Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botnets Using Ubiquity For Security

Posted by kdawson on from the whack-a-c-and-c dept.

Trailrunner7 sends in this excerpt from Threatpost: "As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they're discovered. When an attacker at just one, or at most two, C&C servers was doling out commands to compromised machines, evading detection and keeping the command server online were vitally important. But that's all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming. It's security through ubiquity. Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. ... Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that's had little effect on the botnet's overall operation."

7 of 95 comments (clear)

  1. Some news from Australia on this by AHuxley · · Score: 3, Interesting

    http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_310317
    "The AISI collects data from various sources on computers exhibiting 'bot' behaviour on the Australian internet.
    Using this data, the ACMA provides daily reports to ISPs identifying IP addresses on their networks that have been
    reported in the previous 24-hour period.
    ISPs can then inform their customer that their computer appears to be compromised and provide advice on how they can fix it."

    The only question seems to be when will p2p be seen as a botnet, limewire ect. Will the Anti-Counterfeiting Trade Agreement (ACTA) alter 'bot' behaviour to new areas isp use and account 'fixing'?
    Will isp's get powers to pop packets to note 'bot' behaviour early on, rather than seeing their ip's reported back days later?

    --
    Domestic spying is now "Benign Information Gathering"
  2. ISP accountability by drDugan · · Score: 2, Interesting

    It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network. Yet another example of prices and business practices not matching the real costs of activities.

    To me, I would think the real solution, long term, to fixing botnets is creating a tight loop with internal scanning, reporting, warnings, verification, and then turning off Internet connection to machines that are infected. ISPs will need to be "motivated" to take responsibility for actions taken on their network, and they will have to have fully automated systems that take infected machines offline.

    It doesn't seem like this is a priority for ISPs yet. Its easier and cheaper to simply ignore the problem.

    1. Re:ISP accountability by Splab · · Score: 3, Interesting

      BS, ISPs are just lazy. Here in Denmark at least a couple of the ISPs will actively block your connection if they detect botnet-like activity from your machine. When flagged any requests will be directed to a homepage where they tell you that you probably are infected and asks you to contact support for further assitance.

    2. Re:ISP accountability by Anonymous Coward · · Score: 3, Interesting

      It's a very dangerous route to go down. If all isps did that, I'm pretty sure that botnets would start encrypting their c&c data. Then what? If you just block all data you can't understand, say good-bye to vpn, legit p2p applications, and private communications between actual people.
      Of course, if you detect that your customers are ddosing some server, that's a different story.

  3. They seem to throttle their "attacks" as well. by RobertSeattle · · Score: 5, Interesting

    My small 16 person company gets an average of 300K Directory Harvesting emails a day - everyday - day in day out. All I have to say is I appreciate the jerks running the botnets for not killing my domain with 30 Million of these a day. They throttle their crap to a certain level somehow so they are annoying but not crippling. Gee, thanks, I guess.

    1. Re:They seem to throttle their "attacks" as well. by JWSmythe · · Score: 2, Interesting

          Tie your spam filtering software into your firewall. Nothing says loving like dropping their inbound traffic. :) We only receive about 20k spams/day now (versus more than 300k before), just by having rolling blacklists based on spammy inbound traffic. You'll get a handful through, but nothing else will come in for days.

      --
      Serious? Seriousness is well above my pay grade.
  4. Efficiency by w00tsauce · · Score: 3, Interesting

    I for one think botnets are uber cool, a testament to the efficiency of the internet. Using computers that would normally sit idle to do something, even if it's detrimental is just plain cool. I also think botnets foreshadow the future of the internet, where most applications work by p2p instead of the normal client-server relationship.