Table 6.1 IRC Report: Evil Channel Sort channel

Given eight scanners out of 11 hosts in the channel including any IRC
servers, it is pretty likely that this channel is a botnet. However, false positives
do occur and a channel with just a host or two with a high scanner weight
may easily turn out to be a false positive (not guilty). We call the scanning
weight the 
TCP work weight
and will talk more about it in the next chapter.
We are also interested in the other three channels because they are borderline
cases and far less easy to declare a botnet client network. Here it turned out
that channels hobo and .i-exp were botnet channels with the same IP server
address (we are not giving real IP addresses and will confine ourselves to
giving addresses as either net 192.168/16 or 10/8. In our examples, addresses
with 192.168 as a prefix may be assumed to be local. Addresses using net 10
may be assumed to be remote). It turns out that alien is innocent, and the
other two channels are guilty. We will explain these details in Chapter 8 on
botnets, and in that chapter and Chapter 9 give more details about how we
investigated our data to determine if these channels were botnets.
Notes from the Underground…
From the enterprise perspective, you may encounter two types of botnet
environments in your log files. The set of hosts participating in the bot
traffic is called a 
mesh
. You determine the type of mesh based on
whether the botnet server is located inside or outside your enterprise:
■
Client bot mesh
This is the term for a set of botnet clients
that exists within a campus or enterprise and communicates
with an external botnet server. Botnet clients are sometimes
called zombies.
■
Server bot mesh
This bot mesh includes an on-site botnet
server. Botnet servers are sometimes called Command and
Control (C&C) hosts. 

Download 6,98 Mb.

Do'stlaringiz bilan baham: