On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote: > On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote: > > Hmm, not according to the data I collect. I track numerous botnets and > > DoSnets, and a bit over 80% of them use the real IPs as the source of > > the floods. Then again, with 500 - 18000 bots, it isn't all that > > necessary to mask the source IPs. :/ > > There are only two situations where a DoS uses its real IP, 1) the network > filters spoofed source addresses, 2) they havn't compromised root.
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't know the breakdown of botnets in terms of which platform they typically harvest for hosts, but I'd imagine Windows represents a significant portion of non-spoofed attacks. -c