[91885] in North American Network Operators' Group
RE: [Full-disclosure] what can be done with botnet C&C's?
daemon@ATHENA.MIT.EDU (billn@billn.net)
Thu Aug 17 17:43:29 2006
Date: Thu, 17 Aug 2006 14:44:01 -0700 (MST)
From: billn@billn.net
To: Jordan Medlen <jmedlen@sagonet.com>
Cc: nanog@nanog.org
In-Reply-To: <auto-000031913200@cgpro.iccx.net>
Errors-To: owner-nanog@merit.edu
On Thu, 17 Aug 2006, Jordan Medlen wrote:
>
> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets, however we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.
>
> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks
Is this the kind of thing that could get a boost from projects like
ThreatNet (http://www.ali.as/threatnet/)?
I've been peripherally involved with the project, mostly in chasing
conceptual issues and hammering out the trust relationship details, in
addition to being an rabid, er, avid developer of network management
tools, right down to near-real time log analyzers. I think that if you're
to a point that you trust your tools enough to make an informed decision
and automate your null routes, why not expand on that and use the same
networked intelligence the C&C's embody?
- billn
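As an added illustration of the automated-blocking setup Jordan describes (this is example code written for this page, not snortsam's or Sago Networks' own tooling), the script below reads Snort "fast"-style alert lines and emits router null-route statements, with the safeguards a team usually wants before trusting automation: a priority cutoff, a per-source hit threshold inside a time window, a protected-address list that is never blackholed, and an expiry so blocks do not live forever. The alert lines, addresses, thresholds, the regex for the alert layout and the IOS-style `ip route ... Null0` command are all assumptions made for the example.

```python
"""
Turn Snort fast-alert lines into null-route decisions with safeguards.

Added example, not snortsam's code: a policy layer of the kind a team would
put between an IDS and its routers. All alerts, addresses, thresholds and
the router command syntax below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of a Snort "alert_fast" line (one alert per line). The port
# after an address is optional so ICMP alerts parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Space that must never be blackholed whatever the IDS says: our own hosts,
# resolvers and monitoring boxes (constructed values).
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]

# Constructed sample alerts: a repeat offender, a low-priority ping, an alert
# whose source is protected space, and a late alert after the block expired.
ALERTS = """\
08/17-14:40:01.000001 [**] [1:2001219:1] IRC C&C check-in (constructed) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 203.0.113.7:1034 -> 192.0.2.10:6667
08/17-14:41:12.000001 [**] [1:2001219:1] IRC C&C check-in (constructed) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 203.0.113.7:1035 -> 192.0.2.11:6667
08/17-14:42:30.000001 [**] [1:2001219:1] IRC C&C check-in (constructed) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 203.0.113.7:1036 -> 192.0.2.12:6667
08/17-14:42:45.000001 [**] [1:1000001:1] ICMP PING (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
08/17-14:43:00.000001 [**] [1:2001219:1] IRC C&C check-in (constructed) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 198.51.100.53:1037 -> 192.0.2.10:6667
08/17-15:50:00.000001 [**] [1:2001219:1] IRC C&C check-in (constructed) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 203.0.113.7:1040 -> 192.0.2.10:6667
"""


def parse_alert(line, year=2006):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "prio": int(m["prio"]),
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}


def is_protected(addr):
    """True if the address falls inside space we refuse to null-route."""
    return any(addr in net for net in PROTECTED)


class NullRoutePolicy:
    """Block a source only after `threshold` alerts of priority <= `max_prio`
    inside `window`; never block protected space; expire blocks after `ttl`."""

    def __init__(self, max_prio=1, threshold=3, window=timedelta(minutes=5),
                 ttl=timedelta(hours=1)):
        self.max_prio, self.threshold, self.window, self.ttl = max_prio, threshold, window, ttl
        self.hits = defaultdict(list)   # src -> timestamps of qualifying alerts
        self.blocks = {}                # src -> expiry time

    def expire(self, now):
        """Drop blocks whose TTL has passed; return the router commands to undo them."""
        removed = []
        for src, until in list(self.blocks.items()):
            if now >= until:
                del self.blocks[src]
                removed.append(f"no ip route {src} 255.255.255.255 Null0")
        return removed

    def feed(self, alert):
        """Return a router command if this alert pushes its source over the threshold."""
        src, now = alert["src"], alert["ts"]
        if alert["prio"] > self.max_prio or is_protected(src) or src in self.blocks:
            return None
        window_hits = [t for t in self.hits[src] if now - t <= self.window] + [now]
        self.hits[src] = window_hits
        if len(window_hits) < self.threshold:
            return None
        self.blocks[src] = now + self.ttl
        return f"ip route {src} 255.255.255.255 Null0"   # IOS-style static null route (assumed syntax)


def process(text, policy=None):
    """Run alert lines through the policy; return (commands issued, policy state)."""
    policy = policy or NullRoutePolicy()
    commands = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        commands.extend(policy.expire(alert["ts"]))
        cmd = policy.feed(alert)
        if cmd:
            commands.append(cmd)
    return commands, policy


if __name__ == "__main__":
    for cmd in process(ALERTS)[0]:
        print(cmd)
```

Only the repeat offender 203.0.113.7 gets a null route, and only on its third priority-1 alert within five minutes; the priority-3 ping and the alert sourced from protected space are ignored, and the late alert an hour later first produces the `no ip route` removal and then starts a fresh count instead of re-blocking. The threshold, window and TTL are the knobs that correspond to the "tweak and tune" effort the post mentions.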