Building a DDOS 'Botnet' is easy isn't it?

randvegeta Member, Host Rep

This is just a general discussion, not a proposal to build a botnet.

Everyone these days is now expecting Gbit connectivity, and many VPS, and practically all dedicated server providers now offer this at very affordable prices. So is it not terribly easy and not that expensive to build a small botnet with a relatively large capacity for sending DDOS traffic?

Most servers would probably keel over at 1G given it would probably saturate their interface, so with just 5 - 10 VPS or dedicated servers pushing a modest 100 - 200Mbit, it could quite easily take down a server that is not protected.

People are talking about Botnets getting larger and larger, with attack sizes more than doubling every year, but is it really from infected home/office computers? Could there really be such a growth in infected computers and servers?

There are a lot of DDOS for hire 'services' out there, presumably using bots that are essentially infected computers/servers. But perhaps it is actually economical to actually pay for the bandwidth? Why go through the trouble of creating and trying to spread a 'virus' when you can simply buy your DDOS capacity 'legally' from hosting providers, and use those for sending out attack traffic? With a monetary incentive, it may easily recoup its cost and certainly provide a whole lot of flexibility to the attacker.

It is interesting to note that in Asia, where we do most of our business, bandwidth is extremely expensive compared to Europe or USA. It is common for hosting companies to have just a few 10 or hundred meg of international connectivity. A single server with a Gbit line in Europe or USA (which are cheap) can easily use up the entire capacity of most Asian providers.

Given this, I'm surprised DDOS are not more common and much larger than they are today. Or maybe it explains why the growth in DDOS has been as large as it is.


Comments

  • I think if people on this board stopped playing with teenagers and 1x year olds, at least the majority of their ddos problems would go away.

    Thanked by 1doghouch
  • randvegeta Member, Host Rep

    I'm not sure about that. For years we turned down clients who were at risk of DDOS attacks, and these weren't kids or teenagers. Although I suppose many of THEIR clients were.

    I think there are many areas of business at risk of DDOS. And the cheaper it becomes to do, the bigger and more frequent the attacks will be.

  • @randvegeta said:

    Most servers would probably keel over at 1G given it would probably saturate their interface, so with just 5 - 10 VPS or dedicated servers pushing a modest 100 - 200Mbit, it could quite easily take down a server that is not protected.

    This is true, but then again couldn't you just block those IPs if it's only 5-10?

  • randvegeta said: Given this, I'm surprised DDOS are not more common an much larger than they are today.

    Are you quoting some old outdated info?

    https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/

  • randvegeta Member, Host Rep

    hostnoob said: IPs if its only 5-10

    No you can't. First of all, IP spoofing is terribly easy. A lot of providers don't filter by IP address so you can't rely on the IP you see in the attack.

    But even if you do see the real IP of the attacker, it still hits the server. You can stop people coming into your house, but you can't stop people driving up to your door. You have no control over the roads outside your house. The attack is intended to flood your network, not your server's processing capacity.

    Thanked by 1William
  • randvegeta Member, Host Rep

    doughmanes said: Are you quoting some old outdated info?

    What do you mean? Attacks are getting pretty big these days. 30Gbit + is I think pretty common. But to have 30Gbit of attack capacity and not use infected computers, you can simply buy dedicated servers from 30 different providers in various locations around the world. If they all have 1G of connectivity, you've got a good amount of attack power.

    These days, with VPS providers offering VPS for $5 - $10 and offering Gbit connections, it doesn't seem that expensive.

  • Neoon Community Contributor, Veteran
    edited January 2016

    Why build your own? Just buy it.

    Today you can buy every crap you want.

  • randvegeta Member, Host Rep

    Infinity580 said: Just buy it.

    Buy what? It's not always easy to buy 'criminal' services. You need to find them, pay them in bitcoins probably, and after you've paid them, you don't know if you'll get what you paid for. And probably it would cost a few 10 dollars any way. Depending on who you are attacking, it might be easier, faster and cheaper to just do it yourself.

    As a hosting provider, it certainly seems easy to buy the bandwidth capacity needed.

  • William Member
    edited January 2016

    randvegeta said: It's not always easy to buy 'criminal' services.

    oh boy.

    BTC + Google (Option DuckDuckGo) is all you need for all your illegal needs nowadays, really.

    DDoS is easy to sell/buy, no shipping involved.

    Thanked by 1inthecloudblog
  • @randvegeta said:
    But even if you do see the real IP of the attacker, it still hits the server. You can stop people coming into your house, but you cant stop people driving up to your door. You have no control over the roads outside your house. The attack is intended to flood your network, not your server's processing capacity.

    Sorry but did you miss the BCP38 thing? aka Egress filtering?
    Most of the famous providers (DO/Linode/Vultr) disallow such actions in their ToS, but they also disallow it at Layer 3/4, making spoofing hard to achieve.

    I know some HF vendors do provide spoofed machines for a lowend price, but that's a whole different thing as you aren't proposing to build one. X)
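Added example for the BCP38 point above (written for this thread, not code posted by any participant): a simulated egress anti-spoofing filter. The provider prefixes, the edge-router logic and the sample outbound packets are all constructed for the example; the rule it applies is the one BCP38 describes, drop any outbound packet whose source address is not inside the address space the provider originates.

```python
"""BCP38 / egress anti-spoofing check, simulated in Python (added example).

Assumptions: a hypothetical provider that originates two prefixes
(documentation ranges stand in for real ones) and sees outbound packets
as (source, destination, protocol) tuples. Everything below is constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

Packet = Tuple[str, str, str]  # (source address, destination address, protocol)

# Hypothetical prefixes assigned to this provider's customers (assumption).
PROVIDER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, stand-in for a real allocation
    ipaddress.ip_network("2001:db8:1::/48"),  # documentation prefix, stand-in
]

# Constructed sample of outbound packets observed at the provider edge.
SAMPLE_OUTBOUND: List[Packet] = [
    ("203.0.113.10", "198.51.100.5", "tcp"),     # legitimate: source is ours
    ("198.51.100.77", "203.0.113.200", "udp"),   # spoofed: source belongs to someone else
    ("2001:db8:1::42", "2001:db8:9::1", "udp"),  # legitimate IPv6 source
    ("2001:db8:9::9", "2001:db8:1::1", "udp"),   # spoofed IPv6 source
    ("203.0.113.77", "198.51.100.5", "icmp"),    # legitimate: source is ours
]


def is_own_source(src: str, prefixes=PROVIDER_PREFIXES) -> bool:
    """True if `src` lies inside a prefix this edge is allowed to originate.

    `ipaddress` returns False for a v4 address tested against a v6 network
    (and vice versa), so mixed families need no special handling.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def egress_filter(packets: Iterable[Packet], prefixes=PROVIDER_PREFIXES):
    """Apply the BCP38 rule: forward packets sourced from our space, drop the rest.

    Returns (forwarded, dropped) so the caller can count, log or alert on them.
    """
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (forwarded if is_own_source(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def spoof_ratio(packets: Iterable[Packet], prefixes=PROVIDER_PREFIXES) -> float:
    """Fraction of outbound packets the filter would drop.

    A sudden rise in this ratio on one customer port is itself a useful
    abuse signal, independent of the drops.
    """
    packets = list(packets)
    if not packets:
        return 0.0
    _, dropped = egress_filter(packets, prefixes)
    return len(dropped) / len(packets)


if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_OUTBOUND)
    print(f"forwarded {len(fwd)}, dropped {len(drop)} spoofed-source packets")
    for pkt in drop:
        print("  dropped:", pkt)
    print(f"spoof ratio: {spoof_ratio(SAMPLE_OUTBOUND):.0%}")
```

On a real Linux edge the same check is normally done by the kernel's reverse-path filter (the `net.ipv4.conf.all.rp_filter` sysctl) or by an explicit outbound firewall rule per customer prefix, rather than in user space; the script only shows what such a rule decides and why.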

  • randvegeta Member, Host Rep

    lifehome said: HF

    lifehome said: Sorry but did you miss the BCP38 thing? aka Egress filtering?

    Most of the famous providers (DO/Linode/Vultr) disallow such actions in their ToS, but they also disallow it at Layer 3/4, making spoofing hard to achieve.

    I know some HF vendors do provide spoofed machines for a lowend price, but that's a whole different thing as you aren't proposing to build one. X)

    What is HF?

    Many providers do filter, but many more do not, meaning spoofing is easy. But even if you cannot spoof, you can still send junk traffic to your target and it's not always easy to block.

    William said: oh boy.

    BTC + Google (Option DuckDuckGo) is all you need for all your illegal needs nowadays, really.

    DDoS is easy to sell/buy, no shipping involved.

    It's not always easy to get BTC :-) You can lease servers with a credit card or Paypal. I still have no idea where I'm supposed to get BTC from.

  • randvegeta said: What is HF?

    Hackforums....

    randvegeta said: Many providers do filter, but many more do not, meaning spoofing is easy

    By now a very large chunk filters, I'd even say 90%+.

    Thanked by 1FlamesRunner
  • randvegeta Member, Host Rep

    William said: I'd even say 90%+.

    90%+ are filtering or are NOT filtering? In either case, unspoofed DOS traffic can still go through.

  • Anyone can build a botnet, simply save up your lunch money mommy gives you, and then get a prepaid visa, convert into PayPal, buy BTC, buy malware, then rent a setup service for botnet, get 100 bots free to start you off, and your e-penis level increases.

  • @randvegeta said:

    In my country you do a bank transfer to same country seller and you get your bitcoins about instant. Very easy.

    If you need bitcoins hit me up. I can sell you some.

  • randvegeta said: It's not always easy to get BTC :-) You can lease servers with a credit card or Paypal. I still have no idea where I'm supposed to get BTC from.

    Have you tried? There are literally tons of places where you can get BTC easily.

  • randvegeta said: What do you mean?

    Did you click the link I provided?

  • sin Member

    @GCat said:
    Anyone can build a botnet, simply save up your lunch money mommy gives you, and then get a prepaid visa, convert into PayPal, buy BTC, buy malware, then rent a setup service for botnet, get 100 bots free to start you off, and your e-penis level increases.

    mom only gives me $2/week for cleaning my room and won't give me permission to become an elite hacker though

  • randvegeta Member, Host Rep

    doughmanes said: Did you click the link I provided?

    Yes but I'm not sure what you are trying to say. 400Gbit attacks would seem to be larger than typical... Typical would be less than 10x that. But setting up a botnet with 30gbit capacity seems not too difficult is what I mean.

  • @sin said:
    mom only gives me $2/week for cleaning my room and won't give me permission to become an elite hacker though

    Hackers are rebels, join the rebel (s)kid army!!!!!!!! l0ad up eeeeeeeeem b00t3rzzzzzzzz y0

  • randvegeta Member, Host Rep

    drazilox said: Have you tried? There are literally tons of places where you can get BTC easily.

    I'm not saying it's hard. It's just not as easy as using a credit card or Paypal to directly purchase something online. And you cant just use your credit card or Paypal funds to freely buy BTC unless the person selling the BTC really trusts you.

  • randvegeta Member, Host Rep

    TehEnforce said: If you need bitcoins hit me up. I can sell you some.

    Which country? I don't really need BTC. I tend to get rid of the ones I accumulate. But how do you do the exchange? Do you do Paypal/Credit Card exchanges?

  • DBA Member

    One of the ideas behind a distributed attack is for the source addresses to be numerous and distributed across a large range of IP address space as well as being low enough in volume from each address to make it hard to distinguish from legitimate traffic.

    A few dozen source addresses does not make the cut. In addition if the source address is not being forged in some way the traffic traces back to the source server and a likely termination due to not following the TOS for any legit provider.

    Thanked by 1Mark_R
  • perennate Member, Host Rep
    edited January 2016

    If you're just throwing packets and not caring about making it hard to filter, IP spoofing is irrelevant, just bounce your bandwidth off DNS / NTP servers (and amplify it at the same time!).

    Edit: to be clear, I meant although it is still easy to filter since you can just firewall based on source port, it is more difficult than source IP. And also it's harder to trace the source of the attack.

    Also, I think more and more providers are adding automated systems to block outgoing attacks, which is much easier than blocking incoming attacks.
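Added example for the reflection point in the post above (written for this thread, not code from any participant): the defender-side view of what perennate describes. A reflection attack arrives at the target as UDP responses from source port 123 (NTP) or 53 (DNS) that the target never requested, so matching inbound responses against recent outbound requests separates the flood from the host's own legitimate NTP and DNS use, which a plain "drop everything from source port 123" rule would also break. The flow records, thresholds and the suggested rule text are constructed assumptions.

```python
"""Detecting unsolicited NTP/DNS reflection traffic toward one host (added example).

Assumptions: a hypothetical netflow-style export for a single protected host,
reduced to direction / remote address / remote port / local port / bytes.
The sample flows and the byte threshold are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# UDP services commonly abused as reflectors, as discussed in the thread.
REFLECTOR_PORTS = {123: "ntp", 53: "dns"}


@dataclass(frozen=True)
class Flow:
    direction: str   # "out" = sent by our host, "in" = received by our host
    peer: str        # remote address
    peer_port: int   # remote UDP port
    local_port: int  # our host's UDP port
    nbytes: int


# Constructed sample: one normal NTP exchange, one normal DNS lookup,
# then a burst of oversized replies our host never asked for.
SAMPLE_FLOWS: List[Flow] = [
    Flow("out", "198.51.100.10", 123, 40001, 48),   # our host asks a time server
    Flow("in",  "198.51.100.10", 123, 40001, 48),   # ...and gets a normal reply
    Flow("out", "198.51.100.53", 53, 40002, 60),    # a normal DNS query
    Flow("in",  "198.51.100.53", 53, 40002, 120),   # the matching DNS answer
    Flow("in",  "192.0.2.11", 123, 80, 4800),       # unsolicited NTP replies at our web port
    Flow("in",  "192.0.2.12", 123, 80, 4800),
    Flow("in",  "192.0.2.13", 53, 80, 3900),        # unsolicited, oversized DNS answers
    Flow("in",  "192.0.2.14", 123, 80, 4800),
]


def detect_reflection(flows: Iterable[Flow], min_unsolicited_bytes: int = 8000) -> Dict:
    """Flag inbound reflector-port traffic with no matching outbound request.

    A reply is 'solicited' when our host sent something to the same peer,
    peer port and local port; anything else from port 123/53 is reflected
    traffic. Returns byte totals per service, the reflector addresses seen,
    and an alert flag once the unsolicited volume crosses the threshold.
    """
    flows = list(flows)
    requested = {(f.peer, f.peer_port, f.local_port) for f in flows if f.direction == "out"}
    unsolicited: Dict[str, int] = defaultdict(int)
    reflectors: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.direction != "in" or f.peer_port not in REFLECTOR_PORTS:
            continue
        if (f.peer, f.peer_port, f.local_port) in requested:
            continue  # a reply to our own request: legitimate
        service = REFLECTOR_PORTS[f.peer_port]
        unsolicited[service] += f.nbytes
        reflectors[service].add(f.peer)
    total = sum(unsolicited.values())
    return {
        "bytes_by_service": dict(unsolicited),
        "reflectors": {svc: sorted(addrs) for svc, addrs in reflectors.items()},
        "alert": total >= min_unsolicited_bytes,
    }


def proposed_rules(result: Dict) -> List[str]:
    """Turn an alert into stateful filter rules (illustrative nftables syntax).

    Matching on `ct state new` keeps replies to our own requests (which the
    connection tracker already knows about) while dropping unsolicited ones,
    which is the difference between filtering by source port alone and
    filtering by source port plus state.
    """
    if not result["alert"]:
        return []
    return [
        f"udp sport {port} ct state new counter drop   # {svc}"
        for port, svc in REFLECTOR_PORTS.items()
        if svc in result["bytes_by_service"]
    ]


if __name__ == "__main__":
    verdict = detect_reflection(SAMPLE_FLOWS)
    print("unsolicited bytes:", verdict["bytes_by_service"])
    print("reflectors seen:  ", verdict["reflectors"])
    print("alert:", verdict["alert"])
    for rule in proposed_rules(verdict):
        print("  rule:", rule)
```

The two rows with `local_port` 40001/40002 show why state matters: they are replies from the same ports an attacker abuses, yet they are counted as legitimate because the host sent the request first. The rule strings are only a sketch of the stateful form; on a real box they would be wrapped in the appropriate table and chain.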

  • Francisco Top Host, Host Rep, Veteran

    @William said:
    By now a very large chunk filters, I'd even say 90%+.

    Right, now you have the providers that willingly don't filter because it leads to a lot of sales.

    You can find some popular brands marked as 'spoofing enabled' and the likes on hackforums and even though many people, myself included, have been shining a big light on them for doing it they don't seem to care.

    Francisco

  • perennate Member, Host Rep

    Francisco said: Right, now you have the providers that willingly don't filter because it leads to a lot of sales.

    But if all the sales are for people who are doing malicious things, doesn't that mess with their network connectivity (due to constant packet flooding) / IP reputation?

  • cough Has ColoCrossing implemented filtering yet?

  • @DBA said: In addition if the source address is not being forged in some way the traffic traces back to the source server

    hey, could you post more details on that part? I'm interested in how attacks like this get initiated in order to learn how to prevent them, thanks a lot man!

    I thought that the ddos attacks always get initiated from around 3 dedicated servers that push their traffic through proxies or exploitable q3 server lists to spoof the origin.

    Thanks a lot!

  • Francisco Top Host, Host Rep, Veteran

    @perennate said:
    But if all the sales are for people who are doing malicious things, doesn't that mess with their network connectivity (due to constant packet flooding) / IP reputation?

    IP reputation doesn't matter with the providers that 'forget' to block spoofing, and if they apply rate limits or do 100mbit ports it won't matter too much. Even a 100mbit box reflecting off NTP boxes can hit well past 10gbit. If anything, the 100mbit port is a way to just sell more boxes.

    @0xdragon said:
    cough Has ColoCrossing implemented filtering yet?

    Well.... we'd hope so given they've posted a handful of images of big Juniper units in 2 of their locations now, so if they aren't implementing it, it's due to incompetence, or worse, a selling point, and not because "the technology just isn't there".

    Francisco

    Thanked by 1GM2015
  • Francisco said: it's due to incompetence, or worse, selling point, and not because "the technology just isn't there".

    It was good knowing you.
