[unisog] DDoS IRC bots

Bill McCarty bmccarty at apu.edu
Thu Mar 6 06:20:44 GMT 2003

Hi all,

In January, I asked the help of list members in gaining access to a DDOS
botnet. Partly as a result of help I received in response to my request,
I've succeeded in entering a botnet that hosts almost 5,000 zombies. This
opportunity to forensically examine the attacker's tools and observe the
botnet in action may improve understanding of DDOS attacks and lead to ways
of thwarting or mitigating them. My thanks to those who responded.

For those interested in replicating this work, my Windows 2000 honeypot has
been repeatedly compromised over only several days of operation. Most
attacks target the Unicode directory traversal vulnerability of (unpatched)
IIS servers. I've also seen one instance of an IDA buffer overflow. 

Despite opinions that compromises commonly result from null passwords, I've
so far been unable to verify that attack vector. I do have TCP 445 traffic
that might have taken advantage of the lack of a password. However, my
primitive honeypot is not well instrumented, so it's hard to determine the
attackers' actions. I'm currently developing tools to remedy this lack.
Meanwhile, I plan to deploy honeypots with and without passwords and
thereby hope to determine if the absence of a password is an important

Thanks again for the help!

Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management 
Azusa Pacific University

More information about the unisog mailing list