Slashdot Mirror


Prototype Software Sniffs Out, Disrupts Botnets

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"
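The summary describes BotSniffer's core idea: hosts in a botnet respond to the same command and control server at nearly the same time with nearly the same kind of message, while normal traffic to a shared server is scattered in time and varied in size. The following is an added illustration of that spatial-temporal correlation check, written for this page and not taken from the BotSniffer prototype or the paper. The flow records, the endpoint addresses, the time window, the size tolerance and the minimum group size are all constructed assumptions chosen to make the idea visible.

```python
"""
Added example (not BotSniffer's code): a toy spatial-temporal correlation
check over constructed flow records. Hosts that contact the same external
endpoint inside a short time window and send messages of near-identical
size are grouped; a group reaching the minimum size is reported as a
suspected C&C channel. All names, thresholds and log lines are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: "<unix_ts> <src_host> <dst_ip>:<dst_port> <bytes_out>"
# The first four lines mimic bots checking in to one IRC-style server; the
# rest mimic ordinary browsing of a shared web server at unrelated times.
SAMPLE_FLOWS = """\
1000.0 10.0.0.11 203.0.113.5:6667 412
1000.8 10.0.0.12 203.0.113.5:6667 415
1001.3 10.0.0.13 203.0.113.5:6667 410
1001.9 10.0.0.14 203.0.113.5:6667 418
1005.0 10.0.0.11 198.51.100.20:80 1200
1090.0 10.0.0.12 198.51.100.20:80 5300
1200.0 10.0.0.13 198.51.100.20:80 870
1300.0 10.0.0.14 198.51.100.20:80 22000
"""


@dataclass
class Flow:
    ts: float      # time the flow started (seconds)
    src: str       # internal host
    dst: str       # external endpoint "ip:port"
    nbytes: int    # bytes the internal host sent


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format above."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(float(ts), src, dst, int(nbytes)))
    return flows


def correlated_groups(flows, window=5.0, size_tolerance=0.1, min_hosts=3):
    """Return {dst: sorted hosts} for endpoints where at least `min_hosts`
    distinct internal hosts talked within `window` seconds of each other
    and sent messages whose sizes lie within `size_tolerance` of the
    first message in the window (a crude stand-in for response similarity)."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    suspects = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        # Slide a time window anchored on each flow in turn.
        for i, anchor in enumerate(fl):
            lo = anchor.nbytes * (1 - size_tolerance)
            hi = anchor.nbytes * (1 + size_tolerance)
            group = set()
            for f in fl[i:]:
                if f.ts - anchor.ts > window:
                    break
                if lo <= f.nbytes <= hi:
                    group.add(f.src)
            if len(group) >= min_hosts:
                suspects[dst] = sorted(group)
                break  # one hit per endpoint is enough to report it
    return suspects


if __name__ == "__main__":
    for dst, hosts in correlated_groups(parse_flows(SAMPLE_FLOWS)).items():
        print(f"suspected C&C endpoint {dst}: {len(hosts)} hosts in lockstep {hosts}")
```

With the sample records only the 203.0.113.5:6667 endpoint is reported: four hosts reach it within two seconds with messages of almost the same length, whereas the web server sees the same four hosts minutes apart with wildly different byte counts and never forms a group. The window, tolerance and group size are the knobs a real deployment has to tune against its own baseline traffic; the BotSniffer paper's actual statistics and thresholds are not reproduced here.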

2 of 51 comments

  1. Re:Useful but fundamentally flawed.... by TubeSteak · Score: 4, Insightful

    "For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task. Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior." That is why it won't matter if the botnet is using encrypted communications or not.

    Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.
    --
    [Fuck Beta]
    o0t!
  2. Will it stop BitTorrent? by Anonymous Coward · Score: 5, Insightful

    At the traffic level, BitTorrent looks a lot like a botnet. It has a central controller (the tracker) and makes random connections to other peers, which then trade large amounts of data.

    So would this kill BitTorrent? I've heard network security people explain how peer-to-peer technologies are a dead end because they're impossible to run on a secure network since they do look like botnets. How does this deal with that?