Slashdot Mirror
Prototype Software Sniffs Out, Disrupts Botnets
coondoggie writes "Earlier this week researchers unveiled
a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"
Just run a web server where you allow things like .. .
index.php?main=xxx
and then watch the attempts that come in for xxx, they will
all be scripts that trigger the botnets. grab the scripts
and you have the irc server, the channel, etc.
A recent one that I saw was one katana.webchat.org in channel
#msdos -- no idea if it is still running (ironic since webchat
is supposed to have a security team). I reported it, but never
heard anything back).
Here are a bunch of other ones, access to botnets, free of
charge.
http://www.forestfamily.org/garc/.php/meifase.txt
http://bialoka123.fileave.com/script9.txt
http://raptortx.googlepages.com/inc3.txt
http://snock.host.sk/spread.txt
http://bialoka123.fileave.com/script9.txt
http://members.lycos.co.uk/enviescraps/pbot.txt
http://gikowns.googlepages.com/BOTNET-GIKO.txt
http://www.ligseg.com.br/Etc/24.gif
http://76.162.170.34/Photos/pbot
http://www.hotjazz.xpg.com.br/ty.txt
Use at your own risk, and maybe, these folks will get off their rear ends and shut these things down.
At the traffic level, BitTorrent looks a lot like a bot net. It has a central controllers (the tracker) and makes random connections to other peers, which then trade large amounts of data.
So would this kill BitTorrent? I've heard network security people explain how peer-to-peer technologies are a dead end because they're impossible to run on a secure network since they do look like botnets. How does this deal with that?
The very nature of botnet activities usually requires a coordinated effort. You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic. Spam campaigns usually only work for the first few minutes before services catch on, and then that particular spam campaign is over. Unless all the bots participate reasonably simultaneously, they can't accomplish their goals as well.
1. Deny IRC traffic at your firewalls. If there is a business need for IRC then setup a IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.
2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source ip address that the bot is sending, is available out the interface that your comprimised host exists on.
3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.
4. Monitor your network. There many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/
5. Utilize update antivirus technology, hopefully one that reports to a central console. These are simple steps, that frankly most people do not use in their networks. If they would the botnet issue would be greatly minimized.
Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"