7.7 DDoS Attack Type Analysis and Countermeasures

2009-07-16 Cisco Talos 7.7 DDoS attack type analysis and response measures

http://blog.pages.kr/attachment/[email protected]

Attachment: cfile4.uf18258D244AC19FA0276CA5.pdf (6 MB)

Cisco Systems Korea’s July 2009 briefing describes four waves of 7.7 DDoS attacks against U.S. and South Korean government, financial, media, portal, and security sites from July 5-10. The presentation estimates roughly 100,000-200,000 zombie PCs, with Cisco Guard telemetry at one bank identifying about 188,000 zombie IPs and around 30,000 hosts sustaining high-rate HTTP GET activity. It characterizes the traffic as a mix of HTTP GET and CC-style requests, TCP port 80 connection floods, UDP port 80 floods, and ICMP floods, with per-zombie low-rate traffic designed to evade conventional defenses. The material notes the malware used embedded *.nls target lists rather than a conventional C2 channel, making command-channel takedown ineffective and forcing defenders to rely on network filtering, DDoS guard policies, GSLB, and server-side controls.
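As an added example (not code from the Cisco briefing), a defender-side detector for the HTTP GET flood pattern summarized above: it parses Common Log Format access-log lines, flags sources that exceed a per-IP GET rate, and separately flags paths hit by many low-rate sources whose individual rates stay under that threshold, which is how per-zombie low-rate traffic slips past a per-source check. Thresholds, addresses and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, epoch_seconds, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    return ip, int(datetime.strptime(ts, TIME_FMT).timestamp()), method, path

def detect_get_flood(lines, window_s=60, per_ip_max=100, per_path_max=200, min_sources=20):
    """Per fixed time window, flag (a) sources sending more than per_ip_max GETs and
    (b) paths hit more than per_path_max times by at least min_sources distinct IPs
    where no single IP exceeded per_ip_max: the low-rate-per-zombie pattern."""
    gets = defaultdict(Counter)                        # window -> ip -> GET count
    paths = defaultdict(lambda: defaultdict(Counter))  # window -> path -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, epoch, _, path = rec
        w = epoch // window_s
        gets[w][ip] += 1
        paths[w][path][ip] += 1
    high_rate_ips = {ip for w in gets for ip, n in gets[w].items() if n > per_ip_max}
    flooded_paths = set()
    for w in paths:
        for path, by_ip in paths[w].items():
            total = sum(by_ip.values())
            if (total > per_path_max and len(by_ip) >= min_sources
                    and max(by_ip.values()) <= per_ip_max):
                flooded_paths.add(path)
    return high_rate_ips, flooded_paths

def constructed_log():
    """Constructed sample (not real 7.7 traffic): one noisy source, thirty low-rate
    sources hammering one path, and a single legitimate request."""
    t = "[05/Jul/2009:10:00:%02d +0900]"
    fmt = '{ip} - - {t} "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.9", t=t % (i % 60), p="/index.html") for i in range(150)]
    lines += [fmt.format(ip=f"198.51.100.{i}", t=t % (i % 60), p="/")
              for i in range(30) for _ in range(10)]
    lines.append(fmt.format(ip="192.0.2.5", t=t % 7, p="/about"))
    return lines
```

The per-IP check alone would miss the thirty sources on "/" (10 GETs each); only the aggregate per-path check catches them.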
