[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0608130142220.11492-100000@linuxbox.org>
Date: Sun, 13 Aug 2006 01:43:35 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk
Subject: what can be done with botnet C&C's? (fwd)
Hi guys, here is a forward of my follow-up to the previous message.
Gadi.
---------- Forwarded message ----------
Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: botnets@...testar.linuxbox.org
Subject: what can be done with botnet C&C's?
In my last email message I addressed some of the issues related to botnet
C&C's and their mitigation. As mentioned, I waited to see what other
experiences told other people, as well as glimpse the opinion of others here.
In this message I will try and address some of the questions asked, but
once again limiting myself mostly to JUST networking rather than the whole
realm of botnet fighting.
"I work on this [C&C] for 30 days, only to find out one of you took it
down." -- US Federal Agent, two days ago, ISOI (DA Workshop).
And still, sticking to networking issues, as obviously we cannot yet
depend on law enforcement to protect our networks for us, how do we handle
C&C's?
When we kill them (and by "kill" I naturally mean "report our suspicion
to the responsible authority so they can investigate, confirm and proceed
according to their AUP") we kill them, but only to our knowledge. They
immediately move elsewhere we do not know about in our space or someone
else's, maybe misplacing an extremely smallish percentage of their
population while they are at it.
Okay, say I am right... What *can* we do?
We can take advantage:
1. QoS and traffic limiting tools.
Many tools created in recent years, and used exstensively by many ISP's,
regardless of any Net Neutrality legislation, are at our disposal and
already implemented on our networks.
Much like, for business reasons, many of us would limit P2P, how about
limiting the traffic to compromised users?
How, what and when is up to you.
You can know who your compromised users are by watching flows to C&C's.
2. Blocking communication to C&C's.
Watch the flows, block the users from communicating out to them. Watch
these users and see where else they are communicating in comparison to
other users, en-masse.
It's a matter of doing the same thing, for a different purpose.
3. Walled garden and tech support costs.
Obviously, if any of these users call you (and they VERY OFTEN do), you
lose money on them for a long time to come.. only they will call again.
A combination of quarantine, complete or partial, might work.
Combine that with what some already do, such as sell users Anti Virus
products, and you get a nice deal. Add to that a support company to lend
help to users, unrelated to tech support, by subscription, and you may
just have more business avenues to explore.
4. Stop internal network infections. It is unbelievable how the networks
with the most bots are the networks that allow internal users to connect
wherever they want within the network.
All these come to show that although responsiveness to C&C's is important
(rather than shutting them down), on the scale of the Internet, what
will actually help the Internet is if you take care of it on your own
network.
You don't have to do any of these, or all of these. Just to wake up to the
fact that killing C&C's will mostly not help anyone, and if anything, will
do harm. Using them to deal with problematic users, even if only to block
them from acessing that C&C is more to the point.
You can choose how to handle these issues, but if you want to stop harming
the Internet, stop your users from participating, DDoSing,
etc. while not harming your business (no one can handle that tech
support load). Monitor the C&C's running on your network - contact law
enforcement. These are compromises that will keep happening, you are aware
of, and cause millions of dollars in damages.
"So, are we supposed to leave these compromised boxes up?"
My answer is this, if you fail to remove a spy, as another would just take
his place, wouldn't you rather know where that spy is and work to take
him down for good?
The answer to that is NO, as most of us won't and can't. That said, if you
must kill the C&C, be aware, it is nothing more than sweeping the
problem, localy on your network, as well as on your friends', under the
rag.
Do you know who your local fed is? See if he can help, he most likely
can't and if he could, without a much wider cooperation between everybody,
he or she would be extremely limited by looking just at your C&C's. That
said, I doubt you would want that fed's attension.
You can limit P2P traffic yet you won't limit scanning traffic? Outgoing
email traffic from port 25 on dynamic hosts? Bandwidth to
compromised users? Port 80, or sny, traffic not through your proxy?
Consider what other tools are in your arsenal. My ideas may be completely
wrong for you, yet that does not change the fact that killing the C&C will
just mean you are kept in the dark.
Some large carriers do many of these already, run honey-nets, and what
not. Do you?
I would like to hear some opinions on what networks can do, ecnomically,
from people here. Please stick to network operations issues.
Gadi.
This is being X-posted to NANOG.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists