[Full-disclosure] what can be done with botnet C&C's?

Gadi Evron ge at linuxbox.org
Thu Aug 17 17:37:11 UTC 2006


On Thu, 17 Aug 2006, Jordan Medlen wrote:
> 
> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets, however we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.

Hi Jordan, I am very happy to see Sago changing from one of the worst nets
on the net when it comes to botnets to being, apparently, one of the most
pro-active.

That said, when I last checked (a week ago) you had 4 botnet C&C's still
open and active on your AS.

As always, you and anyone else here can email us directly for the
information on your network.

	Gadi.

> 
> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: nanog at nanog.org
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
> 
> 
> I hate to stir the flames again, but this idea sounds a lot like RBLs.  :)
> 
> All kidding aside, I'm curious as to when we will reach the point where the
> devices of our networks will be able to share information regarding sporadic
> bursts or predefined traffic patterns in network traffic within a certain
> time frame, determine it is a related outgoing (or incoming) attack, and
> mitigate/stop the traffic. I think it certainly is possible to accomplish
> this on a per-router level, but being able to have the devices communicate
> and share information between one another is a completely separate thing.
> (New protocol perhaps.)
> 
> The only real method that I really have in my toolkit to stop incoming DDoS
> on a AS-wide perspective is originating a /32 within an AS with a next-hop
> of a discard interface.
> 
> Something similar to that nature but more flexible and designed for the sole
> purpose of preventing/stopping abuse would be a very nice feature.
> 
> Cheers.
> -Michael
> 
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: mtnicks at kanren.net
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
> 
> Payam Tarverdyan Chychi wrote:
> >  I've been reading on this subject for the last several weeks and it 
> > seems as if everyone just like to come up with out of the box ideas 
> > that are not realistic for today's network environments
> > 
> >>> J.Oquendo, thanks for the Smurf example . as there are still
> > admins/engineers at large networks that have no clue as to what they 
> > are doing. so QoS is for sure out of the question.. at least at this 
> > time.
> > 
> > Depending on agents to take actions and protecting our networks is 
> > even a bigger joke. Back in late 90s where kiddies were using the 
> > simplest types of C&C, open wide irc networks with visible Channels 
> > and no encryptions. and agents couldn't do anything unless the attack 
> > was big enough to take down Amazon, yahoo, Microsoft or some other 
> > major provider with enough $$$ to start an investigation.
> > 
> > So what makes you think that agents are of any help in today's world 
> > where c&c have gotten so much more sophisticated, use backup private 
> > servers, encryption, tunneling and much much more..
> > 
> > In my opinion, the only way to really start cracking down on c&c and 
> > put an end to it is the cooperation of major ISP's. I realize that 
> > most isp's cant/wont setup a security team to just investigate c&c / 
> > attacks (would this really fall under the Abuse team?) but perhaps If 
> > all major networks worked together and created a active db list of c&c 
> > found either on their networks or attacking ones network. then it 
> > would be much much easier to trace back c&c and dispose of them.
> > 
> > Unfortunately, we don't live in a perfect world and most isp's hate 
> > sharing any information. I guess its better for them to have a bigger 
> > ego than a safer / more stable network.
> > 
> > Please feel free to correct me if I am wrong.
> > 
> > -Payam
> 




More information about the NANOG mailing list