is
sending spam, attacking systems, or providing services like pirated software
and files. Despite the inherent nature of a botnet, this doesn’t mean there isn’t
data available that leads back to the botherder. In fact, a considerable amount
of information can be gathered when a botnet resides on a network, or when
a site is victim to an attack.The intelligence you
gather can be used to iden-
tify what botnet is running on systems, and may be used to ultimately identify
and prosecute the botherder.
One of the first indications of a botnet problem will be revealed in log files
from firewalls and those generated by scans of hosts and network traffic. If the
botnets are being used to send spam, logs will provide
information on excessive
e-mails being sent from computers on the network. Similarly, simultaneous
requests being made to a specific Web site will appear in the logs if the bot’s
purpose is to perform a denial-of-service (DoS) attack. Scans may also indicate
elevated network traffic, and reveal altered behaviors in how computers are
functioning. For example, if the computers are being used to store pirated soft-
ware or files, they may exhibit the functionality associated with a server.These
computers may listen
for requests on the same ports, respond to incoming
HTTP and FTP connections, or have ongoing communication with servers
outside your network. Such abnormal network traffic can provide information
that allows a quick-and-easy way to shut down a botnet attack. If the com-
puters are communicating
with an IRC server, blocking traffic to and from that
server will often deny remote access to computers on your network, and pre-
vent the bots from communicating with the botherder.
Once you’ve identified something is going on, you’ll need to identify
exactly what’s going on. If computers on your network
are infected with bot-
nets, they are there to perform specific actions on behalf of the botherder, so
you should try what the bots have been doing. If they have been sending spam,
you should try to acquire copies of the e-mails sent by the botnet. Doing so
may aid in identifying the botherder, serve as evidence that may lead to his or
her
conviction, and assist in finding information on how to remove the botnet.
If the e-mail includes a hyperlink to take the receiver of the e-mail to a Web
site, this will aid in identifying the botherder. For example, if the spam took the
recipient to a Web site under the guise of updating the person’s banking profile,
it would then be possible for police to identify who owns the site and arrest
them. Even if the spam didn’t
directly lead to the botherder, it would provide
information that could be used to identify how to remove the botnet. Since it
would be the same e-mail being sent out by multiple computers, searching
Do'stlaringiz bilan baham: