North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
mitigating botnet C&Cs has become useless
The few hundred *new* IRC-based C&Cs a month (and change), have been around and static (somewhat) for a while now. At a steady rate of change which maintains the status quo, plus a bit of new blood. In this post I ask the community about what you see, against what we have observed, and try and test my conclusions and numbers against your findings. The subject line "why mitigating botnet C&Cs has become useless" is misleading. It has been useless for a long time, but someone had to hold back the tide, which several online mitigation communities have been doing. Today it has become (close to) completely useless. I will present the case on why that is in my opinion, in a few bullets, and we can discuss what alternatives we have, or if perhaps I am misreading what's going on. *. When a botnet C&C is mitigated, it is immediately re-created on another host on the same ISP or another. *. Most botnet C&Cs are a part of a larger group, such as an IRC network or another, possibly hidden "behind the scenes" network. lusers are being redirected on the spot or reconnect to another host. *. Most botnet C&Cs are a compartmentalized group out of the whole, possibly a sub-group several tiers down. Much like a terrorism cell. *. If the above measures and features fail, most botnets have a secondary control channel with which an immense host can be re-directed. This has been seen back a few years ago. *. Many botnet C&Cs now use fast-flux technology, moving IP addresses quite often. *. When the C&C is taken down, the bot may not jump to a new host, a new one may simply be installed. *. Coordinated take-down of entire networks is extremely difficult, relies on incomplete intelligence and only takes care of the problem for an extremely short period of time until re-assembly. The name of the game is the SPBC: Simple Primitive Botnet Control (C&C). Simple - as it is simple, vs. a complex dynamic control channel. Primitive - old and quite unimpressive. Botnet - d'oh C&C - Command and Control It's simple, we can see most of them with our tools. Primitive, hey, they have been using these for a long long time. It works. As what we mainly did is concentrate on taking the C&C down, as well as academically study how to detect or quantify it, what we achieved was teaching the Bad Guys their business. That is yesterday's news. They are an oiled machine. We don't hurt them any more. Botnet have become mainstream. They are part of sales pitches now. SPBC for the botnet controllers these days relies on proven and tested techniques, concentarting and backing themselves on: Reliability - Efficient and stable. Robust - Easily replaced. Diverse - varying control channels, from DNS, other IRC servers and direct connect to a downloader ready to download a new bot or re-infect a known bad network. Distributed - need I speak of that one? What taking down C&C's does achieve? 1. Coordination on security issues between ISP's, continued and peer-pressure based. Slowly but surely becoming more and more LEO, regulation and vendor-run in comparison to what it used to be. 2. Responsiveness to abuse - gaging ISP response is interesting and shows how interested they are. 3. Feeling good - cleaning the back yard and moving the problem to someone else (another ISP). Hmm, yeah.. not really. In most cases the same ISP's have the same problems month after month. They just make the C&C's "unknwon" vs. "yes, we know where they are". We are now past the point where killing C&Cs has been harmful. It was. These days the only real use a C&C can have for an organization with a network, is to check for infected clients connecting in. When it was harmful, creating the current situation, we were comfortable with it as it helped hold back the immediate problem - which was important by itself. That's my educated opinion, following this since 1996, and gathering statistics for several years, some of which are seen by this community every month. Please, I would love to hear your opinions, disputes and how you find the operational intell on botnet C&Cs useful to this day on networks for mitigation purposes. Then I would like to try and check my facts against your findings as well, and see if my conclusions hold up or if I miscalculated. Please try and limit your answers on this thread (unless you start another) to network mitigation issues. Thank you all for your input. Oh, and I wasn't very accurate. Killing C&Cs these days is still harmful, just that now it doesn't even hold back the tide. Gadi. Note: this is also being sent to the public botnets mailing list.