mitigating botnet C&Cs has become useless

Thu Aug 3 20:02:58 UTC 2006

On Jul 30, 2006, at 10:37 AM, Gadi Evron wrote:

>
> The few hundred *new* IRC-based C&Cs a month (and change), have been
> around and static (somewhat) for a while now. At a steady rate of  
> change which
> maintains the status quo, plus a bit of new blood.
>
> In this post I ask the community about what you see, against what  
> we have
> observed, and try and test my conclusions and numbers against your
> findings.

Gadi,
*SPs* today deal with command and control infrastructure on a
very tactical basis, and as for specific bots themselves, even
more tactically (i.e., usually when some incident requires that
they take some response action).

They're very incident driven from that respect, and with an attempt
to focus on revenue and services profitability, it just amplifies the
problem.  That is, they're busy turning the steam valves and putting
out fires - who has the time for strategizing and waging a global
war on organized crime and it's employment of botnets that yields a
negligible return on a considerable investment, just cutting deeper
into their losses?

[disclaimer: the above is a gross oversimplification and many SPs
do far more, but it's largely applicable across a broad spectrum of
SPs]

Heck, they rarely have time to chase DOS attack sources past their
network perimeter and today report less than 2% of *actionable*
attacks to LEOs.

It's an ROI game...

While you could spin botnet resurrection a hundred ways, taking out
the bots themselves, even if it's often times only as temporal function,
is the low hanging fruit and something SPs can understand and
instrument.

I agree that the root of the problem is the miscreants perpetrating
these crimes, and they need to be prosecuted, but the responsibility
falls far wider than the SPs.

I also accept the references provided by Paul and others, but what's
the near-term alternative?

-danny