
I've been working on setting up dynamic blacklists, and one question that came up is how long typical entries should be kept on a blacklist. In the interest of equity, there should obviously be some point at which entries are aged out to prevent blocking legitimate traffic to or from an IP that's been reassigned.

I searched around, but couldn't find any specific information about the lifespan of a C2 server (also known as C&C or Command and Control).

Obviously it will vary from case to case, and there's no way to be 100% certain because there are so many unknown factors; but I'm curious if there is any research-based information out there that I just haven't been able to find.

1 Answer


The Anti-Phishing Working Group (APWG) has statistics about how long it takes, after notification (e.g., through MarkMonitor or similar), for a dead-drop site (e.g., malware or botnet C2) to go down. Take it with a grain of salt, though: the APWG tracks criminal actors, but nation-state actors have been found to keep their C2 running for 4-5 years, perhaps even longer.

Some payloads do not utilize standard, IPv4-based communications (some common examples include Address Routing Protocol covert channels or even SMB named pipes) -- and some payloads have no network communications (not even RF or speaker-based) at all because they are programmed to do damage (or degrade systems, deny access, et al) as logic bombs.

– atdre
Thanks for the info! Most of what we deal with are active attackers and ransomware, but it is certainly good to keep in mind how much variety exists in the malicious actor's toolkit. – CrunchBangDev Jul 26 '16 at 20:09
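The question asks how a dynamic blocklist should age out entries, and the answer's point is that no single lifetime fits: criminal C2 tends to disappear soon after notification while nation-state C2 can persist for years. The sketch below is an added example written for this page, not code from the question, the answer, or the APWG. It keeps a per-category time-to-live, slides an entry's expiry forward each time the indicator is seen again, and restarts the window if a stale address is re-added so that sightings from before a possible reassignment are not carried over. The category names, TTL values, and the documentation-range addresses in the demo timeline are all constructed assumptions, not figures from the thread.

```python
"""Dynamic blocklist with per-entry expiry (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, List

# Retention per entry category. These values are assumptions for the example;
# the thread gives no fixed numbers, only that criminal C2 tends to die soon
# after notification while nation-state C2 can persist for years.
TTL_BY_CATEGORY: Dict[str, timedelta] = {
    "c2": timedelta(days=30),
    "phishing": timedelta(days=7),
    "scanner": timedelta(days=1),
}


@dataclass
class Entry:
    ip: str
    category: str
    first_seen: datetime
    last_seen: datetime
    expires: datetime
    sightings: int = 1


class Blocklist:
    """Blocklist whose entries age out unless they are re-sighted."""

    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def add(self, ip: str, category: str, now: datetime) -> Entry:
        ip = str(ip_address(ip))          # normalise and reject malformed input early
        ttl = TTL_BY_CATEGORY[category]   # KeyError on an unknown category is intended
        entry = self._entries.get(ip)
        if entry is None or entry.expires <= now:
            # New entry, or a stale one being re-added: start a fresh window so
            # sightings from before a possible IP reassignment do not count.
            entry = Entry(ip, category, now, now, now + ttl)
            self._entries[ip] = entry
        else:
            # Live entry seen again: slide the expiry forward from this sighting,
            # never shortening a window a more severe category already granted.
            entry.last_seen = now
            entry.sightings += 1
            entry.expires = max(entry.expires, now + ttl)
            if ttl > TTL_BY_CATEGORY[entry.category]:
                entry.category = category
        return entry

    def is_blocked(self, ip: str, now: datetime) -> bool:
        """Lazy expiry: an entry past its expiry is treated as absent."""
        entry = self._entries.get(str(ip_address(ip)))
        return entry is not None and now < entry.expires

    def purge(self, now: datetime) -> List[str]:
        """Drop expired entries and return the addresses that were removed."""
        expired = [ip for ip, e in self._entries.items() if e.expires <= now]
        for ip in expired:
            del self._entries[ip]
        return sorted(expired)

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> dict:
    """Constructed timeline using RFC 5737 documentation addresses."""
    t0 = datetime(2016, 7, 26, 20, 0, tzinfo=timezone.utc)
    bl = Blocklist()
    bl.add("203.0.113.10", "c2", t0)        # constructed sample C2 address
    bl.add("198.51.100.7", "scanner", t0)   # constructed sample scanner address
    results = {
        "scanner_blocked_day2": bl.is_blocked("198.51.100.7", t0 + timedelta(days=2)),
        "c2_blocked_day2": bl.is_blocked("203.0.113.10", t0 + timedelta(days=2)),
    }
    # The scanner falls off after its 1-day TTL; the C2 entry is still inside 30 days.
    results["purged_day2"] = bl.purge(t0 + timedelta(days=2))
    # Re-sighting the C2 on day 20 slides its expiry out to day 50.
    bl.add("203.0.113.10", "c2", t0 + timedelta(days=20))
    results["c2_blocked_day40"] = bl.is_blocked("203.0.113.10", t0 + timedelta(days=40))
    results["c2_blocked_day51"] = bl.is_blocked("203.0.113.10", t0 + timedelta(days=51))
    results["purged_day51"] = bl.purge(t0 + timedelta(days=51))
    results["remaining"] = len(bl)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The TTL table is where the answer's observation lands: a feed of confirmed long-running C2 would get a longer window than opportunistic scanners, and the per-category lookup keeps that policy in one place. Restarting the window on re-addition of an expired address, rather than extending it, is the part that addresses the question's fairness concern about reassigned IPs.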