mitigating botnet C&Cs has become useless

The few hundred *new* IRC-based C&Cs a month (and change), have been
around and static (somewhat) for a while now. At a steady rate of change which
maintains the status quo, plus a bit of new blood.

In this post I ask the community about what you see, against what we have
observed, and try and test my conclusions and numbers against your

The subject line "why mitigating botnet C&Cs has become useless" is
misleading. It has been useless for a long time, but someone
had to hold back the tide, which several online mitigation communities
have been doing.

Today it has become (close to) completely useless. I will present the case
on why that is in my opinion, in a few bullets, and we can discuss what
alternatives we have, or if perhaps I am misreading what's going on.

*. When a botnet C&C is mitigated, it is immediately re-created on
another host on the same ISP or another.
*. Most botnet C&Cs are a part of a larger group, such as an IRC network
or another, possibly hidden "behind the scenes" network. lusers are being
redirected on the spot or reconnect to another host.
*. Most botnet C&Cs are a compartmentalized group out of the whole,
possibly a sub-group several tiers down. Much like a terrorism cell.
*. If the above measures and features fail, most botnets have a secondary
control channel with which an immense host can be re-directed. This has
been seen back a few years ago.
*. Many botnet C&Cs now use fast-flux technology, moving IP addresses
quite often.
*. When the C&C is taken down, the bot may not jump to a new host, a new
one may simply be installed.
*. Coordinated take-down of entire networks is extremely difficult, relies
on incomplete intelligence and only takes care of the problem for an
extremely short period of time until re-assembly.

The name of the game is the SPBC: Simple Primitive Botnet Control (C&C).

Simple - as it is simple, vs. a complex dynamic control channel.
Primitive - old and quite unimpressive.
Botnet - d'oh
C&C - Command and Control

It's simple, we can see most of them with our tools. Primitive, hey, they
have been using these for a long long time. It works.

As what we mainly did is concentrate on taking the C&C down, as well as
academically study how to detect or quantify it, what we achieved was
teaching the Bad Guys their business. That is yesterday's news.

They are an oiled machine. We don't hurt them any more. Botnet have
become mainstream. They are part of sales pitches now.

SPBC for the botnet controllers these days relies on proven and tested
techniques, concentarting and backing themselves on:
Reliability - Efficient and stable.
Robust - Easily replaced.
Diverse - varying control channels, from DNS, other IRC servers and direct
connect to a downloader ready to download a new bot or re-infect a known
bad network.
Distributed - need I speak of that one?

What taking down C&C's does achieve?
1. Coordination on security issues between ISP's, continued and
peer-pressure based. Slowly but surely becoming more and more LEO,
regulation and vendor-run in comparison to what it used to be.

2. Responsiveness to abuse - gaging ISP response is interesting and shows
how interested they are.

3. Feeling good - cleaning the back yard and moving the problem to someone
else (another ISP). Hmm, yeah.. not really. In most cases the same ISP's
have the same problems month after month. They just make the C&C's
"unknwon" vs. "yes, we know where they are".

We are now past the point where killing C&Cs has been harmful. It
was. These days the only real use a C&C can have for an organization with
a network, is to check for infected clients connecting in.

When it was harmful, creating the current situation, we were comfortable
with it as it helped hold back the immediate problem - which was important
by itself.

That's my educated opinion, following this since 1996, and gathering
statistics for several years, some of which are seen by this community
every month.

Please, I would love to hear your opinions, disputes and how you find the
operational intell on botnet C&Cs useful to this day on networks for
mitigation purposes.

Then I would like to try and check my facts against your findings as well,
and see if my conclusions hold up or if I miscalculated.

Please try and limit your answers on this thread (unless you start
another) to network mitigation issues.

Thank you all for your input. Oh, and I wasn't very accurate. Killing C&Cs
these days is still harmful, just that now it doesn't even hold back the


Note: this is also being sent to the public botnets mailing list.

The really interesting question is when botnets are going to use
p2p-technologies since one wouldn't know how to stop them then.
Please let that never happen....

I am not sayin gyou are wrong, or that dynamic channels won't happen far
more widely. Currently they are not widely used as they are not
needed. Web, IRC, etc. are quite efficient.

That said, there is one problem to solve with every evolved C&C, the more
complex it is the easier it is to follow.

  Gadi. (Gadi Evron) writes:

The subject line "why mitigating botnet C&Cs has become useless" is
misleading. It has been useless for a long time, but ...

Today it has become (close to) completely useless. ...

i wish that the value of this activity were zero. instead, it's negative.

see <; for details.

*SPs* today deal with command and control infrastructure on a
very tactical basis, and as for specific bots themselves, even
more tactically (i.e., usually when some incident requires that
they take some response action).

They're very incident driven from that respect, and with an attempt
to focus on revenue and services profitability, it just amplifies the
problem. That is, they're busy turning the steam valves and putting
out fires - who has the time for strategizing and waging a global
war on organized crime and it's employment of botnets that yields a
negligible return on a considerable investment, just cutting deeper
into their losses?

[disclaimer: the above is a gross oversimplification and many SPs
do far more, but it's largely applicable across a broad spectrum of

Heck, they rarely have time to chase DOS attack sources past their
network perimeter and today report less than 2% of *actionable*
attacks to LEOs.

It's an ROI game...

While you could spin botnet resurrection a hundred ways, taking out
the bots themselves, even if it's often times only as temporal function,
is the low hanging fruit and something SPs can understand and

I agree that the root of the problem is the miscreants perpetrating
these crimes, and they need to be prosecuted, but the responsibility
falls far wider than the SPs.

I also accept the references provided by Paul and others, but what's
the near-term alternative?