From: Moe Trin on
On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hm149u$mvf$1(a)news.eternal-september.org>, Rick wrote:

>"Rise of the Point-and-Click Botnet
>A kit lets beginners craft sophisticated attacks.

>Five years of development later, the latest version of this software,
>which can be downloaded for free and requires very little technical
>skill to operate,

Why do you think we call 'em skript kiddiez?

>Actually this could also be used as the good guys "fire back" system!

Getting down to crawl in the gutter usually isn't the best idea.
Given the possibility of IP spoofing (yes, it's possible - read the
man page for nmap), how does this mode make you any better than the
scammer?

Old guy
From: Rick on
Moe Trin wrote:
> On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
> article<hm149u$mvf$1(a)news.eternal-september.org>, Rick wrote:
>
>> "Rise of the Point-and-Click Botnet
>> A kit lets beginners craft sophisticated attacks.
>
>> Five years of development later, the latest version of this software,
>> which can be downloaded for free and requires very little technical
>> skill to operate,
>
> Why to you think we call 'em skript kiddiez?
>
>> Actually this could also be used as the good guys "fire back" system!
>
> Getting down to crawl in the gutter usually isn't the best idea.
> Given the possibility of IP spoofing (yes, it's possible - read the
> man page for nmap), how does this mode make you any better than the
> scammer?
>
> Old guy

"I don't want to become what I hate." - Batman


From: Moe Trin on
On Thu, 25 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hm6bou$cpv$4(a)news.eternal-september.org>, Rick wrote:

>Quite so. Our ISP is often "banned" from others because the ISP is so
>large that it has lots of spammers.

Where I work, we intentionally block access from/to all residential
ranges we're aware of. We're one of the research facilities for the
company, and thus we're not losing customers by doing so.

>No, my "fire back" is strictly a fantasy. BUT what can be done?

Depends. In most cases, we don't see ``attacks'' because we limit
access to our networks. Because our systems don't even complete the
"three-way handshake" needed to initiate a TCP connection, skript
kiddiez soon get bored and move on. Robotic stuff is usually well
behaved, and moves on if a single connection attempt fails. They
recognize we're not playing, and there are more targets for them to
look at elsewhere. Two examples - the Chinese traffic to ports
7212, 8080, 8090, 9090, and similar is usually one packet per
attempt - 40-ish octets/bytes up to several times an hour per IP
address maximum from a relatively limited number of /20 blocks, and
trivial to ignore. Opposite this was the windoze messenger spam
(4-900 octets of UDP to ports 1025-1030, most often with randomly
spoofed IP addresses). This was running 250-600 KB per address per
day. With a single Internet IP, this isn't too bad, but that's an
appreciable chunk of bandwidth when your presence is a /16 or
larger. There were relatively simple ways to block this too.

Sometimes that doesn't work. Are the packets coming from "this"
country? You _may_ be able to bring legal/criminal complaints (see
your legal advisor - may not be worth the effort/expense). If the
packets are coming from some "other" country, there probably isn't
very much you can do other than asking your upstream to block. A
point a lot of people forget is that in the _absence_ of a contract
that says otherwise, a network entity doesn't have to accept traffic
from everywhere. It's a variation on the response to spammers by
mail administrators - "my network, my rules".

One other point to consider: We rarely bother logging rejected
or blocked traffic on the firewall. It's blocked, and isn't going
to be doing anything, so why bother? If we do block something we
shouldn't (some legitimate need), we'll hear about it soon enough.
We may turn on logging once in a while to see if anything has
changed, but that's pretty rare.

Old guy
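The posture described above (silently dropping rather than rejecting, so the three-way handshake never completes; blocking known residential ranges; dropping the UDP 1025-1030 messenger spam; keeping no per-packet log of drops) as a small policy model. This is an added example, not code from the poster; the prefixes, open ports and sample packets are constructed, and the real thing would live in a packet filter rather than Python.

```python
import ipaddress
from collections import Counter

# Constructed values: the post names no specific prefixes or open ports.
RESIDENTIAL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for "residential ranges we're aware of"
OPEN_TCP_PORTS = {25, 80}                                     # constructed: services actually offered
MESSENGER_UDP_PORTS = range(1025, 1031)                       # Windows Messenger spam ports cited in the post
PROBED_TCP_PORTS = {7212, 8080, 8090, 9090}                   # ports the post cites as routinely probed


def policy(pkt):
    """Verdict for one inbound packet.

    'drop' means silently discard: no RST, no ICMP unreachable, no log line,
    so a TCP connection attempt never completes the three-way handshake.
    """
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in RESIDENTIAL_RANGES):
        return "drop", "residential"
    if pkt["proto"] == "udp" and pkt["dport"] in MESSENGER_UDP_PORTS:
        return "drop", "messenger-spam"
    if pkt["proto"] == "tcp" and pkt["flags"] == "S" and pkt["dport"] not in OPEN_TCP_PORTS:
        return "drop", "unsolicited-syn"
    return "accept", "service"


def run(packets):
    """Apply the policy; the only accounting kept is dropped octets per reason."""
    dropped = Counter()
    accepted = []
    for pkt in packets:
        verdict, reason = policy(pkt)
        if verdict == "drop":
            dropped[reason] += pkt["len"]
        else:
            accepted.append(pkt)
    return dropped, accepted


# Constructed sample traffic modelled on the two patterns in the post:
# single ~40-octet SYNs to the probed ports, and 400-900 octet UDP to 1025-1030.
SAMPLE = [
    {"src": "198.51.100.7", "proto": "tcp", "dport": 8080, "flags": "S", "len": 40},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 9090, "flags": "S", "len": 40},
    {"src": "192.0.2.99", "proto": "udp", "dport": 1026, "flags": "", "len": 700},
    {"src": "192.0.2.100", "proto": "udp", "dport": 1029, "flags": "", "len": 450},
    {"src": "203.0.113.5", "proto": "tcp", "dport": 80, "flags": "S", "len": 60},
    {"src": "198.51.100.20", "proto": "tcp", "dport": 25, "flags": "S", "len": 60},
]

if __name__ == "__main__":
    dropped, accepted = run(SAMPLE)
    print(dict(dropped), [p["dport"] for p in accepted])
```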
From: Kyle T. Jones on
Moe Trin wrote:

<snip>

I thought this was germane to what y'all are discussing:

http://www.networkworld.com/news/2010/022510-microsoft-recruited-top-notch-guns.html

(might be an ad to skip(:

"But behind the scenes, Microsoft's legal action was just one component
of a synchronized campaign to bring down Waledac.

Last year, researchers with the University of Mannheim in Germany and
Technical University Vienna in Austria published a research paper
showing how it was possible to infiltrate and control the Waledec
botnet. They had studied Waledac's complicated peer-to-peer
communication mechanism.

Microsoft -- which was annoyed by Waledec due to its spamming of Hotmail
accounts -- contacted those researchers about two weeks ago to see if
they could perform their attack for real, according to one of the
University of Mannheim researchers, who did not want to be identified.

"They asked me if there was also a way besides taking down those domains
of redirecting the command-and-control traffic," said the Mannheim
researcher.

Waledac distributes instructions through command-and-control servers
that work with a peer-to-peer system. Led by a researcher who did his
bachelor thesis on Waledac, the action began early this week.

"This was more or less an aggressive form of what we did before," the
Mannheim researcher said. "We disrupted the peer-to-peer layer to
redirect traffic not to botmaster servers but to our servers."
"

Cheers.
From: Moe Trin on
On Fri, 26 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hm8qsv$o0i$2(a)news.eternal-september.org>, Kyle T. Jones wrote:

>"But behind the scenes, Microsoft's legal action was just one component
>of a synchronized campaign to bring down Waledac.

[...]

>"This was more or less an aggressive form of what we did before," the
>Mannheim researcher said. "We disrupted the peer-to-peer layer to
>redirect traffic not to botmaster servers but to our servers."

I'll wait until I hear further from Gadi Evron (Israeli security guy)
in a post to Bugtraq. He's published some interesting material to
that mailing list about the various bot-nets.

Old guy