ICG Risk Blog - [ Detecting a stealth directed bot net attack ]

Detecting a stealth directed bot net attack


In response to Directed bot nets, a private member asked, "Is there a way to figure out what 'problem' one might have already? Are Macs equally vulnerable as PCs?"

Readers are welcome to weigh in with their own comments, as my reply is that it is not easy: my safety checking has an active component, and a bot net product may not be producing any failure signature on your machine.

First and foremost, have a good virus scanner and keep it current by downloading/checking for updates daily. (Our service sends us notices and when we start getting them during the day, we immediately upgrade.) Many known attacks will compromise a machine such that other malware can climb atop it.

Second, have firewalls in place even for a lone PC. (If you have a DSL or Cable Modem "always on" condition, it is criminal not to have one as your dedicated IP address gets swept such that you become a known target. Sometimes -- such as for Roadrunner which may dynamically allocate an IP address within their domain -- attackers will sweep the domain looking for live targets.) We use hardware firewalls that are much more resistant to being compromised or disabled by an attack. You can also add a personal software firewall such as the free version of Zone Alarm which will more easily alert you to outbound traffic requests that might give away a resident bot net. We shut down most ports as a matter of course.

Beyond that, I check the SANS Institute Internet Storm Center which opens with a 'Handlers Diary' of what is going on in the world in terms of network threats. As an obsolescing techie, I am not unfamiliar with ports (think of them as windows into your operating system) so that when ISC talks of ports, sources, targets, trends, and services, I can read the map. Some simple definitions from their pages:

  • Port: the port targeted
  • Source: distinct source IPs scanning for a given port -- these are the attackers
  • Target: distinct IPs targeted by these sources -- these are just as stated -- targets
  • Service: service(s) commonly used on this port -- for our purposes, the attacking apps

ISC adds millions of records daily and their reports can be set to flag trends, i.e., new sources, targets, and services that warrant more investigation.
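To make the port/source/target/service vocabulary concrete, here is an added example (not code from the ISC or from this blog) that builds the same kind of per-port summary from a few constructed firewall-log lines and flags the trends the text mentions: ports not seen in yesterday's baseline, and ports whose distinct source or target counts have risen. The log format, the IP addresses, the baseline counts and the port-to-service map are all constructed for illustration.

```python
"""Aggregate firewall-log lines into ISC-style per-port counts and flag trends."""
from collections import defaultdict

# Constructed sample log lines (hypothetical, not real traffic): one inbound
# connection attempt per line, in the form "timestamp src_ip dst_ip dst_port".
TODAY_LOG = """\
2004-06-01T00:01:02 203.0.113.5 192.0.2.10 445
2004-06-01T00:01:05 203.0.113.5 192.0.2.11 445
2004-06-01T00:02:10 198.51.100.7 192.0.2.10 445
2004-06-01T00:03:00 198.51.100.9 192.0.2.12 1433
2004-06-01T00:04:00 203.0.113.8 192.0.2.10 6667
2004-06-01T00:04:30 203.0.113.8 192.0.2.13 6667
2004-06-01T00:05:00 198.51.100.7 192.0.2.14 6667
"""

# Yesterday's per-port summary, a constructed baseline: port -> (sources, targets).
YESTERDAY = {445: (1, 2), 1433: (1, 1)}

# Port-to-service map in the spirit of ISC's "Service" column (hypothetical subset).
SERVICES = {445: "microsoft-ds", 1433: "ms-sql-s", 6667: "irc"}


def parse_log(text):
    """Yield (source_ip, target_ip, port) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _timestamp, src, dst, port = line.split()
        yield src, dst, int(port)


def summarize(records):
    """Build the ISC-style table: port -> distinct sources, distinct targets, service."""
    sources = defaultdict(set)
    targets = defaultdict(set)
    for src, dst, port in records:
        sources[port].add(src)
        targets[port].add(dst)
    return {
        port: {
            "sources": len(sources[port]),
            "targets": len(targets[port]),
            "service": SERVICES.get(port, "unknown"),
        }
        for port in sources
    }


def flag_trends(today, yesterday):
    """Return the ports worth a closer look: new ports, or ports whose counts rose."""
    flagged = {}
    for port, row in today.items():
        base = yesterday.get(port)
        if base is None:
            flagged[port] = "new port"
        elif row["sources"] > base[0] or row["targets"] > base[1]:
            flagged[port] = "rising"
    return flagged


if __name__ == "__main__":
    table = summarize(parse_log(TODAY_LOG))
    for port in sorted(table):
        row = table[port]
        print(f"port {port:>5}  sources {row['sources']}  targets {row['targets']}  {row['service']}")
    for port, reason in sorted(flag_trends(table, YESTERDAY).items()):
        print(f"flag: port {port} ({SERVICES.get(port, 'unknown')}) -- {reason}")
```

On the constructed input, port 445 shows more distinct sources than the baseline and is flagged as rising, while port 6667 (IRC, the classic bot net control channel of that era) is flagged as a new port; port 1433 matches yesterday and is left alone. The same aggregation applies to any log that yields source, target and port per line.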

If this is not daunting for you, then what I look at are Today's Diary, Daily Archive (to the right of Today's Diary), Top 10, and Trends. ISC has all manner of reports with which you look at activity on a specific port, etc., but that gets beyond my attention span and skill level to do something meaningful with it.

If a reader has a better approach for trying to spot an emerging bot attack, I am all ears.

FYI, while I love the CAIDA site (Cooperative Association for Internet Data Analysis), my primary use for this site is as an encyclopedia of the Web's topology. The paths that interest me are Analysis and Tools (mainly Taxonomy and Visualization). Under the spell of many of the fine visualization tools, the web takes on the aura of the living three-dimensional animal that it is.

P.S. To the reader's last question, there are relatively few Mac attacks in comparison to Wintel or Linux/Unix.

Gordon Housworth
