On 2017 Aug 16 17:12:28, you wrote to me:
KQ>>> and exactly WHERE does he say it is ddos?
ML>> he didn't say it was a DDOS... DDOS is more than one attacker... this
ML>> was only one attacker...
KQ> AH, My bad, I thought the two were one in the same, My ignorance.
not a problem... DoS, DDoS and DRDoS are all basically the same thing...
they're all Denial of Service... DDoS is Distributed Denial of Service which
means the attacks come from several vectors... DRDoS is Distributed Reflective
Denial of Service which means that someone is targeting a site by spoofing
their address in UDP packets sent to other sites... those other sites will send
their responses to the site whose address is spoofed and there's the DoS if
there's enough traffic...
ML>> and these days, we also have DRDoS, Distributed Reflective Denial of
ML>> Service, which is based on udp attacks...
KQ> too many idiots with too much time on their hands I presume.. I don't
KQ> see what if anything a person could gain by compromising port 17
they're not compromising port 17... they're using systemA's port 17 to flood
systemB by spoofing systemB's address in the UDP requests they're sending to
systemA... systemA thinks it is systemB doing the requesting... by using a lot
of systems like systemA to flood systemB, they're DoSing systemB and no one
knows where the real attackers are coming from...
the original report we read in here was about that health site... it wasn't the
health site that was sending all those requests... the health site was the one
under attack by the unknowns generating those faked packets that looked like
they were from the health site...
KQ>>> from what he has posted it could be regular Mirai.
ML>> not hitting the QOTD port, it likely isn't... Mirai and its variants
ML>> hit 22, 23, 2222, 5555, and 7547... now the variants have expanded to
ML>> numerous other ports... 135 (DCE/RPC), 445 (Active Directory), 1433
ML>> (MSSQL), 3306 (MySQL), and 3389 (RDP).
KQ> How about the constant garbage that acts just like Mirai trying to hit
KQ> my mailservers?
you mean the ones trying all kinds of names and passwords?? those are average
dictionary attacks... they're not Mirai or a variant of Mirai... they're
looking for existing accounts with poor passwords... if they find one, they can
use that info on other sites with similar accounts OR they may use that info to
hijack someone's twitter, facebook or apple accounts or any other accounts
where someone reused their password...
KQ> They are either expanding their horizons, or Skynet is taking over :)
nah... they've been doing this stuff for years before Mirai came around...
ML>> then you have the Hajime worm which appears to be the work of a
ML>> whitehat... it looks like Mirai from the attacked side but its goal
ML>> is to stop and prevent Mirai and variants from getting in to IoT
ML>> devices...
KQ> Good on it then.. if that's its true intention it needs to be added to
KQ> our exempt ips lists.
the thing is, you can't tell it from Mirai from this side of the screen...
besides, it can't help your BBS any more than Mirai can harm it... other than
tying up your terminal nodes and giving you a little DoS...
)\/(ark
Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... Does 'virgin wool' come from sheep the shepherd hasn't caught yet?
---
* Origin: (1:3634/12.73)
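
Added example, not part of the original message: a sketch of how the operator of a "systemA" could spot the reflection pattern described above in their own logs and tell it apart from Mirai-style port probing. The log format, thresholds, function names and sample lines are constructed assumptions.

```python
from collections import defaultdict

QOTD_PORT = 17
# Ports the message lists for Mirai and its variants.
MIRAI_PORTS = {22, 23, 2222, 5555, 7547, 135, 445, 1433, 3306, 3389}

# Constructed sample log; assumed format: proto src_ip dst_port bytes_in bytes_out
SAMPLE_LOG = """\
udp 198.51.100.7 17 1 480
udp 198.51.100.7 17 1 520
udp 198.51.100.7 17 1 490
udp 198.51.100.7 17 1 510
tcp 203.0.113.20 23 60 0
tcp 203.0.113.20 2222 60 0
tcp 203.0.113.20 7547 60 0
udp 192.0.2.33 17 1 470
tcp 192.0.2.90 25 300 120
"""

def parse(log):
    """Yield (proto, src, dport, bytes_in, bytes_out), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and all(p.isdigit() for p in parts[2:]):
            yield parts[0], parts[1], int(parts[2]), int(parts[3]), int(parts[4])

def analyze(log, qotd_threshold=3, scan_threshold=3):
    """Map each flagged source address to (label, detail)."""
    qotd = defaultdict(lambda: [0, 0, 0])  # src -> [requests, bytes_in, bytes_out]
    scans = defaultdict(set)               # src -> distinct Mirai-listed ports probed
    for proto, src, dport, b_in, b_out in parse(log):
        if proto == "udp" and dport == QOTD_PORT:
            rec = qotd[src]
            rec[0] += 1
            rec[1] += b_in
            rec[2] += b_out
        elif proto == "tcp" and dport in MIRAI_PORTS:
            scans[src].add(dport)
    report = {}
    for src, (count, b_in, b_out) in qotd.items():
        if count >= qotd_threshold:
            # UDP sources can be spoofed: this address is the likely victim, not the sender.
            report[src] = ("reflection-victim", round(b_out / max(b_in, 1), 1))
    for src, ports in scans.items():
        if len(ports) >= scan_threshold:
            report[src] = ("mirai-like-scan", sorted(ports))
    return report
```

The second element for a "reflection-victim" entry is the amplification factor, response bytes per request byte, which is what makes a small stream of spoofed requests add up to a flood at the far end.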