IDS mailing list archives
Re: detecting network crowd surges
From: "Eric Hacker" <focus () erichacker com>
Date: Thu, 2 Nov 2006 20:12:28 -0500
On 10/31/06, Greg Martin <gregm () econet com> wrote:
The second factor is available zombie management. A pure pull method with http would make it hard for the bot herder to track his available zombies, rather than just looking how many users are in an IRC channel. Common sense tell us botnets will continue to use IRC less as detection efforts such as the one described in the thread become more common. The real challenge will be when they go to covert tunneling capabilities for C&C such icmp and dns packets.
There are so many ways for botnets to hide their traffic that the ones that are may be so well hidden it would be difficult to find them. As bit torrent, IM and VoIP become more popular, it will be easy to hide in the noise. Also, pull does not present a problem for bots during the gathering phase where the need to manage the majority of the bot herd is minimal. At least one bot herder was using a web traffic analyser to keep count of the bots. Then, when a gig comes in, the bot herder can redirect the bots to a push-pull command channel. -- Eric Hacker, CISSP aptronym (AP-troh-NIM) noun A name that is especially suited to the profession of its owner I _can_ leave well enough alone, but my criteria for well enough is pretty darn high. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Re: detecting network crowd surges Greg Martin (Nov 01)
- Re: detecting network crowd surges Eric Hacker (Nov 03)