nanog mailing list archives
Re: On the back of other 'security' posts....
From: Richard Cox <Richard () mandarin com>
Date: Sat, 30 Aug 2003 19:14:05 +0100
On Sat, 30 Aug 2003 17:36 UTC Jack Bates <jbates () brightok net> wrote:

| The person responsible is the bot maintainer. Finding the controller
| medium (probably irc) is the hard part, but once done, monitoring who
| controls the bots isn't near as hard.

For various values of "control".

In the cases where we've tracked down bot-masters, they have themselves been throw-away trojaned machines in countries like Taiwan, Korea, etc. The bots found their master through DNS - and the person controlling the DNS had effective control of the botnetwork. If the trojaned site was taken down or tampered with, the human controller would just point the DNS at a different trojaned box. In those cases, the most valuable evidence can therefore be got just by seeing who makes the changes to the DNS for the domain being used.

(Of course, different bot-maintainers will have different approaches; I'm not suggesting this is the only system out there!)

Co-operation from the LE authorities in the country involved would be a prerequisite to tracking which machines connected to that botmaster and I'm sure the trojaned boxes used were chosen with thought for the likely level of co-operation from the country they were in!

| A few media enriched prison sentences would be good.

Some interest from law enforcement authorities in "friendly" countries (like, the ones we live and work in) would be a good way to start. More commonly they won't get involved because it's too difficult, plus they don't understand the technology properly, they're under-resourced (particularly in terms of handling the international relationships) and there are no guarantees of brownie-points from the effort anyway!

Without law-enforcement interest and adduceable evidence you don't get any prosecutions, and without prosecutions you don't get any prison sentences, media-enriched or otherwise.

It's a hard world (for us).

--
Richard Cox
RC1500-RIPE

%% HELO - the first word of every Email transaction - is in Welsh! %%
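The DNS rendezvous described in the message above is also something a defender can watch for: if the bots locate their master by resolving a domain, the history of that domain's answers is the evidence trail. The following Python script is an added example, not code from the original post or from any list member; it replays constructed passive-DNS observations for a placeholder domain and reports each time the answer changed and how long the previous answer had been in use. The domain and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style observations (not real data), one answer per line:
# "<ISO timestamp> <qname> <rtype> <rdata>". The rendezvous domain is a placeholder.
SAMPLE_LOG = """\
2003-08-28T10:00:00 rendezvous.example A 192.0.2.10
2003-08-28T22:00:00 rendezvous.example A 192.0.2.10
2003-08-29T09:30:00 rendezvous.example A 198.51.100.7
2003-08-30T01:15:00 rendezvous.example A 198.51.100.7
2003-08-30T16:30:00 rendezvous.example A 203.0.113.42
2003-08-30T17:00:00 www.example A 192.0.2.80
"""

def parse_observations(text):
    """Yield (timestamp, qname, rtype, rdata) tuples from the log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, rdata = line.split()
        yield datetime.fromisoformat(ts), qname.lower(), rtype, rdata

def dns_change_events(observations):
    """Return, per (qname, rtype), the list of answer changes as
    (changed_at, old_rdata, new_rdata, hours_old_answer_was_in_use).
    A domain whose answer never changes produces no entry."""
    current = {}              # (qname, rtype) -> (rdata, first time that rdata was seen)
    events = defaultdict(list)
    for ts, qname, rtype, rdata in sorted(observations):
        key = (qname, rtype)
        if key not in current:
            current[key] = (rdata, ts)
            continue
        old_rdata, since = current[key]
        if rdata != old_rdata:
            dwell_hours = (ts - since).total_seconds() / 3600
            events[key].append((ts, old_rdata, rdata, round(dwell_hours, 1)))
            current[key] = (rdata, ts)
    return dict(events)

if __name__ == "__main__":
    for (qname, rtype), changes in dns_change_events(parse_observations(SAMPLE_LOG)).items():
        for ts, old, new, hours in changes:
            print(f"{ts:%Y-%m-%d %H:%M} {qname} {rtype}: {old} -> {new} "
                  f"(previous answer in use for {hours}h)")
```

Each reported change is a point in time at which someone had to touch the zone; the corresponding registrar or DNS-provider change logs for those timestamps are the records worth asking for.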