----- Original Message Follows ----- From: "Barry Greene (bgreene)" <bgreene@cisco.com>
What? That's what I'm trying to find out, but I'm not as smart as most, so I can only point out the things that I believe definitely won't work and why I think that. Hopefully by the application of flame to my butt by smart people for saying what I do will spark some thought toward the goal.
Start with:
I didn't see anything in there relating to bot brains. Also, with regard to 'cyberspace is just a meatspace overlay' I considered what I would do to troubleshoot an overlay network. I'd work on the layer where the problem exists. (Duh! :) Here, the problem exists at two layers: Technically it's allowed and meat-wise there're those kinds of people in this world. So, the solution must be at both layers; meatspace and cyberspace. That makes us all correct, yes? (again, I'm putting on my flame-proof underpants... ;-) One thing someone mentioned offline:
The goal, as noted, shouldn't be to shut these things down. It should be to keep them operating, not interfered with, so that the C&C channels remain detectable
Shutting down C&Cs is a direct action.
More fun? Monitor those C&Cs. In real time, update your filtering to tag attack packets as a QoS class that is rate-limited at your borders. This would be hard for a botherder to detect, but would limit damage against remote sites. You don't actually want to *block* them; blocking them lets the botherder know that you're on to them. But this has to be done fairly cleverly (much more so than I suggest), so that they can't easily figure it out. This is just an example for the sake of conveying the overall idea.
But shutting them down, that's like the police arresting all the informants. It doesn't stop the crime, it just eradicates all your easy leads.
What're folks' thoughts on that?
scott
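An added example, not from this message or its author, of the tag-and-rate-limit idea above written as Cisco IOS MQC configuration. It assumes the C&C monitoring feeds the ATTACK-TARGETS ACL, that 192.0.2.20 is a placeholder for an attack target learned from that monitoring, that DSCP CS1 is the internal tag, and that GigabitEthernet0/0 and 0/1 are the customer-facing and border interfaces; the rates are illustrative.

```text
! Added example, not the author's own config. Placeholders: 192.0.2.20 is a
! target learned from C&C monitoring; CS1 is the internal tag; interface
! names and rates are assumptions.
!
! 1. Customer-facing router: tag the attack packets (toward the target the
!    C&C announced), not the C&C channel itself, which stays untouched so it
!    remains observable. The tag is only meaningful inside your own network.
ip access-list extended ATTACK-TARGETS
 permit ip any host 192.0.2.20
!
class-map match-any BOT-ATTACK
 match access-group name ATTACK-TARGETS
!
policy-map TAG-BOT
 class BOT-ATTACK
  set ip dscp cs1
!
interface GigabitEthernet0/0
 description customer-facing
 service-policy input TAG-BOT
!
! 2. Border router: police the tagged class instead of dropping it outright.
!    Conforming packets are re-marked to DSCP 0 on the way out so the tag
!    never leaves the network; only the excess above the rate is dropped.
class-map match-all BOT-MARKED
 match ip dscp cs1
!
policy-map BORDER-LIMIT
 class BOT-MARKED
  police cir 64000 bc 8000
   conform-action set-dscp-transmit 0
   exceed-action drop
 class class-default
!
interface GigabitEthernet0/1
 description upstream border
 service-policy output BORDER-LIMIT
```

Check with `show policy-map interface GigabitEthernet0/1` that the BOT-MARKED class shows conformed and exceeded counters moving; if the exceeded counter stays at zero, the tag is not reaching the border.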