427 Botnet fm qxd

Notes from the Underground…
The Hacker Rule of Economy
Small attacks don’t pay.
A hacker sending spam wants to send a 
lot
of
spam. A botnet client scanning for hosts to increase the botnet mesh
size wants to scan and exploit a 
lot
of hosts. Otherwise the rate of
return is too low. The hacker won’t get enough money from the spam
or enough hosts for the botnet. Another economic measure is that
using a lot of bots results in an attractive network that might be sold
to others. It is also more resistant simply because any bot client can
become a bot server. If the human owner of the botnet has many
clients, it is less important if one is lost and removed from the mesh. 
This is why ourmon looks for anomalies in the large and tries to point
out parallelism and give the user some sense of scale in an attack. Ourmon
won’t tell you about a single SQL slammer packet.That isn’t a design goal for
ourmon. Snort, on the other hand, can tell you about a single SQL slammer
packet because detecting individual packet threats is a design goal.
We need one more definition before we go on. In intrusion detection, the
terms 
false positive
and 
false negative
are used. A 
false positive
is an event that the
system reported that appears bad and in point of fact is benign.Too many
false positives can cause an analyst to lose interest. A 
false negative
is worse. In
that case the system reports that something is okay (or doesn’t report any-
thing) and in point of fact the event is bad. Not reporting that the wolf is in
the house and is wearing grandma’s dress is bad, so false negatives are very bad
indeed. On the other hand, systems and analysts using the system have limits.
Too many false positives can wear an analyst out to the point that he or she
doesn’t pay attention any more. As a result, a family of wolves in the house
could be ignored.

Download 6,98 Mb.

Do'stlaringiz bilan baham: