North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

  • From: Joe Greco
  • Date: Tue Jul 24 13:58:41 2007

> On 7/24/07, Joe Greco <[email protected]> wrote:
> > The problem is isolating the traffic in question.  Since you DO NOT HAVE
> > GIGABITS OF TRAFFIC destined for IRC servers, this becomes a Networking
> > 101-style question.  A /32 host route is going to be effective.
> > Manipulating DNS is definitely the less desirable method, because it has
> > the potential for breaking more things.  But, hey, it can be done, and
> > with an amount of effort that isn't substantially different from the
> > amount of work Cox would have had to do to accomplish what they did.
> Yup - though I still dont see much point in specialcasing IRC.  

This is probably true.  However, in this case, apparently Cox felt there
was some benefit to tackling this class of bot.

My guess would have been that they were abandoned, and as such, there
wouldn't have been much point to doing this.  However, maybe that wasn't
the case.

> It
> would probably be much more cost effective in the long run to have
> something rather more comprehensive.

Sure, but that actually *is* more difficult.  It isn't just a technical
solution.  It has to involve actual ongoing analysis of botnets, and how
they operate, plus technical countermeasures.  Are there ISP's who are
willing to devote resources to that?

> Yes there are a few bots around still using IRC but a lot of them have
> moved to other, better things (and there's fun "headless" bots too,
> hardcoded with instructions and let loose so there's no C&C, no
> centralized domain or dynamic dns for takedown.. you want to make a
> change? just release another bot into the wild).

Hardly unexpected.  The continuing evolution is likely to be pretty 
scary.  Disposables are nice, but the trouble and slowness in seeding 
makes them less valuable.  I'm expecting that we'll see 
compartmentalized bots, where each bot has a small number of neighbors,
a pseudo-scripting command language, extensible communication ABI to 
facilitate the latest in detection avoidance, and some basic logic to 
seed/pick neighbors that aren't local.  Build in some strong 
encryption, have them each repeat the encrypted orders to their 
neighbors, and you have a structure that would be exceedingly 
difficult to deal with.

Considering how long ago that sort of model was proposed, it is actually
remarkable that it doesn't seem to have been perfected by now, and that
we're still blocking IRC.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.