AW: mitigating botnet C&Cs has become useless
ge at linuxbox.org
Mon Jul 31 17:30:48 UTC 2006
On Mon, 31 Jul 2006, Dean Anderson wrote:
> You are approaching the problem the wrong way. Many failover systems
> work very well when the primary fails entirely--when the salesman pulls
> the plug. Few work well when the primary doesn't entirely fail, but
> just doesn't work correctly, as is usually the case in the real world.
Such as? How does it apply to the network world?
> Try that approach on the C&Cs: infiltrate and use the C&C to the
> botnets' disadvantage. Probably, you can cause an "upgrade" to be
> distributed to the infected hosts that doesn't have a secondary control
> channel, but that doesn't overly alert the human bot operators until its
> too late.
Infiltration is intelligence, not network.. uploading a file is illegal
Good solid ideas, but unfortunately failed in the past.
> Of course, Nanog seems not to appreciate my contributions, so I won't be
> sharing anything else I know about the problem. Good luck.
> On Mon, 31 Jul 2006, Gadi Evron wrote:
> > On Sun, 30 Jul 2006, Gunther Stammwitz wrote:
> > > The really interesting question is when botnets are going to use
> > > p2p-technologies since one wouldn't know how to stop them then.
> > > Please let that never happen....
> > >
> > I am not sayin gyou are wrong, or that dynamic channels won't happen far
> > more widely. Currently they are not widely used as they are not
> > needed. Web, IRC, etc. are quite efficient.
> > That said, there is one problem to solve with every evolved C&C, the more
> > complex it is the easier it is to follow.
> > Gadi.
> Av8 Internet Prepared to pay a premium for better service?
> www.av8.net faster, more reliable, better service
> 617 344 9000
More information about the NANOG