In article <_fydnWjhYKSK-(E-Mail Removed)>,
Andy Champ <(E-Mail Removed)> wrote:
>On 05/11/2010 12:49, The Natural Philosopher wrote:
>> Mike Civil wrote:
>>> In article <iauc1g$opb$(E-Mail Removed)>,
>>> The Natural Philosopher <(E-Mail Removed)> wrote:
>>>> http://www.bbc.co.uk/news/technology-11693214
>>>> NOW you know why ISPs sometimes block pings..
>>>>
>>>> And why some of us feel MS windows should be banned from the internet
>>>> ;-)
>>>
>>> S'funny. While the BBC is as usual a paragon of non-content, other
>>> sources don't mention ICMP at all and at least one describes TCP based
>>> attacks.
>>>
>>> No mentions anywhere of MS products (or any other OS come to that)
>>> either as source, destination or intermediary.
>> Botnet.
>>
>> Show me one botnet that isn't hosted on MS machines.
>>
>
>Why would a Botnet writer target some obscure OS with less than 10% of
>the installed base?
One particular OS probably has over 50% of the installed base - for its
type of functionality - and that's Linux - in the role of a web server.
And there is botnet like code for Linux boxes that works in exactly the
same way as some of their Windows cousins. (Connects to an IRC server
and listens for commands) Often better because they're in data centres
with large bandwidth capacity.
The trick with Linux, as with other systems is to get that code into
the target server in the first place. Fortunately for the botnet
owners, there are now 1000's of open source applications that they can
investigate and almost all big packages have had vulnerabilities at
one point or another. e.g. vBulletin, phpBB, phpMyAdmin and who knows
what else. Essentially while the basic Operating System and utilities
(Linux, Apache, *SQL, Perl/Php) are themselves relatively secure, it's
the additional packages that may not be.
>I still don't see the pings BTW. DOS (that's denial, not disc) can
>happen many ways.
One type of ping attack involves the server hosting the attacking code
sending a ping to a random address, but forging its source address to
be that of the victim. The innocent third party then sends its reply
back to the victim. This way the bandwidth usage of the attacking host is
minimised, and its identity is anonymised. Now imagine 1000 compromised
servers sending a ping - each second - to 1000 different 3rd parties
who're relaying to a single victim.... Then 10,000...
And a while back, some hosts/networks would respond to a ping to the
network's broadcast address - so send one ping, get 100 back. See:
http://en.wikipedia.org/wiki/Smurf_attack
One ping is fine, a million pings a second is bad.
On the TCP front, sending TCP SYN packets to a host will clog up their
input stack - and until fixes were posted, that would have disastrous
results. With as little as 5 SYNs sent to a host you could block a
particular function.
See
http://en.wikipedia.org/wiki/SYN_flood
There are many other ways to perform a remote DDoS attack on a host.
In the case of the attack on Burma, if their ISPs in Burma blocked pings,
it really wouldn't help - the ping packets would still come down the
wires only to be rejected at the Burma end of the wire - which by then
is too late. If the upstream ISPs blocked the pings, that would be fine
for Burma, but not fine for the ISPs as they'll still have to weather
the storm. Tracing and tracking these things is really hard and requires
co-operation of all the ISPs in the chain.
Gordon
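The reflected-ping pattern Gordon describes has a simple signature on the victim's side of the wire: echo replies arriving from many peers that no inside host ever sent an echo request to. The following is an added detection example, not code from the thread; it runs over a constructed sample of per-packet ICMP records using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, where 203.0.113.0/24 is assumed to be the monitored network.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed sample: (time_s, src, dst, icmp_type) as a border device might log it.
# 203.0.113.20 legitimately pings 198.51.100.1; 203.0.113.10 is the victim whose
# address was forged, so third parties in 198.51.100.0/24 "reply" to it unasked.
SAMPLE = [
    (0.0, "203.0.113.20", "198.51.100.1", ECHO_REQUEST),  # genuine outbound ping
    (0.1, "198.51.100.1", "203.0.113.20", ECHO_REPLY),    # matching answer
    (0.2, "198.51.100.5", "203.0.113.10", ECHO_REPLY),    # unsolicited replies
    (0.2, "198.51.100.6", "203.0.113.10", ECHO_REPLY),
    (0.3, "198.51.100.7", "203.0.113.10", ECHO_REPLY),
    (0.3, "198.51.100.5", "203.0.113.10", ECHO_REPLY),
    (0.4, "198.51.100.8", "203.0.113.10", ECHO_REPLY),
]


def find_reflected_floods(records, inside, window=2.0, min_reflectors=3):
    """Return {victim: (unsolicited_replies, distinct_reflectors)} for inside
    hosts that receive echo replies from at least min_reflectors peers they
    never sent an echo request to within `window` seconds."""
    net = ipaddress.ip_network(inside)
    last_request = {}            # (inside_host, peer) -> time of last outbound request
    counts = defaultdict(int)    # victim -> unsolicited reply count
    reflectors = defaultdict(set)  # victim -> set of reflecting peers
    for t, src, dst, itype in sorted(records):
        if itype == ECHO_REQUEST and ipaddress.ip_address(src) in net:
            last_request[(src, dst)] = t
        elif itype == ECHO_REPLY and ipaddress.ip_address(dst) in net:
            asked = last_request.get((dst, src))
            if asked is None or t - asked > window:
                counts[dst] += 1
                reflectors[dst].add(src)
    return {v: (counts[v], len(reflectors[v]))
            for v in counts if len(reflectors[v]) >= min_reflectors}


if __name__ == "__main__":
    for victim, (n, k) in find_reflected_floods(SAMPLE, "203.0.113.0/24").items():
        print(f"{victim}: {n} unsolicited echo replies from {k} distinct reflectors")
```

A smurf-style amplifier shows up the same way, just with one reflector address supplying many replies; the distinct-reflector count then separates a single noisy peer from a distributed reflection.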