RE: mitigating botnet C&Cs has become useless
----- Original Message Follows ----- From: "Barry Greene (bgreene)" <bgreene@cisco.com>
What? That's what I'm trying to find out, but I'm not as smart as most, so I can only point out the things that I believe definitely won't work and why I think that. Hopefully by the application of flame to my butt by smart people for saying what I do will spark some thought toward the goal.
Start with:
I didn't see anything in there relating to bot brains. Also, with regard to 'cyberspace is just a meatspace overlay' I considered what I would do to troubleshoot an overlay network. I'd work on the layer where the problem exists. (Duh! :) Here, the problem exists at two layers: Technically it's allowed and meat-wise there're those kinds of people in this world. So, the solution must be at both layers; meatspace and cyberspace. That makes us all correct, yes? (again, I'm putting on my flame-proof underpants... ;-) One thing someone mentioned offline:
The goal, as noted, shouldn't be to shut these things down. It should be to keep them operating, not interfered with, so that the C&C channels remain detectable.
Shutting down C&C's is a direct action.
More fun? Monitor those C&C's. In real time, update your filtering to tag attack packets as a QoS that is rate-limited at your borders. This would be hard for a botherder to detect, but would limit damage against remote sites. You don't actually want to *block* them; blocking them lets the botherder know that you're on to them. But this has to be done fairly cleverly (much more so than I suggest), so that they can't easily figure it out. This is just an example for the sake of conveying the overall idea.
But shutting them down, that's like the police arresting all the informants. It doesn't stop the crime, it just eradicates all your easy leads.
What're folks' thoughts on that?

scott
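The "watch, tag and rate-limit, but don't block" idea in Scott's post, as an added example that is not part of the thread. It is a small Python script, not anything any of the participants wrote or ran: a watchlist of known C&C endpoints is matched against NetFlow-style records, internal hosts that talk to a watchlisted endpoint are treated as bots, and their high-rate flows toward third parties get a rate-limit entry while the C&C channel itself is deliberately left alone so it stays observable. All addresses are constructed from RFC 5737 documentation ranges, the watchlist entries, the pps threshold and the CS1 scavenger-class marking are assumptions, and the rendered policy lines are generic pseudo-ACL text rather than any vendor's syntax.

```python
"""Watch-but-don't-block handling of botnet C&C traffic over flow records.

Constructed example: a few NetFlow-style records plus a watchlist of
known C&C endpoints. Every address is from an RFC 5737 documentation
range, so nothing here refers to a real host.
"""
from ipaddress import ip_address, ip_network

# Assumed watchlist of C&C endpoints (placeholder addresses and ports).
CNC_WATCHLIST = {
    ("203.0.113.10", 6667),   # hypothetical IRC-style C&C
    ("203.0.113.20", 80),     # hypothetical HTTP C&C
}

# Assumed customer address space of the SP doing the monitoring.
INTERNAL = ip_network("192.0.2.0/24")

# Constructed flow records: source, destination, destination port and
# the packet rate observed over the export interval.
FLOWS = [
    {"src": "192.0.2.5", "dst": "203.0.113.10", "dport": 6667, "pps": 1},
    {"src": "192.0.2.5", "dst": "198.51.100.9", "dport": 80, "pps": 40000},
    {"src": "192.0.2.6", "dst": "203.0.113.20", "dport": 80, "pps": 2},
    {"src": "192.0.2.6", "dst": "198.51.100.9", "dport": 53, "pps": 25000},
    {"src": "192.0.2.7", "dst": "198.51.100.30", "dport": 443, "pps": 30},
    # High rate but never talked to a C&C: not keyed on, left to other controls.
    {"src": "192.0.2.7", "dst": "198.51.100.9", "dport": 80, "pps": 50000},
]


def find_bot_hosts(flows, watchlist=CNC_WATCHLIST):
    """Return the internal hosts that have a flow to a watchlisted C&C endpoint."""
    bots = set()
    for f in flows:
        if (f["dst"], f["dport"]) in watchlist and ip_address(f["src"]) in INTERNAL:
            bots.add(f["src"])
    return bots


def build_policy(flows, pps_threshold=10000, watchlist=CNC_WATCHLIST):
    """Emit rate-limit (never block) entries for suspected attack flows.

    Only hosts already seen talking to a C&C are considered, and the C&C
    channel itself is skipped so the botherder sees nothing change there.
    """
    bots = find_bot_hosts(flows, watchlist)
    policy = []
    for f in flows:
        if f["src"] not in bots:
            continue
        if (f["dst"], f["dport"]) in watchlist:
            continue  # keep the C&C channel alive and visible
        if f["pps"] >= pps_threshold:
            policy.append({
                "match": {"src": f["src"], "dst": f["dst"], "dport": f["dport"]},
                "action": "rate-limit",
                "dscp": "CS1",  # assumed scavenger-class marking for the border policer
            })
    return policy


def render_policy(policy):
    """Render entries as generic pseudo-ACL lines (not a real vendor syntax)."""
    return [
        "match src {src} dst {dst} dport {dport} set dscp {dscp} police scavenger".format(
            dscp=p["dscp"], **p["match"]
        )
        for p in policy
    ]


if __name__ == "__main__":
    for line in render_policy(build_policy(FLOWS)):
        print(line)
```

Running the script prints two policy lines, one each for 192.0.2.5 and 192.0.2.6, and nothing for 192.0.2.7, whose heavy flow never touched a watchlisted endpoint; the point of keying on C&C contact rather than raw packet rate is that the C&C observation is what distinguishes a bot from a busy legitimate host.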
On Thu, 03 Aug 2006 12:22:31 -1000 "Scott Weeks" <surfer@mauigateway.com> wrote:
But shutting them down, that's like the police arresting all the informants. It doesn't stop the crime, it just eradicates all your easy leads.
What're folks' thoughts on that?
Well that's one perspective. I love the bit about tagging the packets and using QoS (whatever that means) though, that would be a hoot. Keep in mind bots are not just for DoS. They spam, they capture keystrokes and mouseclicks, they can be proxies and so on. If in the name of botnets QoS gets widely deployed I'll print out this email, puree it in a blender and humbly chug it down at a future NANOG.

John
On Aug 3, 2006, at 4:22 PM, Scott Weeks wrote:
But shutting them down, that's like the police arresting all the informants. It doesn't stop the crime, it just eradicates all your easy leads.
What're folks' thoughts on that?
I'm not sure I'd liken shutting C&C infrastructure down to "arresting the informants". I think that's quite a bad analogy, actually, as informants are [often] third parties while C&C infrastructure is used to convey actual execution instructions - which are very often much more than DoS, as John pointed out. -danny
useless... perhaps. i'm partly of the mind that botnets, p2p networks, manets, and other self-organizing systems are the "wave" of the future (or even the present) and the technologies, per se, are not inherently "evil" or even bad. imho, it is short-sighted to try and curtail, mitigate, and eradicate these types of technologies - it's kind of like trying to kill off SMTP because it only sends spam, FTP because it's only used to distribute PR0N... and HTTP because it's only used by paedophiles stalking my daughters on MySpace... better to understand how these things are used and figure out how to determine INTENT and then filter on that instead of technological eradication. just my contrarian 0.02 rupias. --bill
On Aug 4, 2006, at 12:00 AM, bmanning@vacation.karoshi.com wrote:
useless...
perhaps. i'm partly of the mind that botnets, p2p networks, manets, and other self-organizing systems are the "wave" of the future (or even the present) and the technologies, per se, are not inherently "evil" or even bad.
Well, that clearly depends on your prescription for "self-organizing". I certainly wouldn't categorize the botnets I'm referring to as self-organizing, in particular when they're being employed in a _very_ organized manner - most always unbeknownst to each system's ultimate owner, and more and more often in such a way that allows A botherder to employ them for an ever-expanding array of malicious activities.
imho, it is short-sighted to try and curtail, mitigate, and eradicate these types of technologies - it's kind of like trying to kill off SMTP because it only sends spam, FTP because it's only used to distribute PR0N... and HTTP because it's only used by paedophiles stalking my daughters on MySpace...
better to understand how these things are used and figure out how to determine INTENT and then filter on that instead of technological eradication.
Right, hence my point. By and large, SPs don't have the time or resources to police the greater Internet, and therefore, they respond in a very reactive fashion when some malicious activity *that* warrants action dictates. Taking out known botnet C&C infrastructure is more proactive and at least from my perspective, continues to yield a discernible impact. It's all about ROI - and anything more than reactionary measures only moves them further from profitability. Putting solutions in place that allow the SPs to recoup costs associated with playing sysadmin for customers are the only way they'll be able to give dedicated focus to the problem.
just my contrarian 0.02 rupias.
I'd expect no less Bill :-) -danny
On Sat, 5 Aug 2006, Danny McPherson wrote:
Right, hence my point. By and large, SPs don't have the time or resources to police the greater Internet, and therefore, they respond in a very reactive fashion when some malicious activity *that* warrants action dictates. Taking out known botnet C&C infrastructure is more proactive and at least from my perspective, continues to yield a discernible impact.
Even assuming SPs had the time and the resources, it's not always clear what actions should be considered acceptable for SPs to do. If resources were the only issue, making this another "War on X" and throwing lots of money at the problem would be the answer. But that's not the right answer. People/customers seem to get just as upset with "proactive" SPs as they do with "unactive" SPs. Even if it was possible to run the Internet like the most secure closed corporate network, is that what people actually want? I know lots of vendors that would be more than happy to sell SPs lots and lots of security stuff to achieve that ;-)

Hopefully, by their nature SPs will always be a bit reactive. Unless I want them to, I don't want SPs messing with my traffic. It's my right to connect anything I want, send anything I want, do anything I want with my Internet connection. On the other hand, when I do complain I want the SP to instantly be able to stop anything I don't want, even when I don't know what it is, and be able to track every bad thing that ever happened even before I knew it was bad but not keep records of what anyone has done. And of course, I don't think I should pay extra for it.

Railroads have the railroad police. The Post Office has postal inspectors. Do we want to give ISP security the power to arrest people? There are probably some security officers at SPs that would love to bust some doors down and slap handcuffs on a few people.
On Aug 5, 2006, at 3:17 PM, Sean Donelan wrote:
Hopefully, by their nature SPs will always be a bit reactive. Unless I want them to, I don't want SPs messing with my traffic. It's my right to connect anything I want, send anything I want, do anything I want with my Internet connection. On the other hand, when I do complain I want the SP to instantly be able to stop anything I don't want, even when I don't know what it is, and be able to track every bad thing that ever happened even before I knew it was bad but not keep records of what anyone has done. And of course, I don't think I should pay extra for it.
I think I touched on this lightly in one of my previous posts on this topic - but yes, I completely agree.. -danny
On 8/5/06, Sean Donelan <sean@donelan.com> wrote:
Railroads have the railroad police. The Post Office has postal inspectors. Do we want to give ISP security the power to arrest people? There are probably some security officers at SPs that would love to bust some doors down and slap handcuffs on a few people.
There are plenty of (US) law enforcement agencies ready and willing to do just that.
On Wed, Aug 02, 2006 at 08:25:40AM +0200, Peter Dambier wrote: ...
Let me try to become Gadi. First of all block port 80 (http) :) Next block port 53 udp (dns).
Now you have got rid of amplification attacks because spoofing no longer works and you have got rid of all those silly users that only know how to click the mouse. ...
I think it was the 1970s when I started telling people that the only truly secure computer was the one that was unplugged and buried under two miles of fused stone. Of course, this conflicts with usability. And, these days, with the all-worshipped network access. This level of security is, of course, not the solution. I trust that Peter D. was being sarcastic.
On Wed, Aug 02, 2006 at 06:29:55AM +0000, Paul Vixie wrote:
surfer@mauigateway.com ("Scott Weeks") writes:
... I'm just saying that there has to be a better way than police-type actions on a global scale. ...
no, there doesn't have to be such a way. where the stakes are in meatspace (pun unintended), the remediation has to be in meatspace. cyberspace is just a meatspace overlay, it can only pretend to have different laws when nothing outside of cyberspace is at stake. i think that the days when botnets were mostly used for kiddie-on-kiddie violence or even gangster-on-gangster violence are permanently behind us. it's up to the real LEOs now, because it's on their turf now, which is to say, it's in the real world now.
as was true of spam when i said this about spam ten years ago, it is true now of botnets that the only technical solution is "gated communities". but the internet's culture, which merely mirrors the biases of those who use it, requires the ability for children to go door to door selling girl scout cookies, without necessarily having the key code to every one of the doors.
so the internet community has no appetite for the trappings of any technical solution to botnets. the meatspace community and their LEOs absolutely *do*.
I think it was Scott Weeks who pointed out that gated communities are for the rich, and only push the E-VIL out to the rest of the community, who then have to board up their windows and cower. How do we make our world less fearsome?

As Barry Shein and others mentioned, we have to make this kind of action in general something which people are afraid to do because of its consequences. We also want to make it something which people are reluctant to do, not only because it's unprofitable, but because it's WRONG. I may sound like a fogy when I say this [OK, maybe I am one, but so are most of you that grew up along with me!], but it seems that in general many folks are worrying less about what is RIGHT and WRONG, but about what they can get away with, and what society feels permissive about. That's a general problem. It can be fixed only by educating folks from the time they're born (a) to CARE about "right" and "wrong", and (b) to understand that messing with another's packets is as wrong as messing with his bank account.

To make it less profitable, we have to make it harder. That means making sure that protection on networks is as good as possible. I am less adept at elaborating on that than many who have already done so.

To make sure that there are consequences, we need to work with local Law Enforcement Organizations [for those who didn't know what LEOs were] to get these folks punished somehow. If that means that we have to educate the LEOs and legislatures, then that's what it takes. Do we need special Internet police? I would hope not. But perhaps we need an educated CyberCrime division of existing LEOs. This will not happen tomorrow, and not at all if we don't both push and help.

And why is it up to us to do these things? Because it's our job. And in some cases our vocation. It may cost us more, or we may volunteer more time to do some of these things. But if the ones who know what they are doing don't do this, then it will cost us all even more.
-- Joe Yao
This message is not an official statement of OSIS Center policies.
I promised myself I'd never, ever post three comments on the same topic here, but hey... What I think would be a good thing would be focusing on ONE miscreant, some low-hanging fruit for starters. Just one. And shut him/her/it down, hound him off the face of the earth, get him arrested, whatever, put him out of business. And then move on to #2. Not that it will, one by one, get them all. But it *will* raise the stakes, particularly as techniques are developed. IMHO part of the problem is that everyone is trying to solve the entire problem all at once with some magic bullet. It's whack-a-mole in a Hilbert space, too difficult.

-- 
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
participants (8): Aaron Glenn, Barry Shein, bmanning@vacation.karoshi.com, Danny McPherson, John Kristoff, Joseph S D Yao, Scott Weeks, Sean Donelan