On 9/5/07, Dude VanWinkle <[EMAIL PROTECTED]> wrote:

> ... Whatever happened to looking at the C&C for
> incoming connections and ngrepping out the IPs?

the C&C for storm and other advanced botnets has moved into distributed hash tables and dns fast flux reached via multiple hops (where each hop is monitored upstream as well, to know when to cut and run...)

this is actually the most interesting aspect of these modern botnets, the decentralized and anonymized control structures pulling the strings. more details would be excellent, but seem sparse for some reason. (researchers don't want to encourage more adoption of effective countermeasures?)

> Is there no programmatic way to use the detection methods in place to
> generate a list of currently controlled bots?

it would require constantly scanning a large DHT ring (overnet) with a fair amount of node churn. perhaps someone is doing this (CAIDA?) but it would take a good amount of bandwidth, honeypots, and effort. and even if they are, they're not publishing the data, and even if they did, i bet you money they'd disappear under a DDoS flood within hours... :)

best regards,

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
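One defender-side way to pick the fast-flux names the reply mentions out of passive DNS telemetry, as an added example that is not from the original thread. The domain names, addresses, scoring weights and threshold below are constructed assumptions for illustration, not published cutoffs.

```python
"""Heuristic fast-flux detector over repeated A-record lookups (added example).

Fast-flux names hand out many different IPs spread across many networks with
short TTLs; stable names keep a small, fixed answer set. The weights and the
threshold here are assumptions chosen to make the heuristic easy to follow."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample feed: (name, ttl_seconds, A records) from successive lookups.
OBSERVATIONS = [
    ("static.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static.example", 86400, ["192.0.2.11", "192.0.2.10"]),
    ("flux.example", 300, ["198.51.100.7", "203.0.113.22", "192.0.2.99"]),
    ("flux.example", 300, ["203.0.113.41", "198.51.100.130", "192.0.2.150"]),
    ("flux.example", 180, ["198.51.100.200", "203.0.113.9", "192.0.2.5"]),
]


def summarize(observations):
    """Collapse lookups per name into distinct IPs, distinct /24 prefixes and min TTL."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None, "lookups": 0})
    for name, ttl, answers in observations:
        s = stats[name]
        s["lookups"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for a in answers:
            addr = ip_address(a)
            s["ips"].add(addr)
            # /24 prefix used as a coarse stand-in for "different hosting networks"
            s["prefixes"].add(addr.packed[:3])
    return stats


def flux_score(s):
    """Distinct IPs plus weighted distinct prefixes; TTLs of 10 minutes or less double it."""
    score = len(s["ips"]) + 3 * len(s["prefixes"])
    if s["min_ttl"] is not None and s["min_ttl"] <= 600:
        score *= 2
    return score


def classify(observations, threshold=20):
    """Label each name 'fast-flux' or 'stable' by comparing its score to the threshold."""
    return {name: ("fast-flux" if flux_score(s) >= threshold else "stable")
            for name, s in summarize(observations).items()}


if __name__ == "__main__":
    for name, label in classify(OBSERVATIONS).items():
        print(f"{name}: {label} (score {flux_score(summarize(OBSERVATIONS)[name])})")
```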
