Tuesday, August 28, 2007

New Bot Herder Evasion Tactics

Ever wonder what keeps those bots going? It's called fast flux DNS, according to an article on Security Focus.

Rather than rely on a single IRC channel, bot herders are using the DNS tactic to evade detection and stay out at night past curfew. IRC channels, the bot medium of choice until recently, were a single point of failure. Once a bot fighter took down the IRC channel, the bot came down with it.

Not so with DNS fast flux, which uses a network of servers playing musical chairs with IP addresses and their DNS entries. Not only do they move around fast enough to stay ahead of their pursuers, they're a network that can't be easily taken down by removing one foul DNS server from it.
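One way a defender might spot the rotation described above in passive DNS observations. This is an added example, not code from the original post or the article it cites; the domain names, addresses, record layout and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (seconds since start, queried name, A record returned, TTL).
OBSERVATIONS = [
    (0,   "flux.example",   "198.51.100.7",  120),
    (150, "flux.example",   "203.0.113.45",  120),
    (300, "flux.example",   "192.0.2.200",   120),
    (450, "flux.example",   "198.51.100.91", 120),
    (600, "flux.example",   "203.0.113.12",  120),
    (0,   "static.example", "192.0.2.10",    86400),
    (300, "static.example", "192.0.2.10",    86400),
    (600, "static.example", "192.0.2.10",    86400),
]

def prefix24(addr):
    """Return the /24 an IPv4 address falls in, as a coarse 'which network' key."""
    return int(ip_address(addr)) >> 8

def flux_report(observations, window=900, min_ips=4, min_nets=2, max_ttl=300):
    """Summarise each name's A-record churn in the first `window` seconds.

    A name is marked suspect when it resolved to many addresses, spread over
    several networks, with short TTLs. All thresholds are illustrative
    assumptions, not values from the article.
    """
    per_name = defaultdict(list)
    for ts, name, ip, ttl in observations:
        if ts <= window:
            per_name[name].append((ip, ttl))
    report = {}
    for name, rows in per_name.items():
        ips = {ip for ip, _ in rows}
        nets = {prefix24(ip) for ip in ips}
        low_ttl = max(ttl for _, ttl in rows) <= max_ttl
        report[name] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "suspect": len(ips) >= min_ips and len(nets) >= min_nets and low_ttl,
        }
    return report

if __name__ == "__main__":
    for name, stats in flux_report(OBSERVATIONS).items():
        print(name, stats)
```

Content delivery networks and round-robin DNS also return several addresses with short TTLs, so a hit here is a triage signal to investigate rather than a verdict.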

Russ Cooper also had a blurb in MCP's Security Watch column this month.


