Dailydave mailing list archives
Re: Beyond Fast Flux
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 17 Dec 2007 10:56:12 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I uploaded a PDF version http://www.immunityinc.com/downloads/BeyondFastFlux.pdf for those of you without an ODF viewer installed.

I agree - DNS doesn't normally change a lot. It's easy to find hosts where DNS is changing all the time, which is why we eschew any name service as our locator, essentially.

In designing a covert C&C that's parasitic, you also have to consider the indexer. You don't want your entire network to go silent because an engineer on Google's search team has found a way to fingerprint your commands. It would probably be better to replace the <base64> with <babble-encrypt> because it's a lot harder to fingerprint, until Google starts doing expensive Bayesian signatures on every Blog posting in their index. At which point you switch to Technorati or something. The goal is to make it extremely expensive on their end, and cheap as dirt on your end. You could just have a link to a file, rather than embedding the commands in the post itself. A thousand options. But all of them better than messing with DNS all day, imho.

I didn't do this design, of course. I'm just the VP of Marketing.

People commented about steganography to me: you could steg into an image/video with a keyphrase in the comment field, for example. But images get indexed a lot less often than blog postings, and writing the unsteg code would be a pain in the rear. It's good to keep Dildog's Tao of Buffer Overflows comment in mind - "What are you writing, an MFC trojan?!?" Playing the steg game is expensive. It's likely someone else is better than you and will be able to hunt you out.

__________________________
Dave Aitel
VP Marketing and Publishing
Immunity, Inc.

matthew wollenweber wrote:
> Having spent some time writing network sensors for the government and time trying to get tools to connect outbound during pen tests, I've seen nothing more effective than clever HTTP traffic embedded in real webpages using tags and simple encoding. Abusing DNS, whether with tunnels, fastflux, or open resolvers, sticks out as anomalous behaviour -- it's not all too difficult to detect. Yes, it costs money and labor, but it can be done.
>
> What can you do about PINK type communication? I'm not going to claim to have all the answers, but I spent about 9 months writing network sensors and I can't fathom how you can detect that traffic on any scale. Fast flux is the current sexy thing but Trickler (govt software) and Tenable's PVS can be tweaked to pick it up (even on large OC-3+ pipes).
>
> On Dec 14, 2007 9:44 PM, Paul Ferguson <fergdawg () netzero net> wrote:
>
> > -- Brandon Enright <bmenrigh () ucsd edu> wrote:
> >
> > > If you're going to attack something you should back your argument up with a little evidence. The C&C methods mentioned in the paper are:
> > >
> > > * IRC
> > > * HTTP to single server
> > > * Fast-Flux of DNS Servers
> > > * Storm P2P protocols
> > > * PINK
> > >
> > > About the only thing they missed was DHT, which is arguably covered by Storm. PINK is a good idea. If it really is light-years behind the criminals, show us the papers, presentations, and discussions of more advanced C&C.
> > >
> > > If your argument is that PINK is primitive or that it won't work, respond with a paper, a countermeasure, or at the very least a detailed email of possible flaws in it.
> > >
> > > C'mon, Gadi, you know better.
> >
> > What about Open DNS resolvers, using double-flux, combined with the Storm Overnet? :-)
> >
> > - ferg
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawg(at)netzero.net
> >  ferg's tech blog: http://fergdawg.blogspot.com/
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHZpwaB8JNm+PA+iURAhd7AKC+KwgGeWfwchBmprNmJyAHYw8NAwCgzjxe
qIFvJOynLsByBZ/8P2ZQ6mU=
=YukG
-----END PGP SIGNATURE-----
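The thread argues over two channels: fast-flux DNS, which Matthew says "sticks out as anomalous behaviour", and commands embedded in indexed web content, which Dave says is safe only until the indexer can cheaply fingerprint the <base64> blob. The following is an added example (not code from the thread, from Immunity, or from any of the posters) showing how cheap both of those detections are from the defender's side: a passive-DNS summariser that flags low-TTL names resolving across many networks, and a base64-run fingerprint with an entropy filter run over page text. Every hostname, address, TTL, threshold and the sample "blog post" below is constructed for illustration.

```python
"""
Added example (not from the Dailydave thread, Immunity, or any poster): two
cheap detection heuristics for the channels discussed above, run over
constructed sample data.

  fast_flux_score()   -- flags hostnames whose DNS history shows low TTLs and
                         many distinct IPs spread across many /16 networks.
  find_base64_blobs() -- the cheap <base64> fingerprint an indexer could run
                         over page text, which is the cost the thread wants
                         to push up by using an encoding that does not look
                         like base64.

Every record, threshold and hostname here is constructed for illustration.
"""
import base64
import math
import re
from collections import defaultdict

# Constructed passive-DNS observations: (hostname, answer IP, TTL in seconds).
# .test is a reserved TLD; the addresses are RFC 5737 documentation ranges.
SAMPLE_DNS = [
    ("cdn.example-static.test", "203.0.113.10", 3600),
    ("cdn.example-static.test", "203.0.113.11", 3600),
    ("cdn.example-static.test", "203.0.113.10", 3600),
    ("login.example-bad.test", "198.51.100.4", 300),
    ("login.example-bad.test", "192.0.2.77", 180),
    ("login.example-bad.test", "203.0.113.200", 120),
    ("login.example-bad.test", "198.51.100.250", 300),
    ("login.example-bad.test", "192.0.2.9", 60),
    ("login.example-bad.test", "203.0.113.33", 300),
]


def _slash16(ip):
    """Coarse 'network' key: the first two octets of a dotted-quad IPv4."""
    return ".".join(ip.split(".")[:2])


def fast_flux_score(records, max_ttl=300, min_ips=5, min_nets=3):
    """Summarise per-hostname DNS history and flag fast-flux-like names.

    A name is 'suspect' when every observed TTL is at or below max_ttl AND it
    resolved to at least min_ips distinct addresses spread over at least
    min_nets distinct /16s. The thresholds are illustrative, not tuned.
    """
    per_host = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for host, ip, ttl in records:
        h = per_host[host]
        h["ips"].add(ip)
        h["nets"].add(_slash16(ip))
        h["ttls"].append(ttl)
    summary = {}
    for host, h in per_host.items():
        low_ttl = max(h["ttls"]) <= max_ttl
        summary[host] = {
            "ips": len(h["ips"]),
            "nets": len(h["nets"]),
            "low_ttl": low_ttl,
            "suspect": low_ttl and len(h["ips"]) >= min_ips and len(h["nets"]) >= min_nets,
        }
    return summary


# A run of 24+ base64-alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _shannon_entropy(s):
    """Bits per character of s; 0.0 for a run of one repeated character."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_base64_blobs(text, min_entropy=3.0):
    """Return [(blob, decoded_bytes_or_None)] for high-entropy base64-looking runs.

    Long low-entropy runs (e.g. 'AAAA...') are skipped. Runs that fail strict
    base64 validation are still reported with decoded=None: the run itself is
    the fingerprint, decoding is only a convenience for the analyst.
    """
    hits = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        if _shannon_entropy(blob) < min_entropy:
            continue
        padded = blob + "=" * (-len(blob) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = None
        hits.append((blob, decoded))
    return hits


# Constructed "blog post" with one embedded base64 blob (a harmless marker).
SAMPLE_PAYLOAD = b"constructed marker text, not a real command"
SAMPLE_POST = (
    "Had a great weekend hiking, photos soon. "
    + base64.b64encode(SAMPLE_PAYLOAD).decode()
    + " Also the new coffee place downtown is excellent."
)

if __name__ == "__main__":
    for host, s in fast_flux_score(SAMPLE_DNS).items():
        print(f"{host}: {s}")
    for blob, decoded in find_base64_blobs(SAMPLE_POST):
        print(f"blob={blob[:20]}... decoded={decoded!r}")
```

Both checks are deliberately the cheap first pass. The DNS side would, in production, key on ASN rather than /16 and look at change rate over a time window; the text side will fire on long URL paths and hex or hash strings too, and sorting those false positives from real blobs is exactly the per-post cost that the thread expects the indexer to have to pay.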
Current thread:
- Beyond Fast Flux Dave Aitel (Dec 14)
- Re: Beyond Fast Flux Gadi Evron (Dec 14)
- Re: Beyond Fast Flux Brandon Enright (Dec 14)
- Re: Beyond Fast Flux ChromeSilver (Dec 15)
- Re: Beyond Fast Flux Lance M. Havok (Dec 16)
- Re: Beyond Fast Flux Dude VanWinkle (Dec 17)
- Re: Beyond Fast Flux Fosforo (Dec 14)
- <Possible follow-ups>
- Re: Beyond Fast Flux Paul Ferguson (Dec 14)
- Re: Beyond Fast Flux matthew wollenweber (Dec 15)
- Re: Beyond Fast Flux Dave Aitel (Dec 17)
- Re: Beyond Fast Flux matthew wollenweber (Dec 15)
- Re: Beyond Fast Flux Gadi Evron (Dec 14)