To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Tue, 30 May 2006, Craig Holmes wrote:
> On Tuesday 30 May 2006 04:55, Gadi Evron wrote:
> > Public IRC servers on IRC networks have been used for botnets extensively
> > in the past. Even though they were in denial, the situation in around
> > 2002-2003 was that 20 to 50 per cent of the big networks were drones.
> In my experience, a lot of the reason that public IRC servers tolerate drones
> & drone farmers is not by choice. There are (or were) few IRC servers that
> could withstand a full-out DDoS attack by a large-scale drone network. Waltzing
> into a drone channel and k-lining 10,000+ drones can have many effects:
> 1) This much traffic could cause the IRC server to lag to desync (on legacy
> IRC servers, anyway)
> 2) Poorly configured bots would hammer the IRC port day and night (times
> 10,000)
> 3) A well-designed drone could use a dynamic dns service to update and use a
> different server. The then angry farmer would DDoS the crap out of the public
> IRC server he was just k-lined from.
>
> > I personally support them, but I believe the days of "botnet hunting" their
> > way are over since about 2000. Still, I've been wrong before, and I've
> > never seen any better way of learning about botnets.
>
> Could you elaborate a little on this point? I feel that the shadowserver
> people are doing a good job, and I feel their methods are most effective.
> Fact is, I can think of no better way to do what they're doing.

They are not doing just a good job, they are doing an amazing job. Plus, they are good people and under a very good leadership. That's how most of us who are in this thing since the start indeed started.

I am saying though that in my opinion it is more of a starting point for them to learn and move to mitigating from hunting. Projects take time and they are taking good and firm steps, but they are still new in this.

I have no issues with their activities or they would have heard from me directly, as they are colleagues and friends. This is not about them, it's about interacting with the Bad Guys, snooping their servers and how these are eventually mitigated. These have been misconceived as far as I am concerned on this list so I am elaborating on these points.

In my opinion, most of what ISP's as an example are concerned with, which is mitigating the C&C's is no longer even working. The C&C's are much more robust and distributed, not to mention with backup control channels. Mitigating them has become close to useless other than moving the localized trouble to someone else's back yard.

Further, by just killing C&C's, which was a very good idea originally, ISP's have caused the Bad Guys to learn, evolve and invent new technologies. Killing C&C's was still useful though, to hold back the tide. Today, it is no more than a means of making it a bit more painful for the Bad Guys to operate, and a huge waste of abuse-handling resources is done alone.

Shadowserver, much like the ISP's and many of us, concentrates mostly on that point. Further, they are evolving and learning as they go. They had some mistakes like all of us, and they are fast becoming far better at what they do.

That's just my general opinion of the activity of hunting botnets in general. Interacting with bad guys, etc. Nicholas can help me better articulate my thoughts on his project, perhaps, but this is not criticism toward him or them. Just how we, all of us, generally do things these days.

This is an economic problem and we are no longer causing this to be more costly or risky for the bad guys by killing their C&C's. That's ancient tech.

The fact that brand new groups like Shadowserver emerge, join the fight and learn new things is critical, as unlike most of us, they actually see that what most of us do these days is useless, just like we did back when we got started. Our lessons back then have become set values and traditions, looking at some things as even inherently wrong. They are re-learning our original "art" and re-inventing the scene.

I hope this is a better explanation. They are new and inexperienced, but I don't see it as a problem as they are serious. Being young is something you grow out of (as I once answered in a job interview).

>
> Craig
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
