Botnet Targets Web Sites With Junk SSL Connections
angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat." SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.
Re:nginx to the rescue? (Score:2, Insightful)
It sounds like some pretty old-fashioned DoS/DDoS attacks. What's so fancy about initiating multiple requests, and leaving them hanging? Folks have been tuning up their http servers to handle this for years. Why can't they tune up their https side too, other than the admins being lazy or inept?
Re:nginx to the rescue? (Score:2, Insightful)
Re:nginx to the rescue? (Score:5, Insightful)
Not really.
I've had to parse logs for similar things. Thousands of requests hit a particular exploitable web page, but only one or two IPs are sending further information. It's easy to trim down the list of candidates, and find who the real problem is.
That's what the feds do in any investigation. They have a broad list of suspects. They eliminate folks until they have their persons of interest, and then down to the guy who they'll be convicting.
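The log-triage approach the comment above describes (keep the IPs that actually send further data, drop the ones that only open and close connections), as an added Python example that is not part of the original thread or of any Pushdo analysis. The log format, its field names and the IP addresses are assumptions constructed for the example; the records stand in for whatever a TLS-terminating proxy or server logs per connection.

```python
"""Separate junk SSL connection attempts from peers that actually send data.

Added example, not code from the article or the thread. The log format is
hypothetical: one line per connection with timestamp, client IP, handshake
outcome and application bytes received after the handshake.
"""
from collections import defaultdict

# Constructed sample log (not real traffic): three clients that only open
# and drop connections, one client that completes handshakes and sends
# request data, and one client that completes a handshake but sends nothing.
SAMPLE_LOG = """\
2010-01-29T10:00:01Z 198.51.100.10 HANDSHAKE_ABORTED 0
2010-01-29T10:00:01Z 198.51.100.11 HANDSHAKE_ABORTED 0
2010-01-29T10:00:02Z 198.51.100.10 HANDSHAKE_ABORTED 0
2010-01-29T10:00:02Z 203.0.113.5 HANDSHAKE_OK 412
2010-01-29T10:00:03Z 198.51.100.12 HANDSHAKE_ABORTED 0
2010-01-29T10:00:03Z 198.51.100.10 HANDSHAKE_ABORTED 0
2010-01-29T10:00:04Z 203.0.113.5 HANDSHAKE_OK 1300
2010-01-29T10:00:05Z 198.51.100.11 HANDSHAKE_ABORTED 0
2010-01-29T10:00:05Z 192.0.2.77 HANDSHAKE_OK 0
"""


def parse_log(text):
    """Parse the hypothetical log format into a list of per-connection records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, outcome, nbytes = line.split()
        records.append({
            "ts": ts,
            "ip": ip,
            "handshake_ok": outcome == "HANDSHAKE_OK",
            "app_bytes": int(nbytes),
        })
    return records


def summarize(records):
    """Aggregate per client IP: total connections, aborted handshakes,
    and application-layer bytes received after a completed handshake."""
    summary = defaultdict(lambda: {"total": 0, "aborted": 0, "app_bytes": 0})
    for rec in records:
        stats = summary[rec["ip"]]
        stats["total"] += 1
        if not rec["handshake_ok"]:
            stats["aborted"] += 1
        stats["app_bytes"] += rec["app_bytes"]
    return dict(summary)


def classify(summary):
    """Split IPs into three buckets:
    junk         - every connection was dropped before the handshake finished
    candidates   - at least one connection carried application data
    inconclusive - handshake completed but nothing was ever sent
    """
    junk, candidates, inconclusive = [], [], []
    for ip in sorted(summary):
        stats = summary[ip]
        if stats["aborted"] == stats["total"]:
            junk.append(ip)
        elif stats["app_bytes"] > 0:
            candidates.append(ip)
        else:
            inconclusive.append(ip)
    return {"junk": junk, "candidates": candidates, "inconclusive": inconclusive}


if __name__ == "__main__":
    result = classify(summarize(parse_log(SAMPLE_LOG)))
    for bucket, ips in result.items():
        print(f"{bucket}: {', '.join(ips) or '-'}")
```

The filter only tells you which peers exchanged data; it says nothing about whether the pattern of connect-and-drop events is itself carrying a signal, so the "junk" bucket is a list of hosts to deprioritise, not to ignore.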
Re:From TFA (Score:4, Insightful)
Re:How to stop bot nets (Score:5, Insightful)
is that because the antivirus program makes the computer crawl to a halt so the bot program has no CPU resources left to run?
ftfy (Score:1, Insightful)
Not really.
I've had to parse logs for similar things. Thousands of requests hit a particular exploitable web page, but only one or two IPs are sending further information. It's easy to trim down the list of candidates, and find who the real problem is.
That's what the feds do in any investigation. They have a broad list of suspects. They eliminate folks until they have their persons of interest, and then down to the guy who they'll be charging.
Re:From TFA (Score:2, Insightful)
Dude, like maybe it doesn't NEED to send anything.
Maybe like, the connections themselves ARE the data.
Whoooaaa.
Re:From TFA (Score:3, Insightful)
Moral standards? What are those? God, I hate obscure standards!!
Oh, wait - didn't Microsoft Embrace, Extend, and Extinguish moral standards years back? It's hard to remember . . .
Re:time for a bayesian protocol filter? (Score:2, Insightful)