[Full-disclosure] what can be done with botnet C&C's?

Gadi Evron ge at linuxbox.org
Thu Aug 17 18:28:45 UTC 2006


On Thu, 17 Aug 2006, Jordan Medlen wrote:
> Gadi,
> 
> I am unable to find the list in the archives or my email client. Can you
> send me anything that you have so I can get it taken care of?

Of course.

	Gadi.

> 
> Thanks,
> 
> Jordan 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Gadi
> Evron
> Sent: Thursday, August 17, 2006 1:37 PM
> To: Jordan Medlen
> Cc: nanog at nanog.org
> Subject: RE: [Full-disclosure] what can be done with botnet C&C's?
> 
> 
> On Thu, 17 Aug 2006, Jordan Medlen wrote:
> > 
> > I'm sure most people on this list have heard of or use snort. There is 
> > an add-on package called snortsam. This package allows automation of 
> > blocking traffic deemed malicious via a null route statement or ACL 
> > statement. We have been in the process over the last month of 
> > implementing this on our network with much success. I think the only 
> > problem that we have had with it thus far is underestimating just how 
> > well it was actually going to work. As with any snort implementation, 
> > it takes time to tweak and tune the rule sets, however we have managed 
> > to kill a huge amount of traffic either coming from our customers or 
> > destined to our customers. While this is not a perfect system, it is 
> > much better than idly sitting there and letting the abuse continue.
> 
> Hi Jordan, I am very happy to see Sago changing from one of the worst nets
> on the net when it comes to botnets to being, apparently, one of the most
> pro-active.
> 
> That said, when I last checked (a week ago) you had 4 botnet C&C's still
> open and active on your AS.
> 
> As always, you and anyone else here can email us directly for the
> information on your network.
> 
> 	Gadi.
> 
> > 
> > ---
> > Jordan Medlen
> > Chief Technology Officer and Architect Sago Networks
> > 
> > -----Original Message-----
> > From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf 
> > Of Michael Nicks
> > Sent: Sunday, August 13, 2006 2:07 PM
> > To: nanog at nanog.org
> > Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
> > 
> > 
> > I hate to stir the flames again, but this idea sounds a lot like RBLs. :)
> > 
> > All kidding aside, I'm curious as to when we will reach the point 
> > where the devices of our networks will be able to share information 
> > regarding sporadic bursts or predefined traffic patterns in network 
> > traffic within a certain time frame, determine it is a related 
> > outgoing (or incoming) attack, and mitigate/stop the traffic. I think 
> > it certainly is possible to accomplish this on a per-router level, but 
> > being able to have the devices communicate and share information between
> > one another is a completely separate thing.
> > (New protocol perhaps.)
> > 
> > The only real method that I really have in my toolkit to stop incoming 
> > DDoS on an AS-wide perspective is originating a /32 within an AS with a 
> > next-hop of a discard interface.
> > 
> > Something similar to that nature but more flexible and designed for 
> > the sole purpose of preventing/stopping abuse would be a very nice
> > feature.
> > 
> > Cheers.
> > -Michael
> > 
> > --
> > Michael Nicks
> > Network Engineer
> > KanREN
> > e: mtnicks at kanren.net
> > o: +1-785-856-9800 x221
> > m: +1-913-378-6516
> > 
> > Payam Tarverdyan Chychi wrote:
> > > I've been reading on this subject for the last several weeks and it 
> > > seems as if everyone just likes to come up with out-of-the-box ideas 
> > > that are not realistic for today's network environments.
> > > 
> > >>> J.Oquendo, thanks for the Smurf example. As there are still
> > > admins/engineers at large networks that have no clue as to what they 
> > > are doing, QoS is for sure out of the question, at least at this 
> > > time.
> > > 
> > > Depending on agents to take action and protect our networks is 
> > > an even bigger joke. Back in the late 90s, kiddies were using the 
> > > simplest types of C&C: wide-open IRC networks with visible channels 
> > > and no encryption, and agents couldn't do anything unless the 
> > > attack was big enough to take down Amazon, Yahoo, Microsoft or some 
> > > other major provider with enough $$$ to start an investigation.
> > > 
> > > So what makes you think that agents are of any help in today's world, 
> > > where C&Cs have gotten so much more sophisticated and use backup private 
> > > servers, encryption, tunneling and much, much more?
> > > 
> > > In my opinion, the only way to really start cracking down on C&Cs and 
> > > put an end to them is the cooperation of major ISPs. I realize that 
> > > most ISPs can't/won't set up a security team just to investigate C&Cs / 
> > > attacks (would this really fall under the Abuse team?), but perhaps 
> > > if all major networks worked together and created an active DB list 
> > > of C&Cs found either on their networks or attacking one's network, 
> > > then it would be much, much easier to trace back C&Cs and dispose of them.
> > > 
> > > Unfortunately, we don't live in a perfect world and most ISPs hate 
> > > sharing any information. I guess it's better for them to have a 
> > > bigger ego than a safer / more stable network.
> > > 
> > > Please feel free to correct me if I am wrong.
> > > 
> > > -Payam
> > 
> 

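The "/32 with a next-hop of a discard interface" technique Michael describes is remotely triggered black hole (RTBH) filtering. The configuration below is an added illustration, not something posted in the thread; it assumes Cisco IOS-style syntax, documentation address ranges (198.51.100.10 as the attacked host, 192.0.2.1 as the discard next-hop), private ASN 64500 and an iBGP peer at 10.0.0.2.

```cisco
! Added example (not from the thread). Trigger router: a static /32 for the
! attacked host, tagged so that only deliberately blackholed routes are
! redistributed into iBGP. Addresses and ASN are assumed placeholders.
ip route 198.51.100.10 255.255.255.255 Null0 tag 666
!
! Only tag-666 statics pass; their next-hop is rewritten to the shared
! discard address and the route is marked no-export so it never leaks to
! transit providers or peers.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH deny 20
!
router bgp 64500
 redistribute static route-map RTBH
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 send-community
!
! Every edge router: the discard next-hop itself resolves to Null0, so any
! prefix learned with next-hop 192.0.2.1 is dropped at the ingress edge
! instead of crossing the backbone.
ip route 192.0.2.1 255.255.255.255 Null0
```

Blackholing the victim /32 completes the attacker's goal against that one host in exchange for protecting everything else on the AS, so the trigger route should be removed as soon as the flood subsides.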