RE: mitigating botnet C&Cs has become useless

----- Original Message Follows -----

> What? That's what I'm trying to find out, but I'm not
> as smart as most, so I can only point out the things
> that I believe definitely won't work and why I think
> that. Hopefully by the application of flame to my butt
> by smart people for saying what I do will spark some
> thought toward the goal.

Start with:

http://www.nanog.org/mtg-0602/greene.html

I didn't see anything in there relating to bot brains.
Also, with regard to 'cyberspace is just a meatspace
overlay' I considered what I would do to troubleshoot an
overlay network. I'd work on the layer where the problem
exists. (Duh! :-) Here, the problem exists at two layers:
Technically it's allowed and meat-wise there're those kinds
of people in this world. So, the solution must be at both
layers; meatspace and cyberspace. That makes us all
correct, yes? (again, I'm putting on my flame-proof
underpants... ;-)

One thing someone mentioned offline:

The goal, as noted, shouldn't be to shut these things
down. It should be to keep them operating, not interfered
with, so that the C&C channels remain detectable.

Shutting down C&Cs is a direct action.

More fun? Monitor those C&Cs. In real time, update your
filtering to tag attack packets as a QoS that is
rate-limited at your borders. This would be hard for a
botherder to detect, but would limit damage against remote
sites. You don't actually want to *block* them; blocking
them lets the botherder know that you're on to them. But
this has to be done fairly cleverly (much more so than I
suggest), so that they can't easily figure it out. This
is just an example for the sake of conveying the overall
idea.

But shutting them down, that's like the police arresting
all the informants. It doesn't stop the crime, it just
eradicates all your easy leads.

What're folk's thoughts on that?

scott

Well that's one perspective.

I love the bit about tagging the packets and using QoS (whatever that
means) though, that would be a hoot. Keep in mind bots are not just
for DoS. They spam, they capture keystrokes and mouseclicks, they can
be proxies and so on. If in the name of botnets QoS gets widely
deployed I'll print out this email, puree it in a blender and
humbly chug it down at a future NANOG.

John

I'm not sure I'd liken shutting C&C infrastructure down to
"arresting the informants". I think that's quite a bad analogy,
actually, as informants are [often] third parties while C&C
infrastructure is used to convey actual execution instructions
- which are very often much more than DoS, as John pointed
out.

-danny

useless...

  perhaps. i'm partly of the mind that botnets, p2p networks, manets,
and other self-organizing systems are the "wave" of the future (or even the
present) and the technologies, per se, are not inherently "evil" or even bad.

  imho, it is short-sighted to try and curtail, mitigate, and eradicate
these types of technologies - it's kind of like trying to kill off SMTP because
it only sends spam, FTP because it's only used to distribute PR0N... and HTTP
because it's only used by paedophiles stalking my daughters on MySpace...

  better to understand how these things are used and figure out how to
determine INTENT and then filter on that instead of technological eradication.

just my contrarian 0.02 rupias.

--bill

I promised myself I'd never, ever post three comments on the same
topic here, but hey...

What I think would be a good thing would be focusing on ONE miscreant,
some low-hanging fruit for starters. Just one. And shut him/her/it
down, hound him off the face of the earth, get him arrested, whatever,
put him out of business.

And then move on to #2.

Not that it will, one by one, get them all. But it *will* raise the
stakes, particularly as techniques are developed.

IMHO part of the problem is that everyone is trying to solve the
entire problem all at once with some magic bullet.

It's whack-a-mole in a Hilbert space, too difficult.

> useless...
>
>   perhaps. i'm partly of the mind that botnets, p2p networks, manets,
> and other self-organizing systems are the "wave" of the future (or even the
> present) and the technologies, per se, are not inherently "evil" or even bad.

Well, that clearly depends on your prescription for "self-organizing".
I certainly wouldn't categorize the botnets I'm referring to as self-
organizing, in particular when they're being employed in a _very_
organized manner - almost always unbeknownst to each system's
ultimate owner, and more and more often in such a way that allows
a botherder to employ them for an ever-expanding array of
malicious activities.

>   imho, it is short-sighted to try and curtail, mitigate, and eradicate
> these types of technologies - it's kind of like trying to kill off SMTP because
> it only sends spam, FTP because it's only used to distribute PR0N... and HTTP
> because it's only used by paedophiles stalking my daughters on MySpace...
>
>   better to understand how these things are used and figure out how to
> determine INTENT and then filter on that instead of technological eradication.

Right, hence my point. By and large, SPs don't have the time or
resources to police the greater Internet, and therefore, they respond
in a very reactive fashion when some malicious activity *that* warrants
action dictates. Taking out known botnet C&C infrastructure is more
proactive and at least from my perspective, continues to yield a
discernible impact.

