Comments on: Cutting down botnet efficiency

by: Paulo

Tue, 11 Oct 2005 13:41:41 +0000

This might be of some interest: Creators of Massive Botnet Arrested [Slashdot].

by: Administrator

Tue, 11 Oct 2005 11:43:46 +0000

Manni:
That could be an option in the future. But it’s not really designed for a firewall blacklist. It’s designed as a mailserver blacklist.

by: Manni

Tue, 11 Oct 2005 08:50:55 +0000

Well, the Spamhaus XBL is just the database you want to have: http://www.spamhaus.org/xbl/index.lasso

by: Administrator

Tue, 11 Oct 2005 07:17:49 +0000

This type of blacklist will only be totally effective for as long as the bad guys haven’t figured out P2P completely yet. I’d really like to see this thing work, but I know I’m not the person to do it.

I’m sure the blacklist would be huge. And hopefully there’s a technical way to implement it, without slowing down web access?

Actually, I’d like to see something different than null routing. I’d like to see users redirected to some internal webpage. The log for that webpage could be used to find infected machines, and then (hopefully) alerting users.

by: RichardP

Tue, 11 Oct 2005 02:43:53 +0000

I’ve heard that suggestion before. I don’t think a master central list is practical. Reliable estimates suggest that more than a million machines belong to botnets at any particular moment. A list that large is too large and too dynamic to load into router access control lists. I suppose one could publish a BGP feed of the addresses and configure routers to null route those addresses, but that would cause a great deal of route table bloat. In addition, I suspect the administration of such a list would be nightmare. There are a number of mailing lists that spend a great deal of time with this issue, but they generally restrict list membership. In particular, I am thinking of the drone armies/botnets research and mitigation mailing list, etc.