nullcon Goa 2010 http://nullcon.net
Botnet Mitigation, Monitoring and Management
- Harshad Patil
Agenda
Introduction
Why do they use botnets?
Attack vectors: where are they used?
Taxonomy of botnets and how they operate
Detection and prevention of botnets
Some recent botnets
Current botnet mitigation efforts
Botnet monitoring
Introduction
What are bots, botnets, botmasters, zombies, IRC and P2P?
Three characteristic attributes of a bot: a remote control facility,
the implementation of several commands,
and a spreading mechanism
What is DoS?
<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">   # about 1 hour 15 minutes duration
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>                 # Misuse: Null TCP
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>                       # IP protocol 6, TCP
  <tcpflags></tcpflags>                          # no flags: null TCP
  <source>
    <ips>0.0.0.0/0</ips>                         # very well distributed or source-spoofed IPs
    <ports>0-65535</ports>                       # very well distributed source ports
  </source>
  <dst>
    <ips>xx.xx.X.X/32</ips>                      # surprise, an Undernet IRC server...
    <ports>6667</ports>                          # 6667: IRC
  </dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
</attack>
Source: ISC
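The alert above is a Peakflow-style XML summary of a null-TCP flood aimed at an IRC server. The Python below is an added example, not code from the slides or from any vendor tool: it parses a constructed copy of that record (the slide's redacted victim address is replaced with the 192.0.2.1 documentation address) and turns the raw fields into the findings an analyst actually wants: duration, flag pattern, how widely the sources are spread, and which service on the victim was hit.

```python
"""Added example: parse a Peakflow-style DDoS alert record and summarise it."""
import xml.etree.ElementTree as ET
from datetime import datetime
from ipaddress import ip_network

# Constructed copy of the slide's alert. The slide's redacted victim address
# (xx.xx.X.X) is replaced here by the 192.0.2.1 documentation address.
SAMPLE_ALERT = """\
<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>
  <tcpflags></tcpflags>
  <source><ips>0.0.0.0/0</ips><ports>0-65535</ports></source>
  <dst><ips>192.0.2.1/32</ips><ports>6667</ports></dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000"
                  sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
</attack>
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_NAMES = {53: "DNS", 80: "HTTP", 443: "HTTPS", 6667: "IRC"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_alert(xml_text):
    """Return the fields of one <attack> record as a dict with typed values."""
    root = ET.fromstring(xml_text)
    if root.tag != "attack":
        raise ValueError("expected an <attack> record, got <%s>" % root.tag)
    start = datetime.strptime(root.get("start"), TIME_FMT)
    stop = datetime.strptime(root.get("stop"), TIME_FMT)
    infra = root.find("infrastructure")
    return {
        "id": root.get("id"),
        "duration_s": int((stop - start).total_seconds()),
        "direction": root.find("direction").get("type"),
        "protocols": [int(p) for p in root.findtext("protocols").split(",")],
        # an empty <tcpflags> element means the segments carried no flags at all
        "tcpflags": (root.findtext("tcpflags") or "").strip(),
        "src_net": ip_network(root.findtext("source/ips")),
        "src_ports": root.findtext("source/ports"),
        "dst_net": ip_network(root.findtext("dst/ips")),
        "dst_port": int(root.findtext("dst/ports")),
        "max_pps": int(infra.get("max_pps")),
        "max_bps": int(infra.get("max_bps")),
    }


def classify(alert):
    """Derive analyst-facing findings from a parsed alert."""
    findings = []
    protos = ", ".join(PROTO_NAMES.get(p, str(p)) for p in alert["protocols"])
    if 6 in alert["protocols"] and alert["tcpflags"] == "":
        findings.append("null-TCP flood: TCP segments with no flags set")
    if alert["src_net"].prefixlen == 0:
        findings.append("sources span the whole address space: spoofed or a very large botnet")
    service = PORT_NAMES.get(alert["dst_port"], "unregistered service")
    findings.append("target %s port %d (%s) over %s" % (
        alert["dst_net"].network_address, alert["dst_port"], service, protos))
    findings.append("peak %d pps (%.1f Mbit/s) for %d minutes" % (
        alert["max_pps"], alert["max_bps"] / 1e6, alert["duration_s"] // 60))
    return findings


if __name__ == "__main__":
    for line in classify(parse_alert(SAMPLE_ALERT)):
        print("-", line)
```

The empty `<tcpflags>` element is the tell: a legitimate TCP conversation always carries at least one flag, so protocol 6 with no flags set is the null-TCP pattern the record's `<type>` field encodes, and the `0.0.0.0/0` source range says the collector could not attribute the traffic to any narrower set of hosts.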
Why Botnets?
Capabilities of a botnet
Botnet economy
Self-propagation
Robustness
Efficiency
Effectiveness
Use of different encryption systems
P2P botnet advantages!
Attack vectors
Spamming
Phishing
Click fraud (e.g. against Google AdSense)
Sniffing traffic: corporate espionage, identity theft
Keystroke logging
Data Mining
Manipulating online MMOGs
How they operate
How botmasters discover new bots
Two architectures: centralized C&C and P2P
Communication between the bot and the botmaster
Botnet Complexity
How they evade IDS/Honeypots
CnC Architecture
Botmaster -> C&C server -> Bots, Bots, Bots
P2P Architecture
Botmaster -> C&C, C&C (peers) -> Bots, Bots, Bots
Concerning factors
Complexity of the Internet.
Shortest compromise time: a few seconds.
Extradition issues and differing laws across countries.
Easy to escape detection techniques by adopting new encryption schemes (e.g. Conficker's use of MD6).
Concerning factors (figure: courtesy McAfee)
Concerning factors (figure)
Concerning factors: Protection, Detection, Remediation
Detection
Nepenthes
HoneyBow
Observe the behavior of bots:
Network-based behavior
Host-based behavior
BotHunter: vertical correlation, correlating the behaviors of a single host.
BotSniffer: horizontal correlation, for centralized C&C botnets.
BotMiner: extension of BotSniffer, with no limitation on the C&C type.
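To make the two correlation styles concrete, here is an added example in Python; it is not code from BotHunter, BotSniffer or BotMiner, whose real engines are far richer. It runs a simplified vertical (per-host dialog) correlation and a simplified horizontal (crowd) correlation over a constructed event log. The event tags (inbound_exploit, binary_download, cnc_connect, outbound_scan) are assumed to come from an upstream IDS or flow sensor, the 10.0.0.0/24 prefix is assumed to be the monitored network, and the thresholds (two kinds of outbound evidence, three hosts within 60 seconds) are illustrative choices.

```python
"""Added example: vertical (per-host) and horizontal (cross-host) correlation
over an IDS event log, in the spirit of BotHunter and BotSniffer."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

INTERNAL_PREFIX = "10.0.0."  # assumed monitored network

# Constructed event log, not real traffic. Tags stand in for what an IDS or
# flow sensor would label each flow with.
SAMPLE_EVENTS = """\
ts,src,dst,dport,tag
2010-02-06T10:00:01,198.51.100.7,10.0.0.5,445,inbound_exploit
2010-02-06T10:00:09,10.0.0.5,203.0.113.9,80,binary_download
2010-02-06T10:00:40,10.0.0.5,203.0.113.20,6667,cnc_connect
2010-02-06T10:00:42,10.0.0.6,203.0.113.20,6667,cnc_connect
2010-02-06T10:00:44,10.0.0.7,203.0.113.20,6667,cnc_connect
2010-02-06T10:05:00,10.0.0.5,192.0.2.0,445,outbound_scan
2010-02-06T10:30:00,10.0.0.9,203.0.113.50,443,cnc_connect
2010-02-06T11:00:00,10.0.0.8,203.0.113.20,6667,cnc_connect
"""

OUTBOUND_EVIDENCE = {"binary_download", "cnc_connect", "outbound_scan"}


def parse_events(text):
    """Read the CSV log into dicts with a datetime timestamp and int port."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["dport"] = int(row["dport"])
        events.append(row)
    return events


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def vertical_correlation(events):
    """Per-host dialog correlation: an inbound exploit followed by any outbound
    bot behaviour, or two distinct kinds of outbound bot behaviour, marks the
    host as infected. A lone C&C-looking connection is not enough."""
    evidence = defaultdict(set)
    for e in events:
        if e["tag"] == "inbound_exploit" and is_internal(e["dst"]):
            evidence[e["dst"]].add("inbound_exploit")
        elif e["tag"] in OUTBOUND_EVIDENCE and is_internal(e["src"]):
            evidence[e["src"]].add(e["tag"])
    infected = {}
    for host, tags in evidence.items():
        outbound = tags & OUTBOUND_EVIDENCE
        if ("inbound_exploit" in tags and outbound) or len(outbound) >= 2:
            infected[host] = sorted(tags)
    return infected


def horizontal_correlation(events, min_hosts=3, window_s=60):
    """Crowd correlation: several internal hosts contacting the same remote
    endpoint within one short window is the signature of a shared C&C
    channel. Hosts outside the window do not count, so a slow trickle of
    unrelated connections is not flagged."""
    by_dst = defaultdict(list)
    for e in events:
        if e["tag"] == "cnc_connect" and is_internal(e["src"]):
            by_dst[(e["dst"], e["dport"])].append((e["ts"], e["src"]))
    crowds = {}
    for endpoint, conns in by_dst.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            # distinct hosts connecting within window_s after the i-th connection
            hosts = {h for t, h in conns[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                crowds[endpoint] = sorted(hosts)
                break
    return crowds


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("vertical  :", vertical_correlation(evs))
    print("horizontal:", horizontal_correlation(evs))
```

In the sample log the two views complement each other: only 10.0.0.5 shows the full infection dialog, so vertical correlation names it alone, while horizontal correlation catches 10.0.0.6 and 10.0.0.7 too because they joined the same IRC endpoint within seconds of it. The lone 10.0.0.9 connection and the late 10.0.0.8 connection are left unflagged, which is the point of requiring both a crowd and a short window.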
Protection
Honeynets
IDS
Snort
Tripwire
OurMon
CWSandbox
Current Mitigation efforts:
Botnet Monitoring System:
Some current cases
Torpig
Conficker
A current Flash 0-day attack.
Torpig details
Conclusion
Bots pose a threat to individuals and corporate environments
Uses: DDoS attacks, spamming, stealing, spying, hacking, ...
Defense: Prevention: honeypots, IPS, network analysis tools; Detection: IDS, analysis tools
Management: Understanding security failures is much like anticipating that houses catch on fire and smoke detectors save lives.