[Dailydave] Beyond Fast Flux

matthew wollenweber mwollenweber at gmail.com
Fri Dec 14 23:20:30 EST 2007


Having spent some time writing network sensors for the government and time
trying to get tools to connect outbound during pen tests, I've seen nothing
more effective than clever HTTP traffic embedded in real webpages using tags
and simple encoding. Abusing DNS, whether with tunnels, fast flux, or open
resolvers, sticks out as anomalous behaviour -- it's not all too difficult to
detect. Yes, it costs money and labor, but it can be done. What can you do
about PINK-type communication?

I'm not going to claim to have all the answers, but I spent about 9 months
writing network sensors and I can't fathom how you can detect that traffic
on any scale. Fast flux is the current sexy thing, but Trickler (govt
software) and Tenable's PVS can be tweaked to pick it up (even on large
OC-3+ pipes).

On Dec 14, 2007 9:44 PM, Paul Ferguson <fergdawg at netzero.net> wrote:

>
> - -- Brandon Enright <bmenrigh at ucsd.edu> wrote:
>
> >If you're going to attack something you should back your argument up
> >with a little evidence.  The C&C methods mentioned in the paper are:
> >
> >* IRC
> >* HTTP to single server
> >* Fast-Flux of DNS Servers
> >* Storm P2P protocols
> >* PINK
> >
> >About the only thing they missed was DHT, which is arguably covered by
> >Storm.
> >
> >PINK is a good idea.  If it really is light-years behind the criminals
> >show us the papers, presentations, and discussions of more advanced C&C.
> >If your argument is that PINK is primitive or that it won't work,
> >respond with a paper, a countermeasure, or at the very least a detailed
> >email of possible flaws in it.  C'mon, Gadi, you know better.
> >
>
> What about Open DNS resolvers, using double-flux, combined with the
> Storm Overnet?
>
> :-)
>
> - - ferg
>
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>



-- 
Matthew  Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

