
Botnets Using Ubiquity For Security

Trailrunner7 sends in this excerpt from Threatpost: "As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they're discovered. When an attacker at just one, or at most two, C&C servers was doling out commands to compromised machines, evading detection and keeping the command server online were vitally important. But that's all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming. It's security through ubiquity. Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. ... Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that's had little effect on the botnet's overall operation."
  • by AHuxley ( 892839 ) on Monday June 07, 2010 @11:46PM (#32492198) Journal
    http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_310317 [acma.gov.au]
    "The AISI collects data from various sources on computers exhibiting 'bot' behaviour on the Australian internet.
    Using this data, the ACMA provides daily reports to ISPs identifying IP addresses on their networks that have been
    reported in the previous 24-hour period.
    ISPs can then inform their customer that their computer appears to be compromised and provide advice on how they can fix it."

    The only question seems to be when will p2p be seen as a botnet, LimeWire etc. Will the Anti-Counterfeiting Trade Agreement (ACTA) alter 'bot' behaviour to new areas ISP use and account 'fixing'?
    Will ISPs get powers to pop packets to note 'bot' behaviour early on, rather than seeing their IPs reported back days later?
  • ISP accountability (Score:3, Interesting)

    by drDugan ( 219551 ) * on Monday June 07, 2010 @11:55PM (#32492226) Homepage

    It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network. Yet another example of prices and business practices not matching the real costs of activities.

    To me, I would think the real solution, long term, to fixing botnets is creating a tight loop with internal scanning, reporting, warnings, verification, and then turning off Internet connection to machines that are infected. ISPs will need to be "motivated" to take responsibility for actions taken on their network, and they will have to have fully automated systems that take infected machines offline.

    It doesn't seem like this is a priority for ISPs yet. It's easier and cheaper to simply ignore the problem.

  • by RobertSeattle ( 1345313 ) on Monday June 07, 2010 @11:55PM (#32492234)
    My small 16-person company gets an average of 300K Directory Harvesting emails a day - every day - day in day out. All I have to say is I appreciate the jerks running the botnets for not killing my domain with 30 Million of these a day. They throttle their crap to a certain level somehow so they are annoying but not crippling. Gee, thanks, I guess.
  • by Splab ( 574204 ) on Tuesday June 08, 2010 @12:21AM (#32492370)

    BS, ISPs are just lazy. Here in Denmark at least a couple of the ISPs will actively block your connection if they detect botnet-like activity from your machine. When flagged, any requests will be directed to a homepage where they tell you that you probably are infected and ask you to contact support for further assistance.

  • Efficiency (Score:3, Interesting)

    by w00tsauce ( 1482311 ) on Tuesday June 08, 2010 @12:26AM (#32492388)
    I for one think botnets are uber cool, a testament to the efficiency of the internet. Using computers that would normally sit idle to do something, even if it's detrimental is just plain cool. I also think botnets foreshadow the future of the internet, where most applications work by p2p instead of the normal client-server relationship.
  • by Anonymous Coward on Tuesday June 08, 2010 @12:34AM (#32492424)

    It's a very dangerous route to go down. If all isps did that, I'm pretty sure that botnets would start encrypting their c&c data. Then what? If you just block all data you can't understand, say good-bye to vpn, legit p2p applications, and private communications between actual people.
    Of course, if you detect that your customers are ddosing some server, that's a different story.

  • Tie your spam filtering software into your firewall. Nothing says loving like dropping their inbound traffic. :) We only receive about 20k spams/day now (versus more than 300k before), just by having rolling blacklists based on spammy inbound traffic. You'll get a handful through, but nothing else will come in for days.
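
The rolling blacklist described in the last comment, sketched as an added example that is not part of the original discussion or the commenter's own setup: spam-filter verdicts feed a per-source sliding window, and sources over the threshold are blocked until a TTL expires. The log format, thresholds, allowlist and all names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample verdicts from a spam filter: "<epoch-seconds> <source-ip> <SPAM|HAM>"
SAMPLE_LOG = """\
1000 203.0.113.7 SPAM
1010 203.0.113.7 SPAM
1020 198.51.100.4 HAM
1030 203.0.113.7 SPAM
1040 192.0.2.10 SPAM
1050 192.0.2.10 SPAM
1060 192.0.2.10 SPAM
1070 not-an-ip SPAM
"""

class RollingBlocklist:
    """Block a source after `threshold` spam verdicts inside `window` seconds;
    each block expires after `ttl` seconds unless the source offends again."""

    def __init__(self, threshold=3, window=300, ttl=86400, allow=()):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.allow = [ip_network(n) for n in allow]  # never block these (own relays, partners)
        self.hits = defaultdict(deque)               # ip -> timestamps of recent spam
        self.blocked = {}                            # ip -> expiry time

    def observe(self, ts, ip, verdict):
        addr = ip_address(ip)                        # raises ValueError on junk
        if verdict != "SPAM" or any(addr in net for net in self.allow):
            return
        recent = self.hits[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[ip] = ts + self.ttl         # repeat offenders renew their TTL

    def active(self, now):
        """Drop expired entries and return the addresses to drop at the firewall."""
        self.blocked = {ip: exp for ip, exp in self.blocked.items() if exp > now}
        return sorted(self.blocked)

def build_blocklist(log, now, **options):
    blocklist = RollingBlocklist(**options)
    for line in log.splitlines():
        try:
            ts, ip, verdict = line.split()
            blocklist.observe(int(ts), ip, verdict)
        except ValueError:                           # malformed line: skip, do not block
            continue
    return blocklist.active(now)
```

How the returned addresses reach the firewall is site-specific; the allowlist matters because a single forwarding relay can carry spam from many origins.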
