On Jul 30, 2006, at 10:37 AM, Gadi Evron wrote:
The few hundred *new* IRC-based C&Cs a month (and change), have been around and static (somewhat) for a while now. At a steady rate of change which maintains the status quo, plus a bit of new blood.
In this post I ask the community about what you see, against what we have observed, and try and test my conclusions and numbers against your findings.
Gadi, *SPs* today deal with command and control infrastructure on a very tactical basis, and as for specific bots themselves, even more tactically (i.e., usually when some incident requires that they take some response action). They're very incident driven from that respect, and with an attempt to focus on revenue and services profitability, it just amplifies the problem. That is, they're busy turning the steam valves and putting out fires - who has the time for strategizing and waging a global war on organized crime and it's employment of botnets that yields a negligible return on a considerable investment, just cutting deeper into their losses? [disclaimer: the above is a gross oversimplification and many SPs do far more, but it's largely applicable across a broad spectrum of SPs] Heck, they rarely have time to chase DOS attack sources past their network perimeter and today report less than 2% of *actionable* attacks to LEOs. It's an ROI game... While you could spin botnet resurrection a hundred ways, taking out the bots themselves, even if it's often times only as temporal function, is the low hanging fruit and something SPs can understand and instrument. I agree that the root of the problem is the miscreants perpetrating these crimes, and they need to be prosecuted, but the responsibility falls far wider than the SPs. I also accept the references provided by Paul and others, but what's the near-term alternative? -danny