<font class="Apple-style-span" face="verdana, sans-serif"><br></font><div class="gmail_quote">On Tue, Dec 6, 2011 at 9:44 PM, Dobbins, Roland <span dir="ltr"><<a href="mailto:rdobbins@arbor.net">rdobbins@arbor.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im"><br>
On Dec 7, 2011, at 11:48 AM, Jothan Frakes wrote:<br>
<br>
> Isn't that bot/c&c visibility just opaque on the local or other transport nets? seems like Opendns or the server providing encrypted responses would see it.<br>
<br>
</div>The point is for access network operators to be able to see it.<br>
<div class="im"><br></div></blockquote><div><br></div><div>Totally agree. In many cases they may even be compelled by company policy or even by law to do so. This seems like encrypted endpoints would / could obfuscate even DPI intervention on the local network.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
> In fact, this might provide a cental resolver a mode complete picture of bot/c&c activity levels, absent interventions.<br>
<br>
</div>I don't see how encryption helps with that at all - quite the opposite.<br></blockquote><div><br></div><div>In this case OpenDNS would seemingly have visibility to all the DNS requests, so they see the bot/c&c activity there.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
> It could even be said that this might improve detection of activity that might otherwise be below an observeable threshold due to current interventions.<br>
<br>
</div>The point of visibility is to *enable* intervention.<br></blockquote><div><br></div><div>Yes (amen to that, too, especially some of those requiring immediate attention). </div><div><br></div><div>My point, perhaps poorly articulated, was that 'local' intervention that quashes some activity in many networks such that it is only seen in those networks and not beyond or upstream. There are many in the security realm and antivirus, etc that use the heuristics and patterns of activity to sense bot/c&c activity in the wild. They see some of it, but the local intervention on some of the networks MAY eliminate visibility into it, leave some malware activity statistically irrelevant below thresholds, where the visibility to the raw activity might have been above thresholds. </div>
<div><br></div><div>:)</div><div><br></div><div>-J</div></div>