The recent “de-peering” of the AS-Troyak ISP, and its subsequent struggle (and relative success) to reconnect to the Internet, has put the spotlight on the tangled web of upstream connections and C&C servers that is one of the main reasons botnets are so hard to disrupt permanently.
By building a great deal of redundancy into their network, the bot masters are able to regroup and reroute their connections: when some go down, others are ready to take their place. This takedown also showed that there are ISPs that knowingly host and work with bot masters, and the care they put into planning a web of upstream links that assures almost bulletproof connectivity is what makes them ideal hosts for C&C infrastructure.
According to The Register and RSA, Troyak is connected to eight networks and at least four ISPs that host the C&C channels. These ISPs, in turn, buy upstream connectivity from other ISPs that were probably unaware of what was going on. Some of those upstreams are believed to have pulled the plug last week, which accounts for the drop in the number of ZeuS botnets observed.
The subsequent restoration of the connections was a little disheartening, but Sean Brady, RSA’s manager of the identity protection and verification group, is not worried, because there are only so many upstream providers that can be used. “You get enough of them and eventually, you’re going to knock this whole thing offline,” he says.
In time, ISPs will have to pay more attention to what their customers are doing if they want to keep operating. Adam Rice, CSO at Tata Communications (India’s largest ISP), says that “technology exists for any Tier-1 ISP to listen in and sample their core and paint a pretty complete picture on not only malicious traffic that might be transiting their network, but also stuff that is originating or terminating within the network.”
In his interview with SearchSecurity, he also states that such technology is not “prohibitively expensive” and is unlikely to run afoul of many privacy laws, since it analyzes flow data rather than packet payloads. “We use this technology internally right now to be able to see and stop denial-of-service attacks on our network,” he says, adding that the same approach can be used “to see all kinds of traffic.”
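To make the flow-versus-payload distinction concrete, here is an added example (not Tata Communications’ tooling, and not code from the article) of the kind of analysis a carrier can run on sampled core traffic. It assumes NetFlow/sFlow-style records reduced to a 5-tuple plus packet and byte counters, a constructed list of flow records, and a constructed prefix standing in for a list of networks hosting C&C channels; none of the addresses or prefixes are real. Only addresses and counters are consulted, never payload, which is exactly what lets it flag both a volumetric denial-of-service pattern (many sources, one destination) and customers talking to suspect prefixes.

```python
"""Flow-level (not payload) analysis of sampled core traffic.

Added example. Assumes NetFlow/sFlow-style records already exported from
the core; the sample flows and the suspect prefix below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of flow records: (src, dst, dport, packets, bytes).
# Two ordinary web sessions, a hundred sources flooding one host, and two
# internal hosts talking to addresses inside a suspect prefix.
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", 80, 40, 32000),
    ("198.51.100.11", "203.0.113.5", 443, 20, 15000),
    ("198.51.100.12", "192.0.2.77", 8080, 6, 1800),
    ("198.51.100.12", "192.0.2.78", 8080, 6, 1800),
    ("198.51.100.13", "192.0.2.77", 443, 3, 900),
] + [(f"10.0.0.{i}", "203.0.113.9", 80, 500, 30000) for i in range(1, 101)]

# Constructed stand-in for a list of prefixes hosting C&C channels (not real data).
SUSPECT_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def detect_dos(flows, min_sources=50, min_packets=10000, sampling_rate=1):
    """Flag destinations hit by many distinct sources with a high packet count.

    Only addresses and counters are used; payload is never inspected.
    sampling_rate scales sampled counters back to an estimate of the true total
    (a 1:N packet sampler exports roughly 1/N of the real packet count).
    Returns a sorted list of (dst, distinct_sources, estimated_packets).
    """
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0})
    for src, dst, _dport, packets, _bytes in flows:
        per_dst[dst]["sources"].add(src)
        per_dst[dst]["packets"] += packets * sampling_rate
    return sorted(
        (dst, len(v["sources"]), v["packets"])
        for dst, v in per_dst.items()
        if len(v["sources"]) >= min_sources and v["packets"] >= min_packets
    )


def detect_c2_talkers(flows, prefixes):
    """Map each source that contacted a suspect prefix to the addresses it reached.

    Catches traffic originating or terminating inside the network as well as
    transit traffic, because every flow record is checked regardless of
    which side of the network the endpoints sit on.
    """
    talkers = defaultdict(set)
    for src, dst, _dport, _packets, _bytes in flows:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in prefixes):
            talkers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in talkers.items()}


if __name__ == "__main__":
    for dst, n_src, pkts in detect_dos(SAMPLE_FLOWS):
        print(f"possible DoS against {dst}: {n_src} sources, {pkts} packets")
    for src, dsts in detect_c2_talkers(SAMPLE_FLOWS, SUSPECT_PREFIXES).items():
        print(f"{src} contacted suspect addresses: {', '.join(dsts)}")
```

The thresholds (`min_sources`, `min_packets`) and the sampling rate are the parameters an operator would tune to their own export configuration; on real 1:1000 sampled data the packet estimates are coarse, which is why the denial-of-service check keys on the number of distinct sources as well as on volume. The prefix list is the weak point of the second check: it is only as good as the intelligence feeding it, and a bot master who moves to a fresh upstream, as Troyak did, will not be on it until someone updates it.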