Full Disclosure mailing list archives

Re: what can be done with botnet C&C's? (fwd)


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sun, 13 Aug 2006 08:32:16 -0400

On 8/13/06, Gadi Evron <ge () linuxbox org> wrote:
Hi guys, here is a forward of my follow-up to the previous message.

        Gadi.

---------- Forwarded message ----------
Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
To: botnets () whitestar linuxbox org
Subject: what can be done with botnet C&C's?


It doesn't seem like there is a lot that ISPs can do in regards to
securing the clients.

When I worked at a university, the students were always getting
compromised till we implemented sandboxing. People DHCP'ing into the
network were placed in a subnet by themselves till a scan revealed
that they had:
1: up to date AV
2: up to date patches
3: a functioning firewall

If any of these were not detected to be current or functioning, they
were left in the restricted subnet, which only allowed them access to
Windows Update and the software download page for the AV/FW
applications.

This worked really well for stopping infections, but it's not something
an ISP could do.
1: Their clients are often running Windows 98 or some legacy OS that
cannot be secured
2: No amount of patching, antivirus, or firewalling will clean a well
infected computer
3: As you said, every call loses them money. Draconian measures would
cause a huge influx of calls, no matter how well implemented.


So if securing the clients is not an option, from an ISP's point of
view, we must rely on network measures that the clients won't notice.
First, you have to separate your "end users" from your "IT guys". Find
out who just uses the web for browsing and email/p2p and put these in
a group/ASN of their own. This way you can block extraneous traffic
with some amount of assurance you won't be interfering with an
experiment or interfere with legitimate traffic.

After you separate your users from your power users, then pattern
analysis takes over:

Blocking SSL connections to machines without A records. (phishing, C&C)
Blocking IRC connections that appear to be C&C.
Limiting outbound port 25 traffic.
Limiting http gets (how many pages can a human visit in one day by
clicking on links?)


For stopping botnets, you have to analyse the numbers. We are talking
about massive numbers of clients and even more massive amounts of
traffic, so it's all about pattern analysis. Divide up your clients
into statistically similar groupings and look for anomalies.

And hire a bunch of SAS programmers to work on the issue ;-)

-JP
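The network-side measures JP lists (SSL to destinations without a DNS name, IRC that looks like C&C, outbound port 25 volume, HTTP GET rate) and the closing suggestion to compare each client against a statistically similar peer group can be sketched as a small flow-log analyser. The code below is an added example written for this archive page, not code from the original post or from any ISP tooling. It assumes NetFlow-style records already reduced to (source, destination, destination port, destination-has-A-record); the last field stands in for a passive-DNS or resolver-log lookup that a real deployment would perform, the per-hour thresholds are illustrative, and every address and flow is constructed for the example.

```python
"""Added example: per-subscriber rule checks and peer-group anomaly scoring
over constructed flow records (not real traffic)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# One record per outbound connection: (src, dst, dst_port, dst_named).
# dst_named is an assumed flag meaning "some A record resolves to dst";
# a real deployment would derive it from passive DNS or resolver logs.
Flow = tuple

# Assumed per-hour limits for an "end user" group; tune per grouping.
THRESHOLDS = {"ssl_unnamed": 1, "smtp": 20, "http": 2000, "irc": 1}


def summarize(flows):
    """Reduce flows to the per-source counters the rules act on."""
    per_src = defaultdict(Counter)
    for src, dst, dport, dst_named in flows:
        c = per_src[src]
        if dport == 443 and not dst_named:
            c["ssl_unnamed"] += 1      # SSL to a bare IP: phishing / C&C signal
        elif dport == 25:
            c["smtp"] += 1             # outbound mail submissions
        elif dport == 80:
            c["http"] += 1             # web requests (GET rate proxy)
        elif dport in (6667, 6697):
            c["irc"] += 1              # IRC, rare for a browsing/email user
    return per_src


def rule_hits(per_src, thresholds=THRESHOLDS):
    """Fixed-threshold rules: {src: [metric, ...]} for sources over any limit."""
    hits = defaultdict(list)
    for src, c in per_src.items():
        for metric, limit in thresholds.items():
            if c[metric] > limit:
                hits[src].append(metric)
    return dict(hits)


def peer_outliers(per_src, metric, z=2.5):
    """Sources whose count for `metric` sits more than z population
    standard deviations above the mean of their peer group.
    Note: with n sources the largest possible z is sqrt(n-1), so very
    small groups cannot produce a high score."""
    values = {src: c[metric] for src, c in per_src.items()}
    mu = mean(values.values())
    sigma = pstdev(values.values())
    if sigma == 0:
        return []
    return sorted(src for src, v in values.items() if (v - mu) / sigma > z)


def make_sample():
    """Constructed peer group: nine ordinary subscribers and one bot."""
    flows = []
    for i in range(1, 10):
        src = f"10.0.0.{i}"
        flows += [(src, "93.184.216.34", 80, True)] * (100 + 10 * i)
        flows += [(src, "93.184.216.34", 443, True)] * 5
        flows += [(src, "198.51.100.25", 25, True)]
    bot = "10.0.0.10"
    flows += [(bot, f"203.0.113.{k}", 25, True) for k in range(1, 61)]  # spam spray
    flows += [(bot, "198.51.100.7", 443, False)] * 3                     # SSL to bare IP
    flows += [(bot, "198.51.100.9", 6667, True)] * 2                     # IRC C&C-like
    flows += [(bot, "93.184.216.34", 80, True)] * 120                    # ordinary browsing
    return flows


if __name__ == "__main__":
    summary = summarize(make_sample())
    print("rule hits:", rule_hits(summary))
    print("smtp outliers:", peer_outliers(summary, "smtp"))
    print("http outliers:", peer_outliers(summary, "http"))
```

Running it flags the bot on the fixed rules (unnamed SSL, SMTP volume, IRC) and as an SMTP outlier within its peer group, while its web traffic blends in with the others; that is the point of grouping "end users" separately before scoring, since the same HTTP volume in a "power user" group would mean nothing.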

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

