
Torrents, Skype and Security

Disclaimer: everything below is my personal opinion and is not intended to discredit the systems mentioned or their makers.

A little about me: I do network security, 8 years now. I specialize in Cisco (CCIE Security).

I myself am wary of both systems (torrents, Skype), but until now I could not articulate what exactly I dislike about them. Now I will try to explain, as objectively as I can, what bothers me.

But first, let me remind the respected Habr readers what a botnet is, what it is made of and why it is so dangerous.

A botnet is a collection of scattered computers under a single malicious control. Botnets are divided into active and passive: in an active botnet the computers know they are being remotely controlled; in a passive one they do not.

How do computers end up in a botnet? As a rule, through trojans (you install one program on the computer, and alongside it something you never asked for is installed), through malware sent by mail, worms (malicious code that propagates over the network), programs on auto-running flash drives, and so on. The main goal is to get a program onto the computer that will “knock” (try to connect) from inside the firewall to the control hosts (call home). As soon as an infected computer reaches the control server, it can be managed over the established session.

Connection attempts are made, as a rule, by name(s), and these names change dynamically in DNS every day.
And the ports these applications (the rascals!) choose are different, random ones, in the hope that they are open on the firewall.

And why are they dangerous?
A good botnet in skilled hands is a powerful weapon for generating distributed denial-of-service (DDoS) attacks, sending spam and other attacks. There is still no effective defence against DDoS (once the provider's channel is “plugged”, the client cannot dig itself out). Do you want to be part of a botnet?

And now some facts about torrents:
1. Torrent clients (and there are many of them) can connect to many ports.
2. Torrents use multiple addresses to register with.
3. You install the client yourself and initiate the connection from behind the firewall.
4. The transfer activity (when traffic is pulled from the client) can easily hide any other actions by the client.

And about Skype:
1. When installing Skype, everyone is issued a certificate signed by the Skype server.
2. When a new contact is added, its certificate is added.
3. When connecting to the server, all traffic is encrypted with the server certificate (public key). I tried to filter it a week ago with a Cisco IPS and got nowhere :( (the old, unencrypted version the IPS filtered by patterns).
4. Skype can attach itself to different servers (at unknown addresses and unknown ports).
5. The Skype session (service traffic) is not monitored, and neither is the conversation, because it is encrypted ...
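The traits listed for botnets, torrents and Skype above (self-initiated outbound connections to many addresses on random, mostly high ports) are exactly what a defender can count at the firewall. The following is an added example, not code from the original post: it profiles outbound connection records per internal host and flags the ones whose fan-out looks like call-home probing. The log records and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of outbound connection records seen at the firewall
# (not from the original post): (internal host, destination, destination port).
SAMPLE_LOG = [
    ("pc-1", "203.0.113.10", 443),
    ("pc-1", "203.0.113.10", 443),
    ("pc-2", "198.51.100.7", 6881),
    ("pc-2", "198.51.100.8", 51413),
    ("pc-2", "198.51.100.9", 40123),
    ("pc-2", "198.51.100.10", 6889),
    ("pc-2", "198.51.100.11", 22345),
    ("pc-2", "198.51.100.12", 33001),
    ("pc-3", "192.0.2.5", 80),
    ("pc-3", "192.0.2.6", 443),
]


def per_source_profile(log):
    """Per internal host: (distinct destinations, distinct ports, share of ports >= 1024)."""
    dests = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in log:
        dests[src].add(dst)
        ports[src].add(dport)
    profile = {}
    for src in dests:
        high = sum(1 for p in ports[src] if p >= 1024)  # non-well-known ("random") ports
        profile[src] = (len(dests[src]), len(ports[src]), high / len(ports[src]))
    return profile


def flag_callhome_like(log, min_dests=4, min_ports=4, min_high_share=0.5):
    """Return hosts whose outbound fan-out resembles call-home probing:
    many destinations, many distinct ports, mostly non-standard (>= 1024) ports.
    Thresholds are constructed defaults, not tuned values."""
    flagged = []
    for src, (n_dests, n_ports, high_share) in sorted(per_source_profile(log).items()):
        if n_dests >= min_dests and n_ports >= min_ports and high_share >= min_high_share:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src, prof in per_source_profile(SAMPLE_LOG).items():
        print(src, prof)
    print("call-home-like:", flag_callhome_like(SAMPLE_LOG))
```

Note that a torrent client or Skype trips this heuristic just as readily as a real bot, which is precisely the post's point: treat a hit as a reason to inventory what is installed on the host, not as proof of compromise.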

What do I conclude from this?

Simply that, from a network point of view, both services painfully resemble the behaviour of a botnet ...

I am not dissuading anyone from anything. Moreover, I recognize that Skype is a simple and BRILLIANT thing that combines several simple and clever ideas (encryption, certificates for automatic trust, trying connections until one gets through, opening two sessions from two clients from inside their firewalls). And it is user friendly. But it is a headache for security people if it has to be blocked.

And torrents, I think, are useful to many (although IMHO their influence and popularity are greatly inflated, and I do not really understand why) ...

Only one “but”: personally, I am not at all sure that at some not-so-bright moment the millions of computers of these popular services' users will not turn into one giant botnet from which there will be no escape ... A single “version upgrade” would be enough.

I would be very happy to be wrong. Prove me wrong. And you may call me a paranoid alarmist :)

Sincerely, Sergey Fedorov

Source: https://habr.com/ru/post/85969/
