nanog mailing list archives
Re: mitigating botnet C&Cs has become useless
From: Danny McPherson <danny () tcb net>
Date: Thu, 3 Aug 2006 14:02:58 -0600
On Jul 30, 2006, at 10:37 AM, Gadi Evron wrote:
> The few hundred *new* IRC-based C&Cs a month (and change), have been around and static (somewhat) for a while now. At a steady rate of change which maintains the status quo, plus a bit of new blood.
>
> In this post I ask the community about what you see, against what we have observed, and try and test my conclusions and numbers against your findings.

Gadi,

*SPs* today deal with command and control infrastructure on a very tactical basis, and as for specific bots themselves, even more tactically (i.e., usually when some incident requires that they take some response action). They're very incident driven from that respect, and with an attempt to focus on revenue and services profitability, it just amplifies the problem. That is, they're busy turning the steam valves and putting out fires - who has the time for strategizing and waging a global war on organized crime and its employment of botnets that yields a negligible return on a considerable investment, just cutting deeper into their losses?

[disclaimer: the above is a gross oversimplification and many SPs do far more, but it's largely applicable across a broad spectrum of SPs]

Heck, they rarely have time to chase DOS attack sources past their network perimeter and today report less than 2% of *actionable* attacks to LEOs. It's an ROI game...

While you could spin botnet resurrection a hundred ways, taking out the bots themselves, even if it's oftentimes only as a temporal function, is the low hanging fruit and something SPs can understand and instrument.

I agree that the root of the problem is the miscreants perpetrating these crimes, and they need to be prosecuted, but the responsibility falls far wider than the SPs. I also accept the references provided by Paul and others, but what's the near-term alternative?

-danny