North American Network Operators Group

RE: mitigating botnet C&Cs has become useless
----- Original Message Follows -----
From: "Barry Greene (bgreene)" <[email protected]>

> > What? That's what I'm trying to find out, but I'm not
> > as smart as most, so I can only point out the things
> > that I believe definitely won't work and why I think
> > that. Hopefully by the application of flame to my butt
> > by smart people for saying what I do will spark some
> > thought toward the goal.
>
> Start with:
>
> http://www.nanog.org/mtg-0602/greene.html

I didn't see anything in there relating to bot brains.

Also, with regard to 'cyberspace is just a meatspace overlay', I considered what I would do to troubleshoot an overlay network. I'd work on the layer where the problem exists. (Duh! :)

Here, the problem exists at two layers: technically it's allowed, and meat-wise there're those kinds of people in this world. So, the solution must be at both layers; meatspace and cyberspace. That makes us all correct, yes? (Again, I'm putting on my flame-proof underpants... ;-)

One thing someone mentioned offline:

> The goal, as noted, shouldn't be to shut these things
> down. It should be to keep them operating, not interfered
> with, so that the C&C channels remain detectable.
>
> Shutting down C&C's is a direct action.
>
> More fun? Monitor those C&C's. In real time, update your
> filtering to tag attack packets as a QoS that is
> rate-limited at your borders. This would be hard for a
> botherder to detect, but would limit damage against remote
> sites. You don't actually want to *block* them; blocking
> them lets the botherder know that you're on to them. But
> this has to be done fairly cleverly (much more so than I
> suggest), so that they can't easily figure it out. This
> is just an example for the sake of conveying the overall
> idea.
>
> But shutting them down, that's like the police arresting
> all the informants. It doesn't stop the crime, it just
> eradicates all your easy leads.

What're folks' thoughts on that?

scott
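The "monitor, tag and rate-limit instead of block" idea quoted above, sketched as an added toy border policy (this is illustration code, not anything from the thread or from NANOG): the C&C channel itself is left untouched so it stays observable, while other traffic from hosts seen talking to a monitored C&C is marked and capped. The addresses, the DSCP value and the byte budget are constructed assumptions.

```python
"""Toy border policy illustrating the quoted suggestion: never interfere
with the C&C channel (it is the lead), but tag and rate-limit other traffic
from hosts that were seen contacting it. All values here are constructed."""
from collections import defaultdict

MONITORED_CC = {"198.51.100.7"}   # hypothetical C&C under observation
DSCP_SCAVENGER = 8                # CS1 lower-effort class (assumed mark)
BUCKET_BYTES = 10_000             # per-source bytes allowed per window


class BorderPolicy:
    def __init__(self):
        self.suspect_hosts = set()          # hosts observed talking to a C&C
        self.spent = defaultdict(int)       # bytes already allowed this window

    def decide(self, src, dst, nbytes):
        """Return (action, dscp); action is 'pass' or 'rate_limited'."""
        if dst in MONITORED_CC:
            # Leave the C&C channel alone so it remains detectable, but
            # remember who talked to it.
            self.suspect_hosts.add(src)
            return ("pass", None)
        if src not in self.suspect_hosts:
            return ("pass", None)           # clean host, untouched
        # Suspect host talking elsewhere: keep it flowing, but marked and
        # capped, so the remote site is protected without a visible block.
        if self.spent[src] + nbytes <= BUCKET_BYTES:
            self.spent[src] += nbytes
            return ("pass", DSCP_SCAVENGER)
        return ("rate_limited", DSCP_SCAVENGER)

    def new_window(self):
        self.spent.clear()


def run_sample():
    # Constructed flow records: (src, dst, bytes)
    flows = [
        ("10.0.0.5", "198.51.100.7", 200),   # bot checks in with C&C: passed
        ("10.0.0.5", "203.0.113.9", 6000),   # bot hits remote site: marked
        ("10.0.0.5", "203.0.113.9", 6000),   # over the bucket: rate-limited
        ("10.0.0.6", "203.0.113.9", 6000),   # clean host: passed unmarked
    ]
    policy = BorderPolicy()
    return [policy.decide(*flow) for flow in flows]
```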