Monday, September 17, 2007

Storm Worm's DDoS Attitude - Part Two

After commenting on Storm Worm's logical connection with the recent DDoS attacks against anti-scam web sites, SecureWorks timely released details of what actions could trigger a DDoS attack from Storm back at the researcher's host and what type of DDoS attacks are launched exactly :

"The attacks do show signs of being automated. Certain actions reliably trigger attacks. Investigators who can withstand the onslaught and have decided to test their theories (with cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular."

To me, this tactic is more of a "hey our situational awareness on your actions to shut us down is fairly food enough" type of statement, but why would the botnet masters risk exposing infected hosts compared to the opportunity to have them act like nothing's in fact wrong with them? Mainly because if infected hosts were a scarce resource perhaps they would, but in Storm Worm's case the oversupply of infected hosts is allowing them to dedicate resources for automatic self-defensive DDoS.