mitigating botnet C&Cs has become useless

Scott Weeks surfer at mauigateway.com
Thu Aug 3 22:22:31 UTC 2006


----- Original Message Follows -----
From: "Barry Greene (bgreene)" <bgreene at cisco.com>

> > What?  That's what I'm trying to find out, but I'm not
> > as smart as most, so I can only point out the things
> > that I believe definitely won't work and why I think
> > that.  Hopefully by the application of flame to my butt
> > by smart people for saying what I do will spark some
> > thought toward the goal.
> 
> Start with:
> 
> http://www.nanog.org/mtg-0602/greene.html 


I didn't see anything in there relating to bot brains.
Also, with regard to 'cyberspace is just a meatspace
overlay' I considered why would I do to troubleshoot an
overlay network.  I'd work on the layer where the problem
exists.  (Duh! :)  Here, the problem exists at two layers:
Technically it's allowed and meat-wise there're those kinds
of people in this world.  So, the solution must be at both
layers; meatspace and cyberspace.  That makes us all
correct, yes?  (again, I'm putting on my flame-proof
underpants... ;-)

One thing someone mentioned offline:

> The goal, as noted, shouldn't be to shut these things
> down.  It should be to keep them operating, not interfered
> with, so that the C&C channels remain detectable 

> Shutting down C&C's is a direct action.
> 
> More fun?  Monitor those C&C's.  In real time, update your
> filtering to tag attack packets as a QoS that is
> rate-limited at your borders.  This would be hard for a
> botherder to detect, but would limit damage against remote
> sites.  You don't actually want to *block* them; blocking
> them lets the botherder know that you're on to them.  But
> this has to be done fairly cleverly (much more so than I
> suggest), so that they can't easily figure it out.  This
> is just an example for the sake of conveying the overall
> idea.

> But shutting them down, that's like the police arresting
> all the informants.  It doesn't stop the crime, it just
> eradicates all your easy leads. 

What're folks' thoughts on that?

scott
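The "monitor, don't block" policy quoted above, as an added example that is not part of the original thread: traffic on a watched C&C channel is passed untouched so it stays observable, ordinary traffic is forwarded, and attack traffic from hosts already seen joining that channel is remarked to an assumed scavenger DSCP and held to a token-bucket budget rather than blocked. All addresses, ports and rates are constructed; the DSCP value and its mapping to a policed border queue are assumptions.

```python
# Added example (not from the thread): a border policy that keeps a watched
# C&C channel untouched so it stays observable, and rate-limits rather than
# blocks attack traffic from the bots learned by watching that channel.
# All addresses, ports and rates used with it are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DSCP_CS1 = 8  # assumed "scavenger" marking that the border maps to a policed queue


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    length: int  # bytes
    ts: float    # seconds


class TokenBucket:
    """Byte-based token bucket: refill at `rate` bytes/s, capped at `burst` bytes."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class BorderPolicy:
    def __init__(self, cc_endpoints, bots, rate: float, burst: float):
        self.cc = set(cc_endpoints)   # (ip, port) of C&C servers under observation
        self.bots = set(bots)         # hosts seen joining those channels
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))  # one per bot

    def classify(self, p: Packet) -> tuple[str, Optional[int]]:
        """Return (action, dscp); the C&C channel itself is never touched."""
        if (p.src, p.sport) in self.cc or (p.dst, p.dport) in self.cc:
            return "observe", None        # leave it alone, log it elsewhere
        if p.src not in self.bots:
            return "forward", None        # ordinary traffic, no change
        if self.buckets[p.src].allow(p.length, p.ts):
            return "limit", DSCP_CS1      # within budget: remark and forward
        return "exceed", DSCP_CS1         # over budget: dropped by the policed queue
```

Because the C&C flow is matched before the bot check, a bot's own control traffic is never remarked, which is what keeps the channel usable as a lead.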


