On Wed, 07 Aug 2013 21:45:08 +0200, ZUGERNET NOC noc@zugernet.ch wrote:
Dear all
We have been members of this list for many years now, but not so chatty, more listening.
But today I feel a strong necessity to contact the community, since we (ISP ZUGERNET, AS 28859) are being attacked many times over the last 24 hours with huge traffic disabling our network completely. The attack is really very damaging: to ourselves, to our customers and to their customers and partners. You can imagine...
If someone of you can give me a hint on how to track down WHO is causing this, I would really appreciate any help, however small it may be. I know that technically such attacks are not trackable - but what I mean is more: if someone can share some "underground knowledge" with me to possibly find out which bot-net is used (under the control of whom etc.; we can share some netflow capture with a huge amount of source-ip-addresses) and possibly has "underground-contacts" to find out more about them...?
Thank you in advance! Feel free to answer me off-list if you feel that is more appropriate.
If it's really distributed, then it will be pretty much impossible to track down - unless one of the zombies is on a network where you can listen to the traffic and track down the c&c host - but that will only reveal the c&c host for that zombie for that particular time - and chances are, it's in some other country at an ISP that wants to see a court-order...
AFAIK, botnets are really a "resource for hire" - just google for the word "booter" and you'll find the semi-legal ones (word is they're all passing your data straight to the FBI....). The operators of the botnet that attacks you have no qualm with you, usually.
It might be easier to locate the target in your network and move it somewhere else. From the target, you can often deduce the source much easier than vice-versa.
Popular targets:
- adult hosting (incl. websites of brothels, escort-services etc. pp.)
- gambling
- root-servers with IRC servers or game-servers or forums
- websites of political parties
- websites with other "controversial" content
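The reply's advice is to find the target inside your own network first. An added example (not posted by anyone in this thread, and not ZUGERNET's or any responder's code) of how to do that from a NetFlow export: aggregate flow records per destination, count distinct source addresses and bytes, and pick the host that both draws traffic from many sources and carries most of the volume. The CSV column names and all addresses below are constructed; a real nfdump or pmacct export would have its columns mapped onto these names.

```python
"""Locate the DDoS target in a NetFlow-style export.

Rank destination addresses by the number of distinct sources hitting them
and by traffic volume; the host with thousands of distinct sources and the
bulk of the bytes is the one under attack. All input here is constructed.
"""
from collections import defaultdict
import csv
import io

# Constructed sample of flow records (documentation-range addresses, not
# real ZUGERNET data). Columns are a simplified flow export.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,proto,packets,bytes
198.51.100.7,203.0.113.10,80,6,1200,1800000
198.51.100.8,203.0.113.10,80,6,1100,1650000
198.51.100.9,203.0.113.10,80,6,1300,1950000
192.0.2.5,203.0.113.10,80,6,900,1350000
192.0.2.6,203.0.113.10,80,6,1000,1500000
192.0.2.7,203.0.113.10,80,6,950,1425000
192.0.2.8,203.0.113.10,80,6,1050,1575000
203.0.113.250,203.0.113.20,443,6,40,60000
198.51.100.40,203.0.113.20,443,6,35,52000
192.0.2.99,203.0.113.30,53,17,10,1500
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed numeric fields."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        {
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": int(row["proto"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        }
        for row in reader
    ]


def rank_destinations(flows):
    """Return (dst_ip, distinct_sources, total_bytes, total_packets) tuples,
    sorted by distinct sources, then bytes, descending."""
    sources = defaultdict(set)
    total_bytes = defaultdict(int)
    total_packets = defaultdict(int)
    for f in flows:
        sources[f["dst_ip"]].add(f["src_ip"])
        total_bytes[f["dst_ip"]] += f["bytes"]
        total_packets[f["dst_ip"]] += f["packets"]
    rows = [(d, len(sources[d]), total_bytes[d], total_packets[d]) for d in sources]
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


def likely_target(flows, min_sources=5, min_share=0.5):
    """Pick the destination that is hit by at least `min_sources` distinct
    addresses AND receives at least `min_share` of all bytes.
    Thresholds are assumed values for the sample; tune them to your link.
    Returns None when no destination meets both conditions (no clear target)."""
    total = sum(f["bytes"] for f in flows)
    if total == 0:
        return None
    for dst, nsrc, nbytes, _ in rank_destinations(flows):
        if nsrc >= min_sources and nbytes / total >= min_share:
            return dst
    return None


def attack_profile(flows, dst):
    """Bytes per (protocol, destination port) aimed at `dst`: tells you which
    service is being hit, which is what you need before moving or filtering it."""
    profile = defaultdict(int)
    for f in flows:
        if f["dst_ip"] == dst:
            profile[(f["proto"], f["dst_port"])] += f["bytes"]
    return dict(profile)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, nsrc, nbytes, npkts in rank_destinations(flows):
        print(f"{dst:16} sources={nsrc:5} bytes={nbytes:12} packets={npkts}")
    target = likely_target(flows)
    print("likely target:", target)
    if target:
        print("profile:", attack_profile(flows, target))
```

On a real export the interesting numbers are orders of magnitude larger, but the shape is the same: one destination with a distinct-source count far above everything else. The profile output (here a single protocol/port pair) is what decides whether the service can be moved to another address or null-routed while the rest of the network recovers.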