No, this DDoS was from different IPs in 40-50 countries, so it was performed
by zombies. As far as I can tell it was performed with the Agressor2.0 botnet,
the successor of DirtyJump3.0. This botnet is constructed to let even a 3 y.o.
attacker make a serious impact. Each bot not only performs 'http-flood', but
also tries to SYN-flood ssh and all other open ports. And by opening lots
of connections it makes any Cisco ASA completely unusable, as these devices
track TCP connections and there are limits; for example, a Cisco ASA
5510 doesn't allow more than 130k connections (so we can say it supports
~100-200 bots).

This is why haproxy seems to be the best choice - it lets you control all
aspects of communication - a Swiss Army knife.

2011/7/27 Craig <>

> Hi,
> > We've tested from the outside. In fact that was a real attack. Botnet
> > consisted of ~10-12k bots each opening 1000 connections/second.
> This kind of DDoS seems popular lately. Did it originate from a specific
> AS, did you try to nullroute? I'm curious because mostly when I see
> botnet attacks, they are not widely spread throughout the internet but
> mostly come from <10 AS.
> Nice to see that AWS performed here, thanks for sharing. :)
> - Craig
