8: It is worth summarizing the defense measures the author proposes:
A: Annihilating the botnet
- Prevent infection: defenders should harden the hosts that could become servent bots so that they are not compromised in the first place;
- Seize the opportunity: defenders should build rapid detection and response systems and disable the initial servent bots before the botmaster issues the first update command;
- Counterattack in depth: defenders should poison the P2P botnet's communication channel. Honeypots with static global IP addresses that become infected turn into servent bots and can then be added to other bots' peer lists as peer-list-updated servent bots. The more of them that get added, the more the botnet's communication channel is disrupted;
The author also proposes a more concrete counterattack:
- Once a honeypot is infected, the defender should let it quickly infect more honeypots;
- When a report command is received, every honeypot should respond immediately, report its own capabilities, and try to join the core group of peer-list-updated servent bots.
- It would be better still if the defender could deploy distributed honeypots with a large number of IP addresses.
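The poisoning idea above is easier to appreciate with numbers. The following is an added example written for these notes, not code from the paper or its authors. It assumes a simplified model of the hybrid botnet: every bot keeps a peer list of M distinct servent bots, and on each update the list is refilled uniformly at random from the pool of servents the botmaster knows about, a pool that now contains the defender's infected honeypots. A bot whose entire peer list is honeypots is cut off, because every peer it can ask for commands is under defender control.

```python
"""Added example (not from the paper or these notes): how honeypots that
become servent bots dilute a P2P botnet's peer lists.

Model assumptions (simplifications made for this example):
  * each bot holds a peer list of M distinct servent bots;
  * a peer-list update draws M distinct entries uniformly from the pool of
    known servents, which includes infected honeypots with static global IPs;
  * a bot is "cut off" when all M entries in its list are honeypots.
"""
import random
from math import comb


def analytic_cutoff_probability(n_servents: int, n_honeypots: int, m: int) -> float:
    """Exact probability that a peer list of m distinct entries drawn from
    n_servents real servents plus n_honeypots honeypots is all honeypots
    (hypergeometric: choose all m from the honeypots)."""
    if m > n_honeypots:
        return 0.0
    return comb(n_honeypots, m) / comb(n_servents + n_honeypots, m)


def simulate(n_bots: int, n_servents: int, n_honeypots: int, m: int, seed: int = 1) -> dict:
    """Monte Carlo version of one peer-list update across n_bots bots.
    Returns the fraction of bots cut off and the overall share of peer-list
    entries that point at honeypots."""
    rng = random.Random(seed)               # fixed seed: reproducible run
    pool = [False] * n_servents + [True] * n_honeypots   # True = honeypot
    cut_off = 0
    honeypot_entries = 0
    for _ in range(n_bots):
        peer_list = rng.sample(pool, m)     # m distinct servents for this bot
        honeypot_entries += sum(peer_list)
        if all(peer_list):
            cut_off += 1
    return {
        "cutoff_fraction": cut_off / n_bots,
        "honeypot_share": honeypot_entries / (n_bots * m),
    }


def sweep(n_servents: int, m: int, honeypot_counts) -> list:
    """Cut-off probability as the defender adds more honeypots, holding the
    number of real servents fixed. Illustrates the 'more honeypots, more
    damage to the channel' point from the paper."""
    return [(h, analytic_cutoff_probability(n_servents, h, m)) for h in honeypot_counts]


if __name__ == "__main__":
    for h, p in sweep(n_servents=100, m=5, honeypot_counts=(0, 50, 100, 200, 400)):
        print(f"{h:4d} honeypots among 100 real servents -> P(bot cut off) = {p:.3f}")
    print(simulate(n_bots=20_000, n_servents=100, n_honeypots=100, m=5))
```

The analytic function is the one to trust; the simulation is there so the model's assumptions are spelled out in code, and the two should agree to within sampling noise. Real botnets choose peers less uniformly than this, so the numbers are an upper bound on the effect, not a prediction.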
B: Monitoring
The author writes at length about the ideal way to use honeypots, and then points out:
A possible weak point of the proposed botnet is its centralized monitoring sensor. If defenders have set up a good traffic logging system, it is possible that they could capture the traffic to a botnet sensor.
The last sentence of this chapter also says: this makes it important to conduct further research on this approach, since we must be prepared in case a future smart botnet can detect and disable honeypots.
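What "capturing the traffic to a botnet sensor" might look like in practice, as an added example that is not part of the notes or the paper: if bots report to one centralized sensor on a schedule, the sensor stands out in flow logs as a single external destination contacted by many internal hosts at very regular intervals. The log format, the internal network 10.0.0.0/8, the sensor address 198.51.100.7 and every log line below are constructed for this example; the thresholds are assumptions to tune against real data.

```python
"""Added example (not from the paper or these notes): finding a botnet's
centralized monitoring sensor in flow logs.

Assumption: bots report to the sensor periodically, so the sensor appears as
one external (dst, port) reached by many internal hosts with near-constant
inter-arrival times. Log format and addresses are constructed here."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def make_constructed_log() -> list:
    """Build a small constructed flow log: six internal hosts phoning a
    hypothetical sensor every 600 s, plus two hosts browsing irregularly."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(6):                       # constructed bot reports
        for k in range(4):
            t = base + timedelta(seconds=600 * k + i * 7)
            lines.append(f"{t.isoformat()} src=10.0.0.{10 + i} dst=198.51.100.7 dport=8080 bytes=312")
    browsing = {"10.0.0.20": (0, 30, 930, 935), "10.0.0.21": (12, 2000, 2010, 4000)}
    for src, offsets in browsing.items():    # constructed ordinary traffic
        for o in offsets:
            t = base + timedelta(seconds=o)
            lines.append(f"{t.isoformat()} src={src} dst=203.0.113.10 dport=443 bytes=1500")
    return sorted(lines)


def parse_line(line: str):
    """Parse 'ISO-timestamp key=value ...' into (timestamp, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def find_sensor_candidates(lines, min_sources: int = 5, max_cv: float = 0.1) -> list:
    """Return (dst, port, distinct_internal_sources, mean_interval_seconds) for
    external destinations contacted by at least min_sources internal hosts
    whose inter-arrival times have a coefficient of variation <= max_cv."""
    events = defaultdict(lambda: defaultdict(list))   # (dst, port) -> src -> [ts]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            events[(dst, port)][src].append(ts)

    candidates = []
    for (dst, port), per_src in events.items():
        if len(per_src) < min_sources:
            continue
        intervals = []
        for times in per_src.values():
            times.sort()
            intervals += [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(intervals) < 2:
            continue
        cv = pstdev(intervals) / mean(intervals)   # 0 means perfectly periodic
        if cv <= max_cv:
            candidates.append((dst, port, len(per_src), mean(intervals)))
    return candidates


if __name__ == "__main__":
    for dst, port, n_src, period in find_sensor_candidates(make_constructed_log()):
        print(f"possible sensor {dst}:{port}: {n_src} internal hosts, ~{period:.0f}s period")
```

On real logs the same shape also matches legitimate periodic services (NTP, update checks, monitoring agents), so the output is a list of things to look at, not a verdict; an allowlist of known destinations and a look at payload sizes are the obvious next filters.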
9: Discussion
The author first stresses that honeypots play a very important role, so the botmaster needs to design countermeasures. There is already related literature on detecting honeypots by their software or hardware signatures:
[27: Honeypots with VMware basics]
[28: Advanced honeypot identification and exploitation]
[29: Honeyd Security Advisory 2004-001: Remote detection via simple probe packet]
Or the botmaster can exploit the legal and ethical limitations of honeypots. Many current botnets do not bother to detect honeypots, simply because the attacker does not feel threatened by them.
As honeypot technology matures and becomes widely used, we believe the botmaster will certainly add honeypot detection mechanisms to botnets. The contest between the two sides will only intensify!
Current research shows that monitoring today's Internet botnets (mainly IRC botnets) is not too difficult; the hard problem is how to stop a botnet attack. For legal and ethical reasons a security worker cannot actively attack and take over remote bots or a botnet C&C server, even when we know a remote machine has a bot program installed. For example, the "good worm" approach is not feasible in the real Internet environment. Methods that rely on ISPs to restrict botnets are slow and consume resources. Botnet defense therefore still faces plenty of challenges.
10: Discussion
The author points out that honeypots may play an important role in defending against such an advanced botnet; we should therefore invest more research into how to deploy honeypots efficiently and avoid their exposure to botnets and botmasters.