
Full Disclosure mailing list archives

Re: Ubisoft DDoS
From: Valdis.Kletnieks () vt edu
Date: Tue, 09 Mar 2010 10:12:24 -0500

On Tue, 09 Mar 2010 15:27:02 +0100, Adrenalin said:
> I'm just wondering, even if it's under DDoS, isn't it as easy to block as to
> collect the list of IP that send too much data, and just block them on the
> upper level ISP?

You *do* realize that a *small* botnet these days is 75,000 machines, and
there's an estimated 140 million compromised zombie boxes out there? There's
very few boxes that can handle an inbound ACL of 75K entries sanely - usually
what ends up happening is the upstream drops all traffic *to* the target node
just so all the *other* boxes at the site still get some bandwidth.

And "sending too much data" is hard to quantify - if you have enough bots,
you can thoroughly DDoS a site using far *less* bandwidth per host than a
normal user does.  If the site was designed to handle 10,000 clients each
sending 5 packets per second for 10 seconds during a login at game start,
it will likely fall over if you throw 100,000 bots at it, each sending
4 packets a second continuously...


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
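
The reply's two points (the size of the block list, and bots staying under any "too much data" threshold) can be checked with a small model. This is an added example, not part of the original message: the traffic is constructed from the figures in the post, and the 1,000 legitimate clients and the ACL capacity of 10,000 entries are assumptions chosen for illustration.

```python
from dataclasses import dataclass

LEGIT_PPS = 5                     # per-client login rate, from the post
DESIGN_PPS = 10_000 * LEGIT_PPS   # load the site was sized for: 50,000 pps

@dataclass
class Verdict:
    flagged: int          # sources the per-source rule would block
    legit_blocked: int    # real clients caught by that rule
    aggregate_pps: int    # total inbound packet rate
    overload: float       # aggregate rate / design load
    acl_fits: bool        # would the block list fit the filter?

def constructed_traffic(bots, bot_pps, clients, client_pps=LEGIT_PPS):
    """Constructed sample: {(kind, id): packets per second}."""
    rates = {("bot", i): bot_pps for i in range(bots)}
    rates.update({("client", i): client_pps for i in range(clients)})
    return rates

def assess(rates, per_source_limit, acl_capacity):
    """Apply a 'block sources above the limit' rule and report the outcome."""
    flagged = [src for src, pps in rates.items() if pps > per_source_limit]
    total = sum(rates.values())
    return Verdict(
        flagged=len(flagged),
        legit_blocked=sum(1 for kind, _ in flagged if kind == "client"),
        aggregate_pps=total,
        overload=total / DESIGN_PPS,
        acl_fits=len(flagged) <= acl_capacity,
    )

if __name__ == "__main__":
    traffic = constructed_traffic(bots=100_000, bot_pps=4, clients=1_000)
    # ACL_CAPACITY is an assumed figure for illustration, not a vendor limit.
    ACL_CAPACITY = 10_000
    for limit in (LEGIT_PPS, 3):
        print(limit, assess(traffic, limit, ACL_CAPACITY))
```

With the limit at the legitimate rate, nothing is flagged while the aggregate is about eight times the design load; lowering the limit to catch the bots also flags every real client and produces a block list far larger than the assumed ACL can hold.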
