mitigating botnet C&Cs has become useless
Scott Weeks
surfer at mauigateway.com
Thu Aug 3 22:22:31 UTC 2006
----- Original Message Follows -----
From: "Barry Greene (bgreene)" <bgreene at cisco.com>
> > What? That's what I'm trying to find out, but I'm not
> > as smart as most, so I can only point out the things
> > that I believe definitely won't work and why I think
> > that. Hopefully by the application of flame to my butt
> > by smart people for saying what I do will spark some
> > thought toward the goal.
>
> Start with:
>
> http://www.nanog.org/mtg-0602/greene.html
I didn't see anything in there relating to bot brains.
Also, with regard to 'cyberspace is just a meatspace
overlay' I considered what I would do to troubleshoot an
overlay network. I'd work on the layer where the problem
exists. (Duh! :) Here, the problem exists at two layers:
Technically it's allowed and meat-wise there're those kinds
of people in this world. So, the solution must be at both
layers; meatspace and cyberspace. That makes us all
correct, yes? (again, I'm putting on my flame-proof
underpants... ;-)
One thing someone mentioned offline:
> The goal, as noted, shouldn't be to shut these things
> down. It should be to keep them operating, not interfered
> with, so that the C&C channels remain detectable.
>
> Shutting down C&C's is a direct action.
>
> More fun? Monitor those C&C's. In real time, update your
> filtering to tag attack packets as a QoS that is
> rate-limited at your borders. This would be hard for a
> botherder to detect, but would limit damage against remote
> sites. You don't actually want to *block* them; blocking
> them lets the botherder know that you're on to them. But
> this has to be done fairly cleverly (much moreso than I
> suggest), so that they can't easily figure it out. This
> is just an example for the sake of conveying the overall
> idea.
> But shutting them down, that's like the police arresting
> all the informants. It doesn't stop the crime, it just
> eradicates all your easy leads.
What're folks' thoughts on that?
scott