-1

I was reading about botnets and was wondering why it is not possible to find the origin of these nets and root them out by identifying the origin computer which sets these up?

I perhaps don't understand them very much so pardon my naive question.

Theoretically, all traffic that originates from every computer has to go through an ISP, a bunch of intermediate routers and finally reach its destination host. So if the ISPs monitor incoming and outgoing addresses they should be able to tell which IP address is making all these connections to a large number of destinations, or some such heuristic...

In general these backbone providers and ISPs together essentially know where the connections from each computer go, so why not follow them?

treefrog
    I'm thinking this question is going to get better responses from http://security.stackexchange.com/ – wkl Dec 29 '11 at 22:39

2 Answers

2

Normally it's not a single computer that sets them up. Many botnets are propagated by a worm/virus/trojan, so finding the originating host is only a bit simpler than finding the first guy with influenza.

Another problem is that if the signal hops across several ISPs, it's not very easy to trace, since an ISP doesn't have access to the logs of the preceding ISPs in the chain, nor does it see the activity that is going on in hosts downstream from it. It takes a central authority like the FBI to track things down, and even they have problems if the connection hops through, say, Vanuatu.

Amadan
    not to mention NAT, VPNs, proxies, mobile devices, and a host of other tech that can be used to hide one's activities. – Sam Axe Dec 29 '11 at 22:45
    @Boo: Very true. Basically, OP: if the problem were easy, it would have been solved. The very fact that it's not solved, despite the rather huge problems and revenue losses, not to mention theft and life endangerment if crackers go after a particularly sensitive target, shows how hard the problem is. – Amadan Dec 29 '11 at 22:52
  • OK, the ISPs don't have access to each other's data, but backbone providers do, don't they? I remember reading some article about that, that they can see pretty much all the traffic (taking the place of the central viewer you mention) that goes through their networks. They should still be able to look at stuff without violating privacy if they only look at origins and endpoints. Please share any references if you have any. Thank you – treefrog Dec 29 '11 at 23:07
  • Backbone providers, in theory, could see the origin and endpoint hosts, but can't see user identities within a site. On a host with 200 accounts, how do you associate that this outgoing packet is related to that incoming packet? Besides, sniffing even a smallish network is a full-time job for a machine, I believe. Sniffing a backbone... I don't even want to think about the resources required. – Amadan Dec 30 '11 at 01:06
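The heuristic the question proposes ("which IP address is making connections to a large number of destinations") and the NAT/visibility caveat raised in the comments above can both be shown on flow records. The following is an added example, not code from the question or from either answer: it models NetFlow-style records as (src, dst, dport, bytes) tuples, computes per-source fan-out and per-destination fan-in, and then rewrites the sample traffic the way a NAT gateway would so that the view one ISP upstream can be compared. All addresses are hypothetical (RFC 5737 documentation ranges), the flow records are constructed, and the thresholds are arbitrary assumptions for the example.

```python
"""Fan-out / fan-in heuristics over NetFlow-style records, and what NAT
does to them one hop upstream.

Added example. All addresses are hypothetical (RFC 5737 documentation
ranges); the flow records below are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    """One summarised connection, roughly what an ISP's flow export keeps."""
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS: List[Flow] = [
    # An ordinary client: a handful of web destinations.
    Flow("203.0.113.10", "198.51.100.1", 443, 5200),
    Flow("203.0.113.10", "198.51.100.2", 443, 8100),
    Flow("203.0.113.10", "198.51.100.3", 80, 1900),
    # A bot-like host: 50 distinct destinations on port 25 (spam run).
    *[Flow("203.0.113.77", f"198.51.100.{i}", 25, 600) for i in range(10, 60)],
    # 15 different hosts all checking in to one rendezvous address on an
    # unusual port: what controller traffic looks like from the network.
    *[Flow(f"203.0.113.{i}", "192.0.2.200", 6667, 120) for i in range(20, 35)],
]


def fan_out(flows: Iterable[Flow]) -> Dict[str, int]:
    """Number of distinct destinations each source contacted."""
    dsts = defaultdict(set)
    for f in flows:
        dsts[f.src].add(f.dst)
    return {src: len(d) for src, d in dsts.items()}


def fan_in(flows: Iterable[Flow]) -> Dict[str, int]:
    """Number of distinct sources that contacted each destination."""
    srcs = defaultdict(set)
    for f in flows:
        srcs[f.dst].add(f.src)
    return {dst: len(s) for dst, s in srcs.items()}


def flag(counts: Dict[str, int], threshold: int) -> List[str]:
    """Addresses whose count reaches the threshold, sorted for stable output."""
    return sorted(a for a, n in counts.items() if n >= threshold)


def apply_nat(flows: Iterable[Flow], inside_net: str, gateway: str) -> List[Flow]:
    """Model the view one hop upstream of a NAT gateway: every flow whose
    source lies inside `inside_net` is seen as coming from `gateway`
    (a hypothetical address). Destinations and ports are unchanged."""
    net = ipaddress.ip_network(inside_net)
    return [
        f._replace(src=gateway) if ipaddress.ip_address(f.src) in net else f
        for f in flows
    ]


if __name__ == "__main__":
    # Inside the access ISP, with a per-host view:
    print("fan-out >= 20:", flag(fan_out(SAMPLE_FLOWS), 20))   # ['203.0.113.77']
    print("fan-in  >= 10:", flag(fan_in(SAMPLE_FLOWS), 10))    # ['192.0.2.200']
    # One hop upstream, with 203.0.113.0/24 behind a single NAT address:
    upstream = apply_nat(SAMPLE_FLOWS, "203.0.113.0/24", "192.0.2.1")
    print("upstream fan-out:", fan_out(upstream))               # {'192.0.2.1': 54}
    print("upstream fan-in >= 10:", flag(fan_in(upstream), 10))  # []
```

Inside the access network the two heuristics separate the three roles cleanly: the spam bot is the only source with a large fan-out, and the rendezvous address is the only destination with a large fan-in. One hop upstream, after NAT, the ordinary client, the bot and the 15 check-in hosts have collapsed into one public address; that address is still flagged for fan-out, but the upstream provider cannot say which of the hosts behind it is responsible, and the rendezvous address no longer stands out at all because it now has a single visible source. That is the point made in the comments: the provider that has the aggregate view lacks the per-host detail, and the one with the per-host detail sees only its own segment.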
1

The reason is that botnets are literally slaves of a main computer. The bots have been infected by viruses or rootkits that can be controlled and told to do things remotely. This is normally small things, like DDoS. The controller is normally located on a VPS or dedicated server and can be moved from place to place, so the origin is very hard to find.

Also, as for saying that ISPs could just look for the connection: thousands of connections come in from the internet every day to your computer. So going through all these connections on the thousands of computers that are infected would consume vast amounts of time and could come up with nothing, as logs are not always kept.

I'm sure if ISPs wanted to, they could track them; however, it's a massive waste, in their eyes, of resources.

HarryBeasant