
Is the Botnet Battle Already Lost?

CowboyNeal posted more than 7 years ago | from the fighting-the-good-fight dept.


An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."


374 comments


Problem Solved (0)

Anonymous Coward | more than 7 years ago | (#16463469)

The problem has already been solved the same way that people used to get onto an old BBS. You need to be invited to go to a channel or the channel is hidden.

It is a pity that the general open channels are a thing of the past, but so are private BBSs.

Re:Problem Solved (2, Interesting)

TCM (130219) | more than 7 years ago | (#16463519)

I don't think that bots are invited. This wouldn't make sense from an administrative view. The channels are probably password-protected. Nothing a little sniffing can't fix.

After all, the bot is code running locally. So if it contains any channel names, channel keys or cryptographic keys, you can get to them.

Re:Problem Solved (2, Interesting)

TubeSteak (669689) | more than 7 years ago | (#16463729)

The channels are probably password-protected. Nothing a little sniffing can't fix.
If you've ever been in an XDCC file channel on IRC, you'll see some channels even name their bots XYZ-EDU

There is no easy solution

http://images.slashdot.org/hc/07/4a6fece962b0.jpg [slashdot.org]

Read me and then mod me informative. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16463547)

Check this cool link [goatse.cx] out!

Re:Problem Solved (2, Informative)

ResidntGeek (772730) | more than 7 years ago | (#16463973)

The botnets aren't using public IRC servers, they're using servers specifically set up to control botnets.

PHURST POAST (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16463485)

BOTNETS R TEH


How do you know if you've been rooted? (0, Offtopic)

the_humeister (922869) | more than 7 years ago | (#16463497)

I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should be. All the computers have AVG installed, but is there something else I can do to check?

Re:How do you know if you've been rooted? (5, Funny)

cnkurzke (920042) | more than 7 years ago | (#16463543)

Check if there is a "start" icon in the lower left corner of your screen. If so, yes, chances are you have caught a virus, and your computer is taken over and controlled by the dark forces.

Re:How do you know if you've been rooted? (5, Funny)

Telvin_3d (855514) | more than 7 years ago | (#16463567)

You have no idea how depressing it is that I can't decide if the above comment should be modded flamebait, funny, informative or insightful.

Re:How do you know if you've been rooted? (1)

TheDreadSlashdotterD (966361) | more than 7 years ago | (#16463695)

I feel your pain. Alas, we have already commented.

Now, back to meditation!

I have already said it (3, Funny)

this great guy (922511) | more than 7 years ago | (#16464251)

Slashdot needs a mod option: +1, Whatever.

Re:How do you know if you've been rooted? (1)

carlos92 (682924) | more than 7 years ago | (#16464145)

My Start icon is in the left upper corner...does it mean that I am safe? Maybe I can confuse the dark forces....

Re:How do you know if you've been rooted? (5, Informative)

vandoravp (709954) | more than 7 years ago | (#16463559)

Firewalls are useful for monitoring traffic. The best way to detect a zombie computer is to look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to). Security Now [grc.com] is a great podcast that deals with security issues and locking down your systems. Episodes 3, 8, and 4 are particularly relevant. It can get technical at times but all-in-all it's a great explanation of how things work and what can be done to secure them.

Re:How do you know if you've been rooted? (3, Informative)

guisar (69737) | more than 7 years ago | (#16463727)

Useful in theory, but how much time does it actually take to monitor this? There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend. iptraf and some other tools ease the burden by allowing device- and port-specific analysis, but still you really have to pay attention on a real-time basis or do a lot of data mining. Who's going to spend this time on a home network, much less a general business environment where system administrators are already overstretched and security administrators are still the CFO's favorite line item veto?

Re:How do you know if you've been rooted? (5, Informative)

rpbailey1642 (766298) | more than 7 years ago | (#16463963)

Set up a bridge without an IP address and install Snort on it. On FreeBSD or OpenBSD, this procedure is a snap. Your mileage may vary; query Google for assistance.
Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures is a piece of cake and the process is well-documented.
The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on a school system's computer network and it worked like a dream.

Know your network. (3, Informative)

khasim (1285) | more than 7 years ago | (#16464127)

There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend.

ARP should not matter on the firewall.

Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.

Who's going to spend this time on a home network, much less a general business environment where system administrators are already overstretched and security administrators are still the CFO's favorite line item veto?

On a home network? Probably no one.

On a business's network, that's completely different. If you leave your network open and are cracked and you lose your credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.

The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can do that will take time and money but that will not actually increase the security of your systems.

Education is the beginning.
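Two checks come up in this subthread: vandoravp's "look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to)" and khasim's "monitor traffic by IP address, at the firewall, during times when no one should be using the computer". The script below is an added example written for this page, not code from either commenter; it runs both checks over a handful of constructed firewall accept records. The log format, addresses, quiet-hours window and the decision to ignore DNS are all assumptions made for the illustration.

```python
"""Flag hosts that talk through the firewall when nobody should be at them.

Added example for this thread, not code from the original posts.  The log
format below is constructed for the illustration; real firewall exports
differ, so parse_line() is the one piece to adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of firewall "accept" records.  10.0.0.15 is the host
# to notice: it keeps talking to one outside address on tcp/6667 at 01:00,
# when the office is empty.  10.0.0.30 only does a DNS lookup at night.
SAMPLE_LOG = """\
2006-10-17 17:58:10 src=10.0.0.12 dst=198.51.100.20 dport=80 proto=tcp bytes=48120
2006-10-17 18:02:41 src=10.0.0.15 dst=198.51.100.20 dport=80 proto=tcp bytes=9001
2006-10-18 01:12:03 src=10.0.0.15 dst=203.0.113.7 dport=6667 proto=tcp bytes=412
2006-10-18 01:12:35 src=10.0.0.15 dst=203.0.113.7 dport=6667 proto=tcp bytes=388
2006-10-18 01:13:09 src=10.0.0.15 dst=203.0.113.7 dport=6667 proto=tcp bytes=2047
2006-10-18 01:40:00 src=10.0.0.30 dst=198.51.100.53 dport=53 proto=udp bytes=96
2006-10-18 09:15:22 src=10.0.0.30 dst=198.51.100.20 dport=80 proto=tcp bytes=30211
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def in_quiet_window(t, start, end):
    """True when clock time t is inside [start, end); the window may wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def off_hours_activity(lines, quiet_start=time(22, 0), quiet_end=time(6, 0),
                       ignore_ports=frozenset({53})):
    """Map each source host to the connections it made inside the quiet window.

    ignore_ports is a local choice (here: DNS), because even clean hosts do
    some background lookups overnight; tune it to the noise on your network.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] in ignore_ports:
            continue
        if in_quiet_window(rec["ts"].time(), quiet_start, quiet_end):
            hits[rec["src"]].append(rec)
    return dict(hits)


def lonely_destinations(lines):
    """Outside addresses that exactly one internal host ever talked to.

    A destination the rest of the office never visits is the "place nobody
    would be going to" worth a second look; the result maps dst -> (src, count).
    """
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            seen[rec["dst"]][rec["src"]] += 1
    return {dst: (next(iter(srcs)), sum(srcs.values()))
            for dst, srcs in seen.items() if len(srcs) == 1}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, recs in off_hours_activity(lines).items():
        dsts = sorted({f"{r['dst']}:{r['dport']}" for r in recs})
        print(f"{src}: {len(recs)} connections during quiet hours -> {', '.join(dsts)}")
    for dst, (src, count) in lonely_destinations(lines).items():
        print(f"{dst} only ever contacted by {src} ({count} connections)")
```

On the sample, only 10.0.0.15 shows up in the quiet window, and 203.0.113.7 is the one outside address nobody else on the network talks to; the two views reinforce each other, which is the point of running both. The same two functions work unchanged on a day's worth of real records once parse_line() matches your firewall's export.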

Re:How do you know if you've been rooted? (0, Offtopic)

Dunbal (464142) | more than 7 years ago | (#16463813)

Episodes 3, 8, and 4

      Yeah Episodes 3 and 4 rock, but dude I thought Lucas wasn't going to do Episode 8? torrent plz!

Re:How do you know if you've been rooted? (1)

vandoravp (709954) | more than 7 years ago | (#16463839)

Bah, should be episode 46, not 4. Yay for proofreading.

The Route Of Existence (1)

Beau Goldly (1014045) | more than 7 years ago | (#16463685)

If you can check it, therein lies the problem. The paradox is in its mere existence, it thinks, therefore it already has. ___________________________________ LunarLodge: "The Last Best Space"®

Re:How do you know if you've been rooted? (3, Funny)

codepunk (167897) | more than 7 years ago | (#16464199)

If you do not know how to check, I can assure you that your network is fully owned.

Re:How do you know if you've been rooted? (2, Informative)

dilvish_the_damned (167205) | more than 7 years ago | (#16464261)

Given where you work, I would suggest security is a state of mind. Do not trust what people put forth as "secure". However, it is almost certainly not your problem. If it is your problem, then no matter how small or large your installation is, I have this to say:
Hire contractors to evaluate your installation. They need not have real access; in fact they should be able to propose possible vulnerabilities without real access, assuming they can ask questions. So you hire them to ask questions, and you take note of the questions they ask. Maybe you hire one or two and maybe you hire none. You have just paid people to ask questions about your system. If it were me, in your shoes, and assuming you have power, I would call back the ones that asked really good questions, and explain to them you want more. And then pay those guys.
And then fix your shit. You will end up with some pretty good analysis (first level only) and it's on you to decide who you want to invite back. It is OK to initially invite local contractors, but only give out information if they give you a "good vibe".

So back to your original statement: "I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should be". If you have to ask, then you do not have a qualified team to deal with this. Your second thing is more pointed: "All the computers have AVG installed, but is there something else I can do to check?". I am sorry, if you are really in charge you need to hire someone who can deal with this ASAP. It will take too much time for you to come up to speed. I have many times heard the argument "but we are small"; however, you gave the word 'hospital'. Secure your data. If you have a lack of funding then get the funding. It seems I cannot stress this enough. You expect the doctors to "do it right"; your patients expect your entire facility to "do it right".
On a last note: Bringing someone in who knows more than you does not threaten your position, it only means you're a decent manager.
Also, not to be critical, but you mention "AVG" in the hospital [record?] context. I will not say you have no clue; however, you have no idea what you're dealing with. The world is far more sinister than you know. AVG is a method of turning a 'blind eye'.
If you truly are involved with IT at a hospital, I would be willing to hook you up with a clinic that has won multiple state and national awards for its handling of IT. They would be willing to help for free; it's the way they roll. They do it up right. However, I would have to make sure you're for real before I bother them with you.
I am not sure how we would do that, here on Slashdot. Tell you what, you give me an inclination via response and I will figure the mechanics out.
No hospital (or clinic, or eye doctor) should be without real protection.

--dant

silly (1)

convolvatron (176505) | more than 7 years ago | (#16463501)

This whole thing is just ridiculous. Yes, sure, if you treat existing poorly engineered systems as inviolate and try to work around them it's a never-ending battle. But the basic tools to provide systemic distributed security have been published for quite some time. Fix the problem at its source and stop screwing around.

Yes, PKIs are not flawless, but it would be a huge step above this kind of flailing.

Re:silly (1)

secolactico (519805) | more than 7 years ago | (#16463943)

fix the problem at its source and stop screwing around.

And what is the source?

If the source is an insecure OS, how are we going to convince the botnet fodder to patch/upgrade/secure? Even if Vista turns out to be a very secure OS, we will have to wait for a couple of generations before adoption is widespread. Do you know anybody who still uses Windows 98? I do.

Is the battle already lost? Probably not. But for the moment they are winning, and all the actions we can take are purely reactive.

obligatory... (1)

RuBLed (995686) | more than 7 years ago | (#16463507)

"Resistance is futile. You will be assimilated."

When in doubt... (1)

inca34 (954872) | more than 7 years ago | (#16463515)

use a big stick. Didn't we learn anything in American History? Roosevelt pwned.

Re:When in doubt... (1)

jpardey (569633) | more than 7 years ago | (#16463599)

Or, in the case of the internets, a big lead tube.

Computer standing by: (0)

Anonymous Coward | more than 7 years ago | (#16463527)

PWN'd IP: 62.48.12.123
Current Command: Spam Partypoker links

Respond to this command to update commands:#

why of course roses are red. (1)

achacha (139424) | more than 7 years ago | (#16463537)

One can always create reverse honey-pot servers that connect to the chat channel and when given a command, reply with "I am sorry Dave, I cannot do that..." and then recite some multi-gigabyte random poem into the channel :)

The key here is "unpatched server" and of course it happens to be a windows box... hmmm...

Re:why of course roses are red. (1)

LordEd (840443) | more than 7 years ago | (#16463933)

multi-gigabyte random poem
That would be a very long poem. By the time you finish reciting that to your young sweetheart, I think she would die of old age.

Oh wait, this is slashdot. Nevermind.

Re:why of course roses are red. (4, Funny)

Dunbal (464142) | more than 7 years ago | (#16464163)

Oh wait, this is slashdot. Nevermind.

      Correct. The sweetheart in question HERE is probably an overclocked dual core Athlon chip that would handle that poem in a few milliseconds.

Restrictive Firewall Infection (2, Interesting)

Anonymous Coward | more than 7 years ago | (#16463561)

Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall? I think for every somewhat bright for-profit trojan creator, there are thousands of brighter people that can come up with an intelligent plan to do this effectively. Use all spreading techniques that the best of the worst use, but minimize the wasted & bloated traffic, while fixing as many computers as possible. Should be simple!!

Only issue I see is legality. Technically however, I see this as very feasible.

Re:Restrictive Firewall Infection (0)

Anonymous Coward | more than 7 years ago | (#16463653)

Max Vision did, and he got jail time for it. ...yea, OK, he left himself a backdoor, but still. he fixed the original problem...

Re:Restrictive Firewall Infection (1)

cheshire_cqx (175259) | more than 7 years ago | (#16463715)

I think this was done already, but Google is letting me down. Can't find anything to back up this recollection.

Re:Restrictive Firewall Infection (2, Informative)

Anonymous Coward | more than 7 years ago | (#16463947)

You'd have to do this anonymously, vigilante-style. You'd be thrown in prison just as quickly as the people who create the more malicious exploits, as you would be illegally accessing people's computers, even if you're trying to help.

Re:Restrictive Firewall Infection (1)

Dark_MadMax666 (907288) | more than 7 years ago | (#16464035)

Because all really bright people are really evil. Muahhahahhahaha

Actually (2, Interesting)

Shadowruni (929010) | more than 7 years ago | (#16464121)

This was the subject of "As the worm turns", in the first Stealing the Network (an AWESOME book). The protagonist disassembles a worm and then figures out how to fix it, with some unintended consequences. A great read; the story is fictional but the technology is VERY real. Almost a HOWTO in fact.

Why use a trojan? (2, Informative)

khasim (1285) | more than 7 years ago | (#16464239)

Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall?

There have been attempts at doing so with worms ... but these machines are already pwn3d and reporting into a known channel.

In theory, there is nothing stopping the "researchers" from having the zombies identify their OSs, download any patches, install a personal firewall and an automatically updating anti-virus program, and then remove the original infection.

Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.

No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.

PHURST POAST (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16463571)

BOTNETS R TEH


obligatory (0)

Anonymous Coward | more than 7 years ago | (#16463575)

take off and nuke the site from orbit, it's the only way to be sure

We need a really big lawsuit against Microsoft (3, Interesting)

Animats (122034) | more than 7 years ago | (#16463585)

What's needed is for someone like NY Attorney General Eliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.

Meanwhile, we may need some brutal firewalls:

  • All incoming e-mail is reformatted. Attachments are converted to .odf or .png, as appropriate. Stuff that can't be converted is dropped. HTML is parsed, checked for syntax, and Javascript dropped.
  • All web browsing to non-secure sites is proxied. Javascript is removed. Flash is removed. Java is removed. All binary data is removed. Images are reformatted to .png format and the HTML adjusted to match. No more "Web 2.0"; those sites just stop working.
  • Web browsing to secure sites via SSL is only permitted if the site has a SSL cert that is a high-grade "we really know who this is" cert.
  • TCP port 80 is all you get outgoing. Incoming, forget it. UDP, forget it. If you want to message, use the phone.
  • You have a machine or two around that are outside the firewall for when you desperately need to do something else. Those machines have a canned read-only disk image that's refreshed on each reboot or logout, like Internet cafe machines.

We're probably going to see some companies going to a locked down firewall like that.
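The first bullet above, "HTML is parsed, checked for syntax, and Javascript dropped", is the one piece of this proposal that can be shown in code without a whole gateway around it. What follows is an added example written for this page, not code from the commenter; it takes the allowlist approach (rebuild the message from a short list of inert tags and attributes, so anything unexpected never reaches the output) rather than trying to enumerate bad constructs. The tag and attribute lists, the accepted URL schemes and the sample message are choices made here for the illustration, and the parser is Python's standard html.parser.

```python
"""Allowlist rewrite of e-mail HTML: keep a few inert tags, drop the rest.

Added example for the "HTML is parsed ... and Javascript dropped" idea;
it is not code from the original post.  Tag and attribute allowlists are
choices made here for the illustration.  Whatever parses hostile input on
the gateway is itself attack surface, so a filter like this belongs in an
unprivileged process.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}            # everything else, incl. on*, style, is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}    # their contents are never text the reader wants


class MailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from allowed parts instead of deleting bad ones."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped on output
        self.out = []
        self._skip = 0       # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return           # unknown tag vanishes; any text inside it stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue     # javascript:, data:, vbscript: ... all fail this test
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(raw):
    """Return raw HTML reduced to the allowlisted subset, with text re-escaped."""
    p = MailHtmlSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


# Constructed hostile sample: event handler, script block, javascript: link.
SAMPLE = ('<p onclick="evil()">Hi <b>there</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a> <a href="https://example.com/">ok</a>'
          ' &lt;tag&gt;</p>')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
```

On the sample the onclick handler, the script block and the javascript: link all disappear while the visible text and the https link survive. Note what the allowlist does not do: it says nothing about the robustness of html.parser itself, which is exactly the objection raised further down the thread about a buffer overflow in the converter, so the process running this should have no privileges worth taking.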

If you're gonna go to all that trouble . . . (5, Insightful)

thesoffish (852987) | more than 7 years ago | (#16463617)

Why not just physically unplug your computer from the network?

Re:If you're gonna go to all that trouble . . . (1)

cryptoluddite (658517) | more than 7 years ago | (#16464091)

Then how would I use lynx to read slashdot??

Re:We need a really big lawsuit against Microsoft (0)

Anonymous Coward | more than 7 years ago | (#16463705)

Or... you could just patch your computer, and virtually none of these exploits would apply.

Re:We need a really big lawsuit against Microsoft (3, Insightful)

linuxbert (78156) | more than 7 years ago | (#16463731)

If you yourself won't work like that, then don't waste time suggesting it. These measures are really nothing more than window dressing designed to give the appearance of security. I would hazard a guess that more corporate security people are worried about data theft via USB drives than they are about becoming part of a botnet.

Re:We need a really big lawsuit against Microsoft (1)

jginspace (678908) | more than 7 years ago | (#16463819)

"You have a machine or two around that are outside the firewall for when you desperately need to do something else. Those machines have [b]a canned read-only disk image that's refreshed on each reboot[/b] or logout, like Internet cafe machines."

A brazilion studies show just how quickly machines get infiltrated. If they're vulnerable they'll get taken over in a matter of minutes as opposed to hours or days so all this really does is avoid an accumulation of baddies - which might actually be a good thing as such an accumulation might totally disable the machine or at least be more likely to show outward symptoms which would draw someone to come and take action rather than allowing it to go on stealthily serving those who were lucky enough to get there first each morning just after power up...

Re:We need a really big lawsuit against Microsoft (4, Insightful)

Geoffreyerffoeg (729040) | more than 7 years ago | (#16463845)

Attachments are converted to .odf or .png, as appropriate.
There are many applications which require macros to be present in Word documents. If you translate the macros to ODF's format (does it even support macros?), you've gained nothing. If you don't, you've caused confusion for many customers. And as far as converting images, how do you ensure the buffer overflow (or worse, the WMF arbitrary-code loophole in the specification - this wasn't technically a bug in the parser) isn't present on the firewall itself? I would think a rooted client machine is much better than a rooted firewall.

No more "Web 2.0"; those sites just stop working.
There are quite a few Web 1.5 sites that critically depend on JS, Flash, Java, etc. Facebook loses a lot if you even have just a partial JS interpreter (and I have seen it happen), and Facebook's coding is arguably not 2.0. Yahoo passwords lose a lot of their security if you disable JS, because then you can't do any sort of key challenges - you have to send the password itself, HTTPS or not. Etc.

Web browsing to secure sites via SSL is only permitted if the site has a SSL cert that is a high-grade "we really know who this is" cert.
You have locked out many universities (MIT is a major one; OU and UL also come to mind) that do not feel like paying a 3rd-party commercial company to certify their identity when they can just pass out root certificates.

TCP port 80 is all you get outgoing. Incoming, forget it. UDP, forget it. If you want to message, use the phone.
Wonderful. No e-mail. No file sharing. No VPNs. No intranets. Web-only is fine for home users on AOL. Home users who do anything else, and corporate users, need other ports.

Your internet-café machines are far more usable than your "normal use" machines at this point.

Re:We need a really big lawsuit against Microsoft (0)

Anonymous Coward | more than 7 years ago | (#16463901)

If your users are game, there are ways around even the harshest firewall. One could, for example, set up an SSH Reverse Tunnel, over port 80 (which is the only port you allow out).
http://gentoo-wiki.com/TIP_SSH_Reverse_Tunnel [gentoo-wiki.com]

Security is great, but trained and dependable users are better.

Re:We need a really big lawsuit against Microsoft (1)

Achromatic1978 (916097) | more than 7 years ago | (#16464067)

Just do "SPI" / Layer 7 filtering. Or don't allow tcp/80 out either, run a Squid instance inside the border.
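The reverse tunnel described two comments up is what a bare port rule cannot see, and "Layer 7 filtering" is the usual answer. As an added example (not code from any commenter), here is the smallest useful form of that check: look at the first bytes a client sends on an allowed port and verify they belong to the protocol the port is for. The payloads, the port policy and the function names are constructed for the illustration.

```python
"""Layer-7 sanity check for a "port 80 only" egress rule.

Added example, not from the thread.  A plain port rule lets anything that
speaks on tcp/80 through; this checks that the first bytes a client sends
actually look like the protocol the port is for.  Sample payloads are
constructed; the functions are meant to sit in a proxy or inspection hook.
"""
import re

# HTTP request line per RFC 2616: METHOD SP Request-URI SP HTTP/major.minor CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,8} \S+ HTTP/1\.[01]\r\n")

# Allowed outbound ports and the one protocol a client may speak on each.
PORT_POLICY = {80: "http", 443: "tls"}


def classify_first_bytes(data):
    """Name the protocol from a client's first bytes: http, tls, ssh or unknown."""
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    # TLS/SSL3 ClientHello record: content type 0x16 (handshake), version 0x03 0x0X
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # SSH identification string (RFC 4253) comes first from both sides.
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def egress_decision(dport, data):
    """Return ('allow' | 'deny', reason) for a new outbound connection."""
    expected = PORT_POLICY.get(dport)
    if expected is None:
        return "deny", f"tcp/{dport} is not an allowed egress port"
    seen = classify_first_bytes(data)
    if seen != expected:
        return "deny", f"tcp/{dport} expects {expected} but client sent {seen}"
    return "allow", f"{seen} on tcp/{dport}"


# Constructed first-packet payloads: (destination port, bytes the client sent).
SAMPLES = {
    "browser":    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "ssh-tunnel": (80, b"SSH-2.0-OpenSSH_4.3\r\n"),
    "irc-on-80":  (80, b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
    "https":      (443, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01"),
    "irc-6667":   (6667, b"NICK bot1234\r\n"),
}

if __name__ == "__main__":
    for name, (port, payload) in SAMPLES.items():
        verdict, why = egress_decision(port, payload)
        print(f"{name:10} -> {verdict}: {why}")
```

Of the five samples only the browser request and the TLS handshake pass; the SSH banner and the IRC registration on tcp/80 fail because they are not HTTP, and tcp/6667 fails on the port alone. The limit of a first-bytes check is stated plainly further down the thread: once the rule is port 80 only, control traffic will be wrapped in syntactically valid HTTP, and catching that needs a proxy that terminates and inspects the HTTP itself, which is the Squid suggestion above.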

Sue/address the IRC networks, first. (5, Interesting)

SuperBanana (662181) | more than 7 years ago | (#16463925)

What's needed is for someone like NY Attorney General Eliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.

Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.

I had a machine hacked by a German movie filesharing group, and they included a bot which logged into their channel on Rizon. Like a good little admin, I logged into Rizon and checked out the channel. It had several thousand users, a whole slew of fserves...and ZERO conversation. None.

I went to #help and reported the botnet attack and the response was: "hey, you want us to shut down one of the most popular channels here because of an evidenceless accusation that you were hacked by them and used as one of their fserves? LOL ZOMG GET SECURITY AHAHAHAHAHA LUSER P0WNZORED" etc. etc.

It is patently obvious that the Rizon admins are FULLY aware that they have dozens, if not hundreds, of illegal filesharing groups that are using botnets to set up fserves, attack other systems for more bots, etc. They're doing jack shit about it (and in fact, they're making it easier: they now support SSL connections) and I think it's time someone sued them to hell and back. It's time IRC operators were taught that you can't knowingly support criminal activity, and that if users report hackings, they need to look into said reports and act on them. I also think it's time IRC traffic was considered "highly suspicious" and monitored by ISPs for fserve commands and such; fserves have no real legitimate purpose today, except illegal filesharing.

PS: Next time you download a movie or program, bittorrent or IRC DCC....realize that it was distributed, most likely, by a group that hacked unix systems. Those systems were owned and administered by people just like you, and that person is going to have to deal with the damage and headaches. Just like you will, some day.

Re:Sue/address the IRC networks, first. (2, Interesting)

dosius (230542) | more than 7 years ago | (#16464011)

I can assure you, neither of my IRC channels that have fservs have bots from compromised hosts. I wouldn't stand for it anyway. I'd rather my bandwidth be legitimately bought and paid for (or donated as the case may be).

-uso.

Re:Sue/address the IRC networks, first. (1)

wish bot (265150) | more than 7 years ago | (#16464219)

I don't know if you realise, but pretty much anyone can set up an IRC server. In fact I'd speculate that only the really small botnets piggyback on known IRC networks, as anyone with a reasonably sized herd would probably be running their own network of servers (i.e. compromised machines).

Re:We need a really big lawsuit against Microsoft (1)

Infernal Device (865066) | more than 7 years ago | (#16463965)

Maybe it's time to stop blaming the victim and start blaming the perpetrators. It's real easy to point fingers at Microsoft, but let's face it, the consequences of a radical redesign of the core software would be too great to handle in one generation. If the shoe were on the other foot and you had to redesign, rewrite, recompile and distribute Linux from scratch and do the same for all the application software, while maintaining some degree of backward compatibility, how long would it take? What would be the cost?

We make mistakes and decisions made a long time ago can affect systems for years to come. You're casting all the blame at Microsoft's feet and none at the ones who take advantage to wrong ends.

Your solution essentially locks everything down to a read-only state. Tell me, how do you serve up that website if the machine doing the serving is read-only? Does it just appear on the machine by magic?

Re:We need a really big lawsuit against Microsoft (1)

Tom (822) | more than 7 years ago | (#16464141)

Meanwhile, we may need some brutal firewalls:

        * All incoming e-mail is reformatted. Attachments are converted to .odf or .png, as appropriate. Stuff that can't be converted is dropped. HTML is parsed, checked for syntax, and Javascript dropped.
        * All web browsing to non-secure sites is proxied. Javascript is removed. Flash is removed. Java is removed. All binary data is removed. Images are reformatted to .png format and the HTML adjusted to match. No more "Web 2.0"; those sites just stop working.

Someone will find a buffer overflow in the parser...

        * Web browsing to secure sites via SSL is only permitted if the site has a SSL cert that is a high-grade "we really know who this is" cert.
        * TCP port 80 is all you get outgoing. Incoming, forget it. UDP, forget it. If you want to message, use the phone.
        * You have a machine or two around that are outside the firewall for when you desperately need to do something else. Those machines have a canned read-only disk image that's refreshed on each reboot or logout, like Internet cafe machines.

People won't use it, because it's inconvenient. Besides, once it's port 80 only, all botnets will talk over port 80, so what? Also, SSL or only port 80? Make up your mind. :-)

Read-only system partition. Yes, that sounds like something. Only problem being: If there is a way to mount it read-write (and there's gotta be, for patches) then someone will find a way to exploit it.

No, none of the quick-fire solutions will work. Our security technology has hit its limits. There is no way to secure a home PC using known methods, it's all hacks and patches and buckets to get the water out of the sinking ship. We need a new approach, and it's gotta start with the #1 vulnerability: The user.
I'm not talking about educating him or making him powerless. We tried both of those, they've failed.

use the clients against themselves (3, Interesting)

TheSHAD0W (258774) | more than 7 years ago | (#16463591)

Modern botnet clients are pretty adaptable; they will download patches and modify themselves to beat disinfectors. With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel. Should that fail, one should be able to determine what fallback channels the botnet clients use and disable those before killing the current command channel.

We need a trusted network of ISPs (4, Interesting)

Ignorant Aardvark (632408) | more than 7 years ago | (#16463603)

What we need is a large number of ISPs to get together and say, "We trust each other to deal with botnets." Then, with a single command, any trusted ISP within the network could instantly send a command to another ISP to shut down a site or server that is running a botnet. All of these actions would be logged and would be reviewed to make sure that it is only being used against botnets; any sort of abuse (like using it to shut down protest sites or copyright violation sites) would result in an instant revocation of privileges. This system would be much better than what we currently have: trying to call the other ISP, trying to get them to listen to you, trying to get them to trust you ... it can take days, if ever, to shut down a botnet on another network.

Re:We need a trusted network of ISPs (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16463717)

and then you open yourself to a DoS attack where the botnet purposefully causes a domain to be blacklisted.

"already"? (0)

Anonymous Coward | more than 7 years ago | (#16463607)

The botnet battle was lost many, many years ago.

What about that ThreatNet thing to find zombies? (0)

Anonymous Coward | more than 7 years ago | (#16463611)

Well command and control didn't help.

I wonder if it's time to revisit that real-time zombie monitoring network [ali.as] idea again.

Maybe I'm being complacent, ... (1)

bcrowell (177657) | more than 7 years ago | (#16463665)

... but I honestly don't see this as such a big issue.

Basically this is a problem with people owning computers who don't know how to maintain them properly, and with MS making it unreasonably difficult, expensive, and time-consuming to maintain a Windows machine properly.

But as someone who doesn't run Windows, I don't really care. I'm sure some of the spam I get is from these bots, but spam would exist with or without botnets, and without a major redesign of the e-mail infrastructure and standards, spam can only be mitigated, not cured. My mitigation measures work for me.

Another theoretical possibility is that I could get extorted by somebody carrying out a DDOS attack. But in reality, that seems more like a worry for a big corporation, not an individual like me.

Another possibility is that somebody I do business with could get their machines owned, and gangsters could steal my identity. Well, it hasn't happened to me yet, and it hasn't happened to anyone I know.

I'm a lot more worried about global warming and nuclear proliferation.

Re:Maybe I'm being complacent, ... (3, Insightful)

Dunbal (464142) | more than 7 years ago | (#16463741)

Basically this is a problem with people owning computers who don't know how to maintain them properly

The cry of "I know, let's invent a computer that is smart enough to maintain itself!" was heard in the boardroom, and thus SkyNet was born - with the dual mission of perfecting itself and eradicating the useless humans that weren't even able to maintain it!

Re:Maybe I'm being complacent, ... (0)

Anonymous Coward | more than 7 years ago | (#16463749)

You *should* be worried b/c you could lose your job, which could happen if a "big corporation" or wherever you work is DDOS attacked. But I guess you're not worried about that happening to you at McDonald's.

Re:Maybe I'm being complacent, ... (1)

Oswald (235719) | more than 7 years ago | (#16463863)

It's fun to bash Microsoft. I do it myself. They're way behind the power curve on proactive security measures and slow to fix vulnerabilities. However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming. I run Ad-aware every once in a while just for grins, but so far it only finds trivial stuff, and I don't think I would be any worse off without it.

Of course, without the $40 router/firewall that keeps the machine from getting pwned every 10 minutes, the rest would be pointless, but honestly, I would need a router no matter what OS I was running.

I do a lot of stuff to stay up to date... (0)

Anonymous Coward | more than 7 years ago | (#16463909)

That should keep my Windows box safe, right?

I mean, those updates fix all the security holes and stuff right away, right?

Those botmasters couldn't possibly have time to root my box between the time they discover the security hole and the time it's fixed, right?

Re:Maybe I'm being complacent, ... (4, Insightful)

bcrowell (177657) | more than 7 years ago | (#16463981)

However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming.
A serious question, then: what do you think makes your outcome different from the outcome experienced by the people who are getting their machines owned? I don't know the answer, because I don't run Windows, but I could speculate:

Is it because they intentionally download stuff that infects their machine with spyware? If so, then maybe security is too difficult for them, because they aren't technologically sophisticated enough to realize that this is a bad idea, and maybe MS is helping to make it too difficult for them, by creating a culture where it's normal for every user to run with unlimited privileges.

Another possibility is that they aren't sophisticated enough to realize that the simple, commonsense measures you've taken (a router/firewall, doing updates) would be more sensible than measures such as buying anti-virus software, or taking their computer to Circuit City to get it fixed when it "gets slow."

I think the real problem is that a lot of people own more computer than they need. All they really need is a word processor, e-mail, and a web browser. They really don't need a general-purpose computer at all, and don't have the skills needed to maintain one. They might be better off with an internet appliance, or a thin client. The problem is that they don't understand how much they don't understand. It's like the people who have to own a Harley Davidson because it's cool, even though it's an utterly impractical motorcycle for what they want to do.

Re:Maybe I'm being complacent, ... (2, Insightful)

taylortbb (759869) | more than 7 years ago | (#16464209)

I must agree with you that people intentionally download things that will harm their machine. I do computer support and I have had more than one client say "But the included smilies aren't good enough, why did you remove my other ones?" after they ask me to make their machine run faster. As long as spyware/adware/botnet software can be distributed with "free" software that users want, the problem isn't going anywhere. Once Vista arrives the UAC stuff will help with remote exploits, but people won't understand the importance of that "Enter your password to continue" screen and will happily do it if it gets them some new smileys. This is how Linux is so secure: most users understand the importance of their root password and would never enter it into the browser, other than during the initial install.

On a corporate system where users don't have admin access, botnets aren't much of a problem. But on home machines where every user has admin, no technological measures will help as long as they can be lowered. As a power user I want to keep my own machine, but for many users a subscription PC would be the best idea. They pay per month, don't have admin, and an admin employed by the company you rent the machine from takes care of security. It would be like extending the corporate world into the home. People don't care about security and they're not going to start anytime soon; they don't understand the connection between those smileys and the spam in their inbox.

It's not surprising people can't fix their own machine; how many people can fix their own car? How many people can even change the oil in their own car? The other option would be for computers to be more like cars. People don't install things in their car, and if they want something installed they take it to the dealer. That would work for most people: pick the software you want with the machine, and take it to an authorized service center when you want upgrades. There are people that install things in their own cars, just like there will be people that buy non-locked PCs, but users want easy above all else, and if a company could do that by pre-installing everything I think most users would get it.

The botnet problem won't disappear, but it can be significantly reduced so it won't be a problem.

Re:Maybe I'm being complacent, ... (2, Interesting)

jcr (53032) | more than 7 years ago | (#16464081)

But as someone who doesn't run Windows, I don't really care.

Well, I do care, because a lot of the bandwidth I pay for is crowded by the spam that my hosts filter for me. Not to mention the bandwidth wasted and the increased cost of network service that comes from millions of unsecurable Windows machines trying to infect each other with the malware of the minute. If anyone ever sets up a "no Windows allowed" ISP, I'd be a customer in a heartbeat. -jcr

JUST HIT DELETE (0)

Anonymous Coward | more than 7 years ago | (#16463673)

Why can't we all just hit "delete"? It takes only a few seconds.

Humans will lose... (1, Funny)

fithmo (854772) | more than 7 years ago | (#16463701)

Botnet, Skynet, whatever... We effectively lost the war against the robots when we first invented computerization, thus creating the possibility for the future war against the robots.

1001001 (1)

fyrie (604735) | more than 7 years ago | (#16463707)

SOS

A modest proposal (4, Insightful)

caitsith01 (606117) | more than 7 years ago | (#16463725)

I am no expert in this area, but a thought occurs.

Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?

It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").

The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.

Of course this may already be the approach taken - I don't know much about the field, as I say.

Re:A modest proposal (1)

freeweed (309734) | more than 7 years ago | (#16463833)

Because for some reason, the people who code "good samaritan" software seem to be very stupid.

Seriously, you could write software like this that DOESN'T spit out traffic. You want to stop a lot of botnets? Hang out on IRC, wait for infected hosts to do their thing, and then patch them. And THEM ONLY. Put up webpages with your exploit, and ONLY PATCH THOSE ALREADY INFECTED.

The problem is, everyone tries to write this stuff a la the original worm/trojan - spewing itself out to hosts all over the Internet, thereby making the cure in many ways worse than the disease.

Re:A modest proposal (0)

Anonymous Coward | more than 7 years ago | (#16463849)

Don't worry, the botnet herders will simply have their worm patch the machine after infection.

Re:A modest proposal (1)

symbolset (646467) | more than 7 years ago | (#16463935)

Yes, this is a checkbox in the toolkit, and it's checked by default.

Re:A modest proposal (3, Interesting)

ZSpade (812879) | more than 7 years ago | (#16463927)

This was done with Klez... a good Samaritan wrote a virus that would spread to computers as effectively as Klez, look for it, and then eliminate it if found. You know how you knew if you had the Good Samaritan virus? Klez-like symptoms. That is, a major system slowdown, as well as many, many bugs/crashes.

Good times. Viruses like that operate at levels that were only really meant for system tasks, and yet they were never part of that system. Windows, being the careful balancing act that it already is, will topple over readily when you add anything to the base.

Re:A modest proposal (1)

Jah-Wren Ryel (80510) | more than 7 years ago | (#16464019)

A) You can't expect the first couple of tries at anti-virus-viruses to be perfect. Just because the prototypes had failings does not mean that the idea itself is not sound. Look how many thousands of regular viruses it took before the regular viruses became relatively competent.

B) Since the goal here in this article is to cripple the botnets, an anti-virus-virus that makes a system unusable is a positive outcome. If the user can't use it, chances are the botnet can't use it either.

In many jurisdictions there are many legal problems inhibiting the use of anti-virus-viruses. But, neither teething problems nor legal problems are proof that the concept is without merit.

Re:A modest proposal (2, Informative)

NightHwk1 (172799) | more than 7 years ago | (#16463967)

The impression I got from the article is that once infected, the bots will only accept (PGP?)-signed commands, and the original vulnerability is most likely patched to prevent another botnet herder from stealing it. There is no way to order the botnet to self-destruct.

Re:A modest proposal (1)

lagfest (959022) | more than 7 years ago | (#16463995)

So you want to write a program that eliminates botnets, and find Sarah Connor?

Re:A modest proposal (1)

Tom (822) | more than 7 years ago | (#16464097)

This was discussed and dropped many times.

One of the reasons it doesn't work is that many exploit-scripts already plug the hole they used to get in - not to be nice, more in order to make sure the machine isn't re-taken by someone else.

Re:A modest proposal (1)

cryptoluddite (658517) | more than 7 years ago | (#16464159)

The real question is, why do we have exploits? 99% of the ones out there could be eliminated entirely by using a typesafe language for applications and the operating system. Of course you can't entirely remove bugs, but what you can do is prevent systems from running arbitrary code on your system from hacked unsafe programs.

For instance, I have absolutely no problem running Azureus and getting hundreds of connections from random unknown computers because, since it is written in a typesafe language (Java), it is pretty much impossible to hack it.

All over the place (1)

Datamonstar (845886) | more than 7 years ago | (#16463781)

Of course this stuff is all over. My sister's PC was infested with malware and a member of a botnet. She has a teenage daughter that clicks on everything sent her way. I discovered, before a complete system wipe, two processes that run on start up using telnet, at least three pop-up services, two browser tool-bars, a page hijack stacked upon another page hijack that had its registry keys still intact but was disabled by the other hijack, and the system had Python installed and was compiling source code! After all that, they better change their browser habits. I only hope my sister doesn't make her daughter stop using the PC or the web altogether. That's the wrong answer, and hopefully I can educate them and give them an alternative.

Re:All over the place (1)

cryptoluddite (658517) | more than 7 years ago | (#16464221)

I think you've just hit on the real reason Intel is making an 80-core processor: 34 cores for mass mailers, 15 for some botnets, 27 for norton antivirus, 2 cores to correct my math, and then 2 left over to run SETI@Home.

Uneducated questions (0)

Anonymous Coward | more than 7 years ago | (#16463789)

If destroying the host won't work, as the bot herders just create another... what about taking the host over, and hijacking the botnet itself? If you could do that, couldn't you "disband" that botnet by ordering all the bots to patch themselves against the vulnerability, seal off certain ports, etc.?

an obvious solution (1)

Wizzerd911 (1003980) | more than 7 years ago | (#16463791)

why don't they build into Vista and update XP (since nobody's going to buy Vista) so that you can't send repeated connection requests up to a reasonable limit.

Net Force (1)

QuantumG (50515) | more than 7 years ago | (#16463795)

So, err, do we need some kind of international police force to keep the Internet clear of botnets? Should the UN run it? Do they get cool blue suits and have their own swat teams around the world?

Come on folks, "lost"??! (4, Insightful)

swordgeek (112599) | more than 7 years ago | (#16463803)

The so-called botnet battle is no different than the war on spam or the anti-virus front, or any of the others.

It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.

This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.

But convincing people to work together is impossible, so we might as well get used to it.

Re:Come on folks, "lost"??! (1)

Dunbal (464142) | more than 7 years ago | (#16463843)

Fix the software, the law, and the enforcement of the law (esp. jurisdiction)

Therein lies the problem. Easier said than done. How do you propose to address these issues, specifically?

Re:Come on folks, "lost"??! (1)

gbobeck (926553) | more than 7 years ago | (#16464057)

How do you propose to address these issues

It's rather simple... someone just needs to convince Congress that the government needs to create the post of "Internet Plumber", whose sole purpose is to make sure the internet tubes are either kept spotlessly clean, or thoroughly plugged to prevent botnet attacks.

The person who is elected to the position of Internet Plumber will be required to wear the honorable red uniform of Mario. The Internet Plumber will also be required to give weekly updates about the internet tubes. C-SPAN will be required to air these update reports, even if the Internet Plumber is engaged in a job resulting in the plumber's crack being exposed.

As for the law... people who are found guilty of creating and/or using botnets for any reason shall be forced to use AOL or Compuserve dialup for the remainder of their natural lives. All email they send and forum posts they post shall only consist of the words "Me to." They will only be permitted to use computers running Windows ME, and the desktop must feature a background image of the goatse man or tubgirl.

This should be a good start in the war against botnets.

Re:Come on folks, "lost"??! (0)

Anonymous Coward | more than 7 years ago | (#16463877)

There are plenty of GOOD laws against this, or at least laws that would work.

The problem is that law enforcement just couldn't give two shits about this. The FBI won't get involved unless you've had $10,000 in damages (minimum) and local law enforcement is probably little more effective than shaking their fists angrily in the direction of Hong Kong/Moscow/etc.

Re:Come on folks, "lost"??! (1)

Pantero Blanco (792776) | more than 7 years ago | (#16463989)

It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.

This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.

How do you plan to fix the law, the enforcement, and the software without any discussion of philosophy, politics, jurisdiction, and technology...? Sane laws depend on philosophy and politics. Sane enforcement depends on well-designed jurisdiction. Sane software depends on an understanding of technology. If you try to solve a problem without discussing those things, the LAST thing you'll have is people working together.

It's simple. They don't care. (4, Insightful)

PhiRatE (39645) | more than 7 years ago | (#16463831)

The simple problem with the fight against botnets is that it's asymmetric, and not in our favor. The bots are in a place that is particularly difficult for someone attempting to dismantle the network to reach, the property of someone else. It's not the technical problems that make a botnet so difficult to dismantle, but the legal ones.

The botnet creators don't give a damn; their objective involves breaking the law (where there is one) in order to hijack someone's computer. Someone attempting to destroy the botnet is likely to be attempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromised machines, many of which:

a) are difficult or impossible to contact
b) don't speak your language
c) don't understand anything about the problem
d) don't care

Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command); however, botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure-resistant networks of cooperating nodes are a well-researched area and, at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.

They're here to stay; there are no practical, non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and let's face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch appliance-like systems in the future which will continue to be exploited.

As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like TippingPoint that will give them a head start on deflecting the inbound traffic. That's about it.

Skynet is taking everything over! (1)

rob1980 (941751) | more than 7 years ago | (#16463841)

Run for your lives! Oh... wait.

Automated response (1)

Coulson (146956) | more than 7 years ago | (#16463907)

This has been discussed on Slashdot before, but it seems relevant here. If it proves impossible to stop self-replicating worms by patching holes, you can either have mandatory auto-updates provided by a "trusted" source (your friendly OS provider), or launch active defenses: white-hat worms whose payload is the patch itself. Or an anti-botnet which DOS'es infected hosts (similar to what BlueFrog tried to do for spam). Of course these cause problems and can be gamed (someone spoofs an attack as coming from you, bringing the anti-botnet to bear against you, etc.)

The basic problem is: manual patching is never going to keep up with automated discovery of vulnerable machines. You either need an automated fixing process (immune system), or you need to clamp down heavily on allowed interaction (boy-in-a-bubble style).

larger battle (5, Insightful)

Tom (822) | more than 7 years ago | (#16464053)

This isn't a battle for/against botnets. They're just the symptoms. What this really means is that the battle to have secure home PCs is lost. I won't even get into the Windos vs. Real OS discussion. The point is deeper still: Our homes are safe from burglars because those with the great skills and expert tools don't break into homes, they break into banks.
Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasible, less risky, yet possibly just as profitable as breaking into one bank.

The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.

My comments.. (5, Interesting)

paulmer2003 (922657) | more than 7 years ago | (#16464073)

A long time ago, I used to run botnets and that other bullshit...So take it as I know what I am talking about.

It is a pity that the general open channels are a thing of the past, but so are private BBS'.

This is not true at all. There are plenty of -sp channels on IRC. Hell, just do a /list on EFnet...thousands upon thousands. And usually, when just going around IRC, you aren't just going to walk up upon a botnet..

With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel.

No shit. Simply decompile the exec, get the password (shouldent be hard, unless it is encrypted, usually isnt), get the server ip/port/password/channel and possibly channel key, join the channel, login to the bots (.l password or what ever) and do .rm and boom, they lost their entire net (thats assuming they have it set so *!*@* can login).

Basically this is a problem with people owning computers who don't know how to maintain them properly, and with MS making it unreasonably difficult, expensive, and time-consuming to maintain a Windows machine properly.

Now now. I am a Linux fan and such, but blaming Microsoft here is just stupid! You know why? Because usually the thing that is exploited hasn't been patched yet. Every program has bugs, that's just how it is. Get over it. And how is it expensive to maintain Windows machines properly? Windows Update is free, no?

But as someone who doesn't run Windows, I don't really care.

While *nix botnets aren't nearly as prevalent as Windows botnets, there are still ones out there...Don't think you are exempt.

Another possibility is that somebody I do business with could get their machines owned, and gangsters could steal my identity.

Its very easy to get your identity stolen these days..Simply do some SQL injection on a pron site or what ever, then boom, you got yourself 5k credit cards.

Why can't we all just hit "delete"? takes only a few seconds.

Were you dropped as a child? On Windows, you can't delete an exec if it's running..and most botnet execs fuck up things like the task manager and have backups of themselves on your box.

Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?

Easier said than done. How does your 'software' know what on the machine is a trojan? That wouldn't be very good, would it, if your 'software' illegally compromised hosts trying to get rid of the trojans and accidentally got some guy's stuff that isn't infected? Also consider, whenever a new exploit is leaked into the wild, all of the current botnet trojans are updated with it...They are widely different...there is no plausible way to just rid of all hosts compromised with hole ____

Obligatory: Yes, but does it run linux? (1)

symbolset (646467) | more than 7 years ago | (#16464103)

Seriously. Does this beowulf botnet run linux? Are linux hosts being deprived of the global machine endeavor to sell us more v1agra and inform us of opportunities to participate in online gaming? Can we not assist in the provision of "bulletproof hosting"? Does *BSD not deserve to take its place in the pantheon of truly "highly available, totally reliable, even if netops doesn't want to run them" services? I say if an open source OS can't support these services, what good is it? This is the future of clustering I tell you!

TFA says only this:

  • Botnets filled--and easily replenished--with compromised Windows have emerged as the key hub for well-organized crime rings around the globe, using stolen bandwidth from drone zombies to make money from nefarious Internet activity, according to security experts tracking the threat.
  • Statistics from multiple sources justify Evron's pessimism. According to data culled from Microsoft's MSRT (Malicious Software Removal Tool), back-door Trojans and bots represent a "significant and tangible threat to Windows users."
  • Since the first iteration of the MSRT in January 2005, the tool has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent was found with a Trojan or bot.

Surely something can be done to get our linux and BSD boxen involved in this noble global effort! Sure, with their limited user base all ten of the OSS servers on these internets would hardly make a splash in the ocean of Windows boxes, but every little bit helps. Something must be done. Somebody start a project or six on Sourceforge and do something about this.

I, for one... (0)

pablodiazgutierrez (756813) | more than 7 years ago | (#16464107)

...welcome our new botnet overlords.

BTW... does anyone know what TFA is about anyway?

RBL (3, Interesting)

theglassishalf (216497) | more than 7 years ago | (#16464139)

In the end, this problem is only going to get mitigated if we take it as seriously as we did the spam problem. For a long time, ISPs would allow spammers onto their servers because there was no incentive to kick them off. RBLs changed all that.

ISPs that tolerate insecure computers need to get blocked. Blocked from everything. It COULD happen, if Comcast and AT&T both decide they've had enough.

This would have the added benefit of stopping a lot of spam.

Yes, RBLs didn't get rid of spam. But they sure did (do) help. And a good part of the reason they don't work better is botnets. (Remember Blue Security [securityfocus.com]?)

-Daniel

To stop the bots, target their creators (0)

Anonymous Coward | more than 7 years ago | (#16464161)

This is a global policing issue, NOT a server manager's issue. The vile thieves behind bots need to be aggressively identified, and the punishments made so crippling, not even the most amoral would dare risk it. End of story.