ITU anti-botnet paper draft
Link here – http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigation-toolkit-background.pdf. The paper is pretty long, but the second half is a technical analysis and a good introduction to anti-botnet technologies: authenticated email, reputation systems, DNS block lists and path authentication, whois, honeypots, darknets, and user-based feedback loops.
It also describes two interesting techniques the bad guys use. One is fast-flux DNS, in which the advertised website and email source quickly cycle through geographic locations (and domain names): by the time the good guys try to take out a server or domain, it’s probably too late, and it won’t matter in another minute anyway. The other is the so-called Rock Phish style proxy, in which a large number of proxy servers are used to shield a small number of critical botnet servers.
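The fast-flux behaviour described above is something defenders can spot from the resolver side, since the rotating answers leave a signature: short TTLs, a large number of distinct addresses over time, and answer sets that barely overlap from one lookup to the next. The following is an added example (not code from this post or from the ITU paper) of a simple flux-scoring heuristic over passive-DNS-style observations. The `DnsObservation` record, the constructed sample answers, and the thresholds in `looks_like_fast_flux` are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer for a domain, as a resolver or passive-DNS sensor would log it.
    (Hypothetical record layout, assumed for this example.)"""
    seen_at: int           # Unix timestamp of the lookup
    ttl: int               # TTL in seconds returned with the A records
    addresses: frozenset   # IPv4 addresses returned in this answer


def flux_indicators(observations):
    """Summarise how 'fluxy' a domain's answers look across the observations.

    Returns a dict with:
      distinct_ips : number of distinct addresses seen across all answers
      mean_ttl     : average TTL of the answers
      churn        : average fraction of addresses in an answer that were NOT
                     in the immediately preceding answer
                     (0.0 = stable set, 1.0 = complete rotation every lookup)
    """
    obs = sorted(observations, key=lambda o: o.seen_at)
    if not obs:
        raise ValueError("need at least one observation")
    seen = set()
    for o in obs:
        seen |= o.addresses
    churns = []
    for prev, cur in zip(obs, obs[1:]):
        new = cur.addresses - prev.addresses
        churns.append(len(new) / len(cur.addresses) if cur.addresses else 0.0)
    return {
        "distinct_ips": len(seen),
        "mean_ttl": mean(o.ttl for o in obs),
        "churn": mean(churns) if churns else 0.0,
    }


def looks_like_fast_flux(observations, max_ttl=300, min_distinct_ips=10, min_churn=0.5):
    """Triage heuristic (thresholds are assumptions): short TTL, many distinct
    addresses, and high churn together suggest a fast-flux domain."""
    ind = flux_indicators(observations)
    return (ind["mean_ttl"] <= max_ttl
            and ind["distinct_ips"] >= min_distinct_ips
            and ind["churn"] >= min_churn)


# Constructed sample: a domain whose answer set rotates completely every minute
# (RFC 5737 documentation addresses, not real hosts).
FLUX_SAMPLE = [
    DnsObservation(seen_at=1_700_000_000 + 60 * i, ttl=60,
                   addresses=frozenset(f"198.51.100.{(i * 5 + k) % 200 + 1}" for k in range(5)))
    for i in range(6)
]

# Constructed sample: a stable host answering with the same two addresses and a long TTL.
STABLE_SAMPLE = [
    DnsObservation(seen_at=1_700_000_000 + 3600 * i, ttl=3600,
                   addresses=frozenset({"203.0.113.10", "203.0.113.11"}))
    for i in range(6)
]

# Constructed sample: ordinary round-robin over a small pool. Churn is high and the TTL
# is short, but the pool is tiny, so the distinct-address threshold keeps it out.
POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
ROUND_ROBIN_SAMPLE = [
    DnsObservation(seen_at=1_700_000_000 + 60 * i, ttl=60,
                   addresses=frozenset(POOL[(2 * i) % 4:(2 * i) % 4 + 2]))
    for i in range(6)
]


if __name__ == "__main__":
    for name, sample in [("flux", FLUX_SAMPLE), ("stable", STABLE_SAMPLE),
                         ("round-robin", ROUND_ROBIN_SAMPLE)]:
        print(name, flux_indicators(sample), "->", looks_like_fast_flux(sample))
```

The third sample is the important caveat: CDNs and load-balanced services also hand out short TTLs and rotate answers, so TTL and churn alone produce false positives. Requiring a large distinct-address count (and, in a real deployment, addresses spread across many networks and ASNs) is what separates a botnet's ever-changing proxy layer from a legitimate pool, and even then the result is a lead for an analyst rather than a verdict.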