Friday, March 03, 2006

How not to chase bots

EWeek describes a hunt for bot command and control.

I don't think this is going to do much more than force the bot-herders to develop a peer-to-peer control mechanism. In principle every member of a botnet can be a controller. All a controller needs is an up-to-date list of the IP addresses of the bots under its control, and that is easy enough to maintain as bots are recruited. The only 'central control' required is a public key pair: the operator signs commands with the private key and every bot verifies them with the public key before acting on or relaying them, so there is no command host whose removal silences the network.
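To make the decapitation argument concrete, here is an added simulation (not code from the post or from any real botnet) of the peer-to-peer design just described: every node holds only a peer list and the operator's public key, commands are Ed25519-signed, and a command is flooded from whichever node receives it. The ring topology, node count, and the choice of Ed25519 are assumptions for the example; the point shown is that removing any node, including the one that injected the last command, does not stop a signed command from reaching the rest, while a command signed with any other key goes nowhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Node is one member of the simulated overlay. It knows nothing but its peers;
// the operator's public key is shared by every node and is the only trust anchor.
type Node struct {
	ID    int
	Peers []int
}

// Command is a control message. Only the holder of the private key can produce
// a valid Sig; every node verifies before acting on or relaying the command.
type Command struct {
	Seq     uint64
	Payload string
	Sig     []byte
}

// encode binds the sequence number to the payload so a replayed or reordered
// message cannot reuse an old signature.
func encode(seq uint64, payload string) []byte {
	return []byte(fmt.Sprintf("%d|%s", seq, payload))
}

// Sign produces a command the whole overlay will accept.
func Sign(priv ed25519.PrivateKey, seq uint64, payload string) Command {
	return Command{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, encode(seq, payload))}
}

// Verify is what each node runs on every command it receives.
func Verify(pub ed25519.PublicKey, c Command) bool {
	return ed25519.Verify(pub, encode(c.Seq, c.Payload), c.Sig)
}

// Flood injects cmd at node entry and returns the set of node IDs that accepted it.
// Nodes in removed have been taken down: they neither verify nor relay. Any node
// that fails verification drops the command instead of relaying it.
func Flood(nodes map[int]*Node, pub ed25519.PublicKey, removed map[int]bool, entry int, cmd Command) map[int]bool {
	accepted := map[int]bool{}
	queue := []int{entry}
	for len(queue) > 0 {
		id := queue[0]
		queue = queue[1:]
		if removed[id] || accepted[id] {
			continue
		}
		if !Verify(pub, cmd) {
			continue
		}
		accepted[id] = true
		queue = append(queue, nodes[id].Peers...)
	}
	return accepted
}

// Ring builds a constructed topology of n nodes where node i knows the next k nodes.
func Ring(n, k int) map[int]*Node {
	nodes := make(map[int]*Node, n)
	for i := 0; i < n; i++ {
		nd := &Node{ID: i}
		for j := 1; j <= k; j++ {
			nd.Peers = append(nd.Peers, (i+j)%n)
		}
		nodes[i] = nd
	}
	return nodes
}

// Demo returns how many of 20 nodes accept a signed command with no takedown,
// how many still accept it after nodes 0 and 1 (the "controllers") are removed
// and the command is injected at node 5, and how many accept a forged command.
func Demo() (full, afterTakedown, forgedAccepted int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nodes := Ring(20, 3)
	cmd := Sign(priv, 1, "update-peer-list")
	full = len(Flood(nodes, pub, nil, 0, cmd))

	down := map[int]bool{0: true, 1: true} // the decapitation attempt
	afterTakedown = len(Flood(nodes, pub, down, 5, cmd))

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // an untrusted key
	if err != nil {
		panic(err)
	}
	forged := Sign(otherPriv, 2, "attack")
	forgedAccepted = len(Flood(nodes, pub, nil, 5, forged))
	return full, afterTakedown, forgedAccepted
}

func main() {
	full, after, forged := Demo()
	fmt.Printf("no takedown: %d/20, after removing 0 and 1: %d/20, forged accepted: %d\n", full, after, forged)
}
```

Only the two removed nodes drop out; the remaining 18 still accept the command because the signature, not the sender's identity, is what the bots trust. The defensive corollary is the one the post draws: seizing hosts changes little, whereas seizing the private key (or the person holding it) does.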

Of course this is not necessarily what is really going on. Journalists don't always ask the right questions (Larry is usually good here), and people don't necessarily answer entirely accurately.

Botnets may look like armies, but that does not mean that military-style decapitation techniques are going to work. They work in the military because armies have to operate within chain-of-command principles constrained by the limits of human communication and interaction. Every order has to flow through the officers. Take out the NCOs on the other side and the engagement is usually won; take out the mid-ranking officers and the battle is usually won; take out the high command and the campaign is usually won. It takes an army a long time to replace officers, but it takes only a few seconds to replace a bot controller unless you can arrest the human perpetrator. I would follow the money trail rather than the easier-to-confuse bit trail.

The way to go after the bots is to go after the human operators at the top and to reduce the value of the worker bots to the bare minimum. I have written about reverse firewalls in the past, and I still think they are part of the necessary approach. The other part is a reaction system: when a bot starts hammering a target with DDoS traffic, we identify it from its own egress behaviour and shut it down promptly.
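The reaction system can be sketched as an egress rate check that a reverse firewall would run. The following is an added example, not the post's own code: it reads constructed per-second flow summaries in a made-up "second src dst proto packets" format, sums packets per source and destination over fixed windows, flags any internal host whose average rate toward a single destination exceeds a limit, and emits the egress rule that would cut it off (returned as a string rather than executed). The window length, the 1000 packets-per-second limit, and the sample addresses are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SampleFlows is constructed egress data: "second src dst proto packets".
// Host 10.0.0.7 is blasting one target with UDP; the others are normal traffic.
const SampleFlows = `
0 10.0.0.5 203.0.113.10 tcp 40
1 10.0.0.5 203.0.113.10 tcp 35
0 10.0.0.7 198.51.100.9 udp 9000
1 10.0.0.7 198.51.100.9 udp 12000
2 10.0.0.7 198.51.100.9 udp 11000
3 10.0.0.7 198.51.100.9 udp 10500
1 10.0.0.9 203.0.113.44 tcp 12
`

// Flow is one summarised egress record.
type Flow struct {
	Sec   int64
	Src   string
	Dst   string
	Proto string
	Pkts  int64
}

// ParseFlow parses one record and rejects anything malformed rather than guessing.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Flow{}, fmt.Errorf("bad record: %q", line)
	}
	sec, err := strconv.ParseInt(f[0], 10, 64)
	if err != nil {
		return Flow{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	pkts, err := strconv.ParseInt(f[4], 10, 64)
	if err != nil {
		return Flow{}, fmt.Errorf("bad packet count in %q: %w", line, err)
	}
	return Flow{Sec: sec, Src: f[1], Dst: f[2], Proto: f[3], Pkts: pkts}, nil
}

// Detect sums packets per (src, dst) within fixed windows of windowSec seconds and
// flags each source whose average rate toward one destination exceeds ppsLimit.
// It returns a map from flagged source to the destination it was flooding.
func Detect(flows []Flow, windowSec, ppsLimit int64) map[string]string {
	type key struct {
		src, dst string
		window   int64
	}
	counts := map[key]int64{}
	for _, f := range flows {
		counts[key{f.Src, f.Dst, f.Sec / windowSec}] += f.Pkts
	}
	flagged := map[string]string{}
	for k, n := range counts {
		if n/windowSec > ppsLimit {
			flagged[k.src] = k.dst
		}
	}
	return flagged
}

// Quarantine returns the egress rule that would isolate the flagged host.
// The rule is returned, not executed, so the example runs anywhere.
func Quarantine(src string) string {
	return fmt.Sprintf("iptables -I FORWARD -s %s -j DROP", src)
}

// Analyze parses a block of records and runs Detect over them.
func Analyze(text string, windowSec, ppsLimit int64) (map[string]string, error) {
	var flows []Flow
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return Detect(flows, windowSec, ppsLimit), nil
}

func main() {
	flagged, err := Analyze(SampleFlows, 2, 1000)
	if err != nil {
		panic(err)
	}
	for src, dst := range flagged {
		fmt.Printf("%s is flooding %s: %s\n", src, dst, Quarantine(src))
	}
}
```

Keying the count on the destination as well as the source is what keeps a busy but legitimate host (many packets to many places) from being cut off; only a sustained stream toward one target trips the rule. A real deployment would also whitelist known bulk destinations and lift the block once the host has been cleaned.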

The Feds have been effective against bot-herders recently. I would like to know how.
