[Full-disclosure] what can be done with botnet C&C's?
billn at billn.net
billn at billn.net
Thu Aug 17 21:44:01 UTC 2006
On Thu, 17 Aug 2006, Jordan Medlen wrote:
>
> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets, however we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.
>
> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks
Is this the kind of thing that could get a boost from projects like
ThreatNet (http://www.ali.as/threatnet/)?
I've been peripherally involved with the project, mostly in chasing
conceptual issues and hammering out the trust relationship details, in
addition to being an rabid, er, avid developer of network management
tools, right down to near-real time log analyzers. I think that if you're
to a point that you trust your tools enough to make an informed decision
and automate your null routes, why not expand on that and use the same
networked intelligence the C&C's embody?
- billn
More information about the NANOG
mailing list