The anti botnet market for ISPs and corporate networks
September 26th, 2006 by SecuriTeam, Filed under: Botnets, Commentary, Corporate Security, DDoS, Networking, Spam, Virus
the anti-botnet market for isps and corporate networks is here. several companies are rehashing their old products and buzzwording them as ddos mitigation or botnet solutions, but not trend micro.
trend micro released a brand new product built on the novel idea of using dns traffic to detect bots on an isp or corporate network.
the signals are things like a flood of requests for a c&c name (bots phoning home), a flood of mx lookups from a single host (spam bots delivering mail directly), negative caching (an nxdomain answer getting cached because the bots are already asking for a c&c name that doesn't exist yet), and beyond.
it works. i don't know if that's exactly what trend micro is doing, but it's a step in the right direction toward better botnet detection and mitigation.
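to make the three dns signals above concrete, here is a small added example (my own illustration, not trend micro's product and not code from the paper linked below) that runs them over a resolver query log. the log lines, client addresses, domain names and the thresholds are all constructed for the example; on a real network the thresholds and the allowlist of popular names would need tuning per resolver.

```python
"""Toy DNS-log analyzer for the three botnet signals discussed in the post.

Added example, not Trend Micro's product or the paper's code. It applies three
heuristics to a recursive resolver's query log:
  1. a client issuing many distinct MX lookups (spam bot delivering mail itself)
  2. a name that keeps answering NXDOMAIN to several clients (bots asking for a
     C&C name that is not registered yet, so the resolver negative-caches it)
  3. a name outside an allowlist queried by many distinct clients (phoning home)
"""
from collections import defaultdict

# Constructed sample log, one query per line: "client qtype qname rcode".
# Addresses and names are placeholders made up for this example.
SAMPLE_LOG = """\
10.0.0.1 A www.example.com NOERROR
10.0.0.1 MX example.com NOERROR
10.0.0.1 A www.example.org NOERROR
10.0.0.2 MX mail-one.test NOERROR
10.0.0.2 MX mail-two.test NOERROR
10.0.0.2 MX mail-three.test NOERROR
10.0.0.2 MX mail-four.test NOERROR
10.0.0.2 MX mail-five.test NOERROR
10.0.0.2 MX mail-six.test NOERROR
10.0.0.2 A notyet.cnc-placeholder.test NXDOMAIN
10.0.0.3 A notyet.cnc-placeholder.test NXDOMAIN
10.0.0.4 A notyet.cnc-placeholder.test NXDOMAIN
10.0.0.3 A notyet.cnc-placeholder.test NXDOMAIN
10.0.0.2 A beacon.cnc-placeholder.test NOERROR
10.0.0.3 A beacon.cnc-placeholder.test NOERROR
10.0.0.4 A beacon.cnc-placeholder.test NOERROR
10.0.0.5 A beacon.cnc-placeholder.test NOERROR
10.0.0.5 A www.example.com NOERROR
10.0.0.3 A www.example.com NOERROR
10.0.0.4 A www.example.com NOERROR
10.0.0.1 A typo.exampel.com NXDOMAIN
"""

# Names that many legitimate clients are expected to query (assumed; tune per network).
ALLOWLIST = {"www.example.com", "example.com", "www.example.org"}


def parse_log(text):
    """Yield (client, qtype, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qtype, qname, rcode = parts
        yield client, qtype.upper(), qname.lower().rstrip("."), rcode.upper()


def analyze(log_text, mx_threshold=5, nx_threshold=3, nx_min_clients=2,
            phone_home_min_clients=3):
    """Return the clients and names flagged by each of the three heuristics."""
    mx_domains = defaultdict(set)    # client -> distinct names it asked MX for
    nx_hits = defaultdict(list)      # qname  -> every client that got NXDOMAIN
    a_clients = defaultdict(set)     # qname  -> distinct clients resolving it
    for client, qtype, qname, rcode in parse_log(log_text):
        if qtype == "MX":
            mx_domains[client].add(qname)
        if rcode == "NXDOMAIN":
            nx_hits[qname].append(client)
        elif qtype in ("A", "AAAA"):
            a_clients[qname].add(client)

    # 1. spam bots: one host doing its own delivery looks up many MX records
    spam_suspects = sorted(c for c, d in mx_domains.items() if len(d) >= mx_threshold)
    # 2. negative caching: the same missing name asked repeatedly by several hosts
    nx_hotspots = sorted(n for n, cs in nx_hits.items()
                         if len(cs) >= nx_threshold and len(set(cs)) >= nx_min_clients)
    # 3. phoning home: an unpopular name that many hosts suddenly resolve
    phone_home = sorted(n for n, cs in a_clients.items()
                        if n not in ALLOWLIST and len(cs) >= phone_home_min_clients)
    return {"spam_bot_suspects": spam_suspects,
            "nxdomain_hotspots": nx_hotspots,
            "phone_home_names": phone_home}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

the point of the allowlist is the obvious false positive: a name that every host on the network resolves is usually a popular site, not a c&c, so the "many clients, one name" heuristic is only interesting for names that are not normally popular.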
larry seltzer wrote a good article on it:
http://www.eweek.com/article2/0,1759,2020286,00.asp
this idea has been explored before:
the domain name service as an ids:
http://blogs.securiteam.com/index.php/archives/321
the original paper can be found here:
http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
(these guys were cool enough to reference me, hehe)
other papers were linked to from the above-mentioned post.
this is pretty cool, and is worth a look. i guess we will find out what this commercialized technology is worth now that it is out of the home-grown/academic tools realm.
gadi evron,
ge@beyondsecurity.com.