To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
> "I work on this [C&C] for 30 days, only to find out one of
> you took it down."  -- US Federal Agent, two days ago, ISOI
> (DA Workshop).

If the LEO is only working on the C&C, why wouldn't the hosting
company be informed not to remove the net?  If the LEO is working on
the ISP and the C&C then the mitigation efforts of network admins
around the world shouldn't hamper the investigation -- only bring new
nets to the rogue ISP.

> And still, sticking to networking issues, as obviously we
> cannot yet depend on law enforcement to protect our networks
> for us, how do we handle C&C's?
>
> When we kill them (and by "kill" I naturally mean "report our
> suspicion to the responsible authority so they can
> investigate, confirm and proceed according to their AUP") we
> kill them, but only to our knowledge. They immediately move
> elsewhere we do not know about in our space or someone
> else's, maybe misplacing an extremely smallish percentage of
> their population while they are at it.

I'd hope that if you're going to the effort of reporting them that you
have the latest binary, and a monitor on the net already.  If they
move - you should be able to find them.  My personal experience has
taught me never to trust that a hosting company won't tip off the C&C
owner.

> Okay, say I am right [snip]

No.

> We can take advantage:
>

[snip all the standard infection solutions (1-4)]

I like them all - I would hope all large ISPs are already keenly aware
of them.  But rarely are any of us seeing them implemented.
Particularly my favorite, #3.  So the question becomes... Who among us
is going to be ballsy enough to start to publish honeynet/darknet
statistics revolving around the ISPs we see generating the largest
amount of malicious traffic?

See, I'm not in the ISP business -- I get to think these things.

> All these come to show that although responsiveness to C&C's
> is important (rather than shutting them down), on the scale
> of the Internet, what will actually help the Internet is if
> you take care of it on your own network.
>
> You don't have to do any of these, or all of these. Just to
> wake up to the fact that killing C&C's will mostly not help
> anyone, and if anything, will do harm. Using them to deal
> with problematic users, even if only to block them from
> accessing that C&C is more to the point.

Please keep in mind you are addressing two audiences.  The ISP
operators, and the non-ISP operators.  I sincerely doubt you are
educating any sizable ISPs with these solutions.  They already know
about them, and consider them too costly to implement.  The real enemy
in your argument is the relatively low cost of bandwidth.  Those of us
outside the fray, who don't run ISPs, or hosting companies, but still
do real business on the Internet -- continually have to pay for the
shoddy operational management of ISPs and hosting companies, and
frankly we're tired of it.

So we act on the central location of the problem because everything
else is distributed.  When herders get clever enough to distribute
their C&C a la peer-to-peer we'll deal with it another way.

> You can choose how to handle these issues, but if you want to
> stop harming the Internet, stop your users from
> participating, DDoSing, etc. while not harming your business
> (no one can handle that tech support load). Monitor the C&C's
> running on your network - contact law enforcement. These are
> compromises that will keep happening, you are aware of, and
> cause millions of dollars in damages.
>
> "So, are we supposed to leave these compromised boxes up?"
>
> My answer is this, if you fail to remove a spy, as another
> would just take his place, wouldn't you rather know where
> that spy is and work to take him down for good?
>
> The answer to that is NO, as most of us won't and can't. That
> said, if you must kill the C&C, be aware, it is nothing more
> than sweeping the problem, locally on your network, as well as
> on your friends', under the rag.

If your local field office doesn't consider the value of your hacked
(or legitimately purchased) machine worth taking an interest in, and
you've taken the time to educate him that it is controlling 1000+
hacked computers, well, then we are well and truly fucked and you may
as well take the bull by the horns and tackle the problem yourself --
because it isn't going to go away by itself.  This concept of playing
hot potato hacker having effect only on the hosters/ISPs is bogus --
it affects the hacker as well.

> You can limit P2P traffic yet you won't limit scanning
> traffic? Outgoing email traffic from port 25 on dynamic
> hosts? Bandwidth to compromised users? Port 80, or any,
> traffic not through your proxy?
>
> Consider what other tools are in your arsenal. My ideas may
> be completely wrong for you, yet that does not change the
> fact that killing the C&C will just mean you are kept in the dark.

Blocking inbound 135-139/445 does help and requires very little in the
form of operational overhead.  Everything else does require
operational overhead.  So my question is, what are you going to do
when someone does finally start gathering statistics from 20-30
honeypots spread across the net and starts publishing them?

-pheh

Not x-posted.
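The honeynet/darknet ranking the post keeps coming back to, as an added example (not code from the list or the poster): it aggregates constructed sensor log lines by source ISP, using a constructed prefix table that stands in for a real ASN/whois lookup, and reports hits, unique sources and the most-hit port per ISP.

```python
"""Rank ISPs by malicious traffic seen on darknet/honeypot sensors.

Added example, not from the original post.  Assumptions: sensor logs are
"<epoch> <src_ip> <dst_port> <sensor_id>" lines (constructed below) and
PREFIX_OWNERS is a constructed stand-in for an ASN/whois lookup.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> ISP table (a real deployment would use ASN data).
PREFIX_OWNERS = {
    "203.0.113.0/24": "ExampleNet-A",
    "198.51.100.0/24": "ExampleNet-B",
    "192.0.2.0/24": "ExampleNet-C",
}
NETS = [(ipaddress.ip_network(p), owner) for p, owner in PREFIX_OWNERS.items()]

# Constructed sensor lines from three hypothetical honeypots.
SAMPLE_LOG = """\
1170000001 203.0.113.7 445 hp01
1170000002 203.0.113.9 135 hp02
1170000003 198.51.100.4 445 hp01
1170000004 203.0.113.7 139 hp03
1170000005 192.0.2.10 25 hp02
1170000006 203.0.113.22 445 hp02
1170000007 10.1.2.3 445 hp01
"""


def owner_of(ip):
    """Return the ISP owning ip, or None if no known prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, owner in NETS:
        if addr in net:
            return owner
    return None


def rank_isps(log_text):
    """Return ([(isp, hits, unique_sources, top_port), ...], unattributed)."""
    hits, sources, ports = Counter(), defaultdict(set), defaultdict(Counter)
    unattributed = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed sensor lines rather than crash
        _ts, src, port, _sensor = parts
        isp = owner_of(src)
        if isp is None:
            unattributed += 1  # source not in the prefix table
            continue
        hits[isp] += 1
        sources[isp].add(src)
        ports[isp][int(port)] += 1
    ranked = [(isp, n, len(sources[isp]), ports[isp].most_common(1)[0][0])
              for isp, n in hits.items()]
    ranked.sort(key=lambda r: (-r[1], r[0]))  # most hits first, then by name
    return ranked, unattributed
```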
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
