
Reverse Attacking and tracking down bot-nets?


manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Wed Oct 06, 2010 3:20 am

Reverse Attacking and tracking down bot-nets?

I have some questions regarding bot-nets.

1) Is it possible to reverse attack the bots which are attacking us?
For example, say we got hit by some bots and we have logged their IP addresses. Instead of blocking them, can we set our router to send the packets back to them without their being processed by our routers? Because I think it may also overload some of our bandwidth, but at the same time the bots are also getting attacked, no?

Am I right? Is it possible to do? How do we configure the router to do such a task?



2) 90% of us may have this problem.
Also, we are at the "receiving" end of the attack. Instead of contacting ISPs or law enforcement authorities for this (in reality they won't care about us much because it is a small attack for them), what are the steps we can take to trace back the attacker?

Even though it is somewhat complex, I think it can still be possible to track them down...


We have some servers or some ISP home connections, but when DDoS attacks happen at some "important" time and bring down our servers, we try to contact the hosting support team or ISP, who are very, very slow in responding to our questions.
And even when they respond, it is not sufficient for us. Also, most of the time, unless the attackers stop the attack, we cannot do much.

I really hate this. As network professionals (I am not a professional, but asking in general), can't we do anything other than complaining?

Also, what can we do to track the original source of the attack?
I know it is really hard, but I don't think it is impossible to do...



Looking for some ideas... hope I will get some....

vekarman


Newbie

Posts: 28

Joined: Thu Mar 19, 2009 1:21 am

Post Wed Oct 06, 2010 6:34 am

Re: Reverse Attacking and tracking down bot-nets?

An immediate response could be "deploy a honeypot". I hope that over a period of time, honeypots must have evolved from the plain TCP/IP windowing feature to something more sophisticated.

However, you have to understand the legal implications based on your country of location.
CISSP

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Oct 06, 2010 9:36 am

Re: Reverse Attacking and tracking down bot-nets?

manoj9372 wrote: I have some questions regarding bot-nets.

1) Is it possible to reverse attack the bots which are attacking us?
For example, say we got hit by some bots and we have logged their IP addresses. Instead of blocking them, can we set our router to send the packets back to them without their being processed by our routers? Because I think it may also overload some of our bandwidth, but at the same time the bots are also getting attacked, no?

Am I right? Is it possible to do? How do we configure the router to do such a task?


This is akin to asking: "Someone stole John Doe's gun and took shots at me. Is it OK for me to shoot at John Doe?"

Most botnets consist of machines that have been compromised. The end owners of those machines are unaware their machines are behaving badly. For you to counterattack these machines would be criminal, point blank.


manoj9372 wrote: 2) 90% of us may have this problem.
Also, we are at the "receiving" end of the attack. Instead of contacting ISPs or law enforcement authorities for this (in reality they won't care about us much because it is a small attack for them), what are the steps we can take to trace back the attacker?

Even though it is somewhat complex, I think it can still be possible to track them down...


It's not that law enforcement don't really care; on the contrary, they do care about these attacks. If you take note of the comment I made above, there is little they can do, as it is difficult to track down who created a botnet.

As for ISPs taking a stand, some do, some don't. The same rules apply. Good ISPs take DDoS attacks seriously, but they cannot go as far as blocking, say, an upstream, because again, they're caught in the crossfire.

manoj9372 wrote: We have some servers or some ISP home connections, but when DDoS attacks happen at some "important" time and bring down our servers, we try to contact the hosting support team or ISP, who are very, very slow in responding to our questions.
And even when they respond, it is not sufficient for us. Also, most of the time, unless the attackers stop the attack, we cannot do much.


The issue with botnets is, and forever will be, the underlying issue of "people don't know their machines are behaving badly." Trying to send out thousands of emails to the different providers often yields little, since it is likely they've been overwhelmed by the amount of e-mail they're receiving and/or have received already. Blacklisting works when done properly, but if you could find the bullet-proof solution to this, I guarantee you that you will be a billionaire in no time. Many companies try and they all fail, because the logic of countering is flawed. You can block N amount of machines until the cows come home, but depending on someone's botnet, all the attacker has to do is jump onto a C&C and send from different hosts.

Counterattacking a botnet is not only criminal, it's outright stupid. You're already being saturated with traffic, so why add more traffic on a counterattack? Load balancing helps, as does BCP filtering; however, if BCP filtering isn't done across the whole link, it's useless.
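sil's last point, that BCP filtering only helps when it is applied across the whole link, modeled as a small added example (not from the thread or any poster). It reads "BCP filtering" as BCP38-style ingress filtering at a provider edge; the port names, prefixes and packets are constructed sample values.

```python
"""BCP38-style ingress filtering at a provider edge (added example)."""
import ipaddress

# Constructed: customer port -> source prefixes that legitimately live behind it.
# None marks a port where the provider applies no ingress filter at all.
PORT_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-C": None,
}


def ingress_allowed(port, src):
    """True if a packet with source address `src` may enter on `port`.

    A filtered port admits only sources inside its assigned prefixes,
    so a packet carrying someone else's address is dropped at the edge.
    """
    prefixes = PORT_PREFIXES.get(port)
    if prefixes is None:
        return True  # unfiltered port: anything goes, spoofed or not
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in prefixes)


def filter_packets(packets):
    """Split (port, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if ingress_allowed(port, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic toward one victim at 203.0.113.5
SAMPLE = [
    ("cust-A", "192.0.2.10", "203.0.113.5"),      # genuine source, forwarded
    ("cust-A", "203.0.113.77", "203.0.113.5"),    # spoofed source, dropped
    ("cust-B", "198.51.100.200", "203.0.113.5"),  # outside the /25, dropped
    ("cust-C", "192.0.2.99", "203.0.113.5"),      # spoofed, but port unfiltered
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:", drp)
```

The packet entering on cust-C is the gap sil describes: one unfiltered port lets spoofed traffic through no matter how strict the other ports are, so the victim still cannot trust the source addresses it logs.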

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Oct 06, 2010 11:01 am

Re: Reverse Attacking and tracking down bot-nets?

Botnets get shut down, it just takes time. Like Sil said, the challenge is trying to figure out who is controlling the botnet. Going after the poor dope whose computer was infected hardly makes any sense. Another one will easily take his place.

Recently, the Mariposa botnet was shut down. It took a ridiculous amount of collaboration to shut it down:

http://www.net-security.org/secworld.php?id=8962
~~~~~~~~~~~~~~
Ketchup

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Wed Oct 06, 2010 12:02 pm

Re: Reverse Attacking and tracking down bot-nets?

What about routing the "attacks" or "traffic" of the "attacking class", say a SYN flood, and redirecting them to some IPs and filtering them?
And also, is there any chance to hack one of the zombies with the traffic sent by one of the zombies?

Did anybody try something like this?

Also, I have seen some companies tracking down the original source of DoS attacks without law enforcement authorities involved; how are they doing it?

Any other ways for a common user to detect the source of an attack?

ziggy_567


Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Oct 06, 2010 1:55 pm

Re: Reverse Attacking and tracking down bot-nets?

In order to track the source of a DoS, you must have cooperation from the networks where the traffic is coming from. Basically, you're going to follow the trail hop by hop. Each hop must cooperate with you. In some cases this is possible, but as has been pointed out, it takes an inordinate amount of cooperation.

If the attacker is smart, the attacker will use nodes that are geographically dispersed and will have traffic coming from countries that are known to be difficult to work with. This slows the process considerably, and in most cases will thwart your efforts completely.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Wed Oct 06, 2010 3:37 pm

Re: Reverse Attacking and tracking down bot-nets?

Also, I am sure this cannot be done in legal ways.
Also, can you tell me how I can hack one of the bots with the traffic it is sending to me?

Is it possible?

If it is possible, then I have a higher % chance of tracking down the source of the attack...

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Oct 06, 2010 4:05 pm

Re: Reverse Attacking and tracking down bot-nets?

It's not legal for you to hack one of the bots. Remember, the bot is a victim here. The best you can do is report the attack to the authorities.
~~~~~~~~~~~~~~
Ketchup

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Oct 07, 2010 7:49 am

Re: Reverse Attacking and tracking down bot-nets?

I know it's not legal, but I want to know the possibilities.
Is it possible to hack the port on the zombie on which it is connected to the bot-net?
