Re: [Full-disclosure] what can be done with botnet C&C's?

[virendra rode // <virendra.rode () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

in-line:

Jordan Medlen wrote:
> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets, however we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.
- -------------------------
One thing would be nice (maybe a wish-list) if snortsam could send an
e-mail notification (similar to other proactive tools) rather than
pushing for ACL change which could possibly break something due to FP.
This could lead to a headless chicken syndrome scenario. Also where I
come from, we cannot implement change(s) to any P1/P2 (business
critical) devices w/o a change management request except for emergencies.



regards,
/virendra


> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks 
>
> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
> Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: nanog () nanog org
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
>
>
> I hate to stir the flames again, but this idea sounds a lot like RBLs.  :)
>
> All kidding aside, I'm curious as to when we will reach the point where the
> devices of our networks will be able to share information regarding sporadic
> bursts or predefined traffic patterns in network traffic within a certain
> time frame, determine it is a related outgoing (or incoming) attack, and
> mitigate/stop the traffic. I think it certainly is possible to accomplish
> this on a per-router level, but being able to have the devices communicate
> and share information between one another is a completely separate thing.
> (New protocol perhaps.)
>
> The only real method that I really have in my toolkit to stop incoming DDoS
> on a AS-wide perspective is originating a /32 within an AS with a next-hop
> of a discard interface.
>
> Something similar to that nature but more flexible and designed for the sole
> purpose of preventing/stopping abuse would be a very nice feature.
>
> Cheers.
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: mtnicks () kanren net
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Payam Tarverdyan Chychi wrote:
> >  I've been reading on this subject for the last several weeks and it 
> > seems as if everyone just like to come up with out of the box ideas 
> > that are not realistic for today's network environments
> >
> > > > J.Oquendo, thanks for the Smurf example . as there are still
> > admins/engineers at large networks that have no clue as to what they 
> > are doing. so QoS is for sure out of the question.. at least at this 
> > time.
> >
> > Depending on agents to take actions and protecting our networks is 
> > even a bigger joke. Back in late 90s where kiddies were using the 
> > simplest types of C&C, open wide irc networks with visible Channels 
> > and no encryptions. and agents couldn't do anything unless the attack 
> > was big enough to take down Amazon, yahoo, Microsoft or some other 
> > major provider with enough $$$ to start an investigation.
> >
> > So what makes you think that agents are of any help in today's world 
> > where c&c have gotten so much more sophisticated, use backup private 
> > servers, encryption, tunneling and much much more..
> >
> > In my opinion, the only way to really start cracking down on c&c and 
> > put an end to it is the cooperation of major ISP's. I realize that 
> > most isp's cant/wont setup a security team to just investigate c&c / 
> > attacks (would this really fall under the Abuse team?) but perhaps If 
> > all major networks worked together and created a active db list of c&c 
> > found either on their networks or attacking ones network. then it 
> > would be much much easier to trace back c&c and dispose of them.
> >
> > Unfortunately, we don't live in a perfect world and most isp's hate 
> > sharing any information. I guess its better for them to have a bigger 
> > ego than a safer / more stable network.
> >
> > Please feel free to correct me if I am wrong.
> >
> > -Payam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE5LdspbZvCIJx1bcRAk04AJ9bsdHfeGY/8bo+CFFyPCNBIYLAxwCaAqv/
0v8mDACXHUBiSQAtBgZ0p0g=
=yOnO
-----END PGP SIGNATURE-----