what can be done with botnet C&C's?
In my last email message I addressed some of the issues related to botnet C&C's and their mitigation. As mentioned, I waited to see what experiences other people had, as well as to glimpse the opinion of others here. In this message I will try to address some of the questions asked, but once again limiting myself mostly to JUST networking rather than the whole realm of botnet fighting.

"I work on this [C&C] for 30 days, only to find out one of you took it down." -- US Federal Agent, two days ago, ISOI (DA Workshop).

And still, sticking to networking issues, as obviously we cannot yet depend on law enforcement to protect our networks for us, how do we handle C&C's?

When we kill them (and by "kill" I naturally mean "report our suspicion to the responsible authority so they can investigate, confirm and proceed according to their AUP") we kill them, but only to our knowledge. They immediately move elsewhere we do not know about, in our space or someone else's, maybe losing an extremely small percentage of their population while they are at it.

Okay, say I am right... What *can* we do? We can take advantage of:

1. QoS and traffic limiting tools. Many tools created in recent years, and used extensively by many ISP's regardless of any Net Neutrality legislation, are at our disposal and already implemented on our networks. Much like, for business reasons, many of us would limit P2P, how about limiting the traffic of compromised users? How, what and when is up to you. You can know who your compromised users are by watching flows to C&C's.

2. Blocking communication to C&C's. Watch the flows, block the users from communicating out to them. Watch these users and see where else they are communicating in comparison to other users, en masse. It's a matter of doing the same thing, for a different purpose.

3. Walled garden and tech support costs. Obviously, if any of these users call you (and they VERY OFTEN do), you lose money on them for a long time to come...
only they will call again. A combination of quarantine, complete or partial, might work. Combine that with what some already do, such as selling users Anti-Virus products, and you get a nice deal. Add to that a support company to lend help to users, unrelated to tech support, by subscription, and you may just have more business avenues to explore.

4. Stop internal network infections. It is unbelievable how the networks with the most bots are the networks that allow internal users to connect wherever they want within the network.

All these come to show that although responsiveness to C&C's is important (rather than shutting them down), on the scale of the Internet, what will actually help the Internet is if you take care of it on your own network. You don't have to do any of these, or all of these. Just wake up to the fact that killing C&C's will mostly not help anyone, and if anything, will do harm. Using them to deal with problematic users, even if only to block them from accessing that C&C, is more to the point.

You can choose how to handle these issues, but if you want to stop harming the Internet, stop your users from participating, DDoSing, etc. while not harming your business (no one can handle that tech support load). Monitor the C&C's running on your network - contact law enforcement. These are compromises that keep happening, that you are aware of, and that cause millions of dollars in damages.

"So, are we supposed to leave these compromised boxes up?"

My answer is this: if you fail to remove a spy, as another would just take his place, wouldn't you rather know where that spy is and work to take him down for good? The answer to that is NO, as most of us won't and can't. That said, if you must kill the C&C, be aware that it is nothing more than sweeping the problem, locally on your network as well as on your friends', under the rug.

Do you know who your local fed is?
See if he can help; he most likely can't, and if he could, without much wider cooperation between everybody, he or she would be extremely limited by looking just at your C&C's. That said, I doubt you would want that fed's attention.

You can limit P2P traffic yet you won't limit scanning traffic? Outgoing email traffic from port 25 on dynamic hosts? Bandwidth to compromised users? Port 80, or any, traffic not through your proxy? Consider what other tools are in your arsenal.

My ideas may be completely wrong for you, yet that does not change the fact that killing the C&C will just mean you are kept in the dark. Some large carriers do many of these already, run honey-nets, and what not. Do you?

I would like to hear some opinions on what networks can do, economically, from people here. Please stick to network operations issues.

Gadi.

This is being X-posted to the botnets list.
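The flow-watching approach in points 1 and 2 above, and the port 25 question, as an added example that is not part of the original post: it takes a constructed list of known C&C addresses and constructed flow records (all addresses hypothetical, from documentation ranges), finds the internal hosts talking to a C&C, then shows which other destinations only those hosts contact, and a per-flow egress decision (block the C&C and direct outbound SMTP, rate-limit the rest of the compromised user's traffic).

```python
from collections import defaultdict

# Constructed sample data (hypothetical addresses, RFC 5737 ranges):
# a list of C&C addresses as reported on a sharing list, and flow records
# exported by the edge router as (src, dst, dst_port, bytes).
CNC_HOSTS = {"203.0.113.7", "198.51.100.23"}
FLOWS = [
    ("10.0.0.5",  "203.0.113.7",   6667, 420),    # talks to a known C&C
    ("10.0.0.5",  "192.0.2.80",    80,   15000),
    ("10.0.0.5",  "192.0.2.99",    25,   3000),   # direct outbound SMTP
    ("10.0.0.8",  "198.51.100.23", 6667, 310),    # talks to a known C&C
    ("10.0.0.8",  "192.0.2.99",    25,   2800),
    ("10.0.0.9",  "192.0.2.80",    80,   22000),
    ("10.0.0.9",  "192.0.2.44",    443,  9000),
    ("10.0.0.12", "192.0.2.80",    80,   5000),
]

def compromised_hosts(flows, cnc_hosts):
    """Map each internal source that contacted a known C&C to its flow count."""
    hits = defaultdict(int)
    for src, dst, _port, _nbytes in flows:
        if dst in cnc_hosts:
            hits[src] += 1
    return dict(hits)

def destinations_unique_to_compromised(flows, cnc_hosts):
    """Destinations (other than the C&Cs themselves) that only compromised
    hosts talk to: where to look next, compared against clean users."""
    bad = set(compromised_hosts(flows, cnc_hosts))
    seen_bad, seen_clean = set(), set()
    for src, dst, _port, _nbytes in flows:
        (seen_bad if src in bad else seen_clean).add(dst)
    return sorted(seen_bad - seen_clean - cnc_hosts)

def egress_policy(src, dst, dport, compromised, cnc_hosts):
    """Per-flow decision: block C&C traffic for everyone, block direct
    outbound SMTP from compromised users and rate-limit their other
    traffic, leave clean users alone."""
    if dst in cnc_hosts:
        return "block"
    if src in compromised:
        return "block" if dport == 25 else "limit"
    return "allow"

if __name__ == "__main__":
    bad = compromised_hosts(FLOWS, CNC_HOSTS)
    print("compromised:", bad)
    print("only bots talk to:", destinations_unique_to_compromised(FLOWS, CNC_HOSTS))
    for src, dst, dport, _ in FLOWS:
        print(src, "->", dst, dport, egress_policy(src, dst, dport, bad, CNC_HOSTS))
```

In practice the flow records come from your collector and the C&C list from whatever sharing channel you trust; the matching and the policy are the same.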
Gadi Evron