On 10/29/2016 9:43 PM, Eric S. Raymond wrote:
> I in turn have to call BS on this. If it were really that easy, we'd
> be inundated by Mirais -- we'd have several attacks a *day*.

Some of us are seeing many significant attacks a day.

That's because botnets are frequently used to hit game servers and game
players. In fact, the Mirai-targeted devices were not newly-seen;
easily-exploited devices like older DVRs have been observed for years in
attacks on game servers. The main difference in the recent botnet
attacks (mostly, 2016) is that they have been larger and more frequent,
likely because of incremental improvements to scanners (including in
time-to-exploitation, which is important to building the botnet because
these devices are so frequently rebooted) and payloads (to better block
further exploitation by competitors). If you run a honeypot and take a
look at what happens to one of these devices over time, you'll see an
interesting tug-of-war between many different actors that are
compromising them and running their own binaries.

Reflection attacks are still common, as well, of course. Previously,
those were the ones that created the largest flows. But, the
higher-amplification-factor reflection attacks can be mostly mitigated
upstream with basic ACLs (as long as the upstream is willing to help,
and has the internal capacity to do it; many NSPs do not). It is not
uncommon to see a botnet attack at the same time as a reflection attack.

-John
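The two attack types John describes often arrive together, and only the reflection half is a good fit for a coarse upstream ACL. Added example, not code from the thread: it splits a constructed sample of flow records toward a victim into reflected UDP traffic (source port of a known amplifier service) and direct botnet traffic, and emits Cisco-style source-port ACL entries for the reflected part. The amplifier port list, the victim address and the flow format are assumptions.

```python
from collections import Counter, defaultdict

# UDP services commonly abused as high-amplification reflectors.
# Assumption: illustrative list, not taken from the original post.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp",
                   161: "snmp", 1900: "ssdp", 11211: "memcached"}

VICTIM = "203.0.113.10"  # constructed victim address (documentation range)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# NTP and DNS reflection arrive alongside a direct TCP flood on a game port.
SAMPLE_FLOWS = [
    ("198.51.100.1", 123, VICTIM, 40123, "udp", 4000),
    ("198.51.100.2", 123, VICTIM, 40123, "udp", 4000),
    ("198.51.100.3", 123, VICTIM, 40123, "udp", 4000),
    ("198.51.100.4", 53, VICTIM, 40124, "udp", 3000),
    ("198.51.100.5", 53, VICTIM, 40124, "udp", 3000),
    ("192.0.2.11", 51000, VICTIM, 25565, "tcp", 60),
    ("192.0.2.12", 51001, VICTIM, 25565, "tcp", 60),
    ("192.0.2.13", 51002, VICTIM, 25565, "tcp", 60),
    ("192.0.2.14", 51003, VICTIM, 25565, "tcp", 60),
    ("198.51.100.1", 123, "203.0.113.99", 40200, "udp", 4000),  # other dst
]


def classify_flows(flows, victim):
    """Split flows toward `victim` into reflected bytes per amplifier
    service and direct bytes per source host (everything else)."""
    reflection = defaultdict(int)   # service name -> bytes
    direct = Counter()              # src_ip -> bytes
    for src, sport, dst, _dport, proto, nbytes in flows:
        if dst != victim:
            continue
        if proto == "udp" and sport in REFLECTOR_PORTS:
            reflection[REFLECTOR_PORTS[sport]] += nbytes
        else:
            direct[src] += nbytes
    return dict(reflection), direct


def acl_lines(reflection, victim):
    """Cisco-style extended ACL entries that drop reflected traffic toward
    the victim by source port; direct floods need a different control."""
    port_by_service = {svc: port for port, svc in REFLECTOR_PORTS.items()}
    return [f"deny udp any eq {port_by_service[svc]} host {victim}"
            for svc in sorted(reflection)]


if __name__ == "__main__":
    refl, direct = classify_flows(SAMPLE_FLOWS, VICTIM)
    print("reflected bytes by service:", refl)
    print("direct sources:", len(direct), "hosts,", sum(direct.values()), "bytes")
    print("\n".join(acl_lines(refl, VICTIM)))
```

The direct sources are intentionally left out of the ACL: blocking by source port does nothing for them, which is why a combined attack needs more than the upstream filter.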