By incoming connections, do you mean web visitors who fell victim to CSRF/XSS exploits in their router management web panels? Or was he hijacking routers another way?
Then it is just a matter of figuring out where these routers are, and then writing a few scripts to exploit and command them en masse. I don't think CSRF/XSS would net him the vast numbers he'd need to make a significant DDoS.
And to more specifically answer your question, by "incoming connections", I mean like monitoring the DDoS via netstat on a box Zee was actively attacking.
Well, the problem is those vulns require either the attacker to share or control the victim's LAN in some way, or the router's management panel to be exposed to the Internet (which is usually not the default for the vast majority of consumer routers).
For cases where they're remotely exposed, just about anyone can scan the Internet and try to exploit these routers. I'm sure he was doing that, but I'm sure hundreds or thousands of other people were as well.
When combined with something like a CSRF, you can use those exploits against a victim even if their router is locked down (only listening on LAN, strong admin password). All they need to do is visit a site you control, without something like NoScript. If the admin password is not guessable, then they'd need to have an active login session. That can be circumvented if the router has an auth bypass vuln, which has been found in at least a few models.
Also, I believe a lot of routers can be used for DDoSing without exploiting or compromising them at all if they're exposing SSDP (UPnP). SSDP reflection, possibly combined with NTP reflection, is likely how Lizard Squad launched their DDoS attacks.
P.S. I know you and have talked to you (and Zee and some others), briefly, on some IRC networks long ago.
Of course. I was just speculating based on the comment about using routers to DDoS; I don't know if an uptick was actually observed during the outage. I know SSDP has been the hip new thing for the past few months though.
The majority of our bandwidth does not come from these so-called "reflection attacks", but is in fact "real" bandwidth.
We are using actual 0days to compromise the (about 100k-150k) servers we have.
I'm actually rather excited for the eventual technical analysis of our net by someone with actual technical competence. It might end up causing quite a bit of noise.
Oh, that's pretty interesting, and a refreshing change from what you normally see in this space.
I seem to recall you guys (I think it was you guys, may be mixing up with another group; I also know you were supposedly kicked out of HTP at some point, which adds to my confusion) using one of the Rails YAML handling 0-days to acquire bots a while ago. I think someone was logging the IRC channel where they were being joined to.
Would it be fair to say the other bots are mostly a result of other web app vulns, or are you guys actually finding 0-days in native applications as well?
Do you actually have a full vulnerability research team, or is it just like 1-2 guys finding vulns? HTP's stuff like Coldfusion and MoinMoin was definitely pretty impressive.
So, for example, remote command injection vulns:
http://en.1337day.com/exploit/description/20598
http://en.1337day.com/exploit/description/20602
http://en.1337day.com/exploit/description/20671