[unisog] DDoS IRC bots

Mark Kimble mjkits at rit.edu
Wed Jan 22 16:12:42 GMT 2003


Bill,

hmm.. I think the number of attempts at the 9x boxes has decreased.. and
most win attacks still aimed at 2k boxes.. (unpatched no admin passwd
generally)  Funny you should not have been lucky enough to see one yet on
honeynet.  maybe not rich enough target - Get an OC3.  That should change
your luck! ;)

oh.. are the honeynet nets wide open to the Internet?

This is a new twist.. a discussion on how to get hacked.

Mark J Kimble
mjkits at rit.edu
Information & Technology Services
Rochester Institute of Technology
PGP: 80FC 8C3E 3F5B 4797 E4B4  3221 E994 2D22 1AB2 DE04

-----Original Message-----
From: Bill McCarty [mailto:bmccarty at apu.edu]
Sent: Tuesday, January 21, 2003 4:57 PM
To: unisog at sans.org
Subject: RE: [unisog] DDoS IRC bots


Hi Mark,

Actually, I run several honeynets, including some Windows 2000 hosts.
But, the Windows hosts are rarely compromised and haven't yet been
involved in a DDoS attack. I see a lot more action on the Linux/Unix
honeypots. Apparently, our university's address blocks are relatively
quiet. Perhaps this is because our pipes aren't all that big.

Maybe the results would be different if I included some Windows 9x
hosts in the honeypot mix. What do you think?

I concede that, if I heard someone else tell the same tale, I'd suspect
that their hosts had been compromised without their knowledge. But, I
personally review each SYN packet entering and leaving my honeynets.
So, our production hosts may be owned <grin>, but our honeynets are
compromised only rarely.

Thanks for your thoughts!

--On Tuesday, January 21, 2003 11:17 AM -0500 Mark Kimble
<mjkits at rit.edu> wrote:

> too easy.  put a windows box on the open internet - you'll get your
> chance.
>
> Mark J Kimble
> mjkits at rit.edu
> Information & Technology Services
> Rochester Institute of Technology
> PGP: 80FC 8C3E 3F5B 4797 E4B4  3221 E994 2D22 1AB2 DE04
>
> -----Original Message-----
> From: Bill McCarty [mailto:bmccarty at apu.edu]
> Sent: Tuesday, January 21, 2003 10:46 AM
> To: Jeff Bollinger
> Cc: unisog at sans.org
> Subject: Re: [unisog] DDoS IRC bots
>
>
> Hi Jeff,
>
> Actually <grin>, it was re-reading Gibson's account that got me
> started on this. He got started when someone anonymously emailed him
> a copy of a working bot. I'm interested in replicating his study,
> with a few twists of my own.
>
> Cheers,
>
> --On Tuesday, January 21, 2003 10:41 AM -0500 Jeff Bollinger
> <jeff01 at email.unc.edu> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> This site has got a lot of great info:
>>
>> http://grc.com/dos/grcdos.htm
>>
>> Jeff
>>
>> - --
>> Jeff Bollinger, CISSP
>> University of North Carolina
>> IT Security Analyst
>> 105 Abernethy Hall
>> mailto: jeff_bollinger at unc dot edu
>>
>> Bill McCarty wrote:
>>| Hi all,
>>|
>>| I'm a security researcher affiliated with the Honeynet Research
>>| Alliance (www.honeynet.org) and have recently developed an interest
>>| in IRC bots involved in DDoS attacks. To learn more about them, I'm
>>| interested in dissecting one or more specimens.
>>|
>>| Can anyone provide me with a specimen or point me to an Internet
>>| site that might provide one? So far, my cursory googling has not
>>| led to any firm leads.
>>|
>>| Thanks!
>>|
>>| ---------------------------------------------------
>>| Bill McCarty, Ph.D.
>>| Associate Professor of Web & Information Technology
>>| School of Business and Management
>>| Azusa Pacific University
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.0 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQE+LWo1voVlxVBmgsURAtP1AKCybvz61L9zA2hHB8g1A/MZPdm6sgCePrIB
>> u0Erm/8JtdzDnznd40o6y6I=
>> =GM3b
>> -----END PGP SIGNATURE-----
>>
>>
>
>
>
> ---------------------------------------------------
> Bill McCarty, Ph.D.
> Associate Professor of Web & Information Technology
> School of Business and Management
> Azusa Pacific University
>



---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University


