 | Comments (0) | Trackbacks (0)