[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e024ccca0608130532m31ce8550m13399e554b66a524@mail.gmail.com>
Date: Sun, 13 Aug 2006 08:32:16 -0400
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: "Gadi Evron" <ge@...uxbox.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: what can be done with botnet C&C's? (fwd)
On 8/13/06, Gadi Evron <ge@...uxbox.org> wrote:
> Hi guys, here is a forward of my follow-up to the previous message.
>
> Gadi.
>
> ---------- Forwarded message ----------
> Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
> From: Gadi Evron <ge@...uxbox.org>
> To: botnets@...testar.linuxbox.org
> Subject: what can be done with botnet C&C's?
It doesnt seem like there is a lot that ISP's can do in regaurds to
securing the clients.
When I worked at a university, the students were always getting
compromised till we implemented sandboxing. People DHCP'ing into the
network were placed in a subnet by themselves till a scan revealed
that they had:
1: up to date AV
2: up to date patches
3: a Functioning firewall
If any of these were not detected to be current or functioning, they
were left in the restricted subnet, which only allowed them access to
windows update, and the software download page for the AV\FW
applications.
This worked really well for stopping infections, but its not something
an ISP could do.
1: Their clients are often running windows 98 or some legacy OS that
cannot be secured
2: No amount of patching, antivirus, or firewalling will clean a well
infected computer
3: as you said, every call loses them money. draconian measures would
cause a huge influx of calls, no matter how well implemented.
So if securing the clients is not an option, from an ISP's point of
view, we must rely on network measures that the clients wont notice.
First, you have to separate your "end users" from your "IT guys". Find
out who just uses the web for browsing and email/p2p and put these in
a group/ASN of thier own. This way you can block extraneous traffic
with some amount of assurance you wont be interfering with an
experiment or interfere with legitimate traffic.
After you separate your users from your power users, then pattern
analysis takes over:
Blocking SSL connections to machines without A records. (phishing, C&C)
Blocking IRC connections that appear to be C&C.
Limiting outbound port 25 traffic.
Limiting http gets (how many pages can a human visit in one day by
clicking on links?)
For stopping botnets, you have to analyse the numbers. We are talking
about massive numbers of clients and even more massive amounts of
traffic, so its all about pattern analysis. Divide up your clients
into statistically similar groupings and look for anomalies.
And hire a bunch of SAS programmers to work on the issue ;-)
-JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists