[mdlug] It's about time.

Joseph C. Bender jcbender at bendorius.com
Sat Oct 10 16:22:56 EDT 2009


Aaron Kulkis wrote:
> Jeff Hanson wrote:
>> I wonder how it will treat anonymous P-P traffic like Freenet and Tor.
> 
> You have to remember, with a bot-net, the problem isn't
> the receipt of instructions via whatever devious or abused
> protocols (or even channels on IRC servers), the problem
> is the subsequent e-mail storm or DDoS attack.
> 
	It's all part of the problem.  If the host is actively participating in 
the attack, it's a much larger problem than a merely compromised host.

	That being said, one of the bigger issues with botnets is that not all 
the hosts are actively attacking things at once.  A smart botnet 
operator will leave hosts in reserve, letting them idle most of the time 
and only spam or DDoS part of the time; they tend not to stick out that 
way.  The thing that keeps chugging along is the command and control 
traffic.  Just like any battle, if I can interrupt C&C traffic to the 
bad guys' assets, that asset just became ineffective.

> For identifying botnet members, they don't need to look
> at the whole world of protocols.. only those used for
> creating lots of spam or DDoS attack.
> 
	If that's all anyone is looking at, they're not doing their jobs 
correctly.  If you wait for something to start spamming or attacking, 
you're a bit too late.  Thankfully, those of us who deal with stuff like 
this on a daily basis *are* looking at all possible means of detection, 
including identifying C&C traffic before the asset goes active.

	It's about patterns, really.  You look at your whole network and your 
whole system.  If certain hosts are acting in certain patterns that are 
associated with bot behavior, hey, they're probably compromised.  If I'm 
only looking at one particular part of the problem (launched attacks), 
it actually makes detection much less effective.  If I see certain 
patterns of traffic and system behavior *before* the attack happens, I 
can shut it down before it even starts.  That is why looking for 
control/pre-attack traffic is critical.

> Once they identify a bot, THEN they might want to
> start looking at the whole panoply of protocols, so
> as to identify the control nodes.
> 
	If I'm looking for patterns and signatures of C&C traffic, I already 
know the upstream control nodes merely by IP address.

-JCB
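One way to act on the pre-attack pattern argument in the message above, as an added example that is not part of this thread or the list's own code: a short Python script that runs over constructed flow records and flags hosts whose connections to one destination recur at a near-constant interval (a beaconing pattern common to bot C&C check-ins), without waiting for any spam or DDoS traffic to appear. The hosts, addresses, thresholds and the timing rule are all assumptions.

```python
# Added example (not from the mdlug thread): flag hosts whose outbound
# connections to one destination recur at a near-constant interval, the
# beaconing pattern of a bot checking in with its controller, before any
# spam or DDoS traffic is seen. All flow records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination, dst port)
FLOWS = [
    # 10.0.0.5 contacts 203.0.113.7 every ~300 s: a suspect C&C beacon
    (1000, "10.0.0.5", "203.0.113.7", 6667),
    (1301, "10.0.0.5", "203.0.113.7", 6667),
    (1599, "10.0.0.5", "203.0.113.7", 6667),
    (1902, "10.0.0.5", "203.0.113.7", 6667),
    (2200, "10.0.0.5", "203.0.113.7", 6667),
    # 10.0.0.9 browses one web server at irregular, human-looking intervals
    (1000, "10.0.0.9", "198.51.100.2", 443),
    (1045, "10.0.0.9", "198.51.100.2", 443),
    (1700, "10.0.0.9", "198.51.100.2", 443),
    (1720, "10.0.0.9", "198.51.100.2", 443),
    (3100, "10.0.0.9", "198.51.100.2", 443),
]


def find_beacons(flows, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, port): mean_gap} for series with periodic timing.

    A series is flagged when it has at least min_hits connections and the
    standard deviation of the gaps between them is at most max_jitter times
    the mean gap, i.e. the timing is too regular for interactive use.
    Thresholds are assumed values; tune them against the local baseline.
    """
    series = defaultdict(list)
    for ts, src, dst, port in flows:
        series[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}:{port} beacons every {gap:.0f}s; check for C&C")
```

Feeding it real flow or firewall logs only needs a loader that yields the same (timestamp, src, dst, port) tuples; legitimate periodic traffic (NTP, update checks) will also surface, so the output is a triage list, not a verdict.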


