Dailydave mailing list archives
Re: Beyond Fast Flux
From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Fri, 14 Dec 2007 23:20:30 -0500
Having spent some time writing network sensors for the government and time trying to get tools to connect outbound during pen tests, I've seen nothing more effective than clever HTTP traffic embedded in real webpages using tags and simple encoding. Abusing DNS, whether with tunnels, fastflux, or open resolvers, sticks out as anomalous behaviour -- it's not all too difficult to detect. Yes, it costs money and labor, but it can be done. What can you do about PINK type communication? I'm not going to claim to have all the answers, but I spent about 9 months writing network sensors and I can't fathom how you can detect that traffic on any scale. Fast flux is the current sexy thing, but Trickler (govt software) and Tenable's PVS can be tweaked to pick it up (even on large OC-3+ pipes).

On Dec 14, 2007 9:44 PM, Paul Ferguson <fergdawg () netzero net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- Brandon Enright <bmenrigh () ucsd edu> wrote:
>
> > If you're going to attack something you should back your argument up with a little evidence. The C&C methods mentioned in the paper are:
> >
> > * IRC
> > * HTTP to single server
> > * Fast-Flux of DNS Servers
> > * Storm P2P protocols
> > * PINK
> >
> > About the only thing they missed was DHT, which is arguably covered by Storm. PINK is a good idea. If it really is light-years behind the criminals, show us the papers, presentations, and discussions of more advanced C&C. If your argument is that PINK is primitive or that it won't work, respond with a paper, a countermeasure, or at the very least a detailed email of possible flaws in it.
> >
> > C'mon, Gadi, you know better.
>
> What about Open DNS resolvers, using double-flux, combined with the Storm Overnet? :-)
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.3 (Build 3017)
>
> wj8DBQFHYz+Nq1pz9mNUZTMRAv6HAJ9ImdXXvj2bFKn3g45Mo236RjAF3QCg8ohH
> yTozjLY3oGFre6ntmOtKwQs=
> =8fSS
> -----END PGP SIGNATURE-----
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
-- Matthew Wollenweber mwollenweber () gmail com | mjw () cyberwart com www.cyberwart.com
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
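The message above claims that DNS abuse (fast flux, tunnels) stands out as anomalous and is detectable by a network sensor. As an added illustration of what such a sensor's logic looks like (this is example code written for this page, not Trickler, PVS, or anything posted in the thread), the script below runs two simple heuristics over a constructed sample of passive-DNS style records: a fast-flux check (one name rotating through many addresses across many /16 networks with short TTLs) and a tunnelling check (one parent domain receiving many long, high-entropy subdomain queries). All threshold values, domain names, and addresses are assumptions chosen for the sample, not tuned production settings.

```python
"""Toy DNS-anomaly detector (added example; not code from the thread).

Heuristics, with thresholds that are assumptions for this sample:
  * fast-flux:  a name answered with short TTLs whose A records keep
                rotating across many distinct /16 networks;
  * tunnelling: a parent domain queried for many unique, long,
                high-entropy leftmost labels.
"""
import math
from collections import defaultdict

# Assumed thresholds, chosen to illustrate, not tuned against real traffic.
FLUX_MIN_IPS = 6         # distinct A records seen for one name
FLUX_MIN_NETS = 4        # distinct /16 prefixes among those records
FLUX_MAX_TTL = 300       # seconds; fluxing names keep TTLs short
TUNNEL_MIN_QUERIES = 5   # distinct subdomains under one parent domain
TUNNEL_MIN_LEN = 16      # mean length of the leftmost label
TUNNEL_MIN_ENTROPY = 3.5 # bits per character of the leftmost label

# Constructed sample records: (queried name, TTL, list of A-record answers).
# Names use reserved .test / documentation address space; nothing here is real.
SAMPLE_LOG = [
    ("www.example-bank.test", 86400, ["198.51.100.10"]),
    ("www.example-bank.test", 86400, ["198.51.100.10"]),
    # Legitimate CDN-like behaviour: short TTL but all answers in one /16.
    ("cdn.example-cdn.test", 60, ["203.0.113.20", "203.0.113.21"]),
    ("cdn.example-cdn.test", 60, ["203.0.113.22", "203.0.113.23"]),
    ("cdn.example-cdn.test", 60, ["203.0.113.24", "203.0.113.25"]),
    # Fast-flux-like behaviour: short TTL, answers scattered across networks.
    ("update.flux-example.test", 180, ["203.0.113.5", "192.0.2.77", "198.51.100.201"]),
    ("update.flux-example.test", 120, ["203.0.113.9", "192.0.2.130", "198.18.4.4"]),
    ("update.flux-example.test", 150, ["10.40.1.1", "172.16.9.9", "192.168.3.3"]),
    # Ordinary subdomains: few, short, low entropy.
    ("mail.normal-example.test", 3600, ["198.51.100.30"]),
    ("www.normal-example.test", 3600, ["198.51.100.31"]),
    ("img.normal-example.test", 3600, ["198.51.100.32"]),
    # Tunnel-like behaviour: many unique, long, random-looking labels.
    ("q7h2k9x4m1p8z5w3v6n0.tun-example.test", 1, []),
    ("b4t8c1r6d9y2f5s0g3j7.tun-example.test", 1, []),
    ("l2e7u4a9o1i6w3y8h5k0.tun-example.test", 1, []),
    ("z9m3n6v0p2q5r8s1t4x7.tun-example.test", 1, []),
    ("c5d8f1g4j7k0l3b6a9e2.tun-example.test", 1, []),
    ("w1x4y7z0u3t6s9r2p5o8.tun-example.test", 1, []),
]


def shannon_entropy(text):
    """Bits per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(name):
    """Registered-domain approximation: last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def slash16(ip):
    """Coarse network key: first two octets of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:2])


def detect_fast_flux(records):
    """Return {name: stats} for names whose answers look fast-fluxed."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for name, ttl, answers in records:
        entry = per_name[name.lower()]
        entry["ttls"].append(ttl)
        for ip in answers:
            entry["ips"].add(ip)
            entry["nets"].add(slash16(ip))
    flagged = {}
    for name, e in per_name.items():
        if (len(e["ips"]) >= FLUX_MIN_IPS and len(e["nets"]) >= FLUX_MIN_NETS
                and max(e["ttls"]) <= FLUX_MAX_TTL):
            flagged[name] = {"ips": len(e["ips"]), "nets": len(e["nets"]),
                             "max_ttl": max(e["ttls"])}
    return flagged


def detect_tunnels(records):
    """Return {parent: stats} for parent domains whose query labels look encoded."""
    per_parent = defaultdict(set)
    for name, _ttl, _answers in records:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) > 2:
            per_parent[parent_domain(name)].add(labels[0])
    flagged = {}
    for parent, subs in per_parent.items():
        if len(subs) < TUNNEL_MIN_QUERIES:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= TUNNEL_MIN_LEN and mean_ent >= TUNNEL_MIN_ENTROPY:
            flagged[parent] = {"subdomains": len(subs),
                               "mean_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    print("fast-flux candidates:", detect_fast_flux(SAMPLE_LOG))
    print("tunnel candidates:   ", detect_tunnels(SAMPLE_LOG))
```

The CDN-like name in the sample is the point of the /16 check: a short TTL alone is common for legitimate load-balanced services, so the flux heuristic also requires the answers to be spread across unrelated networks. Likewise the tunnel check counts unique labels per parent domain rather than flagging any single odd-looking query, which keeps ordinary long hostnames from tripping it.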