Botnets
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Introduction
- Bot: a program performing an automated task
- A bot itself is not bad
- A botnet is a collection of computers which are connected and work under the instruction of a master in order to accomplish something
- Typically botnets are used for committing computer crimes
- A botnet is controlled by a person or a group of people
  - Usually has monetary interests
  - Advertisement companies
  - Spam sending companies: outsource the work to bots

Motivation
- A report from Damballa, 2010: the number of infections increased at the rate of 8% per week
- Almost every newly created botnet overtakes the previous largest
- Financial profits
  - User credential stealing
  - Click fraud
- Political interests
- Illegal activities include: DDoS attacks, spamming, traffic sniffing, spreading malware, port scanning, key loggers, etc.

Components of a Botnet Infrastructure
- Command and Control infrastructure
  - Centralized: client-server model
  - Distributed: works more autonomously; also called peer-to-peer botnets
- Crucial: has to maintain stable connectivity
  - Robust
  - Stable
  - Reaction time
  - Communication protocol

Centralized Control
- Multiple communication channels with the master
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency

Decentralized Control
- Each bot propagates commands to the others
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency

Botnet Types
- There are 2 types of botnets
  - Operate through IRC
  - Operate through a web server
  - Operate as a peer-to-peer network

Internet Relay Chat (IRC) based
- Uses a push model of communication
- The master pushes commands for execution to the bots
- All bots receive commands through IRC PRIVMSG, understand the instruction, execute the command and send back the results
- In order to issue commands, the botmaster first authenticates herself with a username and password
- Advantages
  - Open source
  - Easy to modify
  - Two-way communication
  - Real-time connectivity
  - Public and private mode interaction
- Disadvantages
  - Single point of failure
  - Easily detectable

Communication over IRC
- Sequence of events
  - Master authenticates
  - Master queries info about the botnet: version number
  - Master queries system information
  - Master issues an instruction to scan other potentially vulnerable machines
  - Bot replies with the scan results
Courtesy: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic

HTTP based
- This type of botnet uses HTTP as the communication medium
- Uses a pull model of interaction
  - Bots periodically poll the master requesting new commands to be issued
- Bots connect to the master through an HTTP POST method
  - Usually used for form submissions
- Advantages of using HTTP
  - It becomes difficult to detect
  - Port 80 is open in all firewalls
  - Normally encryption is used to avoid detection and eavesdropping

Role of DNS in Botnets
- DNS has an important role to play in botnet networks
- It allows changes to be made to the botnet infrastructure transparently
- Fast flux networks
  - Create a domain evil.com
  - The authoritative DNS server for the domain evil.com is owned by the attacker
  - The attacker has multiple infected machines in her possession
  - The RR mapping is changed at a very high frequency
  - Each time, the client connects to a different infected machine or bot
  - All of these machines or bots act as a proxy to the bot server
  - Increases the resiliency of the botnet infrastructure

Fast Flux Network
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency

Who Suffers from Botnets
- Three entities
  - Victim: suffers directly
  - ISP: has to carry a lot of malicious traffic
  - Third party: effect of the malware
- Defense
  - Victim: corporates have to protect their IT assets
  - ISP: detect malicious traffic
  - Third party: keep the machine clean

Threat Characterization
- Botnet size and origin
  - Footprint: number of infected machines, indicates the scaling factor
  - Live population: how many of the infected machines are currently able to interact using the C&C infrastructure
- Spam throughput: received spam emails per unit of time
- Freshness of the IP addresses in spam emails: a fresh one is better
- Bandwidth usable for DDoS attacks
- Harvested personal data: more data approximately leads to more financial gain

Botnet Detection
- There are two types of detection mechanisms
- Passive techniques
  - Activity can be tracked without interfering with the environment
  - No disturbance
- Active techniques
  - Blocking malicious domains and identifying infected machines

Source of Data for Passive Detection
- Packet analysis
  - Shell code detection
  - Protocol field
  - Combination of some fields, etc.
- Drawbacks
  - Full packet inspection is difficult
  - Scaling is a factor
  - Only known patterns are detected
  - If the attack code is split across multiple packets or streams, it is far more difficult to detect

Source of Data for Passive Detection
- Flow record analysis
  - A flow is a summary of what transpired in a communication
  - Typical attributes are: source and destination address, related port numbers, protocol used inside the packets, duration of the session, cumulative size and number of transmitted packets
- Drawbacks
  - Payload is ignored
  - Keep track of all sessions
    - Switches and routers do it for you
Courtesy: BotGrep

Source of Data for Passive Detection
- Use of DNS data
  - Identify fast flux networks
  - Collect DNS queries and responses and do an offline analysis
  - Identify "typo squatting" domain names in the data, e.g. goggle.com
  - Malicious domain names can be blocked by domain registrars (currently not happening)
  - If a domain is identified as a malicious domain, in all likelihood the queries to that domain are from infected machines; this helps to track down even those machines

Source of Data for Passive Detection
- Use of spam email analysis
  - Botnets often run spam campaigns
  - All spam emails will have similarity in contents, pattern, length of mail and source IP address used (often they reuse the IP addresses)
- Antivirus software feedback
  - Collect information from many sensors

Active Countermeasures
- Sinkholing: changing the records of a malicious domain to point to a good node
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency

Active Countermeasures
- Identifying infected machines through DNS cache snooping
  - This helps identify whether any machines in the local network are part of a malicious domain
  - Issue a query to a DNS server for a domain which is suspicious
  - Verify the TTL value
  - If any other machine has already visited that domain, it is likely that the TTL value has decreased with respect to the default TTL value given by the authoritative name server
  - Another variation is to issue the query with the RD (recursion desired) flag off

Active Countermeasures
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
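An added example (not from the slides) of the offline passive-DNS analysis described under "Use of DNS data": it runs over a constructed passive-DNS log and flags evil.com as a fast-flux candidate (many distinct addresses, short TTL) and goggle.com as a typo-squat of google.com. The thresholds min_ips and max_ttl and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS log (qname, rdata, ttl, seen_at_seconds); not a real capture.
# evil.com answers with a different address on almost every lookup and a tiny TTL,
# while example.com keeps one address and a normal TTL.
PASSIVE_DNS = [
    ("evil.com", "192.0.2.10", 180, 0),
    ("evil.com", "192.0.2.55", 180, 200),
    ("evil.com", "198.51.100.7", 180, 400),
    ("evil.com", "203.0.113.9", 180, 600),
    ("evil.com", "192.0.2.10", 180, 800),
    ("evil.com", "203.0.113.40", 180, 1000),
    ("example.com", "198.51.100.200", 86400, 0),
    ("example.com", "198.51.100.200", 86400, 3600),
]

def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Group answers by name and flag names whose RR set churns: at least
    min_ips distinct addresses, all served with a TTL of at most max_ttl.
    Returns {qname: (distinct_ip_count, largest_ttl_seen)}."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for qname, rdata, ttl, _ in records:
        ips[qname].add(rdata)
        ttls[qname].append(ttl)
    return {q: (len(ips[q]), max(ttls[q])) for q in ips
            if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), used to spot
    look-alike names such as goggle.com vs google.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_matches(qnames, brands, max_distance=1):
    """Map each queried name that lies within max_distance edits of a brand
    domain (but is not that domain itself) to the brand it imitates."""
    hits = {}
    for q in sorted(set(qnames)):
        for brand in brands:
            if q != brand and edit_distance(q, brand) <= max_distance:
                hits[q] = brand
    return hits
```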
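An added example (not from the slides) of the DNS cache snooping check from the last "Active Countermeasures" slide: it builds a wire-format A query with the RD flag cleared, extracts the TTLs from the resolver's answer section, and compares them with the authoritative TTL to decide whether some local host already resolved the suspicious name. The response bytes are constructed, not a real capture, and the authoritative TTL of 300 is an assumption.

```python
import struct

def build_query(qname, rd=False, txid=0x1234):
    """Wire-format A query; rd=False clears the RD bit so the resolver
    answers only from its cache instead of recursing (the snooping variant)."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qn + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Advance past a wire-format name (labels, or a 2-byte compression pointer)."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1

def answer_ttls(msg):
    """Return the TTL of every record in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return ttls

def snoop_verdict(resp, authoritative_ttl):
    """Interpret a non-recursive answer: no records means nothing is cached;
    a TTL below the authoritative one means a local host resolved the name
    roughly (authoritative_ttl - ttl) seconds ago."""
    ttls = answer_ttls(resp)
    if not ttls:
        return ("not_cached", None)
    return ("cached", authoritative_ttl - min(ttls))

# Constructed response (not a real capture): QR=1, RA=1, one A record with TTL 250
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
                   + b"\x04evil\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 250, 4)
                   + bytes([192, 0, 2, 10]))
```

Sending build_query("evil.com") over UDP to the local resolver and passing the reply to snoop_verdict is the check the slide describes; run it only against resolvers you administer.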