RE: [Full-disclosure] what can be done with botnet C&C's?

["Jordan Medlen" <jmedlen () sagonet com>]

Thanks for the info. I will pass this to our abuse department to get rid of
those. We are still tweaking our system and is only about 90% deployed, but
after all of the efforts to deploy the system, it should pay-off many many
times over.

Thanks again,

Jordan 

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Gadi
Evron
Sent: Thursday, August 17, 2006 1:37 PM
To: Jordan Medlen
Cc: nanog () nanog org
Subject: RE: [Full-disclosure] what can be done with botnet C&C's?


On Thu, 17 Aug 2006, Jordan Medlen wrote:
> I'm sure most people on this list have heard of or use snort. There is 
> an add-on package called snortsam. This package allows automation of 
> blocking traffic deemed malicious via a null route statement or ACL 
> statement. We have been in the process over the last month of 
> implementing this on our network with much success. I think the only 
> problem that we have had with it thus far is underestimating just how 
> well it was actually going to work. As with any snort implementation, 
> it takes time to tweak and tune the rule sets, however we have managed 
> to kill a huge amount of traffic either coming from our customers or 
> destined to our customers. While this is not a perfect system, it is 
> much better than idly sitting there and letting the abuse continue.

Hi Jordan, I am very happy to see Sago changing from one of the worst nets
on the net when it comes to botnets to being, apparently, one of the most
pro-active.

That said, when I last checked (a week ago) you had 4 botnet C&C's still
open and active on your AS.

As always, you and anyone else here can email us directly for the
information on your network.

        Gadi.

> ---
> Jordan Medlen
> Chief Technology Officer and Architect Sago Networks
>
> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf 
> Of Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: nanog () nanog org
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
>
>
> I hate to stir the flames again, but this idea sounds a lot like RBLs.  
> :)
>
> All kidding aside, I'm curious as to when we will reach the point 
> where the devices of our networks will be able to share information 
> regarding sporadic bursts or predefined traffic patterns in network 
> traffic within a certain time frame, determine it is a related 
> outgoing (or incoming) attack, and mitigate/stop the traffic. I think 
> it certainly is possible to accomplish this on a per-router level, but 
> being able to have the devices communicate and share information between
one another is a completely separate thing.
> (New protocol perhaps.)
>
> The only real method that I really have in my toolkit to stop incoming 
> DDoS on a AS-wide perspective is originating a /32 within an AS with a 
> next-hop of a discard interface.
>
> Something similar to that nature but more flexible and designed for 
> the sole purpose of preventing/stopping abuse would be a very nice
feature.
> Cheers.
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: mtnicks () kanren net
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Payam Tarverdyan Chychi wrote:
> >  I've been reading on this subject for the last several weeks and it 
> > seems as if everyone just like to come up with out of the box ideas 
> > that are not realistic for today's network environments
> >
> > > > J.Oquendo, thanks for the Smurf example . as there are still
> > admins/engineers at large networks that have no clue as to what they 
> > are doing. so QoS is for sure out of the question.. at least at this 
> > time.
> >
> > Depending on agents to take actions and protecting our networks is 
> > even a bigger joke. Back in late 90s where kiddies were using the 
> > simplest types of C&C, open wide irc networks with visible Channels 
> > and no encryptions. and agents couldn't do anything unless the 
> > attack was big enough to take down Amazon, yahoo, Microsoft or some 
> > other major provider with enough $$$ to start an investigation.
> >
> > So what makes you think that agents are of any help in today's world 
> > where c&c have gotten so much more sophisticated, use backup private 
> > servers, encryption, tunneling and much much more..
> >
> > In my opinion, the only way to really start cracking down on c&c and 
> > put an end to it is the cooperation of major ISP's. I realize that 
> > most isp's cant/wont setup a security team to just investigate c&c / 
> > attacks (would this really fall under the Abuse team?) but perhaps 
> > If all major networks worked together and created a active db list 
> > of c&c found either on their networks or attacking ones network. 
> > then it would be much much easier to trace back c&c and dispose of them.
> >
> > Unfortunately, we don't live in a perfect world and most isp's hate 
> > sharing any information. I guess its better for them to have a 
> > bigger ego than a safer / more stable network.
> >
> > Please feel free to correct me if I am wrong.
> >
> > -Payam