From: Moe Trin on 23 Feb 2010 22:01

On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in article <hm149u$mvf$1(a)news.eternal-september.org>, Rick wrote:

>"Rise of the Point-and-Click Botnet
>A kit lets beginners craft sophisticated attacks.

>Five years of development later, the latest version of this software,
>which can be downloaded for free and requires very little technical
>skill to operate,

Why do you think we call 'em skript kiddiez?

>Actually this could also be used as the good guys "fire back" system!

Getting down to crawl in the gutter usually isn't the best idea. Given the possibility of IP spoofing (yes, it's possible - read the man page for nmap), how does this mode make you any better than the scammer?

Old guy
From: Rick on 24 Feb 2010 06:26

Moe Trin wrote:
> On Tue, 23 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
> article <hm149u$mvf$1(a)news.eternal-september.org>, Rick wrote:
>
>> "Rise of the Point-and-Click Botnet
>> A kit lets beginners craft sophisticated attacks.
>
>> Five years of development later, the latest version of this software,
>> which can be downloaded for free and requires very little technical
>> skill to operate,
>
> Why do you think we call 'em skript kiddiez?
>
>> Actually this could also be used as the good guys "fire back" system!
>
> Getting down to crawl in the gutter usually isn't the best idea.
> Given the possibility of IP spoofing (yes, it's possible - read the
> man page for nmap), how does this mode make you any better than the
> scammer?
>
> Old guy

"I don't want to become what I hate." - Batman
From: Moe Trin on 25 Feb 2010 20:44

On Thu, 25 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in article <hm6bou$cpv$4(a)news.eternal-september.org>, Rick wrote:

>Quite so. Our ISP is often "banned" from others because the ISP is so
>large that it has lots of spammers.

Where I work, we intentionally block access from/to all residential ranges we're aware of. We're one of the research facilities for the company, and thus we're not losing customers by doing so.

>No, my "fire back" is strictly a fantasy. BUT what can be done?

Depends. In most cases, we don't see "attacks" because we limit access to our networks. Because our systems don't even complete the "three-way handshake" needed to initiate a TCP connection, skript kiddiez soon get bored and move on. Robotic stuff is usually well behaved, and moves on if a single connection attempt fails. They recognize we're not playing, and there are more targets for them to look at elsewhere.

Two examples - the Chinese traffic to ports 7212, 8080, 8090, 9090, and similar is usually one packet per attempt - 40-ish octets/bytes, up to several times an hour per IP address maximum, from a relatively limited number of /20 blocks, and trivial to ignore. Opposite this was the windoze messenger spam (4-900 octets of UDP to ports 1025-1030, most often with randomly spoofed IP addresses). This was running 250-600 KB per address per day. With a single Internet IP, this isn't too bad, but that's an appreciable chunk of bandwidth when your presence is a /16 or larger. There were relatively simple ways to block this too.

Sometimes that doesn't work. Are the packets coming from "this" country? You _may_ be able to bring legal/criminal complaints (see your legal advisor - may not be worth the effort/expense). If the packets are coming from some "other" country, there probably isn't very much you can do other than asking your upstream to block.
A point a lot of people forget is that in the _absence_ of a contract that says otherwise, a network entity doesn't have to accept traffic from everywhere. It's a variation on the response to spammers by mail administrators - "my network, my rules".

One other point to consider: We rarely bother logging rejected or blocked traffic on the firewall. It's blocked, and isn't going to be doing anything, so why bother? If we do block something we shouldn't (some legitimate need), we'll hear about it soon enough. We may turn on logging once in a while to see if anything has changed, but that's pretty rare.

Old guy
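The policy Moe Trin describes above (default-deny so the handshake never completes, residential space blocked in both directions, the two nuisance patterns dropped without logging, counters instead of per-packet log lines) maps onto a small nftables ruleset. The one below is an added example, not a configuration from the thread or from his site: the address prefixes are RFC 5737 documentation ranges standing in for the residential and management networks he does not list, and the ports are the ones named in the post. Note the use of `drop` rather than `reject`: both keep the three-way handshake from completing, but `reject` answers with a RST or ICMP error and so confirms a live host, while `drop` gives the prober nothing at all.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Prefixes below are RFC 5737
# documentation ranges used as placeholders; substitute your own.

flush ruleset

table inet edge {
    # Consumer/residential space we refuse to talk to in either direction.
    # Placeholder elements; the post does not list the real ranges.
    set residential {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    chain input {
        # Default policy drop: an unsolicited SYN gets no SYN/ACK, no RST,
        # nothing. The handshake never starts and the prober moves on.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Windows Messenger spam: small UDP datagrams to 1025-1030, sources
        # frequently spoofed so per-source blocking is pointless. Drop the
        # whole port range; the counter shows volume without a log line
        # per packet.
        udp dport 1025-1030 counter drop

        # One-packet TCP probes to the ports named in the post. The default
        # policy would already eat these; a dedicated rule gives a count.
        tcp dport { 7212, 8080, 8090, 9090 } counter drop

        # "My network, my rules": nothing from residential space gets in.
        ip saddr @residential counter drop

        # The services actually offered. Placeholder: SSH from a management
        # prefix only.
        ip saddr 203.0.113.0/24 tcp dport 22 ct state new accept

        # Occasional visibility only. Uncomment briefly to sample what the
        # default policy is discarding; the limit keeps a flood from turning
        # into a log flood.
        # limit rate 10/minute log prefix "edge-drop "
    }

    chain forward {
        # Same stance for traffic we route: residential space is blocked
        # from and to, matching the post's "from/to".
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ip saddr @residential counter drop
        ip daddr @residential counter drop
    }
}
```

Load it with `nft -f` and read the counters with `nft list ruleset`; that is the "turn on logging once in a while" check from the post, without ever writing a line per dropped packet.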
From: Kyle T. Jones on 26 Feb 2010 10:55

Moe Trin wrote:
<snip>

I thought this was germane to what y'all are discussing:

http://www.networkworld.com/news/2010/022510-microsoft-recruited-top-notch-guns.html

(might be an ad to skip)

"But behind the scenes, Microsoft's legal action was just one component of a synchronized campaign to bring down Waledac.

Last year, researchers with the University of Mannheim in Germany and Technical University Vienna in Austria published a research paper showing how it was possible to infiltrate and control the Waledac botnet. They had studied Waledac's complicated peer-to-peer communication mechanism.

Microsoft -- which was annoyed by Waledac due to its spamming of Hotmail accounts -- contacted those researchers about two weeks ago to see if they could perform their attack for real, according to one of the University of Mannheim researchers, who did not want to be identified.

"They asked me if there was also a way besides taking down those domains of redirecting the command-and-control traffic," said the Mannheim researcher. Waledac distributes instructions through command-and-control servers that work with a peer-to-peer system.

Led by a researcher who did his bachelor thesis on Waledac, the action began early this week. "This was more or less an aggressive form of what we did before," the Mannheim researcher said. "We disrupted the peer-to-peer layer to redirect traffic not to botmaster servers but to our servers.""

Cheers.
From: Moe Trin on 26 Feb 2010 22:00

On Fri, 26 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in article <hm8qsv$o0i$2(a)news.eternal-september.org>, Kyle T. Jones wrote:

>"But behind the scenes, Microsoft's legal action was just one component
>of a synchronized campaign to bring down Waledac.

[...]

>"This was more or less an aggressive form of what we did before," the
>Mannheim researcher said. "We disrupted the peer-to-peer layer to
>redirect traffic not to botmaster servers but to our servers."

I'll wait until I hear further from Gadi Evron (Israeli security guy) in a post to Bugtraq. He's published some interesting material to that mailing list about the various bot-nets.

Old guy