427 Botnet fm qxd


427_Botnet_05.qxd 1/9/07 9:59 AM Page 139 T



Botnets - The killer web applications



TIP

The site www.spamcop.net provides a number of spam-related services, including spam reporting, DNS blacklists for spam weeding at mail servers, and useful information about the entire spam phenomenon from the mail administration point of view. The site www.lurhq.com/proxies.html contains an older (2002) article about open proxies that is still worth reading.

Network Infrastructure: Tools and Techniques

In this section we focus on network infrastructure tools and techniques. We will briefly discuss a few network-monitoring tools that, in addition to their primary network traffic-monitoring task, often prove useful in detecting attacks. We also briefly talk about various isolation measures at both Layer 3 and Layer 2 (routing versus switching) that can, of course, include commercial firewalls, routers using access control lists (ACLs), and other network confinement measures. Logging can play a role here as well. Our goal as always is to spot the wily botnet, especially in terms of DoS attacks or possible scanning.

Figure 5.1 shows a very general model for sniffers and other network instrumentation. We can distinguish a couple of cases that are commonly in use:

You may hook a sniffer box (first-stage probe) up to an Ethernet switch or hub for packet sniffing. Here we assume that a switch has to be set up to do port mirroring. That means Unicast packets that, for example, go to and from the Internet are also sent to the probe port. A hub “mirrors” all packets by default. In some cases you might need to invest in expensive optical-splitting equipment or the like if your desire is to sniff a point-to-point WAN/telco connection. This simple model fits the use of simple sniffing tools, including commercial and open-source sniffers as well as more complex IDS systems (such as Snort, discussed in a moment). This is a so-called out-of-line solution. Typically sniffers are not in the data path for packets.
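
As an added illustration (not code from the book), the sketch below shows what an out-of-line probe on a mirror port might do with the frames it receives: decode Ethernet/IPv4/TCP headers and flag sources whose initial SYNs fan out to many distinct targets, one sign of the scanning mentioned above. The function names, the threshold, and all addresses and frames are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10

def build_frame(src, dst, dport, flags, sport=40000):
    """Constructed Ethernet/IPv4/TCP frame (MACs and checksums left at zero)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return eth + ip + tcp

def parse_syn(frame):
    """Return (src, dst, dport) for an initial TCP SYN, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # too short or not IPv4 (VLAN tags not handled)
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        return None                      # malformed header or not TCP
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None                      # non-first fragment carries no TCP header
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None                      # truncated TCP header
    flags = tcp[13]
    if not (flags & SYN) or (flags & ACK):
        return None                      # keep connection attempts only, not replies
    src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    return src, dst, struct.unpack("!H", tcp[2:4])[0]

def scan_suspects(frames, threshold=10):
    """Map each source to its count of distinct (dst, port) targets above threshold."""
    targets = defaultdict(set)
    for frame in frames:
        hit = parse_syn(frame)
        if hit:
            targets[hit[0]].add(hit[1:])
    return {s: len(t) for s, t in targets.items() if len(t) > threshold}

def sample_capture():
    """Constructed traffic: one host sweeping port 445, one host browsing normally."""
    frames = [build_frame("10.0.0.5", f"192.0.2.{i}", 445, SYN) for i in range(1, 41)]
    frames += [build_frame("10.0.0.9", "198.51.100.7", 443, SYN)] * 3
    frames += [build_frame("198.51.100.7", "10.0.0.9", 40000, SYN | ACK, sport=443)]
    return frames

if __name__ == "__main__":
    print(scan_suspects(sample_capture()))
```

Because the probe only sees what the switch mirrors to it, a source that never crosses the mirrored port will not appear in the tally.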
