To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Obviously, identification of malicious traffic patterns for both drones and
C&C systems, be they drone-initiated (worm scanning, Trojan phoning home for
DLLs or stealing information, etc.) or direct inbound C&C communications to
existing drones (using known or unknown TCP/UDP service ports, service
masquerading or "other" IPV4 protocols) is simpler when an inbound or
outbound host deviates from "acceptable" behavior. The trick is defining
the "acceptable" part, but in practice I am finding it is simpler when you
have the ability to control access at the host level, either inbound or
outbound. Given that, I have developed a framework for a system that could
prove quite useful. Provided it can be given away that is...

You could consider what I have developed to be the basis of a distributed
firewall using a statistical model with "hints" regarding expected host
behavior and flags to indicate known or potentially hostile hosts, "cleared"
hosts and any other classification that fits. It could also gather other
information on hosts (DNS, WHOIS, etc.) for further classification, but
presently does not. My database is granular to the host level, and
currently contains records for approximately 540 million hosts, increasing
by approximately 40,000 hosts daily. The initial database was constructed
using RIR Statistics from ARIN, RIPE, LACNIC, AFRINIC and APNIC and is fed in
real time with Netflow data. It is used to accept, classify and supply IPV4
information for hosts in our network running agents capable of dropping or
forwarding packets to higher levels of the IPV4 stack. It is basically a
UDP-based record manager with IPV4 addresses as the key field. Agents on
hosts communicate to the central server IP addresses, timestamps, hints and
counts of access.

For Linux I have an agent that makes use of the Netfilter "queue" target
(similar to Packetbl but not focused on RBL lists) and for FreeBSD I use a
divert socket based agent. I do not support Windows systems at all but that
is only due to lack of interest on my part. Currently the "rules" must be
compiled into the agent for a particular host but that is because I haven't
decided on a suitable embedded classification language yet (Lua or some
YACC/Lex monster I write myself). There is a programmable PCAP agent as
well that behaves like tcpdump for collecting IPV4 hosts that trigger the
filter, but it's for collection only. I use the PCAP agent to flag as
hostile any hosts talking to allocated but "dark" IPV4 space on our network.
Work is already underway to implement DNS vectoring for captive
portal/walled garden functionality to isolate customers from the Internet
who have not paid their bills or have been determined to be virused. This
might be part of a distributed botnet database that could be deployed much
like RBLs, so that data travelling to or from a botnet could be flagged
based on IP and/or customer (based on Radius data). The system is written in
unix-portable 'C' using Berkeley DB 4.3 on the backend database and libpcap
for the PCAP-specific agent. There is a single file for functions to enable
any application to query the database and obtain records. In all honesty,
nothing I am doing is all that complicated and the same functionality could
be easily duplicated in the event my employer (who doesn't really know what
I am doing but is making use of it) does not allow me to open-source the
application suite. I'm discussing that with them within a week.
Jon Yarden, Senior Systems Administrator, BluegrassNet
--
Advertising is a valuable economic factor because it is the cheapest
way of selling goods, particularly if the goods are worthless.
-- Sinclair Lewis
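As an added example (not Jon's code and not part of the original post), a toy C version of the dark-space rule the PCAP agent applies: a host table keyed by IPv4 address carrying hints and access counts, and a classifier that flags any source sending into allocated-but-dark space unless the host already carries the "cleared" hint. The prefix and addresses are constructed from the RFC 5737 documentation ranges, and the linear-scan table stands in for the Berkeley DB backend.

```c
/* Added example: toy "dark space" classifier in the spirit of the PCAP agent.
 * All prefixes and addresses are constructed (RFC 5737 ranges), not real data. */
#include <stdint.h>
#include <stddef.h>
#include <time.h>

/* Hint flags stored per host, as the post describes (hostile / cleared). */
enum { HOST_UNKNOWN = 0, HOST_HOSTILE = 1, HOST_CLEARED = 2 };

struct host_rec { uint32_t ip; uint32_t flags; uint32_t hits; time_t last_seen; };
struct prefix   { uint32_t net; uint32_t mask; };

/* Constructed "allocated but dark" space on our network: 203.0.113.0/24. */
static const struct prefix dark_space[] = { { 0xCB007100u, 0xFFFFFF00u } };

/* Fixed-size linear-scan table standing in for the UDP record manager / BDB. */
#define MAX_HOSTS 1024
static struct host_rec table[MAX_HOSTS];
static int nhosts;

/* Build a host-order IPv4 address from dotted-quad components. */
static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Find the record for an address, creating an empty one on first sight. */
struct host_rec *host_lookup(uint32_t ip) {
    for (int i = 0; i < nhosts; i++) if (table[i].ip == ip) return &table[i];
    if (nhosts == MAX_HOSTS) return NULL;
    table[nhosts].ip = ip; table[nhosts].flags = HOST_UNKNOWN;
    table[nhosts].hits = 0; table[nhosts].last_seen = 0;
    return &table[nhosts++];
}

/* True when the destination falls inside any configured dark prefix. */
static int in_dark_space(uint32_t dst) {
    for (size_t i = 0; i < sizeof dark_space / sizeof dark_space[0]; i++)
        if ((dst & dark_space[i].mask) == dark_space[i].net) return 1;
    return 0;
}

/* Record one observed packet and return the source host's flags afterwards.
 * Talking to dark space marks the source hostile unless it is cleared. */
uint32_t classify_flow(uint32_t src, uint32_t dst, time_t ts) {
    struct host_rec *h = host_lookup(src);
    if (!h) return HOST_UNKNOWN;
    h->hits++; h->last_seen = ts;
    if (in_dark_space(dst) && !(h->flags & HOST_CLEARED)) h->flags |= HOST_HOSTILE;
    return h->flags;
}
```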
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets