
fulldisclosure logo Full Disclosure mailing list archives

From: "mailing lists" <bofn () irq org>
Date: Mon, 14 Aug 2006 09:20:49 +0200


 On Sun, 13 Aug 2006 12:00:10 +0100 (BST)
full-disclosure-request () lists grok org uk wrote
Send Full-Disclosure mailing list submissions to
      full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
      full-disclosure-request () lists grok org uk

You can reach the person managing the list at
      full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post
appropriately. Thank you.

Today's Topics:

   1. Re: Getting rid of Gadi Evron and Dude VanWinkle (Aaron Gray)
   2. Re: Server Redundancy (wac)
   3. what can be done with botnet C&C's? (fwd) (Gadi Evron)


Message: 1
Date: Sun, 13 Aug 2006 01:25:18 +0100
From: Aaron Gray <angray () beeb net>
Subject: Re: [Full-disclosure] Getting rid of Gadi Evron and Dude
To: full-disclosure () lists grok org uk
Message-ID: <44DE716E.8020600 () beeb net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed


vodka hooch wrote:
for months now we've had to put up
now it's time to shut up
how do I set up my gmail?
I know this is an unmoderated list but I'm pulling my hair out to sift 
through the real email
please don't turn full dis into symantec trolltraq, help me! :)

Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.10.9/417 - Release Date: 11/08/2006


Message: 2
Date: Sat, 12 Aug 2006 22:39:16 -0400
From: wac <waldoalvarez00 () gmail com>
Subject: Re: [Full-disclosure] Server Redundancy
To: "Tim Hecktor" <th () domainbox de>
Cc: full-disclosure () lists grok org uk
      <be950f350608121939k48bcaf2ex7d3de004b36bc643 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"


Thanks I'll check ipvs.


On 8/10/06, Tim Hecktor <th () domainbox de> wrote:


<Isn't there a way to map a name to several IPs?
<Or use aliases?

Maybe this is what you are looking for:

pandora:~# dig ftp.freenet.de

; <<>> DiG 9.2.1 <<>> ftp.freenet.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59136
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 3

;ftp.freenet.de.                        IN      A

ftp.freenet.de.         1457    IN      CNAME   ftp-0.freenet.de.
ftp-0.freenet.de.       600     IN      A
ftp-0.freenet.de.       600     IN      A
ftp-0.freenet.de.       600     IN      A
ftp-0.freenet.de.       600     IN      A

This will map a name to more than one IP and will give you load-balancing
this way, but not real redundancy.
To map a service redundantly to different hosts you can use a box running
ipvs. This box can be made redundant with an identical box using mon and
heartbeat to do IP failover.

Best regards,

Tim Hecktor

-------------- next part --------------
An HTML attachment was scrubbed...
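To make the distinction in the exchange above concrete, here is a small model of the two setups. This is an added illustration, not code from Tim Hecktor or wac: the backend addresses are constructed (RFC 5737 documentation space), "health" is a callable that is simulated rather than probed, and the `Director` class is a minimal stand-in for what an ipvs director with a health checker (such as the `mon` + `heartbeat` pairing mentioned) does, not ipvs itself.

```python
"""Round-robin DNS versus a health-checking director (ipvs-style model).

Added illustration for the list exchange above, not the posters' own code.
Backend addresses are constructed; liveness is simulated, not probed.
"""
from itertools import cycle

# Constructed pool of backend addresses, as several A records would list them.
BACKENDS = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]


def round_robin_dns(records):
    """Plain multi-A-record DNS: the resolver rotates through the answers.
    Nothing in this path knows whether the address handed out is alive."""
    return cycle(records)


class Director:
    """Minimal model of an ipvs-like director: it forwards only to backends
    that the health check (a callable here) currently reports as alive, and
    rotates among those. This is what gives redundancy rather than just
    load spreading."""

    def __init__(self, backends, is_alive):
        self.backends = list(backends)
        self.is_alive = is_alive
        self._counter = 0

    def pick(self):
        alive = [b for b in self.backends if self.is_alive(b)]
        if not alive:
            return None  # every backend is down; nothing sensible to return
        choice = alive[self._counter % len(alive)]
        self._counter += 1
        return choice


def simulate(n_connections, dead, use_director):
    """Run n_connections through either scheme with the given set of dead
    backends and return how many connections landed on a dead (or absent)
    address."""
    def is_alive(backend):
        return backend not in dead

    if use_director:
        director = Director(BACKENDS, is_alive)
        choices = [director.pick() for _ in range(n_connections)]
    else:
        rotation = round_robin_dns(BACKENDS)
        choices = [next(rotation) for _ in range(n_connections)]

    return sum(1 for c in choices if c is None or c in dead)


if __name__ == "__main__":
    dead = {"192.0.2.13"}
    print("round-robin DNS, one of four backends dead:",
          simulate(100, dead, use_director=False), "failed of 100")
    print("health-checked director, same outage:",
          simulate(100, dead, use_director=True), "failed of 100")
```

With one of four backends down, the DNS-only scheme still sends a quarter of new connections to the dead address (clients may retry another record, but only after a timeout, and many do not), whereas the director simply stops forwarding to it. The director itself is now the single point of failure, which is why the post pairs it with a second identical box and IP failover.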



Message: 3
Date: Sun, 13 Aug 2006 01:43:35 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
Subject: [Full-disclosure] what can be done with botnet C&C's? (fwd)
To: full-disclosure () lists grok org uk
Message-ID: <Pine.LNX.4.21.0608130142220.11492-100000 () linuxbox org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi guys, here is a forward of my follow-up to the previous message.


---------- Forwarded message ----------
Date: Sat, 12 Aug 2006 13:12:30 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
To: botnets () whitestar linuxbox org
Subject: what can be done with botnet C&C's?

In my last email message I addressed some of the issues related to botnet
C&C's and their mitigation. As mentioned, I waited to see what other
experiences told other people, as well as glimpse the opinion of others here.

In this message I will try and address some of the questions asked, but
once again limiting myself mostly to JUST networking rather than the whole
realm of botnet fighting.

"I work on this [C&C] for 30 days, only to find out one of you took it
down."  -- US Federal Agent, two days ago, ISOI (DA Workshop).

And still, sticking to networking issues, as obviously we cannot yet
depend on law enforcement to protect our networks for us, how do we handle

When we kill them (and by "kill" I naturally mean "report our suspicion
to the responsible authority so they can investigate, confirm and proceed
according to their AUP") we kill them, but only to our knowledge. They
immediately move elsewhere we do not know about in our space or someone
else's, maybe misplacing an extremely smallish percentage of their
population while they are at it.

Okay, say I am right... What *can* we do?

We can take advantage:

1. QoS and traffic limiting tools.
Many tools created in recent years, and used extensively by many ISPs,
regardless of any Net Neutrality legislation, are at our disposal and
already implemented on our networks.

Much like, for business reasons, many of us would limit P2P, how about
limiting the traffic to compromised users?

How, what and when is up to you.

You can know who your compromised users are by watching flows to C&C's.

2. Blocking communication to C&C's.

Watch the flows, block the users from communicating out to them. Watch
these users and see where else they are communicating in comparison to
other users, en masse.

It's a matter of doing the same thing, for a different purpose.

3. Walled garden and tech support costs.

Obviously, if any of these users call you (and they VERY OFTEN do), you
lose money on them for a long time to come... only they will call again.

A combination of quarantine, complete or partial, might work.

Combine that with what some already do, such as sell users Anti Virus
products, and you get a nice deal. Add to that a support company to lend
help to users, unrelated to tech support, by subscription, and you may
just have more business avenues to explore.

4. Stop internal network infections. It is unbelievable how the networks
with the most bots are the networks that allow internal users to connect
wherever they want within the network.

All these come to show that although responsiveness to C&C's is important
(rather than shutting them down), on the scale of the Internet, what
will actually help the Internet is if you take care of it on your own

You don't have to do any of these, or all of these. Just to wake up to the
fact that killing C&C's will mostly not help anyone, and if anything, will
do harm. Using them to deal with problematic users, even if only to block
them from accessing that C&C, is more to the point.

You can choose how to handle these issues, but if you want to stop harming
the Internet, stop your users from participating, DDoSing,
etc. while not harming your business (no one can handle that tech
support load). Monitor the C&C's running on your network - contact law
enforcement. These are compromises that will keep happening, you are aware
of, and cause millions of dollars in damages.

"So, are we supposed to leave these compromised boxes up?"

My answer is this, if you fail to remove a spy, as another would just take
his place, wouldn't you rather know where that spy is and work to take
him down for good?

The answer to that is NO, as most of us won't and can't. That said, if you
must kill the C&C, be aware, it is nothing more than sweeping the
problem, locally on your network, as well as on your friends', under the

Do you know who your local fed is? See if he can help, he most likely
can't and if he could, without a much wider cooperation between everybody,
he or she would be extremely limited by looking just at your C&C's. That
said, I doubt you would want that fed's attention.

You can limit P2P traffic yet you won't limit scanning traffic? Outgoing
email traffic from port 25 on dynamic hosts? Bandwidth to
compromised users? Port 80, or any, traffic not through your proxy?

Consider what other tools are in your arsenal. My ideas may be completely
wrong for you, yet that does not change the fact that killing the C&C will
just mean you are kept in the dark.

Some large carriers do many of these already, run honey-nets, and what
not. Do you?

I would like to hear some opinions on what networks can do, economically,
from people here. Please stick to network operations issues.


This is being X-posted to NANOG.


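Points 1 and 2 of the forwarded message (watch flows to known C&C endpoints to learn which of your own hosts are compromised, then look at where else those hosts talk compared with everyone else) are the part an operator can actually script. The following is an added example written for this archive page, not code from Gadi Evron or from any tool he names. The flow records, the internal prefix and the C&C watch-list are all constructed sample data in RFC 5737 documentation ranges; in practice the watch-list would come from your own incident handling or a feed you trust, and the records from your flow collector.

```python
"""Triage flow records against a C&C watch-list (added example, not the
post author's code). All addresses and records below are constructed.

Step 1 flags internal hosts with flows to or from a watch-listed endpoint.
Step 2 finds external endpoints contacted only by flagged hosts, which are
leads for C&Cs not yet on the list (the "see where else they are
communicating in comparison to other users" idea).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical watch-list of (address, port) C&C endpoints an analyst maintains.
CC_WATCHLIST = {("203.0.113.10", 6667), ("198.51.100.7", 8080)}

# Constructed customer / internal address space.
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed NetFlow-like records: src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
# src,sport,dst,dport,proto,bytes  (constructed sample data)
10.1.2.3,51000,203.0.113.10,6667,tcp,1200
10.1.2.3,51001,203.0.113.10,6667,tcp,800
203.0.113.10,6667,10.1.2.3,51000,tcp,2400
10.9.9.9,40000,198.51.100.7,8080,tcp,300
10.1.2.3,52000,192.0.2.50,443,tcp,900
10.9.9.9,52001,192.0.2.50,443,tcp,950
10.4.4.4,44444,198.51.100.99,443,tcp,5000
10.1.2.3,52002,198.51.100.99,443,tcp,100
"""


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def triage(flows, min_flagged=2):
    """Return (flagged, suspects).

    flagged:  internal host -> set of watch-listed endpoints it exchanged
              flows with (either direction).
    suspects: external endpoint -> sorted list of internal hosts, for
              endpoints contacted by at least min_flagged flagged hosts and
              by no unflagged host. These are leads to investigate, not
              proof of anything by themselves.
    """
    flagged = defaultdict(set)    # internal host -> C&C endpoints seen
    contacts = defaultdict(set)   # external endpoint -> internal hosts

    for f in flows:
        src, dst = f["src"], f["dst"]
        if is_internal(src) and not is_internal(dst):
            host, peer = src, (dst, f["dport"])
        elif is_internal(dst) and not is_internal(src):
            host, peer = dst, (src, f["sport"])
        else:
            continue  # internal<->internal or external<->external: skip here
        contacts[peer].add(host)
        if peer in CC_WATCHLIST:
            flagged[host].add(peer)

    suspects = {}
    for peer, hosts in contacts.items():
        if peer in CC_WATCHLIST:
            continue
        seen_from_clean = any(h not in flagged for h in hosts)
        if not seen_from_clean and len(hosts) >= min_flagged:
            suspects[peer] = sorted(hosts)

    return dict(flagged), suspects


if __name__ == "__main__":
    flagged, suspects = triage(parse_flows(SAMPLE_FLOWS))
    for host, peers in sorted(flagged.items()):
        print(f"{host}: talks to known C&C {sorted(peers)}")
    for peer, hosts in suspects.items():
        print(f"lead: {peer[0]}:{peer[1]} contacted only by flagged hosts {hosts}")
```

The flagged hosts are the ones the post suggests rate-limiting, quarantining or blocking from the C&C rather than taking the C&C down; the `suspects` output is deliberately conservative (shared by several flagged hosts, by no clean host) because a popular CDN or update server would otherwise show up as a false lead.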

End of Full-Disclosure Digest, Vol 18, Issue 24

