Man Gets 3 Years for Botnet Attack
Vobbo writes "Weeks after NANOG subscribers argued whether or not mitigating botnet command and control systems was a worthwhile endeavor, the LA Times reports that the old-fashioned method of arresting and prosecuting criminals still works. Prosecutors successfully prosecuted a 21-year-old who had conspired to create botnets that attacked the Department of Defense, a California school district, and a Seattle hospital before being arrested. He pleaded guilty and was sentenced to 3 years of 'supervised release.'"
"Man Gets 3 Years' Probation for Botnet Attack"
"Editors", feel free to cut and paste.
FTA: "A man was sentenced to three years in prison Friday for launching a computer attack that hit tens of thousands of computers, including some belonging to the Department of Defense, a Seattle hospital and a California school district.
Christopher Maxwell, 21, of Vacaville, Calif., was also sentenced to three years of supervised release. "
I would say the 3 years in prison is more significant than the probation afterwards. Perhaps you should be informed before you start criticizing.
Disabling raw sockets in the OS won't get you anywhere, not so long as users are running with full privileges.
If you disable raw sockets, the backdoors will just start re-enabling them, sending raw Ethernet frames instead of raw TCP, or even installing a replacement TCP stack which supports raw sockets properly.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
That's not what a raw socket is...
A raw socket is basically an IP socket where you get to form the IP header and payload however you want. You can then send things like ICMP packets with the incorrect src address. Or you can issue TCP connect requests with the wrong address, etc...
Running httpd on port 81 is still a TCP/IP socket. You'd be sending out a valid src address and the like.
Tom
Someday, I'll have a real sig.
No, ***ISPs*** should disable raw sockets.
E.g., if your address is 70.3.44.8 and your IP packets don't have that in the src address, then null-route the sucker. Boom, no more anonymous DDoS, as the zombies will be trackable and can then be held accountable.
Tom
Someday, I'll have a real sig.
ISP. It's actually a really simple iptables or PF filter. On the gateway that serves [say] 70.8.4.0/24, you just reject all packets where the src address doesn't match.
If you want to get more fancy you could make sure the IP associates with the MAC address. But generally, if you can track a DDoS participant to an ISP gateway, you can narrow it down from there if it's still active [or if you keep stats].
Tom
Someday, I'll have a real sig.
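The gateway filter described in the comment above, written out as an added example (this is not the poster's code or any real ISP's configuration). It assumes a customer-facing interface serving the poster's example prefix 70.8.4.0/24, and the packets and the IP-to-MAC binding table are constructed sample data. The function classifies each packet the way the filter would: source outside the served prefix is dropped, and, for the "more fancy" variant, an in-prefix source whose MAC does not match the binding table is dropped as well.

```python
"""Source-address validation at a customer-edge gateway (BCP 38 style).

Added example, not code from the thread. Assumes the gateway serves
70.8.4.0/24 on an interface named eth1 (hypothetical name); packets and
the MAC table below are constructed sample data.

Equivalent rules for the simple (no-MAC) variant on a real gateway:
    iptables -A FORWARD -i eth1 ! -s 70.8.4.0/24 -j DROP
    pf.conf:  block in on eth1 from ! 70.8.4.0/24
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample packets seen on the customer-facing interface:
# (source IP, destination IP, source MAC).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("70.8.4.10", "198.51.100.7", "00:11:22:33:44:10"),    # legitimate host
    ("70.8.4.11", "198.51.100.7", "00:11:22:33:44:11"),    # legitimate host
    ("203.0.113.9", "198.51.100.7", "00:11:22:33:44:10"),  # spoofed src from host .10
    ("70.8.4.12", "198.51.100.7", "00:11:22:33:44:10"),    # in-prefix src, wrong MAC
    ("10.0.0.1", "198.51.100.7", "de:ad:be:ef:00:01"),     # private src leaking out
]

# Constructed IP -> MAC bindings for the served prefix (e.g. from DHCP leases).
SAMPLE_MAC_TABLE: Dict[str, str] = {
    "70.8.4.10": "00:11:22:33:44:10",
    "70.8.4.11": "00:11:22:33:44:11",
    "70.8.4.12": "00:11:22:33:44:12",
}


def classify_packet(src_ip: str, src_mac: str, served_prefix: str,
                    mac_table: Optional[Dict[str, str]] = None) -> str:
    """Return 'forward' or a 'drop:<reason>' verdict for one packet.

    The basic rule is the one from the comment: the source address must
    lie inside the prefix this gateway serves. If a MAC table is given,
    the source must also be sent from the MAC bound to that address.
    """
    prefix = ipaddress.ip_network(served_prefix, strict=False)
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop:unparseable-src"
    if src not in prefix:
        # Not one of ours: anything from here claiming another source is spoofed.
        return "drop:spoofed-src"
    if mac_table is not None:
        expected = mac_table.get(str(src))
        if expected is None or expected.lower() != src_mac.lower():
            return "drop:mac-mismatch"
    return "forward"


def filter_packets(packets: List[Tuple[str, str, str]], served_prefix: str,
                   mac_table: Optional[Dict[str, str]] = None):
    """Apply classify_packet to each packet.

    Returns (forwarded, dropped): forwarded is a list of (src, dst) pairs,
    dropped is a list of (verdict, src, mac) triples, which is the log an
    operator would keep to trace a DDoS participant back to a host.
    """
    forwarded: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str, str]] = []
    for src_ip, dst_ip, src_mac in packets:
        verdict = classify_packet(src_ip, src_mac, served_prefix, mac_table)
        if verdict == "forward":
            forwarded.append((src_ip, dst_ip))
        else:
            dropped.append((verdict, src_ip, src_mac))
    return forwarded, dropped


if __name__ == "__main__":
    for label, table in (("prefix only", None), ("prefix + MAC", SAMPLE_MAC_TABLE)):
        fwd, drp = filter_packets(SAMPLE_PACKETS, "70.8.4.0/24", table)
        print(f"{label}: forwarded={len(fwd)} dropped={len(drp)}")
        for verdict, src, mac in drp:
            print(f"  {verdict:<18} src={src:<13} mac={mac}")
```

Run with no arguments it prints both variants over the sample packets. With the prefix-only rule the in-prefix packet with the wrong MAC is forwarded; with the MAC table it is dropped, which is the difference the comment is pointing at. The dropped log carries the MAC, so even a spoofed packet points back at a specific customer port.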
Actually, this is a supervised release deal. He will have to report to his probation officer, submit financial information each month, possibly take random drug tests, and in general stay out of trouble. If he causes mayhem again, they can (but don't have to) impose that 3 year prison sentence.
So assuming that he stays out of trouble, then yes, the sentence is probation.
Forget this. In memorial.
Meanwhile he can do whatever the hell he wants, as he is likely to see his PO maybe once every three months.
I was in for armed bank robbery and rarely saw my PO. Fill out the form once a month and that's it. If you have no history of drugs, you won't even take drug tests. Oh, yeah, he might have to go to a bottom of the barrel shrink once a week for "therapy" - that's the biggest annoyance.
In essence, he got away with it. Supervised release is an annoyance, nothing more.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!