[unisog] DDoS IRC bots

Bill McCarty bmccarty at apu.edu
Tue Jan 21 21:57:24 GMT 2003


Hi Mark,

Actually, I run several honeynets, including some Windows 2000 hosts.
But, the Windows hosts are rarely compromised and haven't yet been
involved in a DDoS attack. I see a lot more action on the Linux/Unix
honeypots. Apparently, our university's address blocks are relatively
quiet. Perhaps this is because our pipes aren't all that big. 

Maybe the results would be different if I included some Windows 9x
hosts in the honeypot mix. What do you think?

I concede that, if I heard someone else tell the same tale, I'd suspect
that their hosts had been compromised without their knowledge. But, I
personally review each SYN packet entering and leaving my honeynets.
So, our production hosts may be owned <grin>, but our honeynets are
compromised only rarely.

Thanks for your thoughts!

--On Tuesday, January 21, 2003 11:17 AM -0500 Mark Kimble
<mjkits at rit.edu> wrote:

> too easy.  put a windows box on the open internet - you'll get your
> chance.
> 
> Mark J Kimble
> mjkits at rit.edu
> Information & Technology Services
> Rochester Institute of Technology
> PGP: 80FC 8C3E 3F5B 4797 E4B4  3221 E994 2D22 1AB2 DE04
> 
> -----Original Message-----
> From: Bill McCarty [mailto:bmccarty at apu.edu]
> Sent: Tuesday, January 21, 2003 10:46 AM
> To: Jeff Bollinger
> Cc: unisog at sans.org
> Subject: Re: [unisog] DDoS IRC bots
> 
> 
> Hi Jeff,
> 
> Actually <grin>, it was re-reading Gibson's account that got me
> started on this. He got started when someone anonymously emailed him
> a copy of a working bot. I'm interested in replicating his study,
> with a few twists of my own.
> 
> Cheers,
> 
> --On Tuesday, January 21, 2003 10:41 AM -0500 Jeff Bollinger
> <jeff01 at email.unc.edu> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> This site has got a lot of great info:
>> 
>> http://grc.com/dos/grcdos.htm
>> 
>> Jeff
>> 
>> - --
>> Jeff Bollinger, CISSP
>> University of North Carolina
>> IT Security Analyst
>> 105 Abernethy Hall
>> mailto: jeff_bollinger at unc dot edu
>> 
>> Bill McCarty wrote:
>>| Hi all,
>>| 
>>| I'm a security researcher affiliated with the Honeynet Research
>>| Alliance (www.honeynet.org) and have recently developed an interest
>>| in IRC bots involved in DDoS attacks. To learn more about them, I'm
>>| interested in dissecting one or more specimens.
>>| 
>>| Can anyone provide me with a specimen or point me to an Internet
>>| site that might provide one? So far, my cursory googling has not
>>| led to any firm leads.
>>| 
>>| Thanks!
>>| 
>>| ---------------------------------------------------
>>| Bill McCarty, Ph.D.
>>| Associate Professor of Web & Information Technology
>>| School of Business and Management
>>| Azusa Pacific University
>> 
> 
> ---------------------------------------------------
> Bill McCarty, Ph.D.
> Associate Professor of Web & Information Technology
> School of Business and Management 
> Azusa Pacific University
> 
---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management 
Azusa Pacific University