[Dshield] how to take down a 'bot-net' ?

Bob Savage bsavage at rnr-inc.com
Fri Oct 4 16:11:39 GMT 2002

How geographically widespread is the typical 'bot-net'?  From your notes
I gather they can be world wide.

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at euclidian.com]
Sent: Friday, October 04, 2002 10:42 AM
To: list at dshield.org
Subject: [Dshield] how to take down a 'bot-net' ?

Over the last couple days, I spent quite a bit of time trying to
disassemble a 'bot net' created by the latest 'Slapper' incarnation.

A 'bot-net' is a network of computers that are infected with a special
program that connects to an IRC channel and waits for instructions.
Usually, these botnets are used to launch DDOS attacks. For example,
the owner of such a network can instruct all machines connected to it
to flood a certain target.

The problem of disassembling these networks comes up quite frequently,
and I have mixed results so far. That's why I would like to get some
opinions on how to improve this. So far, the methods I am using are:

- notify owners of infected machines... mixed results here. It works
  great in some cases, not at all in others (depends on what machines
  are connected).
- notify IRC operators... usually useless as they are the ones running
  the botnet.
- notify the owner of the IRC server. Sometimes works great, sometimes
  not at all. Depends usually if they know what a 'botnet' is all about.
- issue a 'kill' command... haven't done that so far. Basically, these
  bots are pretty much standardized. So in some cases, you could send
  an 'uninstall' command. But that has legal issues...
- notify authorities: Which authorities?

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
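One way to find the infected hosts that need to be notified (the first method in the quoted message) from plain connection logs, as an added example that is not part of this thread; the log format, the addresses, the IRC port list and the thresholds are all constructed assumptions:

```python
# Added example (not from the Dshield thread): given firewall/netflow-style
# connection records, find IRC servers that many distinct hosts rendezvous at,
# and list the hosts per server so their owners can be notified.
# Log format, addresses, port list and thresholds are constructed.
import re
from collections import defaultdict
from ipaddress import ip_address

IRC_PORTS = {6667, 6668, 6669, 7000}  # assumed common IRC ports

# Constructed sample records: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2002-10-04T10:01:02 192.0.2.10:1034 -> 203.0.113.5:6667
2002-10-04T10:01:05 198.51.100.7:4412 -> 203.0.113.5:6667
2002-10-04T10:01:09 192.0.2.44:1100 -> 203.0.113.5:6667
2002-10-04T10:02:11 192.0.2.10:1035 -> 203.0.113.5:6667
2002-10-04T10:02:30 198.51.100.99:2201 -> 203.0.113.5:7000
2002-10-04T10:03:00 192.0.2.77:3321 -> 203.0.113.9:6667
2002-10-04T10:03:10 192.0.2.78:3322 -> 198.51.100.200:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_irc_connections(log_text):
    """Return {dst_ip: set(src_ip)} for records whose destination port is IRC."""
    members = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than abort the whole run
        _ts, src, _sport, dst, dport = m.groups()
        if int(dport) in IRC_PORTS:
            members[dst].add(src)
    return members


def likely_botnet_servers(members, min_hosts=3):
    """Flag IRC servers contacted by at least min_hosts distinct source hosts."""
    return {dst: sorted(srcs, key=ip_address)
            for dst, srcs in members.items() if len(srcs) >= min_hosts}


def spread(src_ips):
    """Crude spread proxy: number of distinct /16 prefixes among the hosts."""
    return len({ip_address(ip).packed[:2] for ip in src_ips})


if __name__ == "__main__":
    for server, hosts in likely_botnet_servers(parse_irc_connections(SAMPLE_LOG)).items():
        print(server, len(hosts), "hosts across", spread(hosts), "/16 prefixes:", hosts)
```

A single host with a few IRC connections is normal; it is the fan-in of many unrelated hosts to one server (here, the 203.0.113.5 entry) that marks a rendezvous point worth reporting to the server's owner.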
