IDS mailing list archives
Re: detecting network crowd surges
From: "rgula () tenablesecurity com" <rgula () tenablesecurity com>
Date: Mon, 07 Aug 2006 21:08:50 -0400
Could be botnets, zombies, malware, .etc. We're observing surges on port 80 & 443 as well. For those, the threshold needs to be a bit higher than non-web stuff because by chance, you'll get a certain percentage of people happening to go to MySpace, Google, CNN, .etc. Also, if one were to send out an SSH worm, then SSH could be an ideal communication vector. The "common" way to control botnets seems to be IRC channels and AIM. Ron
I wonder, though, is this how real botnets are controlled? Surely it would be fair easier, and less obtrusive, to control your botnet via a updated http site. like http://<mikeiscool>/instructions.txt. Every day the bots would log on and receive their latest orders. Makes sense to hide in http rather then risk a protocol that might be blocked, doesn't it? -- mic
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- detecting network crowd surges Ron Gula (Aug 04)
- Re: detecting network crowd surges mikeiscool (Aug 08)
- Re: detecting network crowd surges Jose Nazario (Aug 11)
- RE: detecting network crowd surges Craig Chamberlain (Aug 30)
- Re: detecting network crowd surges Jose Nazario (Aug 11)
- <Possible follow-ups>
- Re: detecting network crowd surges rgula () tenablesecurity com (Aug 08)
- Re: detecting network crowd surges mikeiscool (Aug 08)