It's all about ROI - and anything more than reactionary measures
only moves them further from profitability. Putting solutions in place
that allow the SPs to recoup costs associated with playing sysadmin
for customers is the only way they'll be able to give dedicated
focus to the problem.

> just my contrarian 0.02 rupias.

I'd expect no less Bill :-)

-danny

Even assuming SPs had the time and the resources, it's not always clear
what actions should be considered acceptable for SPs to do. If resources
were the only issue, making this another "War on X" and throwing lots of
money at the problem would be the answer. But that's not the right
answer.

People/customers seem to get just as upset with "proactive" SPs as they do
with "unactive" SPs. Even if it was possible to run the Internet like the
most secure closed corporate network, is that what people actually want?
I know lots of vendors that would be more than happy to sell SPs lots and
lots of security stuff to achieve that ;-)

Hopefully, by their nature SPs will always be a bit reactive. Unless
I want them to, I don't want SPs messing with my traffic. It's my right
to connect anything I want, send anything I want, do anything I want with
my Internet connection. On the other hand, when I do complain I want the
SP to instantly be able to stop anything I don't want, even when I don't
know what it is, and be able to track every bad thing that ever happened
even before I knew it was bad but not keep records of what anyone has
done. And of course, I don't think I should pay extra for it.

Railroads have the railroad police. The Post Office has postal
inspectors. Do we want to give ISP security the power to arrest
people? There are probably some security officers at SPs that
would love to bust some doors down and slap handcuffs on a few
people.

I think I touched on this lightly in one of my previous posts on
this topic - but yes, I completely agree..

-danny

There are plenty of (US) law enforcement agencies ready and willing to
do just that.

...

Let me try to become Gadi. First of all block port 80 (http) :-)
Next block port 53 udp (dns).

Now you have got rid of amplification attacks because spoofing does
no longer work and you have got rid of all those silly users that
only know how to click the mouse.

...

I think it was the 1970s when I started telling people that the only
truly secure computer was the one that was unplugged and buried under
two miles of fused stone. Of course, this conflicts with usability.
And, these days, with the all-worshipped network access.

This level of security is, of course, not the solution. I trust that
Peter D. was being sarcastic.

surfer@mauigateway.com ("Scott Weeks") writes:
> ... I'm just saying that there has to be a better way than police-type
> actions on a global scale. ...

no, there doesn't have to be such a way. where the stakes are in meatspace
(pun unintended), the remediation has to be in meatspace. cyberspace is
just a meatspace overlay, it can only pretend to have different laws when
nothing outside of cyberspace is at stake. i think that the days when
botnets were mostly used for kiddie-on-kiddie violence or even gangster-on-
gangster violence are permanently behind us. it's up to the real LEOs now,
because it's on their turf now, which is to say, it's in the real world now.

as was true of spam when i said this about spam ten years ago, it is true
now of botnets that the only technical solution is "gated communities". but
the internet's culture, which merely mirrors the biases of those who use it,
requires the ability for children to go door to door selling girl scout
cookies, without necessarily having the key code to every one of the doors.

so the internet community has no appetite for the trappings of any technical
solution to botnets. the meatspace community and their LEOs absolutely *do*.

I think it was Scott Weeks who pointed out that gated communities are
for the rich, and only push the E-VIL out to the rest of the community,
who then have to board up their windows and cower.

How do we make our world less fearsome?

As Barry Shein and others mentioned, we have to make this kind of action
in general something which people are afraid to do because of its
consequences. We also want to make it something which people are
reluctant to do, not only because it's unprofitable, but because it's
WRONG.

I may sound like a fogy when I say this [OK, maybe I am one, but so are
most of you that grew up along with me!], but it seems that in general
many folks are worrying less about what is RIGHT and WRONG, but about
what they can get away with, and what society feels permissive about.
That's a general problem. It can be fixed only by educating folks from
the time they're born (a) to CARE about "right" and "wrong", and (b) to
understand that messing with another's packets is as wrong as messing
with his bank account.

To make it less profitable, we have to make it harder. That means
making sure that protection on networks is as good as possible. I am
less adept at elaborating on that than many who have already done so.

To make sure that there are consequences, we need to work with local Law
Enforcement Organizations [for those who didn't know what LEOs were] to
get these folks punished somehow. If that means that we have to educate
the LEOs and legislatures, then that's what it takes.

Do we need special Internet police? I would hope not. But perhaps we
need an educated CyberCrime division of existing LEOs. This will not
happen tomorrow, and not at all if we don't both push and help.

And why is it up to us to do these things? Because it's our job. And
in some cases our vocation. It may cost us more, or we may volunteer
more time to do some of these things. But if the ones who know what
they are doing don't do this, then it will cost us all even more.