Cemptiom

How to cripple a botnet


I'm an aspiring network admin at a small ISP. We manage about 60 high-rise buildings. Each building has anywhere from 1 to 60 24-port switches, or some DSLAMs, or some coax gateways, with p2p radios on the roof and a main router at a central building.

I recently got an email from a guy working for SiteTruth explaining that there are phishing emails coming from a phony email address, but that the IP associated with the domain of the emails is one of ours. He goes on to say that a traceroute to the IP bounces around a bunch of our IPs before hitting the traced IP. I did the same traceroute and saw the same route he included in the email.

So the route hits about 60 of our IPs before hitting the target IP. We use DHCP for clients on our entire network, and none of the IPs in the trace are associated with our equipment, as all our equipment has excluded static IPs.

So I'm wondering how I can cripple this phishing scam/botnet with minimal effort. I have access to all our equipment. I could find the MAC of the offending IP on the router, track it down to a particular port on a switch in a building and shut off that port, but if the client has no idea he's part of a botnet and has no idea this is occurring, then I'll have to re-enable the port, as they are paying customers.

Interestingly enough, I've just performed the same tracert as I did a few days ago when I got the email, and now there are only about 20 hops on our IPs before the target of the trace is hit. I'm guessing this is just due to us using DHCP.

Any more info on exactly what's happening and how to deal with it would be much appreciated. I don't understand why there are so many hops between dynamic IPs on our network during a simple tracert. Does that confirm a botnet?

Edited by Cemptiom
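As an added illustration (not code from the thread), a small Python script that parses traceroute output of the kind described in the post and summarizes how many hops sit inside the ISP's own address space, whether any address repeats (a repeated address is the usual signature of a routing loop, which the reply in this thread also raises), and at which hop the path first leaves the network. The traceroute text, the prefix `192.0.2.0/24` standing in for the customer pool, and the target `203.0.113.45` are constructed sample data from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample traceroute output in Linux traceroute format. Hops 1-5 are
# inside the assumed customer pool, hops 2/3 repeat at 4/5 (loop signature),
# hop 6 times out, and hops 7-8 are outside the ISP.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.45 (203.0.113.45), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.389 ms  0.377 ms
 2  192.0.2.17 (192.0.2.17)  1.201 ms  1.150 ms  1.133 ms
 3  192.0.2.33 (192.0.2.33)  2.014 ms  1.987 ms  1.950 ms
 4  192.0.2.17 (192.0.2.17)  2.877 ms  2.850 ms  2.821 ms
 5  192.0.2.33 (192.0.2.33)  3.611 ms  3.590 ms  3.570 ms
 6  * * *
 7  198.51.100.9 (198.51.100.9)  9.120 ms  9.005 ms  8.990 ms
 8  203.0.113.45 (203.0.113.45)  12.331 ms  12.290 ms  12.250 ms
"""

# Assumed ISP customer pool; replace with the prefixes you actually announce.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_traceroute(text):
    """Return a list of (hop_number, ip_or_None) from traceroute output.

    Hops that timed out (* * *) are recorded with None so that hop numbering
    stays aligned with the original output.
    """
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue  # the "traceroute to ..." header line
        num, rest = int(m.group(1)), m.group(2)
        ip_match = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", rest)
        hops.append((num, ip_match.group(1) if ip_match else None))
    return hops


def _is_own(ip, own_prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in own_prefixes)


def analyze(hops, own_prefixes):
    """Summarize where the path spends its hops and flag a loop signature."""
    in_own = [ip for _, ip in hops if ip and _is_own(ip, own_prefixes)]
    counts = Counter(in_own)
    repeated = sorted(ip for ip, c in counts.items() if c > 1)
    first_external = next(
        (num for num, ip in hops if ip and not _is_own(ip, own_prefixes)), None
    )
    return {
        "total_hops": len(hops),
        "hops_in_own_prefixes": len(in_own),
        "timeouts": sum(1 for _, ip in hops if ip is None),
        "repeated_own_ips": repeated,
        "first_external_hop": first_external,
        "possible_loop": bool(repeated),
    }


if __name__ == "__main__":
    summary = analyze(parse_traceroute(SAMPLE_TRACEROUTE), OWN_PREFIXES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Each address in a traceroute is a device that decremented the TTL and sent back an ICMP time-exceeded message, so a long run of hops inside your own pool means forwarding devices on the path, not a count of infected hosts; feeding real output from a few runs taken minutes apart into `analyze` makes it easy to see whether the same addresses keep reappearing.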

What machines is it hitting off? Each hop it is bouncing off should be a router, or "routing device", forwarding packets based on its routing table.

I'm not a Cisco IP god (pretty far from it, actually), but it sounds like some routing table issues. I know some routing tables are built dynamically, so that could explain the issue. Or even some nasty wiring that is causing weird loops in the route.

You say the IP address is associated with a domain?

As far as getting rid of unwanted traffic: simply email the owner of the infected computer. It might be good to let him know what is going on, and that you are receiving complaints. Then give him some quick pointers on fixing it. Let him know that if the problem goes unresolved, you might need to filter traffic from his system that is causing the problem.

I'm guessing from your post that you might not even have access to what IP address is associated with what customer, at what time. That is really not a good thing. Even though there are no laws in the USA requiring it, it can sometimes cover your ass in a big way. That's why most ISPs have always used authentication for customers. Maybe implement something like 802.1X.

IMO, having a bunch of users with no way to track who is doing what is asking for trouble.

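The reply's point about knowing which customer held which IP at which time is the core of any abuse-complaint workflow, so here is an added Python example (not from the thread) that answers that question from DHCP server logs. It parses DHCPACK lines in the syslog format ISC dhcpd writes, finds the MAC that most recently received the reported IP at or before the complaint timestamp, and then looks the MAC up in a subscriber map. The log lines, the MACs, the subscriber map and the year are all constructed; in production the MAC-to-port step comes from the switch's own MAC address table (for example `show mac address-table` on Cisco IOS) rather than a static dictionary.

```python
import re
from datetime import datetime

# Constructed ISC dhcpd syslog excerpt. 192.0.2.17 is handed first to one MAC,
# then released and handed to another later the same day, which is exactly the
# case where a lookup without a timestamp gives the wrong customer.
SAMPLE_LOG = """\
Mar  3 09:14:02 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:01:17 via eth1
Mar  3 09:14:02 dhcp1 dhcpd: DHCPACK on 192.0.2.17 to aa:bb:cc:00:01:17 via eth1
Mar  3 10:02:19 dhcp1 dhcpd: DHCPACK on 192.0.2.33 to aa:bb:cc:00:03:33 via eth1
Mar  3 12:40:55 dhcp1 dhcpd: DHCPACK on 192.0.2.17 to aa:bb:cc:00:02:42 via eth1
"""

# Constructed subscriber map: MAC -> (building, switch, port). Real deployments
# take this from the switches' MAC address tables or a provisioning database.
SUBSCRIBER_PORTS = {
    "aa:bb:cc:00:01:17": ("Building 12", "sw3", "Gi0/7"),
    "aa:bb:cc:00:02:42": ("Building 40", "sw1", "Gi0/19"),
    "aa:bb:cc:00:03:33": ("Building 7", "sw2", "Gi0/2"),
}

# Syslog timestamp, host, then dhcpd's "DHCPACK on <ip> to <mac> ..." message.
ACK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on "
    r"(\d+\.\d+\.\d+\.\d+) to ([0-9A-Fa-f:]{17})"
)


def parse_acks(lines, year):
    """Return [(timestamp, ip, mac)] for every DHCPACK line.

    Syslog timestamps carry no year, so the caller supplies it (assumption:
    the log does not span a year boundary).
    """
    acks = []
    for line in lines:
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/REQUEST/other lines are not lease grants
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        acks.append((ts, m.group(2), m.group(3).lower()))
    return acks


def lease_holder(acks, ip, when):
    """MAC that most recently got a DHCPACK for `ip` at or before `when`, else None."""
    candidates = [(ts, mac) for ts, addr, mac in acks if addr == ip and ts <= when]
    if not candidates:
        return None
    return max(candidates)[1]


def locate(acks, ip, when, subscriber_ports):
    """Resolve a reported IP and time to the subscriber's MAC and switch port."""
    mac = lease_holder(acks, ip, when)
    if mac is None:
        return None
    building, switch, port = subscriber_ports.get(mac, (None, None, None))
    return {"ip": ip, "mac": mac, "building": building, "switch": switch, "port": port}


if __name__ == "__main__":
    acks = parse_acks(SAMPLE_LOG.splitlines(), 2024)
    complaint_time = datetime(2024, 3, 3, 11, 0, 0)  # constructed complaint timestamp
    print(locate(acks, "192.0.2.17", complaint_time, SUBSCRIBER_PORTS))
```

The timestamp matters: the same IP at 11:00 and at 13:00 resolves to two different customers in the sample, which is why a complaint that quotes only an IP without a time cannot be acted on safely, and why keeping DHCP logs for long enough to cover the complaint delay is the minimum the reply's "who had what, when" advice implies.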