Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is the Botnet Battle Already Lost?

Posted by ryuzaki0 on from the fighting-the-good-fight dept.

An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."

2 of 374 comments (clear)

  1. Re:How do you know if you've been rooted? by vandoravp · · Score: 5, Informative

    Firewalls are useful for monitoring traffic. The best way to detect a zombie computer is to look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to). Security Now is a great podcast that deals with security issues and locking down your systems. Episodes 3, 8, and 4 are particularly relevant. It can get technical at times but all-in-all it's a great explanation of how things work and what can be done to secure them.

  2. Re:How do you know if you've been rooted? by rpbailey1642 · · Score: 5, Informative

    Set up a bridge without an IP address and install Snort on it. On FreeBSD or OpenBSD, this procedure is a snap. Your mileage may vary, query Google for assistance.
    Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures are a piece of cake and the process is well-documented.
    The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
    For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on school system's computer network and it worked like a dream.