| |||||||||||||
|
| |||||||||||||
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft)Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft)Posted Dec 2, 2004 18:36 UTC (Thu) by ncm (subscriber, #165)Parent article: Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft)
The netcraft report seems to confuse matters. In the original announcement, it was carefully noted that the purpose of the screen saver was not to knock out the sites, but to cost them more money (for bandwidth) than they could recoup from the, er, customers. It said clearly that they meant to throttle the activity so as not to make the target sites entirely inaccessible. Maybe they failed, in the cases netcraft cites, or maybe they were successful and exceeded the sites' prepaid bandwidth caps. In the latter case, the owners would have declined to pay for more bandwidth, and thus might reasonably be said, by Lycos, to have taken their own sites down. (An ISP that bills a spammer site "net 30" deserves to be stiffed.)
I doubt that spammers can make the screen saver attack Lycos by straightforward means. However, it seems likely that a spammer's zombie network might end up hosting several thousand copies of the screen saver, which would then be subject to compromise and be made to attack other targets, and Lycos would be blamed. Or, the zombies might just be made to pretend to be running the screensaver, regardless of whether it has been loaded, and attack targets of the spammers' choice, with blame falling again on Lycos.
(Log in to post comments)
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 2, 2004 19:05 UTC (Thu) by dskoll (subscriber, #1630) [Link] Or, the zombies might just be made to pretend to be running the screensaver...Or the spammers will install Web servers on the zombies to serve their content, giving them a vast distributed network of Web servers that is extremely robust against a DDoS attack.
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 2, 2004 19:14 UTC (Thu) by keithw (guest, #3127) [Link] And thus avoid paying for their regular bandwidth as well... Lycos' screensaver ends up saving spammers money...
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 2, 2004 20:02 UTC (Thu) by ncm (subscriber, #165) [Link] It would be fun to make some convenient zombie box that was also serving web pages enter fake orders. Lots and lots of fake orders. How long does it take for an unprotected SP1 to get "recruited"? Four minutes, now?
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 2, 2004 22:36 UTC (Thu) by NapalmLlama (guest, #26327) [Link] Yeah, that's pretty much what I said earlier. It is the obvious step for spammers to take - take the partnership with virus writers that one stage further.All wars have collateral damage, and the only difference with the internet's wars is that the damage is to innocent consumer's monthly bills.
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 2, 2004 22:57 UTC (Thu) by pflugstad (subscriber, #224) [Link] I think they're doing this already. I recall reading on NANOG about spammers advertising sites that are "unkillable" or some such. Some NANOGers looked into it and essentially the spammers are using the zombies either as web servers or web proxies - DNS name for target gets updated on a minute by minute basis or some such (long list of alternate IPs for web site, each is a zombie). It was fairly sophisticated and would be quite difficult to stop.
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 3, 2004 21:48 UTC (Fri) by rmini (subscriber, #4991) [Link] DNS DDOS, then.
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 9, 2004 13:19 UTC (Thu) by copsewood (subscriber, #199) [Link] No. Not the way to do it. DNS enquiries are cached all over the world. Todefeat a DDOS on a DNS server for a domain, all the spammer has to do is increase the TTL until the content server can handle the load.
Spam Sites Crippled by Lycos Screensaver DDoS (Netcraft) Posted Dec 9, 2004 13:26 UTC (Thu) by copsewood (subscriber, #199) [Link] >It was fairly sophisticated and would be quite difficult to stop.
To stop it you would have to get the ISP handling the IP for the spammers DNS server to pull that DNS server off the network, or get the ISPs upstream provider to block that IP address if the ISP takes too long to respond. If the spammer running this DNS server sent out responses to all enquiries prior to the DNS server being shut down with a long TTL, this would determine a window of opportunity for this crack to continue working. Does DNS have a maximum value for TTL on A records ? The problem is then the cached copies of these records and how long it takes for these to be dropped by the DNS caches.
|
|
||||||||||||