[funsec] The Criminal Underground: A Walk on the Dark Side
dudevanwinkle at gmail.com
Wed Sep 5 15:52:56 CDT 2007
On 9/5/07, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> On Wed, 05 Sep 2007 08:34:59 EDT, Dude VanWinkle said:
> > If we have a way to detect them, we should be able to tell when they
> > get a new lease on life, or ipv4.
> 220.127.116.11 at Aug 17 01:19:39 UTC-0400. Still same IP, or no? Note that
> this is a *serious* question - it can take 2 weeks for a hacked box to get a
> new IP, and the *new* owner of that IP then gets mystified why nothing works.
> 18.104.22.168 at Sep 3 15:59:28. Still same IP, or no?
> 22.214.171.124 at Sep 4 14:59:26. Is that the same IP still, or no?
> Let me know if I should blacklist those 3. Then we'll only have 139,999,997
> to go.
So you are saying that this 7-10 million number for the botnet was
generated by hand? What ever happened to looking at the C&C for
incoming connections and ngrepping out the IP's ? If we have a way to
determine that these bots are controlled by X bad guys, I assumed
there was a detection method. I could be wrong and these guys just
pulled a number out of there @$$ (maybe they went to the Gartner
School of Statistics), and please correct me if I am.
Is there no programmatic way to use the detection methods in place to
generate a list of currently controlled bots? If we have a detection
method we should be able to generate a living botlist from packets
sent out that day.
I can take other arguments as a reason not to do this like:
Maybe we would be showing our detection methods to the bot herders (am
I on the list? yes? what if I do this: am I still on the list?, no?
then I beat their detection methods, etc)
(this can be semi-vetted by only allowing trusted sources access to the list)
> > So, according to your theory, we can only blacklist people if we know
> > everyone who is compromised, else its completely useless? I disagree.
> No, I'm saying that it's almost completely useless, because you can't make
> enough blacklist entries for it to *matter*.
If I only blocked Robert Soloway's botnet (20-40k at most IIRC) I
would have stopped a major portion of spam from even hitting my spam
filters (and some from making it through). Thats a paltry percentage
of the total bots, but a major portion of spam.
Same thing goes for Pharmamasters 10k botnet.. (even if rented)
> How much time and effort are
> you willing to put in to maintaining this blacklist, and how do you intend
> to keep it up to date?
I will report all the activity that is definitely botnet-related on my
subnets up to a central server that can host the list. Should take a
few hours/days to set up..
> Remember - each time a legitimate visitor doesn't
> get to your website because of a false positive, it's at *least* a bad PR
> event for you, probably a lost customer, and possibly the cost of a tech
> support call to find out they're a FP (and note that if you're using a
> 3rd-party blacklist, the fun and games of getting them unlisted can be
> a problem too).
Well what if the list was generated daily from the traffic generated
by botnets (snort sig, irc to the c&c servers, etc.). You dont want to
blacklist someone, and then have the consumer spend a few hundred
dollars to get their computer cleaned, and then have them still
blocked. That would just be a static list that would be out of date by
the time you printed it. While that was OK during the early years of
the fight, we have evolved beyond that kind of thinking today (one
> As I said - there's only 2 *sane* ways to approach it anymore:
> 1) Only allow whitelisted systems - we have a *lot* of boxes that we only
> allow access to AS1312 systems, or specific subnets thereof. Works great, and
> the subnets move a lot less than botted systems.
and if the whitelisted subnets get hacked? Whats your plan then?
impossible you say ;-)
> 2) Harden your systems against all comers - the broken idea of a blacklist is
> that even if you manage to properly list 25% of the boxes, you're now doing
> twice the work:
> 2a) You're maintaining a 20M to 30M entry blacklist, and keeping it up to date.
Yes, I do it by hand with an abacus and an etch-a-sketch, watch out
V!.., dont bump me!!... damn, now I have to start all over..
> 2b) You're *still* having to defend against the *OTHER* 75%.
> Would you even *consider* buying a security system for your house, if you knew
> *beforehand* that it would (a) only stop 25% of the burglars, (b) you had to
> spend 15 to 20 minutes *every* day fixing it, and (c) 20% of the time, it would
> randomly refuse to let invited guests in?
I would buy that, just for kicks.. and BTW/FYI an alarm system will
only keep out dumb burglars (I.e.: the hamburglar).
> > Security is gained by throwing everything you have at the opposing
> > team, not waiting around for a perfect solution to present itself,
> I'm not looking for a perfect solution. I'm looking for one that has a
> decent return on the time/resources invested.
So what about his then: a rating system, like we have with spam for
bad computers. Like you said earlier, you dont want to block a
legitimate customer. I will take it a step further and say that even
an infected machine has a real user browsing the internet every once
and a while (just like how even a broken clock is right twice a day
;-) and if you blocked every bot, then you would lose ~25% of your
Instead have a rating for the type of communication that is going on.
Arp flood? add 5 points. google query for butterflies? minus 5 points.
I am of course joking, but maybe the idea has some merit..
-JP<who is heading home for the day>
More information about the funsec