[87801] in North American Network Operators' Group
Re: Reporting botnets?
daemon@ATHENA.MIT.EDU (Bill Nash)
Wed Jan 11 11:46:33 2006
Date: Wed, 11 Jan 2006 08:53:33 -0800 (PST)
From: Bill Nash <billn@bacchus.billn.net>
To: nanog@merit.edu
In-Reply-To: <200601102225.k0AMPtWr013566@world.std.com>
Errors-To: owner-nanog@merit.edu
There are companies/products that specialize in mitigating C&C traffic in
a fairly elegant manner.
One specific one that we've had good experiences with is Mainnerv's
Darknet product. They deploy a box on the network, interfacing with your
enterprise via a BGP peer, which issues a handful of routes to actively
blackhole, intercept, and analyzer traffic to known C&C's that are being
actively tracked. That part isn't too exotic, their strength lies in the
good intelligence processes on their side, for maintaining their blackhole
listing.
The implementation impact is minimal and trojan outbreaks are generally
stopped dead even as the compromise is taking effect. As a proactive
measure, it's a fast way to spot compromised machines within your network
even as the malignant activity is mitigated.
- billn
On Tue, 10 Jan 2006, Martin Hannigan wrote:
>
>
>> Please advise, where to can I report botnet control activities?
>> I'm from overseas and interested if there are some law enforcement
>> organizations in US who may handle these issues?
>>
>> I assume it is illegal business in US, and I have enough evidence
>> how botnet control sites command our trojaned customer PC's to send
>> spam and activate DDoS attacks.
>>
>>
>
> I think your best bet is to report it first to your local authorities
> and then report it to the ISP that the C&C is sitting on. There are
> techniques that have been established over time and a few things
> you can do to mitigate, at least temporarily, (1) identify it and any
> others (2) make sure that taking action won't cause collateral damage
> or important stuff runs on it and blackhole it, (3) contact the dns
> provider and ask them to (a) lock out the user, (b) extend the TTl
> to the max that their software allows, (c) change the C&C resolution
> to 127.0.03. That will at least do some level of mitigation and allow
> you to clean up the mess while you figure out how you want to pursue
> it.
>
> I'm sure you'll also hear from some people on this list who can assist.
>
> Botnets are a dime a dozen. It's good to kill the C&C's and it's
> good to report them to LEA's, but from there, all bets are off.
>
> I believe any action would depend on exactly what they were doing
> with them. For example, if it's a bunch of skiddies fighting over
> who controls an iRC channel and they are DDOS'ing each other, well,
> that may not get much attention.
>
> Hope that helps.
> -M<
>
>
