Re:Destructive botnet originating from Japan (fwd)

[Gadi Evron <ge () linuxbox org>]

On Sat, 24 Dec 2005, Rob Thomas wrote:

> Hi again, NANOGers.  :)
>
> I shouldn't have focused solely on the bot issue, sorry.  When
> miscreants obtain access to a server through some PHP exploit, they
> generally take a look around.  If the web server is also a database
> server (eek!), then the real fun begins.  There won't be a noisome
> bot placed on that server, oh no.  One crew installed a cron script
> to run a SQL query for the new customer data collected in the past
> 24 hours, then email the query results to the miscreants.  :(
>
> DDoS can be very painful, and it has the side benefit of being very
> overt.  It is the more subtle attacks and abuses that might concern
> you even more.  It is generally the case that the tools and
> techniques for both are the same.

Amen.. main thing is that the problem is not going to go away, and by
"killing C&C's" we just ignore the problem. I am not saying killing C&C's 
as a stop-gap is bad, but that stop-gap is now 6 years too old and 12
years since we should have thought of something different.

Why? Because like you said in your earlier email.. the Bad Guys have
smarter ways and get smarter de-centralized ways of doing things.

That's why cooperation, especially with other industries, is also
critical.

But as I said, cooperation, as critical as it is, is yesterday's
news.. time for the next stage.

        Gadi.