[Full-disclosure] what can be done with botnet C&C's?
Jordan Medlen
jmedlen at sagonet.com
Thu Aug 17 18:18:51 UTC 2006
Gadi,
I am unable to find the list in the archives or my email client. Can you
send me anything that you have so I can get it taken care of?
Thanks,
Jordan
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Gadi
Evron
Sent: Thursday, August 17, 2006 1:37 PM
To: Jordan Medlen
Cc: nanog at nanog.org
Subject: RE: [Full-disclosure] what can be done with botnet C&C's?
On Thu, 17 Aug 2006, Jordan Medlen wrote:
>
> I'm sure most people on this list have heard of or use snort. There is
> an add-on package called snortsam. This package allows automation of
> blocking traffic deemed malicious via a null route statement or ACL
> statement. We have been in the process over the last month of
> implementing this on our network with much success. I think the only
> problem that we have had with it thus far is underestimating just how
> well it was actually going to work. As with any snort implementation,
> it takes time to tweak and tune the rule sets, however we have managed
> to kill a huge amount of traffic either coming from our customers or
> destined to our customers. While this is not a perfect system, it is
> much better than idly sitting there and letting the abuse continue.
Hi Jordan, I am very happy to see Sago changing from one of the worst nets
on the net when it comes to botnets to being, apparently, one of the most
pro-active.
That said, when I last checked (a week ago) you had 4 botnet C&C's still
open and active on your AS.
As always, you and anyone else here can email us directly for the
information on your network.
Gadi.
>
> ---
> Jordan Medlen
> Chief Technology Officer and Architect Sago Networks
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
> Of Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: nanog at nanog.org
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
>
>
> I hate to stir the flames again, but this idea sounds a lot like RBLs.
> :)
>
> All kidding aside, I'm curious as to when we will reach the point
> where the devices of our networks will be able to share information
> regarding sporadic bursts or predefined traffic patterns in network
> traffic within a certain time frame, determine it is a related
> outgoing (or incoming) attack, and mitigate/stop the traffic. I think
> it certainly is possible to accomplish this on a per-router level, but
> being able to have the devices communicate and share information between
one another is a completely separate thing.
> (New protocol perhaps.)
>
> The only real method that I really have in my toolkit to stop incoming
> DDoS on a AS-wide perspective is originating a /32 within an AS with a
> next-hop of a discard interface.
>
> Something similar to that nature but more flexible and designed for
> the sole purpose of preventing/stopping abuse would be a very nice
feature.
>
> Cheers.
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: mtnicks at kanren.net
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Payam Tarverdyan Chychi wrote:
> > I've been reading on this subject for the last several weeks and it
> > seems as if everyone just like to come up with out of the box ideas
> > that are not realistic for today's network environments
> >
> >>> J.Oquendo, thanks for the Smurf example . as there are still
> > admins/engineers at large networks that have no clue as to what they
> > are doing. so QoS is for sure out of the question.. at least at this
> > time.
> >
> > Depending on agents to take actions and protecting our networks is
> > even a bigger joke. Back in late 90s where kiddies were using the
> > simplest types of C&C, open wide irc networks with visible Channels
> > and no encryptions. and agents couldn't do anything unless the
> > attack was big enough to take down Amazon, yahoo, Microsoft or some
> > other major provider with enough $$$ to start an investigation.
> >
> > So what makes you think that agents are of any help in today's world
> > where c&c have gotten so much more sophisticated, use backup private
> > servers, encryption, tunneling and much much more..
> >
> > In my opinion, the only way to really start cracking down on c&c and
> > put an end to it is the cooperation of major ISP's. I realize that
> > most isp's cant/wont setup a security team to just investigate c&c /
> > attacks (would this really fall under the Abuse team?) but perhaps
> > If all major networks worked together and created a active db list
> > of c&c found either on their networks or attacking ones network.
> > then it would be much much easier to trace back c&c and dispose of them.
> >
> > Unfortunately, we don't live in a perfect world and most isp's hate
> > sharing any information. I guess its better for them to have a
> > bigger ego than a safer / more stable network.
> >
> > Please feel free to correct me if I am wrong.
> >
> > -Payam
>
More information about the NANOG
mailing list