RE: [Full-disclosure] what can be done with botnet C&C's?

["Jordan Medlen" <jmedlen () sagonet com>]

Snort itself can be configured to send email notifications without the
snortsam add-on. Snortsam does have a "do-not-block" list as well so that
certain hosts are never blocked. This is useful for our NOC staff since we
continually run tests such as nmap towards our customer's servers that would
otherwise have our NOC IP space blocked.

-Jordan 

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
virendra rode //
Sent: Thursday, August 17, 2006 2:38 PM
To: jmedlen () sagonet com
Cc: nanog () nanog org
Subject: Re: [Full-disclosure] what can be done with botnet C&C's?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

in-line:

Jordan Medlen wrote:
> I'm sure most people on this list have heard of or use snort. There is 
> an add-on package called snortsam. This package allows automation of 
> blocking traffic deemed malicious via a null route statement or ACL 
> statement. We have been in the process over the last month of 
> implementing this on our network with much success. I think the only 
> problem that we have had with it thus far is underestimating just how 
> well it was actually going to work. As with any snort implementation, 
> it takes time to tweak and tune the rule sets, however we have managed 
> to kill a huge amount of traffic either coming from our customers or 
> destined to our customers. While this is not a perfect system, it is 
> much better than idly sitting there and letting the abuse continue.
- -------------------------
One thing would be nice (maybe a wish-list) if snortsam could send an e-mail
notification (similar to other proactive tools) rather than pushing for ACL
change which could possibly break something due to FP.
This could lead to a headless chicken syndrome scenario. Also where I come
from, we cannot implement change(s) to any P1/P2 (business
critical) devices w/o a change management request except for emergencies.



regards,
/virendra


> ---
> Jordan Medlen
> Chief Technology Officer and Architect Sago Networks
>
> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf 
> Of Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: nanog () nanog org
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
>
>
> I hate to stir the flames again, but this idea sounds a lot like RBLs.  
> :)
>
> All kidding aside, I'm curious as to when we will reach the point 
> where the devices of our networks will be able to share information 
> regarding sporadic bursts or predefined traffic patterns in network 
> traffic within a certain time frame, determine it is a related 
> outgoing (or incoming) attack, and mitigate/stop the traffic. I think 
> it certainly is possible to accomplish this on a per-router level, but 
> being able to have the devices communicate and share information between
one another is a completely separate thing.
> (New protocol perhaps.)
>
> The only real method that I really have in my toolkit to stop incoming 
> DDoS on a AS-wide perspective is originating a /32 within an AS with a 
> next-hop of a discard interface.
>
> Something similar to that nature but more flexible and designed for 
> the sole purpose of preventing/stopping abuse would be a very nice
feature.
> Cheers.
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: mtnicks () kanren net
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Payam Tarverdyan Chychi wrote:
> >  I've been reading on this subject for the last several weeks and it 
> > seems as if everyone just like to come up with out of the box ideas 
> > that are not realistic for today's network environments
> >
> > > > J.Oquendo, thanks for the Smurf example . as there are still
> > admins/engineers at large networks that have no clue as to what they 
> > are doing. so QoS is for sure out of the question.. at least at this 
> > time.
> >
> > Depending on agents to take actions and protecting our networks is 
> > even a bigger joke. Back in late 90s where kiddies were using the 
> > simplest types of C&C, open wide irc networks with visible Channels 
> > and no encryptions. and agents couldn't do anything unless the attack 
> > was big enough to take down Amazon, yahoo, Microsoft or some other 
> > major provider with enough $$$ to start an investigation.
> >
> > So what makes you think that agents are of any help in today's world 
> > where c&c have gotten so much more sophisticated, use backup private 
> > servers, encryption, tunneling and much much more..
> >
> > In my opinion, the only way to really start cracking down on c&c and 
> > put an end to it is the cooperation of major ISP's. I realize that 
> > most isp's cant/wont setup a security team to just investigate c&c / 
> > attacks (would this really fall under the Abuse team?) but perhaps If 
> > all major networks worked together and created a active db list of 
> > c&c found either on their networks or attacking ones network. then it 
> > would be much much easier to trace back c&c and dispose of them.
> >
> > Unfortunately, we don't live in a perfect world and most isp's hate 
> > sharing any information. I guess its better for them to have a bigger 
> > ego than a safer / more stable network.
> >
> > Please feel free to correct me if I am wrong.
> >
> > -Payam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE5LdspbZvCIJx1bcRAk04AJ9bsdHfeGY/8bo+CFFyPCNBIYLAxwCaAqv/
0v8mDACXHUBiSQAtBgZ0p0g=
=yOnO
-----END PGP SIGNATURE-----