nanog mailing list archives

RE: mitigating botnet C&Cs has become useless

From: "Scott Weeks" <surfer () mauigateway com>
Date: Thu, 03 Aug 2006 12:22:31 -1000


----- Original Message Follows -----
From: "Barry Greene (bgreene)" <bgreene () cisco com>

What?  That's what I'm trying to find out, but I'm not
as  smart as most, so I can only point out the things
that I  believe definitely won't work and why I think
that.  Hopefully by the application of flame to my butt
by smart  people for saying what I do will spark some

thought toward the goal.

Start with:

http://www.nanog.org/mtg-0602/greene.html



I didn't see anything in there relating to bot brains. 
Also, with regard to 'cyberspace is just a meatspace
overlay' I considered whay would I do to troubleshoot an
overlay network.  I'd work on the layer where the problem
exists.  (Duh! :)  Here, the problem exists at two layers: 
Technically it's allowed and meat-wise there're those kinds
of people in this world.  So, the solution must be at both
layers; meatspace and cyberspace.  That makes us all
correct, yes?  (again, I'm putting on my flame-proof
underpants... ;-)

One thing someone mentioned offline:

The goal, as noted, shouldn't be to shut these things
down.  It should be to keep them operating, not interfered
with, so that the C&C channels remain detectable

Shutting down C&C's is a direct action.

More fun?  Monitor those C&C's.  In real time, update your
filtering to tag attack packets as a QoS that is
rate-limited at your borders.  This would be hard for a
botherder to detect, but would limit damage against remote
sites.  You don't actually want to *block* them; blocking
them lets the botherder know that you're on to them.  But
this has to be done fairly cleverly (much moreso than I
suggest), so that they can't easily  figure it out.  This
is just an example for the sake of conveying the  overall
idea.

But shutting them down, that's like the police arresting
all the informants.  It doesn't stop the crime, it just
eradicates all your easy leads.


What're folk's thoughts on that?

scott

Current thread:

Re: gated communities - was Re: mitigating botnet, (continued)
- - - Re: gated communities - was Re: mitigating botnet Edward Lewis (Aug 02)
- Re: mitigating botnet C&Cs has become useless Fergie (Aug 01)
- Re: mitigating botnet C&Cs has become useless Scott Weeks (Aug 01)
- Re: mitigating botnet C&Cs has become useless Scott Weeks (Aug 02)
- RE: mitigating botnet C&Cs has become useless Fergie (Aug 02)
- RE: mitigating botnet C&Cs has become useless Barry Greene (bgreene) (Aug 02)
- RE: mitigating botnet C&Cs has become useless Fergie (Aug 02)
- Re: mitigating botnet C&Cs has become useless Danny McPherson (Aug 03)
- Re: mitigating botnet C&Cs has become useless Fergie (Aug 03)
  - RE: mitigating botnet C&Cs has become useless Bora Akyol (Aug 03)
- RE: mitigating botnet C&Cs has become useless Scott Weeks (Aug 03)
  - Re: mitigating botnet C&Cs has become useless John Kristoff (Aug 03)
  - Re: mitigating botnet C&Cs has become useless Danny McPherson (Aug 03)
    - Re: mitigating botnet C&Cs has become useless bmanning (Aug 03)
    - Re: mitigating botnet C&Cs has become useless Danny McPherson (Aug 05)
    - Re: mitigating botnet C&Cs has become useless Sean Donelan (Aug 05)
    - Re: mitigating botnet C&Cs has become useless Danny McPherson (Aug 05)
    - Re: mitigating botnet C&Cs has become useless Aaron Glenn (Aug 08)
    - Re: mitigating botnet C&Cs has become useless Barry Shein (Aug 03)
- RE: mitigating botnet C&Cs has become useless Fergie (Aug 03)
  - RE: mitigating botnet C&Cs has become useless Bora Akyol (Aug 03)

(Thread continues...)