I was talking to an old friend today. She spends a lot of her time helping run the Undernet IRC network, and is really worried about how many trojanned clients are hanging around.

For those of you who don't IRC, here's a quick description of the problem. Joe Loser writes a trojan or virus, and uses it to backdoor a bunch of people with cable modems. Part of the effect of this trojan is to have all the backdoored clients turn up on an IRC network and sit on a particular channel. This way, the perpetrator need not keep track of who is or is not infected, they all come to see him, and he can command them all at once over IRC.

When these bots are ordered to flood a host, they're almost unstoppable. It used to be that packet storms came from a single host, or in the case of smurfing, a single subnet. With distributed denial of service, there are potentially thousands of different hosts the attacks can be coming from, and they all have to be shut off. To quote what I was told:

Remember [person]? One guy caught him cleaning [disinfecting compromised hosts] and launched what his provider called the most vicious attack they have ever seen. They had to get their uplink - Sprint to filter everything, and Sprint almost couldn't handle the attack. [person] was taken out for almost a week. The oper helping [person] had her access cancelled by her ISP the attack was so bad.

The problem is, these compromised hosts are showing up in the thousands, and these days Undernet is probably the smallest of the "big four" networks. My friend is convinced that something big is on the way, that sooner or later, all these people are going to stop using their floodnets to hack ops on IRC servers, and band together to hit some major network infrastructure.

When it happens, it's not going to be pretty.