How does the method of fighting "bad" botnets with "good" botnets work? How effective is this as an enterprise defense method?
Security researchers generally view these as a bad idea, although there has been some exciting research from the University of Washington centered on a project called Phalanx. The idea is that any server requests would have to be processed through the "good" botnet, which is geographically dispersed. Because a large number of servers are implemented as intermediaries, it becomes difficult to overwhelm one specific network link.
Still, as I stated earlier, I believe that this is a bad idea, for two reasons. First, think about how hard it is to secure existing systems. Now, expand that by a few thousand systems directly accessible from the Internet. This scenario leads directly to my second fear: control. Imagine the public relations nightmare should your good botnet be taken over and used to DoS someone else's network.
I propose that instead of building counter-botnets, security professionals could better spend their time tracking the patch-installation success rate for the systems they currently have. Leave the bot-herding to the bad guys.