Full Disclosure mailing list archives
unsubscribe
From: "mailing lists" <bofn () irq org>
Date: Mon, 14 Aug 2006 09:20:49 +0200
unsubscribe

On Sun, 13 Aug 2006 12:00:10 +0100 (BST) full-disclosure-request () lists grok org uk wrote:
Send Full-Disclosure mailing list submissions to
full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists grok org uk

You can reach the person managing the list at
full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

1. Re: Getting rid of Gadi Evron and Dude VanWinkle (Aaron Gray)
2. Re: Server Redundancy (wac)
3. what can be done with botnet C&C's? (fwd) (Gadi Evron)

----------------------------------------------------------------------

Message: 1
Date: Sun, 13 Aug 2006 01:25:18 +0100
From: Aaron Gray <angray () beeb net>
Subject: Re: [Full-disclosure] Getting rid of Gadi Evron and Dude VanWinkle
To: full-disclosure () lists grok org uk
Message-ID: <44DE716E.8020600 () beeb net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

l4m3r vodka hooch wrote:

hi, for months now we've had to put up, now it's time to shut up. how do i set up my gmail? i know this is an unmoderated list but i'm pulling my hair out to sift through the real email. please don't turn full dis into symantec trolltraq, help me! :)

-gs

------------------------------------------------------------------------
Yahoo! Messenger with Voice. Make PC-to-Phone Calls
to the US (and 30+ countries) for 2¢/min or less.
------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

------------------------------------------------------------------------
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.10.9/417 - Release Date: 11/08/2006

------------------------------

Message: 2
Date: Sat, 12 Aug 2006 22:39:16 -0400
From: wac <waldoalvarez00 () gmail com>
Subject: Re: [Full-disclosure] Server Redundancy
To: "Tim Hecktor" <th () domainbox de>
Cc: full-disclosure () lists grok org uk
Message-ID: <be950f350608121939k48bcaf2ex7d3de004b36bc643 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi:

Thanks, I'll check ipvs.

Regards
Waldo

On 8/10/06, Tim Hecktor <th () domainbox de> wrote:

Hello,

<Isn't there a way to map a name to several IPs?
<Or use aliases?

Maybe this is what you are looking for:

pandora:~# dig ftp.freenet.de
; <<>> DiG 9.2.1 <<>> ftp.freenet.de
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59136
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;ftp.freenet.de. IN A
;; ANSWER SECTION:
ftp.freenet.de. 1457 IN CNAME ftp-0.freenet.de.
ftp-0.freenet.de. 600 IN A 194.97.2.69
ftp-0.freenet.de. 600 IN A 194.97.2.70
ftp-0.freenet.de. 600 IN A 194.97.2.67
ftp-0.freenet.de. 600 IN A 194.97.2.68

This will map a name to more than one IP and will give you load-balancing this way, but not real redundancy.
To map a service to different hosts redundantly you can use a box running ipvs. This box can be made redundant with an identical box using mon and heartbeat to do IP failover.
Best regards,
Tim Hecktor

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060812/3579b5dd/attachment-0001.html
------------------------------

Message: 3
Date: Sun, 13 Aug 2006 01:43:35 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
Subject: [Full-disclosure] what can be done with botnet C&C's? (fwd)
To: full-disclosure () lists grok org uk
Message-ID: <Pine.LNX.4.21.0608130142220.11492-100000 () linuxbox org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi guys, here is a forward of my follow-up to the previous message.

Gadi.

---------- Forwarded message ----------
Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
To: botnets () whitestar linuxbox org
Subject: what can be done with botnet C&C's?

In my last email message I addressed some of the issues related to botnet C&C's and their mitigation. As mentioned, I waited to see what other experiences told other people, as well as glimpse the opinion of others here.

In this message I will try and address some of the questions asked, but once again limiting myself mostly to JUST networking rather than the whole realm of botnet fighting.

"I work on this [C&C] for 30 days, only to find out one of you took it down."
-- US Federal Agent, two days ago, ISOI (DA Workshop).

And still, sticking to networking issues, as obviously we cannot yet depend on law enforcement to protect our networks for us, how do we handle C&C's?

When we kill them (and by "kill" I naturally mean "report our suspicion to the responsible authority so they can investigate, confirm and proceed according to their AUP") we kill them, but only to our knowledge. They immediately move elsewhere we do not know about in our space or someone else's, maybe misplacing an extremely smallish percentage of their population while they are at it.

Okay, say I am right... What *can* we do?

We can take advantage:

1. QoS and traffic limiting tools.

Many tools created in recent years, and used extensively by many ISP's, regardless of any Net Neutrality legislation, are at our disposal and already implemented on our networks.
Much like, for business reasons, many of us would limit P2P, how about limiting the traffic to compromised users? How, what and when is up to you. You can know who your compromised users are by watching flows to C&C's.

2. Blocking communication to C&C's.

Watch the flows, block the users from communicating out to them. Watch these users and see where else they are communicating in comparison to other users, en-masse. It's a matter of doing the same thing, for a different purpose.

3. Walled garden and tech support costs.

Obviously, if any of these users call you (and they VERY OFTEN do), you lose money on them for a long time to come.. only they will call again. A combination of quarantine, complete or partial, might work. Combine that with what some already do, such as sell users Anti Virus products, and you get a nice deal. Add to that a support company to lend help to users, unrelated to tech support, by subscription, and you may just have more business avenues to explore.

4. Stop internal network infections.

It is unbelievable how the networks with the most bots are the networks that allow internal users to connect wherever they want within the network.

All these come to show that although responsiveness to C&C's is important (rather than shutting them down), on the scale of the Internet, what will actually help the Internet is if you take care of it on your own network.

You don't have to do any of these, or all of these. Just to wake up to the fact that killing C&C's will mostly not help anyone, and if anything, will do harm. Using them to deal with problematic users, even if only to block them from accessing that C&C, is more to the point.

You can choose how to handle these issues, but if you want to stop harming the Internet, stop your users from participating, DDoSing, etc. while not harming your business (no one can handle that tech support load).

Monitor the C&C's running on your network - contact law enforcement.
These are compromises that will keep happening, you are aware of, and cause millions of dollars in damages.

"So, are we supposed to leave these compromised boxes up?"

My answer is this, if you fail to remove a spy, as another would just take his place, wouldn't you rather know where that spy is and work to take him down for good?

The answer to that is NO, as most of us won't and can't.

That said, if you must kill the C&C, be aware, it is nothing more than sweeping the problem, locally on your network, as well as on your friends', under the rug.

Do you know who your local fed is? See if he can help, he most likely can't and if he could, without a much wider cooperation between everybody, he or she would be extremely limited by looking just at your C&C's. That said, I doubt you would want that fed's attention.

You can limit P2P traffic yet you won't limit scanning traffic? Outgoing email traffic from port 25 on dynamic hosts? Bandwidth to compromised users? Port 80, or any, traffic not through your proxy? Consider what other tools are in your arsenal.

My ideas may be completely wrong for you, yet that does not change the fact that killing the C&C will just mean you are kept in the dark.

Some large carriers do many of these already, run honey-nets, and what not. Do you?

I would like to hear some opinions on what networks can do, economically, from people here. Please stick to network operations issues.

Gadi.

This is being X-posted to NANOG.

------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 18, Issue 24
***********************************************
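Gadi Evron's forwarded message argues for using C&C sightings in your own flow data to identify and handle compromised customers (rate-limit, block the C&C contact, quarantine) rather than taking the C&C down. The script below is an added illustration of that approach written for this archive page; it is not code from the digest or from any of its authors, and every address, flow record and threshold in it is constructed.

```python
"""Added example: turn flow records plus a list of known C&C addresses into
per-host actions on our own network (deny the C&C contact, rate-limit, or
walled-garden quarantine). All IPs, flows and rules here are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: our dynamic customer range and C&C addresses reported by the
# abuse desk (RFC 5737 documentation addresses used as placeholders).
INTERNAL = ip_network("10.20.0.0/16")
CNC_ADDRESSES = {"198.51.100.7", "203.0.113.42"}

# Constructed NetFlow-style records: (src, dst, dst_port, proto, bytes)
FLOWS = [
    ("10.20.1.5", "198.51.100.7", 6667, "tcp", 1200),   # IRC-style C&C contact
    ("10.20.1.5", "198.51.100.7", 6667, "tcp", 900),
    ("10.20.1.9", "203.0.113.42", 80, "tcp", 300),      # HTTP C&C contact
    ("10.20.1.5", "192.0.2.10", 25, "tcp", 50000),      # direct SMTP from a dynamic host
    ("10.20.2.2", "192.0.2.20", 443, "tcp", 8000),      # ordinary user, no C&C contact
    ("10.20.1.9", "192.0.2.30", 443, "tcp", 4000),
]


def compromised_hosts(flows, cnc):
    """Map each internal source that contacted a C&C to its (dst, port) sightings."""
    seen = defaultdict(list)
    for src, dst, dport, _proto, _nbytes in flows:
        if ip_address(src) in INTERNAL and dst in cnc:
            seen[src].append((dst, dport))
    return dict(seen)


def policy(flows, cnc):
    """Per compromised host: deny every C&C contact, then either quarantine the
    host (it is also sending direct port-25 mail, which on a dynamic range is
    the usual sign of a spam bot) or just rate-limit it while support follows up."""
    actions = {}
    for host, sightings in compromised_hosts(flows, cnc).items():
        rules = [f"deny {host} -> {dst}:{port}" for dst, port in sorted(set(sightings))]
        smtp_bytes = sum(b for s, _d, p, _pr, b in flows if s == host and p == 25)
        if smtp_bytes > 0:
            rules.append(f"quarantine {host} (walled garden, {smtp_bytes} bytes to port 25)")
        else:
            rules.append(f"rate-limit {host}")
        actions[host] = rules
    return actions


if __name__ == "__main__":
    for host, rules in policy(FLOWS, CNC_ADDRESSES).items():
        print(host, rules)
```

The rule strings are deliberately vendor-neutral; in practice they would be rendered as the ACL, QoS policer or captive-portal entries of whatever gear sits in front of the customer range.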