[Dshield] how to take down a 'bot-net' ?

Johannes Ullrich jullrich at euclidian.com
Fri Oct 4 15:42:02 GMT 2002

Over the last couple days, I spent quite a bit of time trying to
disassemble a 'bot net' created by the latest 'Slapper' incarnation.

A 'bot-net' is a network of computers that are infected with a special
program that connects to an IRC channel and waits for instructions.
Usually, these botnets are used to launch DDOS attacks. For example,
the owner of such a network can instruct all machines connected to it
to flood a certain target.

The problem of disassembling these networks comes up quite frequently,
and I have mixed results so far. That's why I would like to get some
opinions on how to improve this. So far, the methods I am using are:

- notify owners of infected machines... mixed results here. It works
  great in some cases, not at all in others (depends on what machines
  are connected).
- notify IRC operators... usually useless as they are the ones running
  the botnet.
- notify the owner of the IRC server. Sometimes works great, sometimes
  not at all. It usually depends on whether they know what a 'botnet' is all about.
- issue a 'kill' command... haven't done that so far. Basically, these
  bots are pretty much standardized. So in some cases, you could send
  an 'uninstall' command. But that has legal issues...
- notify authorities: Which authorities?

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
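The first step in the "notify owners of infected machines" approach is knowing which machines are infected. Since the post describes bots as hosts that all connect to the same IRC server and channel, one defender-side check is to look for many internal hosts converging on one external IRC server. The script below is an added example, not code from the post or from DShield; it parses constructed connection-log lines in a made-up `timestamp src -> dst:port` format (a real firewall or netflow export would need its own parser), and the list of IRC ports and the `min_clients` threshold are assumptions for the example.

```python
"""Flag hosts that look like members of an IRC-controlled botnet.

Added example, not part of the original post. Input is a constructed list
of connection-log lines in the form
    "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
Real logs (firewall, netflow, proxy) would need their own parser.
"""
from collections import defaultdict
import re

# Ports commonly used by IRC servers (assumed list chosen for this example).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}

# Constructed sample: five internal hosts talk to the same IRC server,
# one host uses a different IRC server on its own, the rest is web traffic.
SAMPLE_LOG = """\
2002-10-04T15:01:02 10.0.0.11 -> 203.0.113.5:6667
2002-10-04T15:01:05 10.0.0.12 -> 203.0.113.5:6667
2002-10-04T15:01:09 10.0.0.13 -> 203.0.113.5:6667
2002-10-04T15:02:00 10.0.0.14 -> 203.0.113.5:6667
2002-10-04T15:02:30 10.0.0.15 -> 203.0.113.5:6667
2002-10-04T15:03:00 10.0.0.11 -> 203.0.113.5:6667
2002-10-04T15:03:10 10.0.0.20 -> 198.51.100.9:6667
2002-10-04T15:03:11 10.0.0.21 -> 192.0.2.80:80
2002-10-04T15:03:12 10.0.0.22 -> 192.0.2.80:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_connections(text):
    """Yield (src, dst, port) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.group("src"), m.group("dst"), int(m.group("port"))


def irc_servers_by_clients(text):
    """Map each IRC server address to the set of internal clients that reached it."""
    clients = defaultdict(set)
    for src, dst, port in parse_connections(text):
        if port in IRC_PORTS:
            clients[dst].add(src)
    return clients


def suspected_botnets(text, min_clients=3):
    """Return {server: sorted client list} for servers reached by >= min_clients hosts.

    One host on IRC is normal; many hosts converging on a single server is the
    pattern the post describes, and the resulting client list is exactly the set
    of machines whose owners would need to be notified.
    """
    return {
        server: sorted(hosts)
        for server, hosts in irc_servers_by_clients(text).items()
        if len(hosts) >= min_clients
    }


if __name__ == "__main__":
    for server, hosts in suspected_botnets(SAMPLE_LOG).items():
        print(f"{server}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

Running it against the constructed sample reports only 203.0.113.5 with five clients; the single host talking to 198.51.100.9 stays below the threshold, which is the point of grouping by server rather than alerting on every IRC connection.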
