virgins...@vfemail.net wrote:
> From http://www.honeynet.org/node/54:
>
> Yes, but the number of compromised hosts isn't critical - it's the number of unique scan queues which is important to evading tarpits. If a botnet has 50,000,000 nodes, is vulnerable to tarpitting, and scans every IP address on the Internet in exactly the same order, then a single tarpit would still save 1/2 the hosts on the Internet from ever being probed.
>
> The crucial element is the *order* in which prospective hosts are scanned. Assuming the bot is deterministic, hosts are likely to be scanned in the same order by every copy of the bot. Most botnets use a topic command like:

Scans are almost always random nowadays. The bots download their commands from an IRC channel or some other command-and-control channel, so they don't have the same list of addresses to scan as the others. The C&C spreads the address ranges for scans around to reduce visibility to behavioral analysis tools. There are a number of articles, white papers, and research topics available on distributed scanning, address partitioning and management at the C&C end.

Bots are not deterministic. They get new addresses often. They are updated with new payloads and new behaviors. Portions of them are rented out to others who have differing needs (DDoS, spamming, etc.). Their updates often come from varied sources, as those channels are fast-fluxed and thus change constantly & continually. No two bots are likely to be completely the same.

Why would they have them all scan the same addresses or behave in a strictly predictable fashion? Brownian motion provides adequate coverage. Spread the address ranges around to gain greater coverage. Adjust behavior based on success or failure.

Delaying a single mind-controlled foot soldier, or even destroying such a soldier, does not prevent, or even slow, the battle from continuing, as the swarm is chaotic. It does not need to be lock-step to accomplish its goals.
_______________________________________________ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
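Added example, not part of the thread or of any bot or tarpit software: a toy model of the two positions above. It assumes an idealised tarpit that stalls a bot forever the moment the bot reaches it, an address space of `num_hosts` constructed host IDs, and no timeouts or C&C re-tasking. With a shared deterministic scan order (the quoted poster's assumption) coverage is capped at the tarpit's position in that order, no matter how many bots there are. With independent random orders per bot (the reply's description) a given host precedes the tarpit in one bot's order with probability 1/2, so B bots miss it with probability 2^-B and a single tarpit saves almost nothing. Function and parameter names are this example's own.

```python
import random


def coverage(num_hosts, scan_orders, tarpit):
    """Fraction of non-tarpit hosts probed by at least one bot.

    scan_orders: one list of host IDs per bot, in the order that bot probes
    them. Idealised tarpit assumption: a bot that reaches `tarpit` stalls
    there forever, so nothing later in its order is ever probed.
    """
    probed = set()
    for order in scan_orders:
        for host in order:
            if host == tarpit:
                break
            probed.add(host)
    return len(probed) / (num_hosts - 1)


def shared_orders(num_hosts, num_bots, seed=0):
    """Every bot walks the same permutation (the deterministic-bot case)."""
    rng = random.Random(seed)
    order = list(range(num_hosts))
    rng.shuffle(order)
    return [order] * num_bots


def independent_orders(num_hosts, num_bots, seed=0):
    """Each bot draws its own permutation (C&C-partitioned random scanning)."""
    rng = random.Random(seed)
    return [rng.sample(range(num_hosts), num_hosts) for _ in range(num_bots)]


def expected_independent_coverage(num_bots):
    """Analytic expectation for independent orders.

    A host sits before the tarpit in one bot's order with probability 1/2,
    so all num_bots bots miss it with probability 2**-num_bots.
    """
    return 1.0 - 0.5 ** num_bots


if __name__ == "__main__":
    # Constructed inputs: 10,000 host IDs, the tarpit is host 4242.
    n, tarpit = 10_000, 4242
    for bots in (1, 10, 100):
        shared = coverage(n, shared_orders(n, bots, seed=7), tarpit)
        indep = coverage(n, independent_orders(n, bots, seed=7), tarpit)
        print(f"bots={bots:4d}  shared-order coverage={shared:.3f}  "
              f"independent coverage={indep:.4f}  "
              f"(expected {expected_independent_coverage(bots):.4f})")
```

The shared-order coverage printed for every bot count is identical: adding bots adds nothing once they all stall at the same point. The independent-order figure tracks 1 - 2^-B and is effectively 1.0 by ten bots, which is the quantitative form of the reply's point that delaying one foot soldier does not slow a swarm whose members are not in lock-step.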