[Dshield] Tracking Botnets
peteoutside at yahoo.com
Mon Nov 21 17:26:43 GMT 2005
David Cary Hart <DShield at tqmcube.com> wrote: Every smtp relay attempt I see comes in what looks like a cluster.
Here's an example:
It is reasonable to assume that these five different clients/machines
are under (remote) common control? Does this, in turn, suggest a
strategy for dismantling these nets?
I would say yes to both questions.
I think that various analytic techniques (clustering, association rules, assorted statistical tests) can give you a good idea of how likely a set of suspected bots are to be running the same bot and/or to be under common control. Armed with that, an ISP could perform a nodal analysis and shut down the control channels. For example, if you have 10 boxes you suspect to be on a botnet, and they all communicate with an 11th host, then that host could be a controlling server or somesuch.
Of course there are ways around this--many bots communicate in p2p fashion or through side channels or alternate data streams. However, this makes the bots much less responsive and reliable. If your analysis is good enough and quick enough, you won't stop boxes from being compromised, nor stop people from setting up botnets, but you will make it very difficult to do so, shorten the network's lifespan (time to discovery and cleanup), and limit the utility of 0wning a bunch of boxes in the first place.
'Course, I could be wrong, but I think it's worth a shot.
Yahoo! FareChase - Search multiple travel sites in one click.
More information about the list