
DDOS attacks.

  • 20-10-2004 11:29PM
    #1
    Closed Accounts Posts: 3,354 ✭✭✭


    The DDOS attack on the register.com today got me thinking. Given that these usually come from a botnet or similar - how come it is possible for the same compromised machines to be used for multiple attacks over a period of time?

    Surely it's not an insurmountable task to trace the compromised PCs and get them blocked by their ISPs? I realise of course that it is possible to spoof and obscure the originating IP but I understood it wasn't foolproof? Surely with enough time and energy it would become very easy for an ISP to spot a compromised machine? Don't they have a responsibility to do that?

    Also a related article on phishing and spamming suggests that the same networks were being used time and again, and it was mentioned that although the IP addresses were changing the nature and quantity of attacks suggested that it was the same botnets responsible. Again I don't really understand how the IP of a compromised machine can be changed. Or were they talking about some kind of relay points being used - presumably where all those dodgy chunks of IP ranges were allocated years ago?


Comments

  • Closed Accounts Posts: 345 ✭✭tck


    It is a botnet, there can be hundreds of thousands of zombies from all over the world contributing to the bandwidth without them even knowing.

    A lot of ISPs don't play ball; imagine trying to ring every customer to say that they have a trojan on their PC - nigh on impossible.

    That's even if it was the right IP - most these days spoof the origin; there's definitely a shortage of people that can track down spoofed DDoS attacks; most just block it off and hope they get bored.

    New machines are compromised all the time, you can control so many now with a few commands from IRC or even an IM, I can't see any quick fix in the future either, unless you're on some switched backbone.

