To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Jose Nazario wrote:
> On Wed, 5 Apr 2006, Georg Wicherski wrote:
>
>
>>one of the key protocols to observe here is DNS, I would say. All C&C
>>protocols except for P2P protocols usually rely on DNS to resolve the
>>address of the C&C server(s).
>
>
> so, in the absence of knowing that dns name, or it using a direct IP
> assignment ... how would one do this? if you know the dns name you can
> look for flows to the IP (or list of IP addresses) it (currently) resolves
> to.
>
>
>>Additionally, you should observe anomalies in TCP session
>>establishment. A computer sending out a lot of SYN .. RST sequences is
>>probably portscanning the network for other vulnerable hosts.
>
>
> because only botnet hosts scan?
>
>
> i don't see how either of these detection methodologies you propose is
> robust or able to detect a botnet in the absence of significant prior
> knowledge.
We often agree, so I think we are not talking on the same wave-length.
Bots are not nice netizens (David has a good preso on it). They
repeatedly ask for DNS RRs, and also ask for them long before they exist,
which may, for example, cause a situation of negative caching (i.e.
caching of NXDOMAIN).
Also, watching what IP addresses on your network keep connections to
multiple IP addresses, on or off your network, may indicate a bot. It
can also be someone running nmap but hey..
Gadi.
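A detection heuristic along the lines Gadi describes, as an added example that is not part of the thread: it scans constructed resolver log lines (the four-column format is an assumption, not any real resolver's) and flags clients that receive many NXDOMAIN answers or keep asking for the same name while it does not resolve.

```python
from collections import Counter, defaultdict

# Constructed sample resolver log, one query/response per line:
# "<time> <client-ip> <qname> <rcode>" (assumed format, not a real resolver's)
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com NOERROR
10:00:02 10.1.1.5 mail.example.com NOERROR
10:00:03 10.1.1.9 cc1.botnet-example.test NXDOMAIN
10:00:04 10.1.1.9 cc2.botnet-example.test NXDOMAIN
10:00:05 10.1.1.9 cc3.botnet-example.test NXDOMAIN
10:00:06 10.1.1.9 cc1.botnet-example.test NXDOMAIN
10:00:07 10.1.1.9 cc1.botnet-example.test NXDOMAIN
10:00:08 10.1.1.9 cc1.botnet-example.test NXDOMAIN
10:00:09 10.1.1.5 www.example.com NOERROR
10:00:10 10.1.1.7 typo.exmaple.com NXDOMAIN
"""

def parse_log(text):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode.upper()

def dns_suspects(records, nx_threshold=3, repeat_threshold=3):
    """Return {client: [reasons]} for clients matching the two heuristics
    from the thread: many NXDOMAIN answers overall, and the same
    nonexistent name requested again and again (a name asked for before
    it exists, as bots polling for a not-yet-registered C&C name do)."""
    nx_per_client = Counter()
    nx_per_name = defaultdict(Counter)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
            nx_per_name[client][qname] += 1
    suspects = defaultdict(list)
    for client, n in nx_per_client.items():
        if n >= nx_threshold:
            suspects[client].append(f"{n} NXDOMAIN answers")
        for qname, k in nx_per_name[client].items():
            if k >= repeat_threshold:
                suspects[client].append(f"{qname} asked {k} times while nonexistent")
    return dict(suspects)

if __name__ == "__main__":
    for client, reasons in dns_suspects(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

The single typo-driven NXDOMAIN from 10.1.1.7 stays below both thresholds, which is the point of counting rather than alerting on every negative answer.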
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets