North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: [Full-disclosure] what can be done with botnet C&C's?
Thanks for the info. I will pass this to our abuse department to get rid of those. We are still tweaking our system and is only about 90% deployed, but after all of the efforts to deploy the system, it should pay-off many many times over. Thanks again, Jordan -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Gadi Evron Sent: Thursday, August 17, 2006 1:37 PM To: Jordan Medlen Cc: [email protected] Subject: RE: [Full-disclosure] what can be done with botnet C&C's? On Thu, 17 Aug 2006, Jordan Medlen wrote: > > I'm sure most people on this list have heard of or use snort. There is > an add-on package called snortsam. This package allows automation of > blocking traffic deemed malicious via a null route statement or ACL > statement. We have been in the process over the last month of > implementing this on our network with much success. I think the only > problem that we have had with it thus far is underestimating just how > well it was actually going to work. As with any snort implementation, > it takes time to tweak and tune the rule sets, however we have managed > to kill a huge amount of traffic either coming from our customers or > destined to our customers. While this is not a perfect system, it is > much better than idly sitting there and letting the abuse continue. Hi Jordan, I am very happy to see Sago changing from one of the worst nets on the net when it comes to botnets to being, apparently, one of the most pro-active. That said, when I last checked (a week ago) you had 4 botnet C&C's still open and active on your AS. As always, you and anyone else here can email us directly for the information on your network. Gadi. > > --- > Jordan Medlen > Chief Technology Officer and Architect Sago Networks > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Michael Nicks > Sent: Sunday, August 13, 2006 2:07 PM > To: [email protected] > Subject: Re: [Full-disclosure] what can be done with botnet C&C's? > > > I hate to stir the flames again, but this idea sounds a lot like RBLs. > :) > > All kidding aside, I'm curious as to when we will reach the point > where the devices of our networks will be able to share information > regarding sporadic bursts or predefined traffic patterns in network > traffic within a certain time frame, determine it is a related > outgoing (or incoming) attack, and mitigate/stop the traffic. I think > it certainly is possible to accomplish this on a per-router level, but > being able to have the devices communicate and share information between one another is a completely separate thing. > (New protocol perhaps.) > > The only real method that I really have in my toolkit to stop incoming > DDoS on a AS-wide perspective is originating a /32 within an AS with a > next-hop of a discard interface. > > Something similar to that nature but more flexible and designed for > the sole purpose of preventing/stopping abuse would be a very nice feature. > > Cheers. > -Michael > > -- > Michael Nicks > Network Engineer > KanREN > e: [email protected] > o: +1-785-856-9800 x221 > m: +1-913-378-6516 > > Payam Tarverdyan Chychi wrote: > > I've been reading on this subject for the last several weeks and it > > seems as if everyone just like to come up with out of the box ideas > > that are not realistic for today's network environments > > > >>> J.Oquendo, thanks for the Smurf example . as there are still > > admins/engineers at large networks that have no clue as to what they > > are doing. so QoS is for sure out of the question.. at least at this > > time. > > > > Depending on agents to take actions and protecting our networks is > > even a bigger joke. Back in late 90s where kiddies were using the > > simplest types of C&C, open wide irc networks with visible Channels > > and no encryptions. and agents couldn't do anything unless the > > attack was big enough to take down Amazon, yahoo, Microsoft or some > > other major provider with enough $$$ to start an investigation. > > > > So what makes you think that agents are of any help in today's world > > where c&c have gotten so much more sophisticated, use backup private > > servers, encryption, tunneling and much much more.. > > > > In my opinion, the only way to really start cracking down on c&c and > > put an end to it is the cooperation of major ISP's. I realize that > > most isp's cant/wont setup a security team to just investigate c&c / > > attacks (would this really fall under the Abuse team?) but perhaps > > If all major networks worked together and created a active db list > > of c&c found either on their networks or attacking ones network. > > then it would be much much easier to trace back c&c and dispose of them. > > > > Unfortunately, we don't live in a perfect world and most isp's hate > > sharing any information. I guess its better for them to have a > > bigger ego than a safer / more stable network. > > > > Please feel free to correct me if I am wrong. > > > > -Payam >