To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

----------

On Wed, 5 Apr 2006, Georg Wicherski wrote:

> one of the key protocols to observe here is DNS, I would say. All C&C
> protocols except for P2P protocols usually rely on DNS to resolve the
> address of the C&C server(s).

so, in the absence of knowing that dns name, or if it uses a direct IP assignment ... how would one do this? if you know the dns name you can look for flows to the IP (or list of IP addresses) it (currently) resolves to.

> Additionally, you should observe anomalies in TCP session
> establishment. A computer sending out a lot of SYN .. RST sequences is
> probably portscanning the network for other vulnerable hosts.

because only botnet hosts scan?

i don't see how either of these detection methodologies you propose is robust or able to detect a botnet in the absence of significant prior knowledge.

________
jose nazario, ph.d. [EMAIL PROTECTED]
http://monkey.org/~jose/ http://infosecdaily.net/ http://www.wormblog.com/

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
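As an added illustration (not code from either poster), the two detections discussed above over constructed telemetry: flag flows to whatever a watched C&C hostname currently resolves to (the "if you know the dns name" case), and count SYN..RST sequences per source. The hostname, addresses, records and the scan threshold are all assumptions for the example; the second check inherits exactly the caveat raised in the reply, since any host that probes closed ports trips it.

```python
from collections import defaultdict

# Constructed sample telemetry for this example (not real traffic).
# DNS record: (ts, "dns", client, resolver, (qname, answer_ip))
# TCP record: (ts, "tcp", src, dst, flags) with flags in SYN / SYN-ACK / ACK / RST
RECORDS = [
    (1, "dns", "10.0.0.5", "10.0.0.1", ("cc.example.invalid", "203.0.113.7")),
    (2, "tcp", "10.0.0.5", "203.0.113.7", "SYN"),
    (3, "tcp", "203.0.113.7", "10.0.0.5", "SYN-ACK"),
    (4, "tcp", "10.0.0.5", "203.0.113.7", "ACK"),
    (5, "tcp", "10.0.0.5", "10.0.0.21", "SYN"),      # one refused connection
    (6, "tcp", "10.0.0.21", "10.0.0.5", "RST"),
]
# Constructed scanner: 10.0.0.9 probes five neighbours, all of which answer RST.
for i, host in enumerate(range(20, 25)):
    RECORDS.append((10 + 2 * i, "tcp", "10.0.0.9", f"10.0.0.{host}", "SYN"))
    RECORDS.append((11 + 2 * i, "tcp", f"10.0.0.{host}", "10.0.0.9", "RST"))


def cc_flows(records, watched_name):
    """Connection attempts to whatever the watched C&C name resolves to.

    The answer set is learned from observed DNS replies, so it follows the
    name if the operator moves it; nothing is found without knowing the name.
    """
    cc_ips, hits = set(), []
    for ts, kind, src, dst, detail in sorted(records):
        if kind == "dns" and detail[0] == watched_name:
            cc_ips.add(detail[1])
        elif kind == "tcp" and dst in cc_ips and detail == "SYN":
            hits.append((ts, src, dst))
    return hits


def syn_rst_scanners(records, threshold):
    """Sources whose SYNs to at least `threshold` distinct hosts drew only RST."""
    pending, refused = set(), defaultdict(set)
    for ts, kind, src, dst, flags in sorted(records):
        if kind != "tcp":
            continue
        if flags == "SYN":
            pending.add((src, dst))
        elif (dst, src) in pending:          # reply from dst back to the SYN sender
            pending.discard((dst, src))
            if flags == "RST":
                refused[dst].add(src)
    return {h: len(d) for h, d in refused.items() if len(d) >= threshold}
```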
