To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hello folks,

Gadi wrote:

> "I work on this [C&C] for 30 days, only to find out one of
> you took it down." -- US Federal Agent, two days ago, ISOI
> (DA Workshop).

This is interesting. Let's put the actual case aside and look at it from a different POV: A law-enforcement entity invests time and effort into tracking a C&C server but does not inform the relevant ISP about it, so the ISP reacts to a complaint by a 3rd party?

See, if I complain to an abuse department of an ISP about a security incident originating from their network I expect a reply, but I gave up hoping for immediate action long ago. If this ISP is fast-reacting enough to take down a C&C server due to a 3rd party complaint then I'm sorry, but it's entirely the FBI agent's fault for not working with all relevant parties at the ISP in question.

Looking at this from a different angle: If I host a C&C server controlling a nicely sized botnet I'd make pretty sure that it's rendered inoperable. Why? Because I do not feel at all inclined to be at the receiving end of whatever may come my way legal-wise for knowing about and ignoring an obviously malicious server system.

So, what do you expect from ISPs, ignore 3rd party complaints? If there's a law enforcement entity working on the case, it should (or must, depending on your POV) work with the ISPs in question. In that case, a takedown can be organized and controlled. In all other cases I'd rather not have to explain to my CEO why DOSme, Inc. feels like going after us because someone felt an urge to point their zombies at them.

> Much like, for business reasons, many of us would limit P2P,
> how about limiting the traffic to compromised users?

That's a very good approach and one some (we, for example) follow already. It just has one drawback: It is expensive. Depending on your network size, QoS, if it should be reliable and highly available, is expensive to implement and maintain. But yes, this works. You'd be amazed how quickly folks hosting spam-sending Windows workstations begin to patch their systems once their SMTP sessions get rate limited.

> Watch the flows, block the users from communicating out to
> them. Watch these users and see where else they are
> communicating in comparison to other users, en-masse.

This is difficult, both from a technical and from a legal POV. Depending on your privacy laws, you might not even be allowed to gather extensive statistics about this type of communication. Plus: This gets really expensive. Anyone who ever had the fortune of doing netflow accounting will feel the pain, I'm sure.

> 4. Stop internal network infections. It is unbelievable how
> the networks with the most bots are the networks that allow
> internal users to connect wherever they want within the network.

Again, this depends on your POV and your position. As an ISP, you have little to no say about what's going on within a customer's network. Yes, you can argue that you can and should block outgoing worm scans, etc. But it's pretty difficult and -again- expensive to differentiate between normal (wanted) Windows filesharing and illicit worm traffic on an ISP basis, with a reasonable budget. Because no one will pay you for increased security of others. Weird, isn't it?

> I would like to hear some opinions on what networks can do,
> economically, from people here. Please stick to network
> operations issues.

Well, I guess that everyone on this list has some interest in botnets, and I'd also guess that quite a few list members run honeypot infrastructure. We have good success with intelligence gathering from our honeypots and so far could make sure that our IP space is not connected to known C&C systems. Doing so is economically sensible and technically feasible while legally unproblematic, ergo I like it. The human resources invested in honeypot maintenance are well worth it, IMO.

Thanks for your time,
Joerg

--
Joerg Weber M. A.
Team Leader Network Security/Network Applications
infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken
T: (0681) 8 80 08 - 59
F: (0681) 8 80 08 - 33
www.infos.de
mailto: [EMAIL PROTECTED]

_______________________________________________
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
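As an added illustration of the two operator-side measures the thread discusses, rate limiting SMTP for spam-sending customer hosts and keeping one's own IP space away from C&C addresses learned from honeypots (example code written for this page, not from the post or from infoServe), the script below aggregates constructed flow records per customer host and flags spam-like SMTP fan-out and contact with a hypothetical known-C&C list; the record format, addresses and threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port, packets); not real data.
# 10.0.0.5 delivers mail directly to 30 distinct hosts: typical spam-bot pattern.
# 10.0.0.7 sends mail only through its provider's relay: normal behaviour.
# 10.0.0.9 talks to an address on the (hypothetical) honeypot-derived C&C list.
FLOWS = [("10.0.0.5", f"192.0.2.{i}", 25, 4) for i in range(1, 31)]
FLOWS += [
    ("10.0.0.7", "198.51.100.25", 25, 120),
    ("10.0.0.7", "198.51.100.80", 80, 300),
    ("10.0.0.9", "203.0.113.4", 6667, 12),
    ("10.0.0.9", "198.51.100.80", 443, 50),
]

# Hypothetical list of C&C addresses learned from honeypots (assumption).
KNOWN_CC = {"203.0.113.4"}


def triage(flows, known_cc, smtp_fanout=20):
    """Return {src_ip: [actions]} for hosts that look compromised.

    smtp-rate-limit: src opened SMTP sessions to >= smtp_fanout distinct hosts.
    block-cc:        src contacted an address on the known C&C list.
    """
    smtp_dsts = defaultdict(set)   # src -> distinct SMTP destinations
    cc_dsts = defaultdict(set)     # src -> known C&C addresses contacted
    for src, dst, dport, _packets in flows:
        if dport == 25:
            smtp_dsts[src].add(dst)
        if dst in known_cc:
            cc_dsts[src].add(dst)

    verdicts = {}
    for src in sorted(set(smtp_dsts) | set(cc_dsts)):
        actions = []
        if len(smtp_dsts.get(src, ())) >= smtp_fanout:
            actions.append("smtp-rate-limit")
        if cc_dsts.get(src):
            actions.append("block-cc")
        if actions:
            verdicts[src] = actions
    return verdicts


if __name__ == "__main__":
    for host, actions in triage(FLOWS, KNOWN_CC).items():
        print(f"{host}: {', '.join(actions)}")
```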
