[Full-disclosure] Oh Yeah, botnet communications
tbiehn at gmail.com
Fri Feb 20 14:38:40 GMT 2009
There's nothing complicated about it - it's dead simple.
Who needs a botnet available 24/7?
The registrars are all down at the same time?
Why does it have to be domains?
Perhaps the bots pick a range of IPs to scan based on the news... any bots
with IPs falling into this range become C&C points; the rest scan the range
to look for control nodes. Owners do the same.
What makes you think you need the extra nodes that (because of your
mentioned examples or a risk of quantum events) pulled a different article?
Maybe it's time to rethink using CPUs because there's sometimes extremely
hot weather that causes them to shut off.
On Fri, Feb 20, 2009 at 12:21 AM, <Valdis.Kletnieks at vt.edu> wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
> > God Valdis,
> > Dont concentrate on the mundane, the core issue is the unpredictable
> > of it.
> > You have them all coordinate reading the news at 12:00 AM GMT.
> > You build some silly algorithm that ensures they pick the right article.
> Right, so now you need this insanely complicated system to make sure that
> get the right article at midnight, even if you have a race condition or
> getting an old copy because of a caching proxy in the path or if they hit
> different boxes on a load balancer and the articles update a few seconds
> and then make sure they all pick the "right" article - which means they
> need to
> *agree* on the right article without knowing for sure what article the
> bots are looking at. And that also means that the botnet owner (or at
> a system they have) has to *also* be online so it can also check CNN and
> out what domain to register - which sucks if Godaddy just put up the "Down
> 3 hours due to unexpected system problem" sign or any of a zillion other
> modes in trying to register that next domain in real time. You can't
> the next 3-4 day's worth of domains ahead of time and make sure they went
> Lots of failure modes there.
> Or you can just hash the damned clock once an hour, which seems to be quite
> sufficient to keep the average botnet running.
> *THAT* is why they don't base it off a news RSS feed - all these mundane
> make it *harder*. You wanna do it the hard way that has more ways to fail
> sprout bugs, be my guest. Most of the coders out there prefer something
> just a bit simpler.
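The "hash the clock once an hour" scheme Valdis describes, written out as an added example (not code from either poster, and not any real botnet's algorithm). The shared seed, the SHA-256 hash, the 12-letter label and the TLD list are all assumptions; the point is that bot and owner derive the same domain from nothing but the current UTC hour, so the owner can compute and register days of domains in advance, and a defender holding the same seed can do exactly the same for sinkholing or blocklists:

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import List

# Assumed shared secret baked into both the bot and the owner's tooling.
SEED = b"example-seed"
# Assumed set of TLDs the generator may pick from.
TLDS = ("com", "net", "org")


def hour_bucket(ts: datetime) -> int:
    """Floor a timezone-aware timestamp to the start of its UTC hour.

    This integer is the only thing both sides must agree on; minutes of
    clock skew between bots do not matter as long as they land in the
    same hour.
    """
    ts = ts.astimezone(timezone.utc)
    return int(ts.replace(minute=0, second=0, microsecond=0).timestamp())


def domain_for(ts: datetime) -> str:
    """Derive the rendezvous domain for the hour containing `ts`."""
    digest = hashlib.sha256(SEED + str(hour_bucket(ts)).encode()).digest()
    # Map the first 12 digest bytes onto lowercase letters for the label.
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"


def schedule(start: datetime, hours: int) -> List[str]:
    """Precompute the next `hours` domains.

    This is what the news-driven variant cannot do: the owner (or a
    defender with the seed) can register or sinkhole days ahead of time
    without needing to be online at the hour boundary.
    """
    return [domain_for(start + timedelta(hours=i)) for i in range(hours)]


if __name__ == "__main__":
    now = datetime(2009, 2, 20, 14, 38, tzinfo=timezone.utc)
    for d in schedule(now, 72):
        print(d)
```

Because the derivation is deterministic, anyone who recovers the seed and the hashing from a sample gets the same 72-domain list the owner gets; that is the trade the simple scheme makes in exchange for having no external dependency that can be down or cached stale.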
Full-Disclosure is hosted and sponsored by Secunia.