#1
botnet detector?
Hi All,

During the recent DDOS attacks, I have been getting a lot of complaints from customers about eMail and browsers not making connection. I thought it was just the bottleneck caused by the DDOS network flood. Now I am wondering, maybe they were part of the botnet. Other than keeping their antivirus up to date, does anyone have a favorite way of checking to see if someone is part of a botnet? I presume network traffic from the botnet will only occur when triggered and the rest of the time be dormant. So watching network traffic would only work during the attack. Am I right?

Many thanks,
-T
#2
botnet detector?
From: "Todd"
> Hi All,
>
> During the recent DDOS attacks, I have been getting a lot of complaints from customers about eMail and browsers not making connection. I thought it was just the bottleneck caused by the DDOS network flood. Now I am wondering, maybe they were part of the botnet. Other than keeping their antivirus up to date, does anyone have a favorite way of checking to see if someone is part of a botnet? I presume network traffic from the botnet will only occur when triggered and the rest of the time be dormant. So watching network traffic would only work during the attack. Am I right?
>
> Many thanks,
> -T

This is a WinXP news group. Such a question is better served in a malware related news group. The following are suggested for future questions of this nature:

alt.comp.virus
alt.comp.anti-virus

What do you mean "recent DDoS attacks"? There are DDoS attacks taking place every day against a myriad of hosts, some you may know or have heard of, some you most likely haven't heard of, and others that have gone unreported. It's like saying "during the recent rain storm" and failing to provide a locality. Your stating "During the recent DDOS attacks..." has no context.

As for whether your network is an unwilling component of a Botnet: you have to sniff the network and examine the traffic. Check your logs, routers and border gateways. Install BotHunter on your network - http://www.bothunter.net/

In short, Botnets generate detectable network traffic.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
#3
botnet detector?
On 04/14/2013 04:35 PM, David H. Lipman wrote:
> From: "Todd"
>> Hi All,
>>
>> During the recent DDOS attacks, I have been getting a lot of complaints from customers about eMail and browsers not making connection. I thought it was just the bottleneck caused by the DDOS network flood. Now I am wondering, maybe they were part of the botnet. Other than keeping their antivirus up to date, does anyone have a favorite way of checking to see if someone is part of a botnet? I presume network traffic from the botnet will only occur when triggered and the rest of the time be dormant. So watching network traffic would only work during the attack. Am I right?
>>
>> Many thanks,
>> -T
>
> This is a WinXP news group. Such a question is better served in a malware related news group. The following are suggested for future questions of this nature:
>
> alt.comp.virus
> alt.comp.anti-virus

I have a long history with the guys on this group and I do appreciate what they bring to the table. But, I will look over there too. Thank you for the tip.

> What do you mean "recent DDoS attacks"?

I was talking about the ones you hear on the news. The SpamHaus attack in particular.

> There are DDoS attacks taking place every day against a myriad of hosts, some you may know or have heard of, some you most likely haven't heard of, and others that have gone unreported. It's like saying "during the recent rain storm" and failing to provide a locality. Your stating "During the recent DDOS attacks..." has no context.
>
> As for whether your network is an unwilling component of a Botnet: you have to sniff the network and examine the traffic. Check your logs, routers and border gateways. Install BotHunter on your network - http://www.bothunter.net/

The user's manual would show up in Firefox 20, 64 bit for Linux. It also gives no clue as to which plugin it is looking for either. What I am puzzled by is how this thing is used. Does it require a two port firewall such as iptables? (I am good at iptables.) Or does it just sniff passing traffic? If it is just sniffing, how does it get around targeted traffic from a switching hub? I noticed they have a live CD in their future. Very cool.

> In short, Botnets generate detectable network traffic.

All the time? Or only when triggered?

Thank you for the help!
-T
#4
botnet detector?
On 04/14/2013 01:51 PM, Todd wrote:
> Hi All,
>
> During the recent DDOS attacks, I have been getting a lot of complaints from customers about eMail and browsers not making connection. I thought it was just the bottleneck caused by the DDOS network flood. Now I am wondering, maybe they were part of the botnet. Other than keeping their antivirus up to date, does anyone have a favorite way of checking to see if someone is part of a botnet? I presume network traffic from the botnet will only occur when triggered and the rest of the time be dormant. So watching network traffic would only work during the attack. Am I right?
>
> Many thanks,
> -T

How about Sysinternals "TCP View"? But would that only show when the botnet was triggered?
#5
botnet detector?
From: "Todd"
> On 04/14/2013 01:51 PM, Todd wrote:
>> Hi All,
>>
>> During the recent DDOS attacks, I have been getting a lot of complaints from customers about eMail and browsers not making connection. I thought it was just the bottleneck caused by the DDOS network flood. Now I am wondering, maybe they were part of the botnet. Other than keeping their antivirus up to date, does anyone have a favorite way of checking to see if someone is part of a botnet? I presume network traffic from the botnet will only occur when triggered and the rest of the time be dormant. So watching network traffic would only work during the attack. Am I right?
>>
>> Many thanks,
>> -T
>
> How about Sysinternals "TCP View"? But would that only show when the botnet was triggered?

No. I wrote sniff the network. You are not going to catch nodes beaconing to a C2 server that way.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
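The "sniff the network" advice above, and the remark about nodes beaconing to a C2 server, is the kind of thing a small script can surface from a connection log once a capture covers enough time. The following is an added example for this thread, not code from any poster and not from BotHunter or any other tool named here. It assumes a simplified, constructed log format (epoch timestamp, source IP, destination IP, destination port) and flags source/destination pairs whose connection intervals are nearly constant; the sample lines, addresses and thresholds are all made up.

```python
"""
Periodic-connection ("beaconing") finder for a simple connection log.

Constructed example: the log format below is an assumption made for this
illustration, and the sample lines are invented (RFC 5737 test addresses).
Adapt parse_log() to whatever your sniffer, router or border gateway
actually records.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "epoch_seconds src_ip dst_ip dst_port".
# 10.0.0.5 talks to 203.0.113.10:443 every ~300 s (metronome-like);
# 10.0.0.8 talks to 198.51.100.7:80 in irregular bursts (browsing-like).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 443
1004 10.0.0.5 198.51.100.7 80
1300 10.0.0.5 203.0.113.10 443
1601 10.0.0.5 203.0.113.10 443
1899 10.0.0.5 203.0.113.10 443
2200 10.0.0.5 203.0.113.10 443
2500 10.0.0.5 203.0.113.10 443
1020 10.0.0.8 198.51.100.7 80
1025 10.0.0.8 198.51.100.7 80
1180 10.0.0.8 198.51.100.7 80
1190 10.0.0.8 198.51.100.7 80
2900 10.0.0.8 198.51.100.7 80
2905 10.0.0.8 198.51.100.7 80
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport), sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    for key in flows:
        flows[key].sort()
    return dict(flows)


def find_beacons(flows, min_events=5, max_jitter=0.1):
    """
    Return {(src, dst, dport): (mean_gap_seconds, jitter)} for flows whose
    gaps between connections are nearly constant.

    jitter is stddev/mean of the gaps: a host phoning home on a fixed
    timer scores near 0, while human-driven traffic is far more ragged.
    min_events keeps one-off or very short series from being flagged.
    """
    hits = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[key] = (avg, jitter)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), (avg, jitter) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport}  every ~{avg:.0f}s  (jitter {jitter:.3f})")
```

The check only works on a capture that spans several expected beacon periods, since it needs repeated events from the same pair; a short window during an attack shows you the flood but not the quiet, regular check-ins. Treat a hit as a lead for looking at the flagged host, not as proof of infection: legitimate software (update checkers, monitoring agents) also polls on a timer, so the destination and the host's process list need a look before drawing conclusions.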
#6
botnet detector?
From: "Todd"
> On 04/14/2013 04:35 PM, David H. Lipman wrote:
>> From: "Todd"
>>> Hi All,
>>>
>>> During the recent DDOS attacks, I have been getting a lot of complaints from customers about eMail and browsers not making connection. I thought it was just the bottleneck caused by the DDOS network flood. Now I am wondering, maybe they were part of the botnet. Other than keeping their antivirus up to date, does anyone have a favorite way of checking to see if someone is part of a botnet? I presume network traffic from the botnet will only occur when triggered and the rest of the time be dormant. So watching network traffic would only work during the attack. Am I right?
>>>
>>> Many thanks,
>>> -T
>>
>> This is a WinXP news group. Such a question is better served in a malware related news group. The following are suggested for future questions of this nature:
>>
>> alt.comp.virus
>> alt.comp.anti-virus
>
> I have a long history with the guys on this group and I do appreciate what they bring to the table. But, I will look over there too. Thank you for the tip.

That may be, but that's not how News Groups are used. The Botnet is a network; the infected computers can be ANY OS on the network, from Windows Servers to Linux. Therefore your WinXP centricity is hurting your ability to get the proper information. You don't ask a Harley Davidson group how to fix a Yamaha.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp