Re: AW: mitigating botnet C&Cs has become useless
On Mon, 31 Jul 2006, Dean Anderson wrote:
You are approaching the problem the wrong way. Many failover systems work very well when the primary fails entirely--when the salesman pulls the plug. Few work well when the primary doesn't entirely fail, but just doesn't work correctly, as is usually the case in the real world.
Such as? How does it apply to the network world?
Try that approach on the C&Cs: infiltrate and use the C&C to the botnets' disadvantage. Probably, you can cause an "upgrade" to be distributed to the infected hosts that doesn't have a secondary control channel, but that doesn't overly alert the human bot operators until it's too late.
Infiltration is intelligence, not network.. uploading a file is illegal and unethical... Good solid ideas, but unfortunately failed in the past.
Of course, Nanog seems not to appreciate my contributions, so I won't be sharing anything else I know about the problem. Good luck.
--Dean
On Mon, 31 Jul 2006, Gadi Evron wrote:
On Sun, 30 Jul 2006, Gunther Stammwitz wrote:
The really interesting question is when botnets are going to use p2p-technologies since one wouldn't know how to stop them then. Please let that never happen....
I am not saying you are wrong, or that dynamic channels won't happen far more widely. Currently they are not widely used as they are not needed. Web, IRC, etc. are quite efficient.
That said, there is one problem to solve with every evolved C&C: the more complex it is, the easier it is to follow.
Gadi.
-- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000
On Mon, 31 Jul 2006 12:30:48 CDT, Gadi Evron said:
On Mon, 31 Jul 2006, Dean Anderson wrote:
You are approaching the problem the wrong way. Many failover systems work very well when the primary fails entirely--when the salesman pulls the plug. Few work well when the primary doesn't entirely fail, but just doesn't work correctly, as is usually the case in the real world.
Such as? How does it apply to the network world?
What, you never had a BGP session to a peer router that lied through its teeth about its other interfaces being up, so you didn't fallover to an alternate route? :)