Dailydave mailing list archives

Re: Beyond Fast Flux


From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Fri, 14 Dec 2007 23:20:30 -0500

Having spent some time writing network sensors for the government and time
trying to get tools to connect outbound during pen tests, I've seen nothing
more effective than clever HTTP traffic embedded in real webpages using tags
and simple encoding. Abusing DNS, whether with tunnels, fast flux, or open
resolvers, sticks out as anomalous behaviour -- it's not all too difficult to
detect. Yes, it costs money and labor, but it can be done. What can you do
about PINK-type communication?

I'm not going to claim to have all the answers, but I spent about 9 months
writing network sensors and I can't fathom how you can detect that traffic
on any scale. Fast flux is the current sexy thing, but Trickler (govt
software) and Tenable's PVS can be tweaked to pick it up (even on large
OC-3+ pipes).

On Dec 14, 2007 9:44 PM, Paul Ferguson <fergdawg () netzero net> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Brandon Enright <bmenrigh () ucsd edu> wrote:

If you're going to attack something you should back your argument up
with a little evidence.  The C&C methods mentioned in the paper are:

* IRC
* HTTP to single server
* Fast-Flux of DNS Servers
* Storm P2P protocols
* PINK

About the only thing they missed was DHT, which is arguably covered by
Storm.

PINK is a good idea.  If it really is light-years behind the criminals,
show us the papers, presentations, and discussions of more advanced C&C.
If your argument is that PINK is primitive or that it won't work,
respond with a paper, a countermeasure, or at the very least a detailed
email of possible flaws in it.  C'mon, Gadi, you know better.


What about Open DNS resolvers, using double-flux, combined with the
Storm Overnet?

:-)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHYz+Nq1pz9mNUZTMRAv6HAJ9ImdXXvj2bFKn3g45Mo236RjAF3QCg8ohH
yTozjLY3oGFre6ntmOtKwQs=
=8fSS
-----END PGP SIGNATURE-----



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave




-- 
Matthew  Wollenweber
mwollenweber () gmail com | mjw () cyberwart com
www.cyberwart.com
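Matthew's point above is that DNS abuse (tunnels, fast flux) has structural tells a sensor can key on, while C&C hidden in ordinary HTTP page content does not. The following is an added example, not code from the thread, Trickler or PVS: a small Python profiler run over constructed passive-DNS style log lines. It scores each zone on the two classic DNS tells, long high-entropy first labels with many unique names (tunnelling) and many distinct A answers with short TTLs (flux). The log format, the thresholds, and the "last two labels are the registered domain" shortcut are all assumptions made for the example.

```python
"""Toy DNS C&C profiler: flags tunnel-like and flux-like zones in a query log.

Added example for illustration; the log lines below are constructed, not captured.
"""
import math
import re
from collections import defaultdict

# Constructed sample log (assumed format): <epoch> <client> <qname> <qtype> <answer> ttl=<s>
SAMPLE_LOG = """\
1197690000 10.0.0.5 www.example.com A 93.184.216.34 ttl=86400
1197690001 10.0.0.5 mail.example.com A 93.184.216.35 ttl=86400
1197690002 10.0.0.5 www.example.com A 93.184.216.34 ttl=86400
1197690003 10.0.0.7 3f9a1c77e0b24d8a5e6f1b2c9d0e4a71.tunnel.example TXT - ttl=60
1197690004 10.0.0.7 8b2e5d19c4a7f03e6d1b9c2a4e7f0d35.tunnel.example TXT - ttl=60
1197690005 10.0.0.7 a7c4e1f29b3d5e06f8a1c2d4b6e8f013.tunnel.example TXT - ttl=60
1197690006 10.0.0.7 d2f8b4a61e9c3057f1a2b3c4d5e6f708.tunnel.example TXT - ttl=60
1197690007 10.0.0.7 5e1c9a3f7b2d4e8a0c6f1d3b5a7e9c24.tunnel.example TXT - ttl=60
1197690008 10.0.0.7 c9b3d7e1a5f2480e6b3a1d9c7e5f0a16.tunnel.example TXT - ttl=60
1197690009 10.0.0.9 update.flux.example A 198.51.100.11 ttl=120
1197690010 10.0.0.9 update.flux.example A 198.51.100.72 ttl=120
1197690011 10.0.0.9 update.flux.example A 203.0.113.5 ttl=120
1197690012 10.0.0.9 update.flux.example A 203.0.113.201 ttl=120
1197690013 10.0.0.9 update.flux.example A 198.51.100.140 ttl=120
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) ttl=(\d+)$")


def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, answer, ttl = m.groups()
    labels = qname.lower().rstrip(".").split(".")
    return {
        "ts": int(ts), "client": client, "qname": qname.lower(),
        "qtype": qtype, "answer": answer, "ttl": int(ttl),
        "first_label": labels[0],
        # Assumption: last two labels approximate the registered domain.
        # Real code should use the Public Suffix List (think co.uk).
        "zone": ".".join(labels[-2:]),
    }


def profile(lines):
    """Aggregate per-zone features that tunnels and flux cannot easily hide."""
    zones = defaultdict(lambda: {"qnames": set(), "answers": set(),
                                 "label_lens": [], "entropies": [], "ttls": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        z = zones[rec["zone"]]
        z["qnames"].add(rec["qname"])
        z["label_lens"].append(len(rec["first_label"]))
        z["entropies"].append(shannon_entropy(rec["first_label"]))
        z["ttls"].append(rec["ttl"])
        if rec["qtype"] == "A" and rec["answer"] != "-":
            z["answers"].add(rec["answer"])
    return zones


def classify(zones, min_unique=5, min_label_len=20, min_entropy=3.0,
             min_answers=4, max_flux_ttl=300):
    """Thresholds are illustrative assumptions; tune them against your own baseline."""
    verdicts = {}
    for zone, z in zones.items():
        mean_len = sum(z["label_lens"]) / len(z["label_lens"])
        mean_ent = sum(z["entropies"]) / len(z["entropies"])
        reasons = []
        # Tunnel tell: many unique, long, high-entropy names under one zone.
        if (len(z["qnames"]) >= min_unique and mean_len >= min_label_len
                and mean_ent >= min_entropy):
            reasons.append("tunnel")
        # Flux tell: one name resolving to many addresses with short TTLs.
        if len(z["answers"]) >= min_answers and max(z["ttls"]) <= max_flux_ttl:
            reasons.append("flux")
        verdicts[zone] = reasons
    return verdicts


def analyze(log_text):
    return classify(profile(log_text.splitlines()))


if __name__ == "__main__":
    for zone, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{zone:20s} {', '.join(reasons) or 'benign'}")
```

Note what the same approach cannot do: a beacon that fetches a normal-looking page and reads its instructions out of an attribute value or a simple encoding in the markup produces one ordinary HTTP request and one ordinary response, so none of these features (name entropy, unique-name fan-out, answer churn, TTL) ever move. That is the asymmetry the message above is pointing at.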
