Enterprise Security-Fast Flux Bot Nets

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Has anyone had to deal with one of these yet? I was not aware of this technique until I read this article.

"Traditional bot nets have used Internet relay chat (IRC) servers to control each of the compromised PCs, or bots, but the central IRC server is also a weakness, giving defenders a single server to target and take down. An increasingly popular technique, known as fast-flux domain name service (DNS), allows bot nets to use a multitude of servers to hide a key host or to create a highly-available control network. The result: No single point of weakness on which defenders can focus their efforts."

Security Focus Full Article by Robert Lemos

After reading the article it sounds like the domain has to be taken down, any other thoughts on how to deal with this?
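The quoted article describes fast-flux as a domain whose A records rotate through many compromised hosts with short TTLs, and the later replies argue that the DNS side is where a defender can actually act. As an added example (not from the thread or the SecurityFocus article), the following Python script shows the kind of passive-DNS check a defender can run: it groups answers by name and flags names whose records have a short TTL, many distinct addresses and addresses scattered across several /16 prefixes, which is what distinguishes a flux network from a CDN that also uses short TTLs but keeps its addresses in one netblock. The log format, the hostnames, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for this example.

```python
"""Fast-flux detection heuristic over passive-DNS answers.

Added example; not code from the thread or the article it quotes.
The log format, names, addresses and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsAnswer:
    ts: int     # time of the lookup, in seconds (constructed)
    name: str   # queried hostname, normalised to lowercase without trailing dot
    ttl: int    # TTL of the A record as returned by the resolver
    ip: str     # resolved IPv4 address


def parse_line(line: str) -> DnsAnswer:
    """Parse one line of the constructed log format: '<ts> <name> A <ttl> <ip>'."""
    ts, name, rtype, ttl, ip = line.split()
    if rtype != "A":
        raise ValueError("only A records are handled in this example")
    ip_address(ip)  # raises ValueError on a malformed address
    return DnsAnswer(int(ts), name.lower().rstrip("."), int(ttl), ip)


# Constructed sample: one flux-style name (short TTL, addresses all over the
# place), one CDN-style name (short TTL, addresses in a single netblock) and
# one ordinary name with a long TTL and a single address.
SAMPLE_LOG = """\
1000 flux.example. A 180 203.0.113.5
1200 flux.example. A 180 198.51.100.77
1400 flux.example. A 180 192.0.2.14
1600 flux.example. A 180 203.0.113.200
1800 flux.example. A 180 198.51.100.9
2000 flux.example. A 180 192.0.2.201
1000 cdn.example. A 60 192.0.2.10
1300 cdn.example. A 60 192.0.2.11
1600 cdn.example. A 60 192.0.2.12
1000 www.example. A 86400 198.51.100.1
"""

# Thresholds are an assumption chosen for this example; tune them against
# your own resolver logs and known-good CDN names before alerting on them.
MAX_TTL = 300        # flux records are kept short so the rotation takes effect
MIN_IPS = 5          # distinct addresses seen for one name in the window
MIN_PREFIXES = 3     # distinct /16 prefixes: a rough proxy for address spread


def prefix16(ip: str) -> str:
    """First two octets of an IPv4 address, used as a coarse network key."""
    return ".".join(ip.split(".")[:2])


def summarize(answers):
    """Group answers by name and compute the flux indicators for each name."""
    per_name = defaultdict(list)
    for a in answers:
        per_name[a.name].append(a)
    report = {}
    for name, recs in per_name.items():
        ips = {r.ip for r in recs}
        prefixes = {prefix16(r.ip) for r in recs}
        min_ttl = min(r.ttl for r in recs)
        flagged = (min_ttl <= MAX_TTL
                   and len(ips) >= MIN_IPS
                   and len(prefixes) >= MIN_PREFIXES)
        report[name] = {
            "lookups": len(recs),
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "flagged": flagged,
        }
    return report


def analyze_log(text: str):
    """Parse a whole log and return the per-name report."""
    return summarize(parse_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for name, row in sorted(analyze_log(SAMPLE_LOG).items()):
        print(f"{name:14} ips={row['unique_ips']} /16s={row['unique_prefixes']} "
              f"ttl={row['min_ttl']} flagged={row['flagged']}")
```

With the constructed sample, only flux.example is flagged: cdn.example has the short TTL but only one /16, and www.example has a single long-lived record. In practice the same grouping would be run over a window of resolver or passive-DNS data, and a flagged name is a candidate for a block at the resolver and for a takedown request to the registrar, which is the "go after the DNS" approach the thread settles on.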
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
The last paragraph had it down: for the immediate future the focus has to be on preventing infections. Unfortunately, you can put as many layers of defense within your own network and still be smacked by someone else's lack of preparation.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: n0cmonkey
With the advent of p2p bots I'm not too worried about it.

There still needs to be a mechanism for the bots to find peers. In the example given, going after the dns is the right solution. Going for the server behind the dns has always been the wrong approach (albeit, it was simpler).
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: bsobel
Originally posted by: n0cmonkey
With the advent of p2p bots I'm not too worried about it.

There still needs to be a mechanism for the bots to find peers. In the example given, going after the dns is the right solution. Going for the server behind the dns has always been the wrong approach (albeit, it was simpler).

Good point.

I'm waiting for the bots to pass along peer information after infection. No DNS required.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Zugzwang152
The last paragraph had it down: for the immediate future the focus has to be on preventing infections. Unfortunately, you can put as many layers of defense within your own network and still be smacked by someone else's lack of preparation.

That's the part that I have trouble with seeing as being realistic. Relying on others to prepare, perhaps a better way to sell this approach would be to raise business and consumer education on why having adequate controls in place on a computer is important.

In addition this doesn't resolve problems that have to be dealt with today.


Originally posted by: n0cmonkey
With the advent of p2p bots I'm not too worried about it.

Care to expand on that?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Oakenfold
Originally posted by: Zugzwang152
The last paragraph had it down: for the immediate future the focus has to be on preventing infections. Unfortunately, you can put as many layers of defense within your own network and still be smacked by someone else's lack of preparation.

That's the part that I have trouble with seeing as being realistic. Relying on others to prepare, perhaps a better way to sell this approach would be to raise business and consumer education on why having adequate controls in place on a computer is important.

In addition this doesn't resolve problems that have to be dealt with today.


Originally posted by: n0cmonkey
With the advent of p2p bots I'm not too worried about it.

Care to expand on that?

Botnets seem to be moving to a p2p/decentralized model. There is no single C&C. Oftentimes the connections are encrypted too. Waste has actually been seen in the wild as the communication method, which I thought was pretty neat.
 