Prototype Software Sniffs Out, Disrupts Botnets
coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"
We don't need AI and network scanners and blah blah blah. It's crazy easy to detect, just by the traffic patterns and the amount of data sent, if a computer is infected. So ISPs detect everyone that sent data to known botnet targets or controllers and disconnect that customer until they disinfect themselves. Then everyone will be convinced to practice better overall security, and they won't crack down on p2p as much because botnet traffic will no longer bog down entire ISP networks, and I'll have lots of business as a computer repairer :-P It's the perfect idea, really.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Don't be so quick to say that it won't work. We don't have enough information as to how it is designed, and you don't understand how anomaly-based detection works. The idea behind network anomaly-based detection is to identify communication between two or more hosts that isn't supposed to exist or that didn't exist in the past. That is the 5-cent explanation of it.
The very nature of botnet activities usually requires a coordinated effort. You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic. Spam campaigns usually only work for the first few minutes before services catch on, and then that particular spam campaign is over. Unless all the bots participate reasonably simultaneously, they can't accomplish their goals as well.
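The group-level correlation the two replies above describe (hosts sharing a rendezvous point and then acting in near-lockstep), as an added example that is not part of the thread or of BotSniffer itself. The flow records, addresses, ports and thresholds are constructed for illustration; real deployments would derive them from their own traffic.

```python
from collections import defaultdict

# Constructed flow records: (t_seconds, src_host, dst_host, dst_port).
# 10.0.0.11-13 and .20 all poll 203.0.113.5; seconds later .11-.13 start
# sending mail almost in lockstep. .20-.22 share 192.0.2.10 (think of an
# update server) but never act together, and .30 sends mail on its own.
FLOWS = [
    (100, "10.0.0.11", "203.0.113.5", 6667), (101, "10.0.0.12", "203.0.113.5", 6667),
    (103, "10.0.0.13", "203.0.113.5", 6667), (104, "10.0.0.20", "203.0.113.5", 6667),
    (130, "10.0.0.11", "198.51.100.7", 25),  (131, "10.0.0.12", "198.51.100.8", 25),
    (134, "10.0.0.13", "198.51.100.9", 25),  (500, "10.0.0.30", "198.51.100.7", 25),
    (600, "10.0.0.20", "192.0.2.10", 443),   (650, "10.0.0.21", "192.0.2.10", 443),
    (700, "10.0.0.22", "192.0.2.10", 443),
]

RESPONSE_PORTS = {25}   # activity counted as a group "response" (mass mailing here)
WINDOW = 10             # seconds within which responses count as synchronized
MIN_GROUP = 3           # clients that must share a destination to form a group
MIN_FRACTION = 0.5      # fraction of the group that must respond together

def client_groups(flows):
    """Map each destination to the set of internal hosts that contacted it."""
    groups = defaultdict(set)
    for _, src, dst, _ in flows:
        groups[dst].add(src)
    return groups

def synchronized_fraction(flows, members, window):
    """Largest fraction of `members` seen responding inside one time window."""
    events = sorted((t, src) for t, src, _, port in flows
                    if src in members and port in RESPONSE_PORTS)
    best = 0.0
    for i, (t0, _) in enumerate(events):
        acting = {src for t, src in events[i:] if t - t0 <= window}
        best = max(best, len(acting) / len(members))
    return best

def suspicious_servers(flows):
    """Return {destination: (clients, fraction)} for groups acting in lockstep."""
    hits = {}
    for dst, members in client_groups(flows).items():
        if len(members) < MIN_GROUP:
            continue                      # too few clients to call it a group
        frac = synchronized_fraction(flows, members, WINDOW)
        if frac >= MIN_FRACTION:
            hits[dst] = (sorted(members), frac)
    return hits
```

Only 203.0.113.5 is flagged: three of its four clients respond within ten seconds of each other, while the shared update server and the lone mailer never reach the group threshold.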
1. Deny IRC traffic at your firewalls. If there is a business need for IRC, then set up an IRC proxy or inline authentication. This simple step will stop many of the bots out there from phoning home.
2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source IP address that the bot is sending is available out the interface that your compromised host exists on.
3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.
4. Monitor your network. There are many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/.
5. Utilize updated antivirus technology, hopefully one that reports to a central console. These are simple steps that, frankly, most people do not use in their networks. If they did, the botnet issue would be greatly minimized.
Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
Yes, that's what I was showing: they accept authentication from ANYONE. .user and I'm in.
:(. They already uploaded and made changes to the original link, I wonder if they have any idea their config file bookmarked on Slashdot.
And all these idiots did was ban my *!user@host. I reconnected via irssi after changing my username and I got back in. I'm trying to script up something entertaining but sadly the IRC server masks host names