[AusNOG] NBN must avoid becoming 'failed state'

Terry Manderson terry at terrym.net
Tue Sep 21 21:35:16 EST 2010


Vitaly,

On 21/09/2010, at 5:28 PM, Vitaly Osipov wrote:

> IMHO if you ask a non-techie person whether they seriously care about
> their computer becoming a part of the botnet, they are not too
> concerned if their data does not get stolen. Your measures do not

I think this statement is premature in regard to assessing the concern of the owner of any compromised machine and probably needs a backfill of information. More often than not I hear of far too many occurrences of IT professionals describing such compromises in a flippant or nonchalant fashion that results in a downgrade of any care level by the victim. It also assumes that a machine was under enough analysis before, during, and after a compromise to be able to tell if personal data is stolen or not. But I'll leave you your right to have an opinion. :-)

> quite prevent a computer from becoming part of a botnet, although they
> may help decrease the chance somewhat by filtering TCP traffic from
> *known* CCs. And they will help with tracking things as well.
> 
> Then again, this setup will lead to another round of "flux" - e.g. CCs
> will start sending cryptosigned commands from spoofed IPs (overseas,
> outside your antispoofing control) over UDP telling the zombies to
> submit their info to a temporary IP or a set of IPs etc. Or bounce the
> data between zombies several times before finally sending it out. And
> so on. The data will still be stolen, because you will never be able
> to disconnect the new bots quickly enough. So, the only issue you can
> solve in reality is DDoS.


I won't go into the details of how some bots already interact with their C&C with the use of fast flux domains and other 'cool' crypto things, but I will say that through awareness of local network traffic an operator can get enough of a picture (using heuristics, hashes, etc.) to place a bot in a walled garden automatically, thus saving the user from losing more data than they may have already and taking yet another bot out of a bot herder's collective or, better, providing a clue to the bot herder's modus operandi. There are a number of ISPs/ASPs around the world that employ such efforts and from what I hear their customers love them for it. Okay, so 'love' might be a bit of an overstatement, but the respect is there.

Cheers
Terry
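The walled-garden triage Terry describes, as an added example that is not part of the original post and not any ISP's tooling: a small Python script over constructed per-subscriber flow records that (a) matches destinations against a hypothetical known-C&C list, the TCP-filtering case Vitaly raises, and (b) applies a timing heuristic that flags a host checking in at a near-constant interval to any address, on any protocol, which is the kind of local-traffic picture that does not depend on a list. All addresses are RFC 5737 documentation ranges; the flow records, the C&C list, the `SAMPLE_FLOWS`/`KNOWN_CC` names and the quarantine output are all constructed for the example.

```python
"""Walled-garden triage over per-subscriber flow records.

Added illustration for the thread above; not code from the original post or
from any ISP. Flow records, the known-C&C list and the quarantine output are
constructed (RFC 5737 documentation addresses) for the example.
"""
from collections import defaultdict
import statistics

# Constructed flow records: (time_seconds, src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    # 192.0.2.10: check-in to the same TCP endpoint roughly every 60 s
    (0,   "192.0.2.10", "198.51.100.5", 443, "tcp"),
    (59,  "192.0.2.10", "198.51.100.5", 443, "tcp"),
    (120, "192.0.2.10", "198.51.100.5", 443, "tcp"),
    (180, "192.0.2.10", "198.51.100.5", 443, "tcp"),
    (240, "192.0.2.10", "198.51.100.5", 443, "tcp"),
    # 192.0.2.11: a single connection to an address on the known-C&C list
    (30,  "192.0.2.11", "203.0.113.7", 8080, "tcp"),
    # 192.0.2.12: ordinary irregular browsing to one site; must not be flagged
    (0,   "192.0.2.12", "198.51.100.20", 443, "tcp"),
    (7,   "192.0.2.12", "198.51.100.20", 443, "tcp"),
    (90,  "192.0.2.12", "198.51.100.20", 443, "tcp"),
    (95,  "192.0.2.12", "198.51.100.20", 443, "tcp"),
    (300, "192.0.2.12", "198.51.100.20", 443, "tcp"),
    # 192.0.2.13: UDP beacon to an address on no list, every 300 s
    (10,  "192.0.2.13", "198.51.100.9", 4444, "udp"),
    (310, "192.0.2.13", "198.51.100.9", 4444, "udp"),
    (610, "192.0.2.13", "198.51.100.9", 4444, "udp"),
    (910, "192.0.2.13", "198.51.100.9", 4444, "udp"),
]

# Hypothetical known-C&C list (in practice a feed of addresses, domains, hashes)
KNOWN_CC = {"203.0.113.7"}


def beaconing_destinations(flows, min_hits=4, max_jitter=0.15):
    """Find (src -> dst:port) pairs contacted at a near-constant interval.

    Regularity is the coefficient of variation of the gaps between successive
    contacts (population std dev / mean gap); a low CV means a beacon.
    The protocol is deliberately ignored so a UDP check-in is caught as well.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _proto in flows:
        by_pair[(src, dst, port)].append(ts)

    findings = defaultdict(list)
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_jitter:
            findings[src].append((dst, port, mean_gap))
    return dict(findings)


def triage(flows, known_cc):
    """Return {src_ip: [reasons]} for hosts that should go in the walled garden."""
    reasons = defaultdict(set)
    # Signal 1: any contact with an address on the known-C&C list
    for _ts, src, dst, port, proto in flows:
        if dst in known_cc:
            reasons[src].add(f"known C&C {dst}:{port}/{proto}")
    # Signal 2: regular beaconing to any destination, listed or not
    for src, beacons in beaconing_destinations(flows).items():
        for dst, port, period in beacons:
            reasons[src].add(f"beacon to {dst}:{port} every ~{period:.0f}s")
    return {src: sorted(r) for src, r in reasons.items()}


def walled_garden_actions(decisions):
    """Render decisions as quarantine lines. Hypothetical output format; a real
    deployment would push these to the BNG/RADIUS policy layer instead."""
    return [f"quarantine {src}: " + "; ".join(why)
            for src, why in sorted(decisions.items())]


if __name__ == "__main__":
    for line in walled_garden_actions(triage(SAMPLE_FLOWS, KNOWN_CC)):
        print(line)
```

Run as-is it quarantines 192.0.2.10, 192.0.2.11 and 192.0.2.13 and leaves the irregular browser 192.0.2.12 alone. The timing heuristic is what survives the "spoofed UDP from overseas" move in the quoted reply: it keys on the subscriber's own outbound regularity, not on where the commands came from. It also fires on legitimate periodic traffic (NTP, update checks), so `min_hits`, `max_jitter` and an allowlist of known-good endpoints need tuning per network before the action is anything stronger than a ticket.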
