Re: detecting network crowd surges

["Eric Hacker" <focus () erichacker com>]

On 10/31/06, Greg Martin <gregm () econet com> wrote:
> The second factor is available zombie management.  A pure pull method
> with http would make it hard for the bot herder to track his available
> zombies, rather than just looking how many users are in an IRC
> channel.
>
> Common sense tell us botnets will continue to use IRC less as detection
> efforts such as the one described in the thread become more common.  The
> real challenge will be when they go to covert tunneling capabilities for
> C&C such icmp and dns packets.

There are so many ways for botnets to hide their traffic that the ones
that are may be so well hidden it would be difficult to find them. As
bit torrent, IM and VoIP become more popular, it will be easy to hide
in the noise.

Also, pull does not present a problem for bots during the gathering
phase where the need to manage the majority of the bot herd is
minimal. At least one bot herder was using a web traffic analyser to
keep count of the bots. Then, when a gig comes in, the bot herder can
redirect the bots to a push-pull command channel.

--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------