nanog mailing list archives
RE: mitigating botnet C&Cs has become useless
From: "Scott Weeks" <surfer () mauigateway com>
Date: Thu, 03 Aug 2006 12:22:31 -1000
----- Original Message Follows -----
From: "Barry Greene (bgreene)" <bgreene () cisco com>

What? That's what I'm trying to find out, but I'm not as smart as most, so I can only point out the things that I believe definitely won't work and why I think that. Hopefully by the application of flame to my butt by smart people for saying what I do will spark some thought toward the goal.

Start with: http://www.nanog.org/mtg-0602/greene.html
I didn't see anything in there relating to bot brains. Also, with regard to 'cyberspace is just a meatspace overlay', I considered what I would do to troubleshoot an overlay network. I'd work on the layer where the problem exists. (Duh! :) Here, the problem exists at two layers: technically it's allowed, and meat-wise there're those kinds of people in this world. So, the solution must be at both layers; meatspace and cyberspace. That makes us all correct, yes? (again, I'm putting on my flame-proof underpants... ;-)

One thing someone mentioned offline:
The goal, as noted, shouldn't be to shut these things down. It should be to keep them operating, not interfered with, so that the C&C channels remain detectable
Shutting down C&C's is a direct action. More fun? Monitor those C&C's. In real time, update your filtering to tag attack packets as a QoS that is rate-limited at your borders. This would be hard for a botherder to detect, but would limit damage against remote sites. You don't actually want to *block* them; blocking them lets the botherder know that you're on to them. But this has to be done fairly cleverly (much moreso than I suggest), so that they can't easily figure it out. This is just an example for the sake of conveying the overall idea.
But shutting them down, that's like the police arresting all the informants. It doesn't stop the crime, it just eradicates all your easy leads.
What're folks' thoughts on that?

scott
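The "tag it and rate-limit it at the border instead of blocking it" idea from the post above, as an added example that is not part of the original message or of anything a NANOG participant wrote: a small Python simulation of a border shaper. Packets that match a watchlist of addresses learned by monitoring a C&C channel are tagged with a scavenger QoS class and run through a token bucket, so a trickle still gets through and the channel keeps working (badly) while every tagged packet is recorded; unmatched traffic is forwarded untouched. All addresses, rates, packet sizes and the watchlist itself are constructed values, and the class and function names are this example's own.

```python
"""Added example (not from the original post): tag-and-shape instead of block.

A border device classifies packets against a watchlist of addresses learned
by monitoring a C&C channel.  Matching traffic is tagged with a scavenger QoS
class and run through a token bucket so a trickle still gets through: the
channel keeps working (badly) and every tagged packet is recorded for
analysis, instead of a hard block that reveals the monitoring.  All
addresses, rates and packet sizes below are constructed test values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int   # bytes
    ts_ms: int  # arrival time in milliseconds (integers keep the math exact)


class TokenBucket:
    """Classic token bucket: `rate` bytes are credited per millisecond,
    up to `burst` bytes; a packet passes only if it can pay its size."""

    def __init__(self, rate_bytes_per_ms: int, burst_bytes: int):
        self.rate = rate_bytes_per_ms
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def allow(self, size: int, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class BorderShaper:
    """Classify, tag and shape; never outright block the watched flows."""

    SCAVENGER = "scavenger"      # QoS class for traffic tied to the watched C&C
    BEST_EFFORT = "best-effort"  # everything else, forwarded untouched

    def __init__(self, watchlist, rate_bytes_per_ms: int, burst_bytes: int):
        self.watchlist = set(watchlist)
        self.bucket = TokenBucket(rate_bytes_per_ms, burst_bytes)
        self.log = []  # (ts_ms, src, dst, size, verdict) for every tagged packet

    def classify(self, pkt: Packet) -> str:
        if pkt.src in self.watchlist or pkt.dst in self.watchlist:
            return self.SCAVENGER
        return self.BEST_EFFORT

    def process(self, pkt: Packet):
        qos = self.classify(pkt)
        if qos == self.BEST_EFFORT:
            return "forward", qos
        verdict = "forward" if self.bucket.allow(pkt.size, pkt.ts_ms) else "drop"
        self.log.append((pkt.ts_ms, pkt.src, pkt.dst, pkt.size, verdict))
        return verdict, qos


def build_traffic():
    """Constructed sample: an infected host (on the watchlist) sends 100
    packets of 500 bytes at 10 ms intervals toward a remote site, while a
    clean host sends 50 packets over the same second."""
    bot = [Packet("10.0.0.5", "203.0.113.10", 500, i * 10) for i in range(100)]
    clean = [Packet("10.0.0.9", "198.51.100.7", 500, i * 20) for i in range(50)]
    return sorted(bot + clean, key=lambda p: p.ts_ms)


def simulate(rate_bytes_per_ms: int = 1, burst_bytes: int = 2000) -> dict:
    """Run the constructed traffic through the shaper and tally verdicts
    per QoS class.  With 1 B/ms (8 kbit/s) and a 2000-byte burst the bot
    flow is cut to a trickle, but not to zero, and all of it is logged."""
    shaper = BorderShaper(watchlist={"10.0.0.5"},
                          rate_bytes_per_ms=rate_bytes_per_ms,
                          burst_bytes=burst_bytes)
    tally = {BorderShaper.SCAVENGER: {"forward": 0, "drop": 0},
             BorderShaper.BEST_EFFORT: {"forward": 0, "drop": 0}}
    for pkt in build_traffic():
        verdict, qos = shaper.process(pkt)
        tally[qos][verdict] += 1
    tally["tagged_packets_logged"] = len(shaper.log)
    return tally


if __name__ == "__main__":
    for qos, counts in simulate().items():
        print(qos, counts)
```

The trickle is the point: a few of the watched packets still reach the far end, so the flow looks congested rather than filtered, while the shaper's log gives the analysts a complete record of the tagged traffic. On real gear the class would be carried as a DSCP marking and the policing done by the border router; the watchlist and its rate would be updated from whatever is monitoring the C&C channel.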