Prototype Software Sniffs Out, Disrupts Botnets
coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"
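The coordination signature the summary describes (several LAN hosts receiving near-identical replies from the same server at nearly the same time) can be checked with a small group-activity detector. This is an added illustration, not code from the Georgia Tech prototype; the flow records, IP addresses, window and thresholds below are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (time_s, src_host, dst_server, dst_port, reply_bytes).
# The first block mimics hosts polling one controller in lockstep; the second
# block is unrelated web browsing to a shared server.
FLOWS = [
    (100, "10.0.0.11", "203.0.113.5", 6667, 512),
    (101, "10.0.0.12", "203.0.113.5", 6667, 512),
    (103, "10.0.0.13", "203.0.113.5", 6667, 512),
    (104, "10.0.0.14", "203.0.113.5", 6667, 514),
    (400, "10.0.0.11", "203.0.113.5", 6667, 512),
    (100, "10.0.0.21", "198.51.100.7", 80, 1400),
    (900, "10.0.0.22", "198.51.100.7", 80, 22000),
    (1800, "10.0.0.23", "198.51.100.7", 80, 3100),
]


def group_activity(flows, window=10, size_tol=0.05):
    """For each server endpoint, return the largest set of distinct LAN hosts
    that received replies of similar size within `window` seconds of each other.
    Window and tolerance are assumed values, not the paper's parameters."""
    by_server = defaultdict(list)
    for t, src, dst, port, nbytes in flows:
        by_server[(dst, port)].append((t, src, nbytes))
    clusters = {}
    for server, recs in by_server.items():
        recs.sort()
        best = set()
        for i, (t0, _, b0) in enumerate(recs):
            hosts = set()
            for t, src, b in recs[i:]:
                if t - t0 > window:
                    break  # records are time-sorted, so nothing later fits
                if abs(b - b0) <= size_tol * max(b0, 1):
                    hosts.add(src)
            if len(hosts) > len(best):
                best = hosts
        clusters[server] = best
    return clusters


def suspected_c2(flows, min_hosts=3, **kw):
    """Endpoints where at least `min_hosts` distinct hosts acted in concert."""
    return sorted(s for s, hosts in group_activity(flows, **kw).items()
                  if len(hosts) >= min_hosts)
```

On the constructed records only the 203.0.113.5:6667 endpoint is flagged; the web server is contacted by three hosts too, but at unrelated times with unrelated reply sizes, which is why counting hosts per server alone would not be enough.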
Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.
At the traffic level, BitTorrent looks a lot like a botnet. It has a central controller (the tracker) and makes random connections to other peers, which then trade large amounts of data.
So would this kill BitTorrent? I've heard network security people explain how peer-to-peer technologies are a dead end because they're impossible to run on a secure network since they do look like botnets. How does this deal with that?
The system as described shows promise. The current crop of botnet software all exhibit a behavior pattern that can be detected.
Of course there have been other attempts at botnet detection software, but network deployment has been sparse. Deployment is key. Maybe Georgia Tech's good name will help get it deployed. It has to be proved useful to the large network operators or it will never spread beyond a few test systems.
The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.
Will the bad guys update the botnet software to outmaneuver the good guys? You can bet on it. But keep in mind that the people who developed the botnet software are generally not the same ones who operate the largest botnets. The botnet operators will be greatly impacted until they can get updated software and then get it deployed.
This system will cause a botnet disruption that will take time to rebuild. Then, the botnet detection software will need to be updated. And the arms race will continue...
The problem is not one of identification; it is very easy to detect members of a botnet without resorting to Deep Packet Inspection everywhere. The main problem is lack of local laws and regulation, and varying degrees of takedown management.