[Dshield] Dalnet being uses as a C&C server

Tomas L. Byrnes tomb at byrneit.net
Thu Jun 21 03:10:26 GMT 2007


What we were talking about was instigating an investigation to see if
this particular host was, in fact, a C&C server. If it was, then the
determination might have been made that it should, temporarily, be
blocked, using a dynamic feed controlled by the handlers, until the
Responsible Party responded. This would have been at the full discretion
of, and based on the proper incident handling triage used by, the
Internet Storm Center handlers. 

That didn't happen, because the DALNET RPs handled it. 

My admonition to the original poster was, repeatedly, to use the handler
notification form, instead of posting here, so that the proper handling
could have been started. If anyone chose to block solely based on the
posts to this list, then they are a ripe target for socially engineered
denial of service. 

The ThreatSTOP feeds, unlike traditional blacklists, are dynamic, and
based entirely on real-time bad actor sensor nets: DShield and TQM.
Except for the ISC handler emergency block, which is usually not active,
and when activated (as it was for the MPACK seed host on Monday) is
usually only one host, and expires after 48 hours, unless explicitly
renewed by the Storm Center Handler On Duty, Johannes, or Marc. 

In short, no-one was talking about blacklisting DALNET. If any
blacklisting was going to occur, it would have been of one host on
DALNET, after full and proper incident response by the ISC handlers, and
it would have been very short lived. 

At least for ThreatSTOP subscribers, that blacklisting, and the removal,
would have been automatic.

As far as choice: our users are made completely aware of the sources of
our threat feeds, and our feeds are very limited in scope, and dynamic.
If a host is on the DShield top 10, Dshield block list, TQM Cube top 10,
TQM Dirty Dozen, or is subject to an explicit block based on emergency
escalation by the ISC, odds are, the vast majority of the Internet is
better off not connecting to, or accepting connections from, them at the
moment.

Unlike a traditional RBL, it's really easy to get off any of those
lists: stop connecting to closed ports, non-existent e-mail addresses,
or engaging in enough nefarious activity that the Handlers notice, and
your RP doesn't respond.

Tom Byrnes
CTO
DISS, Inc./threatSTOP
VOX 760.798.9517
PCS 760.402.3999
Text Message: 7604023999 at messaging.sprintpcs.com
e-mail: tomb at threatstop.com
IM: MSN Messenger tomb at byrneit.net
      Skype: zwithapggb
 


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of ge at linuxbox.org
> Sent: Wednesday, June 20, 2007 6:08 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Dalnet being uses as a C&C server
> 
> On 2007-06-20 11:04-0700, Dalvenjah FoxFire wrote:
> >Hello,
> >
> >I'd just like to chime in on this thread. I want to point out that 
> >DALnet first received notice of this issue at abuse at dal.net 
> at 4:45PM 
> >PDT; the channel involved was blocked from use at 10:05PM 
> PDT. That's 
> >what I would consider an excellent 5 hour response time; it also 
> >appears from this thread that confirmation was received that 
> action was 
> >taken at around the same time.
> >
> >The apparent continuing discussion of "well I don't know if I trust 
> >that, let's pursue blocking DALnet" troubles me. As someone 
> who has for 
> >upwards
> 
> I am unsure when this came up, as I didn't read the whole 
> thread, but maybe we need an history lesson here.
> 
> Botnets came originally from IRC, and therefore used public 
> IRC networks. Nowadays they mostly use private IRC servers if 
> not other protocols all-together, but some still use the old 
> networks.. and it is quite a burden on these networks.
> 
> There are hundreds if not thousands of "legacy botnets" still 
> connecting to servers for years, as well as new ones. There 
> is no real power for IRC operators to deal with this, and it 
> is quite a menace for them (in the networks where they 
> actually notice it).
> 
> Blocking a legitimate public server for the DALnet network is 
> lack of clue on our part, and should not be done. In fact, I 
> should stress that it was on DALnet itself where much of what 
> today we call botnet hunting originated, and I am talking 
> about 1996-7, not 2004. Some of us who were on these networks 
> back then, fighting these things, are still around.. but we 
> are mostly gone.
> 
> So, let's just stop talking about blocking IRC networks, and 
> please white-list them if you have a C&C blacklist, unless it 
> is for your own organization alone where it is your choice alone.
> 
> Thanks,
> 
> 	Gadi.
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 
> courses, SANS top instructors, and a great tools and 
> solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
> 



More information about the list mailing list