Having spent some time writing network sensors for the government and time trying to get tools to connect outbound during pen tests I've seen nothing more effective than clever HTTP traffic embedded in real webpages using tags and simple encoding. Abusing DNS whether with tunnels, fastflux, or open resolvers sticks out as anomalous behaviour -- it's not all too difficult to detect. Yes it's costs money and labor but it can be done. What can you do about PINK type communication?
<br><br>I'm not going to claim to have all the answers, but I spent about 9 months writing network sensors and I can't fathom how you can detect that traffic on any scale. Fast flux is the current sexy thing but Trickler (govt software) and Tenable's PVS can be tweaked to pick it up (even on large OC-3+) pipes.
<br><br><div class="gmail_quote">On Dec 14, 2007 9:44 PM, Paul Ferguson <<a href="mailto:fergdawg@netzero.net">fergdawg@netzero.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br></div><div class="Ih2E3d">- -- Brandon Enright <<a href="mailto:bmenrigh@ucsd.edu">bmenrigh@ucsd.edu</a>> wrote:<br><br>>If you're going to attack something you should back your argument up
<br>>with a little evidence. The C&C methods mentioned in the paper are:<br>><br>>* IRC<br>>* HTTP to single server<br>>* Fast-Flux of DNS Servers<br>>* Storm P2P protocols<br>>* PINK<br>><br>
>About the only thing they missed was DHT, which is arguably covered by<br>>Storm.<br>><br>>PINK is a good idea. If it really is light-years behind the criminals<br>>show us the papers, presentations, and discussions of more advanced >C&C.
<br>>If your argument is that PINK is primitive or that it won't work,<br>>respond with a paper, a countermeasure, or at the very least a detailed<br>>email of possible flaws in it. C'mon, Gadi, you know better.
<br>><br><br></div>What about Open DNS resolvers, using double-flux, combined with the<br>Storm Overnet?<br><br>:-)<br><br>- - ferg<br><br>-----BEGIN PGP SIGNATURE-----<br>Version: PGP Desktop 9.6.3 (Build 3017)<br><br>
wj8DBQFHYz+Nq1pz9mNUZTMRAv6HAJ9ImdXXvj2bFKn3g45Mo236RjAF3QCg8ohH<br>yTozjLY3oGFre6ntmOtKwQs=<br>=8fSS<br>-----END PGP SIGNATURE-----<br><font color="#888888"><br><br><br>--<br>"Fergie", a.k.a. Paul Ferguson<br> Engineering Architecture for the Internet
<br> fergdawg(at)netzero.net<br> ferg's tech blog: <a href="http://fergdawg.blogspot.com/" target="_blank">http://fergdawg.blogspot.com/</a><br></font><div><div></div><div class="Wj3C7c"><br>_______________________________________________
<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave" target="_blank">http://lists.immunitysec.com/mailman/listinfo/dailydave
</a><br></div></div></blockquote></div><br><br clear="all"><br>-- <br>Matthew Wollenweber<br><a href="mailto:mwollenweber@gmail.com">mwollenweber@gmail.com</a> | <a href="mailto:mjw@cyberwart.com">mjw@cyberwart.com</a><br>
<a href="http://www.cyberwart.com">www.cyberwart.com</a>