Comments on That grumpy BSD guy: DDOS Bots Are People! (Or Manned By Some, At Least)
Blog author: Peter N. M. Hansteen (http://www.blogger.com/profile/12852746787621165833). Comment feed last updated 2024-03-07.

Peter N. M. Hansteen (https://www.blogger.com/profile/12852746787621165833), 2012-12-27 19:25 +01:00:

Contacting whoever is listed in whois when there is no way to be sure whether the IP address is spoofed or not is likely to be less useful than otherwise, that's true.

But then in a general 'incident response' context, contacting people listed as responsible is more useful, so I left it in, mainly because responses may be useful if only for seeing the problem from a slightly different perspective.

Anonymous, 2012-12-27 19:06 +01:00:

Stéphane is correct and you've not fully comprehended your condition. If you are the target of DNS ANY queries, then you are party TO the larger attack; if you are seeing answers to DNS ANY queries, then you are the target of the attack; in the latter case it can be worthwhile to contact the source of the unrequested DNS answers, often open resolvers or folks with sizable ANY returns.

(Stéphane, BTW, wonderful blog; has come in handy on a few occasions!)

Stéphane Bortzmeyer (http://www.bortzmeyer.org/), 2012-12-26 22:27 +01:00:

You note correctly that, in the typical DNS-based attack, the source IP address is spoofed (it is a reflection attack). Therefore, what is the point of publishing it? It is the address of the victim, not of the attacker! For the same reason, whois and writing to abuse is quite useless.

Michele Baldessari (http://acksyn.org), 2012-12-26 11:35 +01:00:

You'll find this one interesting/similar:
http://www.slideshare.net/mayhemspp/bakeca-ddos-hope

Anonymous, 2012-12-26 07:29 +01:00:

One whole internets to you!
Great read and very informative.

Anonymous, 2012-12-26 07:07 +01:00:

The -t ANY query is a valid means to generate a reflection attack.

    dig @SKAPET.BSDLY.NET bsdly.net -t ANY

Returns about 500 bytes on a 50 byte query.

The source of the ANY query is nearly always the spoofed target(s)' IP address.

Roland Dobbins (http://www.arbornetworks.com), 2012-12-26 06:47 +01:00:

Good post. FYI, flow telemetry is utilized by ISPs all over the world, including Europe, for many purposes, including DDoS detection/classification/traceback. EU privacy/data retention regulations do not preclude the use of flow telemetry.

Here are some links to presentations and annual security reports which are focused on DDoS:

https://www.box.com/s/4h2l6f4m8is6jnwk28cg
https://www.box.com/s/llwlaowbthppliyze2uw

Thanks for taking the time to share your experiences!