Cutting down botnet efficiency

After writing the previous post, I got to thinking about ways to cut down on the number of zombies. Here’s what I came up with:

If some biggie could organize a blacklist that could be used by as many ISPs as possible, then we could firewall the addresses of the places where the botnets are controlled. If some big players were in on this, it would SERIOUSLY hamper the botnets’ efficiency, provided the blacklist is updated frequently enough. Bigger companies with their own networks would probably like this as well (Google, anyone?).

Please let me know if this gets off the ground! And I’d love the credit for the idea, of course.

Update October 15: Users want ISPs to filter spyware. Related topic.

5 Responses to “Cutting down botnet efficiency”

  1. RichardP Says:

    I’ve heard that suggestion before. I don’t think a master central list is practical. Reliable estimates suggest that more than a million machines belong to botnets at any particular moment. A list that large is too large and too dynamic to load into router access control lists. I suppose one could publish a BGP feed of the addresses and configure routers to null route those addresses, but that would cause a great deal of route table bloat. In addition, I suspect the administration of such a list would be a nightmare. There are a number of mailing lists that spend a great deal of time on this issue, but they generally restrict list membership. In particular, I am thinking of the drone armies/botnets research and mitigation mailing list, etc.

  2. Administrator Says:

    This type of blacklist will only be totally effective for as long as the bad guys haven’t figured out P2P completely yet. I’d really like to see this thing work, but I know I’m not the person to do it.

    I’m sure the blacklist would be huge. And hopefully there’s a technical way to implement it, without slowing down web access?

    Actually, I’d like to see something different than null routing. I’d like to see users redirected to some internal webpage. The log for that webpage could be used to find infected machines, and then (hopefully) to alert users.
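The redirect-and-log idea in the comment above, as an added example that is not part of the original post: connections to blacklisted control addresses are diverted to an ISP-run sinkhole page, and that page’s log is mined for the internal hosts that keep calling home. The log layout, the sample lines and the blacklist are all constructed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log from an ISP-side sinkhole web server. The layout is
# an assumption for this example: the blacklisted destination the client
# tried to reach, the client address, a timestamp, then the request line.
SINKHOLE_LOG = """\
203.0.113.7 10.0.0.21 [15/Oct/2005:10:01:02 +0000] "GET /ctl?id=8 HTTP/1.0"
203.0.113.7 10.0.0.21 [15/Oct/2005:10:06:02 +0000] "GET /ctl?id=8 HTTP/1.0"
198.51.100.9 10.0.0.42 [15/Oct/2005:10:07:40 +0000] "POST /report HTTP/1.0"
192.0.2.200 10.0.0.77 [15/Oct/2005:10:08:11 +0000] "GET / HTTP/1.1"
203.0.113.7 10.0.0.42 [15/Oct/2005:10:11:03 +0000] "GET /ctl?id=9 HTTP/1.0"
"""

# Constructed stand-in for the shared blacklist of control addresses.
BLACKLIST = {"203.0.113.7", "198.51.100.9"}

LINE_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"$'
)


def parse_sinkhole_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not trusted."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def infected_hosts(records, blacklist, min_hits=1):
    """Map each client that reached a blacklisted address to hit count,
    first-seen time and the control addresses it tried. Traffic to other
    destinations (e.g. someone browsing to the sinkhole page by hand) is
    ignored, and clients below min_hits are dropped to cut false alarms."""
    seen = defaultdict(lambda: {"hits": 0, "first_seen": None, "destinations": set()})
    for r in records:
        if r["dst"] not in blacklist:
            continue
        entry = seen[r["src"]]
        entry["hits"] += 1
        entry["first_seen"] = entry["first_seen"] or r["ts"]
        entry["destinations"].add(r["dst"])
    return {src: e for src, e in seen.items() if e["hits"] >= min_hits}


if __name__ == "__main__":
    report = infected_hosts(parse_sinkhole_log(SINKHOLE_LOG), BLACKLIST)
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src}: {e['hits']} hits, first seen {e['first_seen']}, "
              f"control addresses {sorted(e['destinations'])}")
```

The resulting per-client report is what an ISP abuse desk would use to notify subscribers; the one host that hit the sinkhole without a blacklisted destination is left out on purpose.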

  3. Manni Says:

    Well, the Spamhaus XBL is just the database you want to have: http://www.spamhaus.org/xbl/index.lasso

  4. Administrator Says:

    Manni:
    That could be an option in the future. But it’s not really designed for a firewall blacklist. It’s designed as a mailserver blacklist.

  5. Paulo Says:

    This might be of some interest: Creators of Massive Botnet Arrested [Slashdot].
