funsec mailing list archives
Re: The Criminal Underground: A Walk on the Dark Side
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Wed, 5 Sep 2007 16:52:56 -0400
On 9/5/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Wed, 05 Sep 2007 08:34:59 EDT, Dude VanWinkle said:
> > If we have a way to detect them, we should be able to tell when they get a new lease on life, or
>
> ipv4.59.112.229.83 at Aug 17 01:19:39 UTC-0400. Still same IP, or no? Note that this is a *serious* question - it can take 2 weeks for a hacked box to get a new IP, and the *new* owner of that IP then gets mystified why nothing works. 125.1.71.140 at Sep 3 15:59:28. Still same IP, or no? 201.250.52.183 at Sep 4 14:59:26. Is that the same IP still, or no? Let me know if I should blacklist those 3. Then we'll only have 139,999,997 to go.

So you are saying that this 7-10 million number for the botnet was generated by hand? What ever happened to looking at the C&C for incoming connections and ngrepping out the IPs? If we have a way to determine that these bots are controlled by X bad guys, I assumed there was a detection method. I could be wrong and these guys just pulled a number out of their @$$ (maybe they went to the Gartner School of Statistics), and please correct me if I am. Is there no programmatic way to use the detection methods in place to generate a list of currently controlled bots? If we have a detection method we should be able to generate a living botlist from packets sent out that day. I can take other arguments as a reason not to do this like: Maybe we would be showing our detection methods to the bot herders (am I on the list? yes? what if I do this: am I still on the list?, no? then I beat their detection methods, etc) (this can be semi-vetted by only allowing trusted sources access to the list)

> > So, according to your theory, we can only blacklist people if we know everyone who is compromised, else it's completely useless? I disagree.
>
> No, I'm saying that it's almost completely useless, because you can't make enough blacklist entries for it to *matter*.

If I only blocked Robert Soloway's botnet (20-40k at most IIRC) I would have stopped a major portion of spam from even hitting my spam filters (and some from making it through). That's a paltry percentage of the total bots, but a major portion of spam. Same thing goes for Pharmamasters 10k botnet.. (even if rented)

> How much time and effort are you willing to put in to maintaining this blacklist, and how do you intend to keep it up to date?

I will report all the activity that is definitely botnet-related on my subnets up to a central server that can host the list. Should take a few hours/days to set up..

> Remember - each time a legitimate visitor doesn't get to your website because of a false positive, it's at *least* a bad PR event for you, probably a lost customer, and possibly the cost of a tech support call to find out they're a FP (and note that if you're using a 3rd-party blacklist, the fun and games of getting them unlisted can be a problem too).

Well what if the list was generated daily from the traffic generated by botnets (snort sig, irc to the c&c servers, etc.). You don't want to blacklist someone, and then have the consumer spend a few hundred dollars to get their computer cleaned, and then have them still blocked. That would just be a static list that would be out of date by the time you printed it. While that was OK during the early years of the fight, we have evolved beyond that kind of thinking today (one would hope)

> As I said - there's only 2 *sane* ways to approach it anymore:
> 1) Only allow whitelisted systems - we have a *lot* of boxes that we only allow access to AS1312 systems, or specific subnets thereof. Works great, and the subnets move a lot less than botted systems.

and if the whitelisted subnets get hacked? What's your plan then? Impossible you say ;-)

> 2) Harden your systems against all comers - the broken idea of a blacklist is that even if you manage to properly list 25% of the boxes, you're now doing twice the work:
> 2a) You're maintaining a 20M to 30M entry blacklist, and keeping it up to date.

Yes, I do it by hand with an abacus and an etch-a-sketch, watch out V!.., don't bump me!!... damn, now I have to start all over..

> 2b) You're *still* having to defend against the *OTHER* 75%.
>
> Would you even *consider* buying a security system for your house, if you knew *beforehand* that it would (a) only stop 25% of the burglars, (b) you had to spend 15 to 20 minutes *every* day fixing it, and (c) 20% of the time, it would randomly refuse to let invited guests in?

I would buy that, just for kicks.. and BTW/FYI an alarm system will only keep out dumb burglars (i.e.: the hamburglar).

> > Security is gained by throwing everything you have at the opposing team, not waiting around for a perfect solution to present itself,
>
> I'm not looking for a perfect solution. I'm looking for one that has a decent return on the time/resources invested.

So what about this then: a rating system, like we have with spam, for bad computers. Like you said earlier, you don't want to block a legitimate customer. I will take it a step further and say that even an infected machine has a real user browsing the internet every once in a while (just like how even a broken clock is right twice a day ;-) and if you blocked every bot, then you would lose ~25% of your customers. Instead have a rating for the type of communication that is going on. ARP flood? add 5 points. google query for butterflies? minus 5 points. I am of course joking, but maybe the idea has some merit..

-JP<who is heading home for the day>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
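The two ideas argued over in this message, a list regenerated from fresh evidence so that it cannot go stale when a hacked box gets a new IP, and a per-host score where behaviours add or subtract points, combine into one small routine. This is an added illustration, not code from either poster; the evidence types, point weights, 14-day expiry window, threshold and sample events are all constructed assumptions, and the addresses are RFC 5737 documentation ranges rather than real hosts.

```python
"""Time-decaying, evidence-weighted bot block list (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed points per observed behaviour; ordinary user traffic subtracts
# points so a box with a real person behind it is not listed on one hit.
WEIGHTS = {
    "irc_cnc": 8,        # joined a known C&C channel
    "snort_bot_sig": 5,  # IDS signature for bot traffic fired
    "arp_flood": 5,
    "spam_relay": 4,
    "normal_web": -5,    # plain browsing by a real user behind the IP
}
# A hacked box can sit about two weeks before the IP moves to a new owner,
# so evidence older than this is thrown away rather than kept on a static list.
TTL = timedelta(days=14)
THRESHOLD = 10           # score needed to land on today's list


def score_hosts(events, now, ttl=TTL):
    """Sum weighted evidence per IP, ignoring anything older than ttl.
    events: iterable of (timestamp, ip, kind) tuples."""
    scores = defaultdict(int)
    for ts, ip, kind in events:
        if now - ts > ttl:
            continue  # stale: the IP may belong to someone else by now
        scores[ip] += WEIGHTS.get(kind, 0)
    return dict(scores)


def build_blocklist(events, now, threshold=THRESHOLD, ttl=TTL):
    """Return the IPs whose live score meets the threshold, sorted."""
    scores = score_hosts(events, now, ttl)
    return sorted(ip for ip, s in scores.items() if s >= threshold)


# Constructed sample evidence (documentation addresses, not real hosts).
NOW = datetime(2007, 9, 5, 16, 0)
EVENTS = [
    (NOW - timedelta(hours=3), "192.0.2.10", "irc_cnc"),
    (NOW - timedelta(hours=2), "192.0.2.10", "spam_relay"),
    (NOW - timedelta(days=1), "192.0.2.11", "snort_bot_sig"),
    (NOW - timedelta(days=1), "192.0.2.11", "normal_web"),  # real user too
    (NOW - timedelta(days=20), "198.51.100.7", "irc_cnc"),  # older than TTL
    (NOW - timedelta(days=20), "198.51.100.7", "arp_flood"),
    (NOW - timedelta(hours=1), "198.51.100.8", "arp_flood"),
    (NOW - timedelta(hours=1), "198.51.100.8", "snort_bot_sig"),
]

if __name__ == "__main__":
    print(build_blocklist(EVENTS, NOW))
```

Rerunning the build each day against that day's evidence is what keeps the list living: 198.51.100.7 drops off on its own once its evidence ages past the window, with no manual unlisting.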