[funsec] 'Fast-Flux' Foils Botnet Takedowns
fergdawg at netzero.net
Mon Jul 9 18:29:59 CDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
I'm very happy to see this issue getting more attention...

Network security analyst Lawrence Baldwin has helped take down his share of
bot nets, but he worries that those days may largely be over.

Traditional bot nets have used Internet relay chat (IRC) servers to control
each of the compromised PCs, or bots, but the central IRC server is also a
weakness, giving defenders a single server to target and take down. An
increasingly popular technique, known as fast-flux domain name service
(DNS), allows bot nets to use a multitude of servers to hide a key host or
to create a highly-available control network. The result: No single point
of weakness on which defenders can focus their efforts.

Last month, two significant online threats -- the Storm Worm and a recent
MySpace Web virus -- became the latest malicious programs to incorporate
fast-flux hosting into their infrastructure. A recent Storm Worm infection,
for example, connected to a bot net that had more than 2,000 redundant
hosts spread amongst 384 providers in more than 50 countries, said analyst
Baldwin, who is the chief forensics officer for myNetWatchman.com.

- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
-----END PGP SIGNATURE-----
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
ferg's tech blog: http://fergdawg.blogspot.com/
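The article above describes the defender's problem: a fast-flux name resolves to a constantly changing set of hosts spread across many providers, so there is no single server to take down. The same property is what lets a resolver-side monitor spot such names. The script below is an added example (not from the post, the quoted article, or myNetWatchman) of a simple fast-flux heuristic: repeated lookups of one name are aggregated, and a name is flagged when its answers span many distinct IPs in many distinct networks with short TTLs. The thresholds, the sample hostnames, the IP addresses (RFC 5737 documentation ranges) and the ASNs are all constructed for illustration; the per-IP ASN is assumed to come from a separate IP-to-ASN lookup that is not shown.

```python
"""Fast-flux heuristic over repeated DNS lookups (constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DnsObservation:
    """One resolution of a hostname: the A records returned, their TTL, and each IP's ASN.

    The ASN per IP is assumed to come from a separate IP-to-ASN lookup (not shown here).
    """
    name: str
    ttl: int
    ip_to_asn: Dict[str, int]


# Illustrative thresholds (assumptions for this example, not values from the post).
# A name whose successive answers span many distinct IPs across many distinct
# networks, with short TTLs, looks like a fast-flux control network; a CDN also
# rotates IPs with short TTLs but usually stays within one or two networks.
MIN_UNIQUE_IPS = 5
MIN_UNIQUE_ASNS = 3
MAX_TTL_SECONDS = 300


def summarize(observations: List[DnsObservation]) -> Dict[str, int]:
    """Aggregate repeated lookups of one name into the features the heuristic uses."""
    ips: Set[str] = set()
    asns: Set[int] = set()
    for o in observations:
        ips.update(o.ip_to_asn)            # every IP ever returned for the name
        asns.update(o.ip_to_asn.values())  # every network those IPs belong to
    return {
        "unique_ips": len(ips),
        "unique_asns": len(asns),
        "min_ttl": min(o.ttl for o in observations),
        "lookups": len(observations),
    }


def looks_fast_flux(observations: List[DnsObservation]) -> bool:
    """True when all three indicators (IP spread, network spread, low TTL) are present."""
    s = summarize(observations)
    return (s["unique_ips"] >= MIN_UNIQUE_IPS
            and s["unique_asns"] >= MIN_UNIQUE_ASNS
            and s["min_ttl"] <= MAX_TTL_SECONDS)


def classify(dataset: Dict[str, List[DnsObservation]]) -> Dict[str, bool]:
    """Apply the heuristic to every name in a dataset of repeated lookups."""
    return {name: looks_fast_flux(obs) for name, obs in dataset.items()}


# Constructed sample data: documentation-range addresses and arbitrary example ASNs,
# so nothing here refers to a real host or network.
SAMPLE: Dict[str, List[DnsObservation]] = {
    # Answers change on every lookup and land in different networks: flux-like.
    "flux.example": [
        DnsObservation("flux.example", 180, {"192.0.2.10": 64500, "198.51.100.7": 64501, "203.0.113.9": 64502}),
        DnsObservation("flux.example", 180, {"192.0.2.44": 64503, "198.51.100.80": 64504, "203.0.113.9": 64502}),
        DnsObservation("flux.example", 120, {"192.0.2.91": 64505, "198.51.100.7": 64501, "203.0.113.200": 64506}),
    ],
    # Short TTL and several IPs, but all in one network: typical of a CDN, not flux.
    "cdn.example": [
        DnsObservation("cdn.example", 60, {"192.0.2.1": 64510, "192.0.2.2": 64510, "192.0.2.3": 64510}),
        DnsObservation("cdn.example", 60, {"192.0.2.4": 64510, "192.0.2.5": 64510, "192.0.2.6": 64510}),
    ],
    # One stable address with a long TTL.
    "static.example": [
        DnsObservation("static.example", 86400, {"203.0.113.50": 64520}),
        DnsObservation("static.example", 86400, {"203.0.113.50": 64520}),
    ],
}

if __name__ == "__main__":
    for name, obs in SAMPLE.items():
        verdict = "fast-flux" if looks_fast_flux(obs) else "normal"
        print(f"{name}: {summarize(obs)} -> {verdict}")
```

The ASN-diversity check is what keeps a content delivery network from being flagged: CDNs also hand out short-TTL, rotating answers, but their addresses sit in a small number of networks, whereas the flux network in the article spans hundreds of providers. In practice the observations would be fed from passive DNS logs or a recursive resolver's query log, and the thresholds tuned against known-good traffic before alerting on them.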