[mdlug] It's about time.

Aaron Kulkis akulkis00 at gmail.com
Sat Oct 10 15:41:22 EDT 2009


Jeff Hanson wrote:
> On Sat, Oct 10, 2009 at 12:35 PM, Joseph C. Bender
> <jcbender at bendorius.com> wrote:
>>        Nope.  Assuming a good IDS or IDP, botnet traffic sticks out like a
>> sore thumb.  SSH traffic looks like, well, SSH traffic.
>>
>>        There's also a pattern of traffic.  Most ISP customers aren't in the
>> habit of connecting to random hosts in Brazil, China, Russia or
>> Bulgaria.  Even if the traffic was destined to port 22 and "looked" like
>> SSH, chances are the end-user doesn't have shell accounts over there.
>>
> 
> I wonder how it will treat anonymous P-P traffic like Freenet and Tor.

You have to remember, with a bot-net, the problem isn't
the receipt of instructions via whatever devious or abused
protocols (or even channels on IRC servers), the problem
is the subsequent e-mail storm or DDoS attack.

For identifying botnet members, they don't need to look
at the whole world of protocols... only those used for
creating lots of spam or DDoS attack.

Once they identify a bot, THEN they might want to
start looking at the whole panoply of protocols, so
as to identify the control nodes.
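The egress-side approach described above (catch the spam storm or flood, not the control channel), as an added example that is not part of this thread: a small detector run over constructed flow records that flags an internal host either opening direct SMTP connections to an unusual number of distinct destinations or hammering one destination within a window. The record shape, window and thresholds are assumptions.

```python
from collections import defaultdict

# Assumed record shape (constructed sample, not from any real sensor):
# (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # Ordinary desktop: a few mails via the ISP smarthost, some HTTPS.
    [(t, "10.0.0.5", "198.51.100.25", 25) for t in (0, 30, 90)]
    + [(t, "10.0.0.5", "203.0.113.80", 443) for t in range(0, 120, 10)]
    # Spam bot: direct SMTP to 40 distinct remote MX hosts in two minutes.
    + [(t * 3, "10.0.0.9", f"192.0.2.{t}", 25) for t in range(40)]
    # Flood participant: 500 connections to one victim in under two minutes.
    + [(t * 0.2, "10.0.0.17", "203.0.113.7", 80) for t in range(500)]
)

WINDOW = 300              # seconds per aggregation window (assumed)
SMTP_FANOUT_LIMIT = 10    # distinct SMTP destinations per host per window
FLOOD_LIMIT = 200         # connections from one host to one destination per window


def find_bots(flows, window=WINDOW, fanout=SMTP_FANOUT_LIMIT, flood=FLOOD_LIMIT):
    """Return {src_ip: reason} for hosts whose egress looks like spam or a flood."""
    smtp_dsts = defaultdict(set)    # (window_idx, src) -> distinct SMTP destinations
    per_dst = defaultdict(int)      # (window_idx, src, dst) -> connection count
    for ts, src, dst, port in flows:
        w = int(ts // window)
        if port == 25:
            smtp_dsts[(w, src)].add(dst)
        per_dst[(w, src, dst)] += 1

    flagged = {}
    for (w, src), dsts in smtp_dsts.items():
        if len(dsts) > fanout:
            flagged.setdefault(src, f"smtp fan-out: {len(dsts)} distinct MX in window {w}")
    for (w, src, dst), n in per_dst.items():
        if n > flood:
            flagged.setdefault(src, f"flood: {n} connections to {dst} in window {w}")
    return flagged


if __name__ == "__main__":
    for host, why in sorted(find_bots(SAMPLE_FLOWS).items()):
        print(host, "->", why)
```

The mail relay host 10.0.0.5 stays clean because its SMTP fan-out is one destination and no single destination exceeds the flood limit.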
