nanog mailing list archives

Re: ISP Operators AISURU/Kimwolf botnet


From: William Herrin via NANOG <nanog () lists nanog org>
Date: Sat, 17 Jan 2026 22:35:28 -0800

On Sat, Jan 17, 2026 at 10:13 PM Mel Beckman <mel () beckman org> wrote:
> Alas, those days are over. You probably already know this, but in case others don’t, the problem with the AISURU is
> that home users’ infected devices don’t do scanning, so you can’t detect them. They simply send DDoS packets — which
> just look like normal traffic — against pre-defined targets communicated over the botnet C2 network.

Hi Mel,

From what I gather, modern botnets provide the attacker with a swiss
army knife of capabilities including the one you mention. If your
purpose is to detect them rather than automate filtering, you don't
have to catch them doing everything, you only have to catch them doing
one thing.

Look at it this way: the attacker has to hide _everything_ he does
from you. You only have to catch _one_ thing he does to detect that
intrusion.

It's the reverse of the normal pattern where the attacker can
infiltrate a system by succeeding once while the defender has to
succeed every time to keep him out.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/Z24OZH2GYCMP6G4Z33H7FQFFI4WKB2SW/
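The "catch one thing" point above can be made concrete from the ISP side: an outbound DDoS bot cannot hide the fact that many otherwise unrelated subscribers start sending to the same destination at the same moment. The following is an added example, not code from the thread or from any of its authors; it assumes sampled flow records reduced to timestamp, anonymised subscriber id, destination, port and packet count, and the thresholds and sample flows are constructed for illustration (a real deployment would tune them against the network's own baseline).

```python
"""Flag coordinated outbound traffic from many subscribers toward one target.

Added example, not part of the NANOG thread. It applies a minimal heuristic an
ISP could run over sampled flow records: group flows by time bucket and
destination, then flag destinations that suddenly receive traffic from many
distinct subscribers at a high combined packet rate. All flow data below is
constructed sample input using documentation (TEST-NET) addresses.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int            # seconds since epoch (constructed)
    subscriber: str    # anonymised subscriber / CPE identifier (constructed)
    dst: str           # destination address seen in the flow (constructed)
    dport: int         # destination port
    packets: int       # packets in this flow sample


def coordinated_targets(flows, window=60, min_subscribers=5, min_pps=2000):
    """Return {(dst, dport): sorted subscriber ids} for every target that, in
    some `window`-second bucket, received flows from at least `min_subscribers`
    distinct subscribers whose combined rate was at least `min_pps` packets/s.

    The subscriber-count gate separates a botnet from one heavy user; the rate
    gate separates a botnet from a popular site that many users visit lightly.
    Thresholds are illustrative assumptions, not recommended values.
    """
    # bucket -> (dst, dport) -> [set of subscribers, total packets]
    buckets = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for f in flows:
        entry = buckets[f.ts // window][(f.dst, f.dport)]
        entry[0].add(f.subscriber)
        entry[1] += f.packets

    flagged = {}
    for per_target in buckets.values():
        for target, (subs, pkts) in per_target.items():
            if len(subs) >= min_subscribers and pkts / window >= min_pps:
                flagged.setdefault(target, set()).update(subs)
    return {target: sorted(subs) for target, subs in flagged.items()}


# Constructed sample flows: one benign pattern and one bot-like pattern.
SAMPLE_FLOWS = [
    # Benign: eight subscribers fetching from a popular site, low packet counts.
    # Many subscribers, but ~13 packets/s combined, so the rate gate passes it.
    *[Flow(ts=t, subscriber=f"cpe-{i:02d}", dst="198.51.100.5", dport=443, packets=100)
      for i, t in enumerate(range(0, 40, 5), start=1)],
    # Bot-like: the same eight subscribers flooding one target within seconds
    # of each other; ~2,667 packets/s combined trips both gates.
    *[Flow(ts=10 + i, subscriber=f"cpe-{i:02d}", dst="203.0.113.10", dport=443, packets=20000)
      for i in range(1, 9)],
]


if __name__ == "__main__":
    for (dst, dport), subs in coordinated_targets(SAMPLE_FLOWS).items():
        print(f"{dst}:{dport} <- {len(subs)} subscribers: {', '.join(subs)}")
```

Run as-is it reports only the 203.0.113.10:443 target with its eight subscriber ids, while the equally popular 198.51.100.5 is left alone because its aggregate rate is tiny. The output is a list of subscriber ids to investigate or notify, not a filter rule; as the thread notes, detection only needs one observable behaviour, and this is the one an outbound flooder cannot avoid producing.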
