Re-branding IPS as an anti botnet tool

i have seen a pr last month from mcafee on this issue, and now they issued another one.

for most cases, i don’t believe in ids products.

i think that trying to pitch i[dp]s as a solution for botnets is technologically silly, but marketing-wise right on the spot. as the solution it is plain and simple silly.
a lot of security vendors will now start taking that approach, dealing with the buzzword.

an ips will not cure your botnet problems. it may help pinpoint some bots (or similar) on your network, which is important, but that’s about it.

i wish mcafee all the luck in the world, but this is, in my opinion, way way way over-hyped:
http://www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf

in another pr they present a case study on how they saved a south american country from a botnet attack using their ips. i would like to see more, or something, to back it up as to how, before i state my opinion.

what do you think?

gadi evron,
ge@beyondsecurity.com.

  • Dave Reggie

    I have read the paper 3 times and have used IntruShield for over 2 years. It is NOT a common IPS packet-grepping box, but much more advanced.

    I do not think IntruShield IPS will ‘solve’ botnets, but a good one can kill off many of their C&C structures. The paper also raises the point that IPS may allow insight into where the botnet controllers are and how big the bots are. Don’t write it off!

    Although as more and more get encrypted, its value will decline quickly. Nonetheless, even then IPS can stop exploits, and so can slow botnet growth. It gets my thumbs up, it’s a genuine attempt, not just ‘hype’.

  • Matthew Murphy (http://blogs.securiteam.com/index.php/archives/author/mattmurphy/)

    I’m inclined to agree with Dave that IPS is a potentially valuable anti-botnet tool. Even when the command and control becomes encrypted, the IPS could probably be configured to block large anomalous traffic flows that are commonly associated with, for instance, spam runs and DDoS attacks. Granted, I’m working for an IPS vendor, but it remains my personal opinion that IPS could be of utility here. There’s also a great deal of middle ground between something being a solution (i.e., the end of the problem) and being utterly useless in solving the problem. Most real-world technical solutions consist of several technical and tactical changes, rather than simply introducing one new technique or technology. I think IPS could be a useful part of that “mix”, even if not the answer by itself. An IPS with quarantine functionality could be used to proactively disable network access for machines that send thousands of e-mails via foreign hosts. An IPS with rate-limiting would greatly hamper the same class of communications without cutting them off entirely. Either solution would greatly reduce the number of spam zombies if applied by a sizeable portion of the consumer-hosting internet providers out there. Indirectly, the providers themselves would see benefits of a meaningful reduction in spam zombie population or effectiveness, because less spam would hit their own mail servers.

  • sunshine

    IPS does provide an answer, just not a very good one.

  • Tuffer

    sunshine, maybe you could expand on why you think ips is a not very good botnet solution. what would you suggest as a more suitable solution to the problem outlined within the paper mentioned earlier?

  • Matthew Murphy (http://blogs.securiteam.com/index.php/archives/author/mattmurphy/)

    “Very good” is relative. IPS won’t end the problem, but it is much better at dealing with certain classes of bots, in particular spam zombies, than the status quo at most ISPs. That status quo, of course, is manual intervention, presumably after complaints from people receiving spam from these bots. Just because a technology can’t solve the entire problem doesn’t mean it shouldn’t be used, or that it isn’t cost-beneficial to use it. So, regardless of your opinion of McAfee’s marketing, the question remains: Why shouldn’t organizations who are serious about tackling the bot problem use IPS as a tool to automate the identification, detection (and likely quarantine) processes where possible? I’m interested in what your answer is, because I personally don’t see a good reason. ISPs who take advantage of IPS with quarantine functionality could automate the process of detecting certain classes of bots and then quarantine affected users, automatically pointing them to remedies designed to solve the problem, and all with a very low margin of error.
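Matthew Murphy's two comments above describe the same policy: watch for hosts that open mail connections to large numbers of foreign hosts, then quarantine or rate-limit them automatically, while keeping the error margin low. The script below is an added illustration of that detection logic, not code from this thread, from McAfee, or from any IPS product. It assumes NetFlow-style records in a simple "timestamp src dst dport" form, a constructed sample log, made-up thresholds, and an allowlist for the customer's real mail relay so a legitimate high-volume sender is never auto-quarantined (the false-positive case that would otherwise undercut the "low margin of error" claim).

```python
"""Flag likely spam zombies by counting distinct external SMTP (TCP/25) peers
per internal host inside a time window, then choose the response tier an IPS
policy would apply.  Example code with constructed data and assumed thresholds."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical customer network and its known-good relay (assumed values).
INTERNAL_NET = ip_network("10.0.0.0/24")
KNOWN_RELAYS = {"10.0.0.25"}   # the real mail server: never auto-quarantine it
QUARANTINE_AT = 50             # distinct external SMTP peers per window -> quarantine
RATE_LIMIT_AT = 10             # distinct external SMTP peers per window -> rate-limit


def parse_flows(text):
    """Parse 'ts src dst dport' lines into tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def smtp_fanout(flows, window_start, window_len=3600):
    """Count distinct external TCP/25 destinations per internal source in one window."""
    peers = defaultdict(set)
    for ts, src, dst, dport in flows:
        if not (window_start <= ts < window_start + window_len):
            continue                                   # outside the window
        if dport != 25:
            continue                                   # only mail delivery counts
        if ip_address(src) not in INTERNAL_NET or ip_address(dst) in INTERNAL_NET:
            continue                                   # only inside -> outside traffic
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def classify(fanout):
    """Map each host to the action an operator would configure on the IPS."""
    actions = {}
    for src, n in fanout.items():
        if src in KNOWN_RELAYS:
            actions[src] = "allowlisted"               # expected high fan-out
        elif n >= QUARANTINE_AT:
            actions[src] = "quarantine"                # cut off, redirect user to remedy page
        elif n >= RATE_LIMIT_AT:
            actions[src] = "rate-limit"                # hamper without fully cutting off
        else:
            actions[src] = "ok"
    return actions


def build_sample():
    """Constructed flow log: a zombie, a borderline host, a desktop, a real relay."""
    lines = ["# ts src dst dport   (constructed sample, not real traffic)"]
    for i in range(120):   # zombie spraying mail at 120 different MX hosts
        lines.append(f"{1700000000 + i} 10.0.0.5 198.51.100.{i + 1} 25")
    for i in range(15):    # borderline host: enough fan-out to throttle, not cut off
        lines.append(f"{1700000150 + i} 10.0.0.8 198.51.100.{200 + i} 25")
    for i in range(2):     # desktop talking only to its provider's smarthost
        lines.append(f"{1700000100 + i} 10.0.0.7 203.0.113.10 25")
    for i in range(80):    # legitimate relay with high, but expected, fan-out
        lines.append(f"{1700000200 + i} 10.0.0.25 192.0.2.{i + 1} 25")
    lines.append("1700000300 10.0.0.7 203.0.113.50 443")   # web traffic, ignored
    lines.append("1700009000 10.0.0.9 198.51.100.9 25")    # falls outside the window
    return "\n".join(lines)


def run_sample():
    """Run the detector over the constructed log for the first one-hour window."""
    flows = parse_flows(build_sample())
    return classify(smtp_fanout(flows, window_start=1700000000))


if __name__ == "__main__":
    for host, action in sorted(run_sample().items()):
        print(f"{host:12} {action}")
```

The window and thresholds are the tuning knobs: too low and ordinary desktops that legitimately talk to a couple of mail servers get throttled; too high and a slow-sending zombie stays under the radar. The allowlist is what keeps a quarantine policy safe to automate, and on a real deployment it would come from the provider's own inventory rather than a constant in the script.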