[Full-disclosure] what can be done with botnet C&C's?

virendra rode // virendra.rode at gmail.com
Thu Aug 17 18:37:32 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

in-line:

Jordan Medlen wrote:
> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets, however we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.
- -------------------------
One thing would be nice (maybe a wish-list) if snortsam could send an
e-mail notification (similar to other proactive tools) rather than
pushing for ACL change which could possibly break something due to FP.
This could lead to a headless chicken syndrome scenario. Also where I
come from, we cannot implement change(s) to any P1/P2 (business
critical) devices w/o a change management request except for emergencies.



regards,
/virendra


> 
> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: nanog at nanog.org
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
> 
> 
> I hate to stir the flames again, but this idea sounds a lot like RBLs.  :)
> 
> All kidding aside, I'm curious as to when we will reach the point where the
> devices of our networks will be able to share information regarding sporadic
> bursts or predefined traffic patterns in network traffic within a certain
> time frame, determine it is a related outgoing (or incoming) attack, and
> mitigate/stop the traffic. I think it certainly is possible to accomplish
> this on a per-router level, but being able to have the devices communicate
> and share information between one another is a completely separate thing.
> (New protocol perhaps.)
> 
> The only real method that I really have in my toolkit to stop incoming DDoS
> on a AS-wide perspective is originating a /32 within an AS with a next-hop
> of a discard interface.
> 
> Something similar to that nature but more flexible and designed for the sole
> purpose of preventing/stopping abuse would be a very nice feature.
> 
> Cheers.
> -Michael
> 
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: mtnicks at kanren.net
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
> 
> Payam Tarverdyan Chychi wrote:
>>  I've been reading on this subject for the last several weeks and it 
>> seems as if everyone just like to come up with out of the box ideas 
>> that are not realistic for today's network environments
>>
>>>> J.Oquendo, thanks for the Smurf example . as there are still
>> admins/engineers at large networks that have no clue as to what they 
>> are doing. so QoS is for sure out of the question.. at least at this 
>> time.
>>
>> Depending on agents to take actions and protecting our networks is 
>> even a bigger joke. Back in late 90s where kiddies were using the 
>> simplest types of C&C, open wide irc networks with visible Channels 
>> and no encryptions. and agents couldn't do anything unless the attack 
>> was big enough to take down Amazon, yahoo, Microsoft or some other 
>> major provider with enough $$$ to start an investigation.
>>
>> So what makes you think that agents are of any help in today's world 
>> where c&c have gotten so much more sophisticated, use backup private 
>> servers, encryption, tunneling and much much more..
>>
>> In my opinion, the only way to really start cracking down on c&c and 
>> put an end to it is the cooperation of major ISP's. I realize that 
>> most isp's cant/wont setup a security team to just investigate c&c / 
>> attacks (would this really fall under the Abuse team?) but perhaps If 
>> all major networks worked together and created a active db list of c&c 
>> found either on their networks or attacking ones network. then it 
>> would be much much easier to trace back c&c and dispose of them.
>>
>> Unfortunately, we don't live in a perfect world and most isp's hate 
>> sharing any information. I guess its better for them to have a bigger 
>> ego than a safer / more stable network.
>>
>> Please feel free to correct me if I am wrong.
>>
>> -Payam
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE5LdspbZvCIJx1bcRAk04AJ9bsdHfeGY/8bo+CFFyPCNBIYLAxwCaAqv/
0v8mDACXHUBiSQAtBgZ0p0g=
=yOnO
-----END PGP SIGNATURE-----



More information about the NANOG mailing list