
WHITE PAPER

GLOBAL NETWORK SERVICE PROVIDERS: SECURING A POSITION TO CHALLENGE THE BOTNET

Network attackers set out to disrupt, damage or take down infrastructure. Breadth of reach and efficiency are the keys to their success, so botnets remain a favored attack vehicle: they give an attacker rapid control of several thousand, and sometimes more than a million, devices at once. While those devices are under its control, the operator can perform mass identity theft or flood critical communication paths, to the detriment of an organization's effectiveness. Detecting and remediating botnets has become increasingly challenging as attackers find new ways to hide the bots and to conceal the true extent of the botnet. Global Network Service Providers such as Level 3 Communications, however, are among the small group of organizations that have both the skills and the data to combat this threat. In this paper we present the evidence that Global Network Service Providers are in a position to challenge the botnet, and argue that they have an obligation to invest in order to step up to that challenge. A review of botnets, their evolution and methods of prevention is also included.

What is a Botnet?

One of the largest threats to the Internet today is the botnet. A botnet is best described as a group of computers under a common control mechanism, usually malicious software installed on each of them, that is directed toward a malicious goal. The botnet operator acts as a master, and each compromised device is a zombie that carries out the master's commands. Botnets have many victims, and most are unaware that they are part of this malware metropolis. Botnet architecture varies widely, as does the methodology used to carry out attacks, to remain intact and to avoid detection. Botnets have long lives because they mutate into new variants and their operators constantly evolve their structure. Studies of dominant botnets from 2001 to 2011 showed the time from first observation to takedown ranging from seven months to ten years, with an average of a little over three years in existence.

It is very hard to know the full size of a botnet, because counting methods are questionable and attackers take deliberate steps to keep the population hidden. For example, the Nugache botnet had a random topology, and each bot limited its connections to remote peers to no more than a dozen per day, so an observer watching infected hosts needed about a week to see a few hundred members of the network. Size estimates for the botnets studied from 2001 to 2011 ranged from roughly 6,600 nodes for Waledac to two million nodes for Pushdo.

Nobody wants to become a victim of a botnet. Malware delivered to the victim's device can modify the Windows registry, create new files on the device or open network sockets that enable further damage. Screenshots of the applications in use can be made visible to the botnet operator, and personal information can be sent to the botnet master. Victims are normally innocent, and they often do not know that their computer is infected until real trouble begins. They are lured into action and become infected by clicking on a website ad, clicking a malicious link in an email, plugging in an infected external device or downloading a new application from a site that appears trustworthy. Countermeasures can create even more victims. The Mariposa botnet operated from May to December 2009 and infected millions of hosts; a working group was established to counter it. When the operators noticed they were being fought, they retaliated with a Distributed Denial of Service (DDoS) attack, directing 900 Mbps of traffic at the members of the working group. Innocent bystanders who shared networks with those working group members had their service disrupted for hours.

To appreciate today’s new challenges around botnets, it is important to understand their evolution, which is summarized within the following section.


Botnet Evolution

The first botnets were built to exploit security flaws across many machines at once. An early ancestor, the "Morris Worm", became a household word in network circles in the late 1980s: it infected thousands of computers at universities and research sites across the United States, enough to have a real impact, although as a self-propagating worm with no command channel it was not a botnet in today's sense. In that era, Internet Relay Chat (IRC) was the common communication vehicle for computer criminals, so it was only natural that the botnet's communication channel was implemented on top of this highly resilient infrastructure. With a wide variety of open source implementations available, IRC was an easy way for bots to listen for commands and report their status. Unfortunately for the attackers, IRC's well-defined protocol and well-known network of chat servers made it easy for security researchers to identify and remove the communication path for these botnets. Once the bots could no longer communicate, the victim machines could not take part in any malicious activity and ceased to be a botnet. Rather than seek better-protected methods of communication, most botnet creators found it simple enough to stand up their own IRC server networks to avoid detection and removal. Doing just enough to stay one step ahead, rather than solving the problem holistically, has been a recurring theme among botnet developers and operators. That step did not keep them ahead for long, because the addresses of these chat servers were usually hard-coded into the bot software: any security researcher who obtained a sample had the configured IP address and could have the server taken down. Because these botnets relied on a centralized Command and Control (C2) server, they also had a single point of failure.

Not surprisingly, botnets continued to evolve, and attackers invented other techniques to counter the efforts of security researchers, who in turn had to build new mechanisms to combat the threats. Researchers needed to find the bot software "live" on an infected computer in order to learn more about the botnet, but this did not scale: no technology existed to collect that information across a widely dispersed botnet. The popular solution became the honeypot, a system configured to look like an easy victim for infection but which is actually bait controlled by a security researcher. When the honeypot is compromised the researcher learns a great deal, including obtaining copies of the malware and bot software. By distributing honeypots around the Internet, the security community raises the likelihood of capturing the software it is looking for. As with all security techniques, there are limitations. There is no guarantee that a honeypot will be infected within a reasonable time, or at all, and if the attacker's motivation is not known the honeypot may not be in the right place at the right time. Today's botnets are sometimes deployed against very specific targets. For example, a botnet may be developed and deployed to extract intellectual property from a particular company or industry; the attackers research which companies fit the sector profile and target those employees and servers to plant the bot software. If no researcher has a honeypot inside one of those organizations, the security community may never see the bot software or the botnet in its entirety. This is a frightening reality that demands new techniques for botnet detection.

Over the last decade, attackers have advanced their botnet implementations with end-to-end encryption and proprietary signaling protocols. Each of these helps hide the botnet's behavior from detection, which the security community refers to as "obfuscation". Yet no approach has been as game changing as Peer-to-Peer (P2P) communication. P2P communication, as opposed to centralized communication, has rendered the legacy techniques of botnet detection ineffective. In a P2P botnet every peer can act as a C2 server: each bot can download commands, configuration files and executables from other bots, and every compromised computer is capable of serving that data to the others. The peers are set up to find each other within the botnet. Combatting such botnets is fundamentally hard because the population of hosts is heterogeneous, and those hosts were never meant to behave like a cooperative network. Zeus (in its GameOver variant), Kelihos and Alureon/TDL4 are examples of P2P botnets that can survive indefinitely, because they are extremely difficult to unravel.

As a result, researchers must focus much more on node enumeration rather than simply locating the C2 servers. Collecting the IP addresses of the individual hosts, and additional information about where they are located, has become a requirement for botnet detection and remediation. Botnets also spread at an aggressive rate, which makes the task even more complex: it is common to see new victims joining a botnet at an average rate of over one million per month, ranging from a low of 600,000 to a high of over two million. The average security researcher has access neither to host information nor to the communication traffic that would allow proper node information to be collected. This points to the need for more advanced detection methodologies and access to credible data. A researcher who does have these capabilities and this access can be proactive about botnet activity and provides a unique value. A Global Network Service Provider like Level 3 is able to provide such value, because it holds the keys to network entry and visibility.
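The following is an added example and not code from the paper or from Level 3: a Python simulation of the two ways of enumerating a P2P botnet discussed above, passive observation of bots one controls and active crawling of the peer graph. The botnet topology, its peer lists and the rule that a bot contacts at most a dozen peers per day (the Nugache behaviour mentioned earlier) are all constructed in-process; the function names, the probe budgets and the use of a capture-recapture estimate to size the population from two partial crawls are this example's own choices, not anything the paper specifies.

```python
"""
Estimating the size of a peer-to-peer botnet by node enumeration.

Added illustration, not code from the Level 3 paper. The botnet topology,
the peer lists and the "at most a dozen peer contacts per day" behaviour are
constructed here; real bots speak proprietary protocols, so a real crawler
needs a protocol reimplementation and legal authority to run.
"""
import random


def build_botnet(n_nodes, peers_per_node, seed=1):
    """Constructed random-topology botnet: maps each bot to the peers it knows."""
    rng = random.Random(seed)
    nodes = ["10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
             for i in range(n_nodes)]
    botnet = {}
    for i, node in enumerate(nodes):
        peers = set()
        while len(peers) < peers_per_node:
            j = rng.randrange(n_nodes)
            if j != i:                      # a bot does not list itself
                peers.add(nodes[j])
        botnet[node] = sorted(peers)
    return botnet


def passive_observe(botnet, sensors, days, contacts_per_day=12, seed=2):
    """Watch the traffic of bots we control (sensors). Each bot contacts at
    most contacts_per_day peers a day, so what we log grows slowly and never
    exceeds the sensors' own peer lists. Returns per-day cumulative counts."""
    rng = random.Random(seed)
    seen = set(sensors)
    history = []
    for _ in range(days):
        for bot in sensors:
            k = min(contacts_per_day, len(botnet[bot]))
            seen.update(rng.sample(botnet[bot], k))
        history.append(len(seen))
    return history


def active_crawl(botnet, start, rounds, probes_per_round=40, reveal=12, seed=3):
    """Ask each discovered bot for its peers, breadth first. A bot answers
    with at most `reveal` peers per request. Returns the discovered bots."""
    rng = random.Random(seed)
    known = {start}
    queue = [start]
    for _ in range(rounds):
        batch, queue = queue[:probes_per_round], queue[probes_per_round:]
        for bot in batch:
            k = min(reveal, len(botnet[bot]))
            for peer in rng.sample(botnet[bot], k):
                if peer not in known:
                    known.add(peer)
                    queue.append(peer)
    return known


def lincoln_petersen(sample_a, sample_b):
    """Capture-recapture population estimate from two independent partial
    enumerations: N ~= |A| * |B| / |A and B|. A standard ecology estimator,
    applied here to bot populations; it assumes the two crawls sample roughly
    independently, which a random topology approximates. None if no overlap."""
    overlap = len(sample_a & sample_b)
    if overlap == 0:
        return None
    return len(sample_a) * len(sample_b) / overlap


if __name__ == "__main__":
    net = build_botnet(n_nodes=2000, peers_per_node=100)
    nodes = sorted(net)
    print("passive, 1 sensor, 7 days  :", passive_observe(net, nodes[:1], 7))
    print("passive, 5 sensors, 7 days :", passive_observe(net, nodes[:5], 7)[-1])
    a = active_crawl(net, nodes[0], rounds=4, seed=3)
    b = active_crawl(net, nodes[1000], rounds=4, seed=4)
    print("active crawls discovered   :", len(a), len(b))
    print("estimated size:", round(lincoln_petersen(a, b)), "true:", len(net))
```

Passive observation of a single controlled bot grows by at most a dozen peers a day and can never see past that bot's own peer list, which is why enumerating a P2P botnet needs an active crawler that re-implements enough of the protocol to ask each discovered peer for its neighbours, and why a provider-level vantage point that sees flows to and from most of the address space is so valuable. Real crawls must also cope with NAT, churn and bots that lie in their peer replies, so the capture-recapture figure is an estimate, not a census.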

Advantages of Working with a Global Network Service Provider

Global Network Service Providers are strategically positioned to deal with botnet threats, because the technology and resources to perform the necessary network filtering reside within their infrastructure. At the most basic level that filtering comes from high-performance routers; beyond that it comes from the blocking made possible by deep packet inspection and analysis, delivered through advanced traffic shaping technology. Broadly stated, Global Network Service Providers can take advantage of information asymmetry and economies of scale to provide more security at a lower cost, and a global provider of Internet services can genuinely change the methodology of botnet research. A 2010 study, "The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data", found that the Service Providers it examined occupied a key position as control points for botnet activity. The study analyzed the Service Providers that collectively held the bulk of the market share in 40 countries (30 of them members of the Organization for Economic Co-operation and Development), yielding data on 200 ISPs. Using a global dataset of 63 billion spam messages and incoming SMTP connections from 138 million unique IP addresses over the period 2005 to 2008, it found that just 10 of the 200 Service Providers accounted for about 30 percent of all unique IP addresses sending spam worldwide, and just 50 of them accounted for over half. The graph below summarizes these findings.

An even more specific pattern emerged: the same 50 Service Providers were consistently found to be directly connected to more than half of the infected sources. A report issued in January 2011, "Internet Service Providers and Botnet Mitigation: A Fact-Finding Study on the Dutch Market", further substantiates the Service Provider's role. Its results are based on a study conducted in the Netherlands between January 2009 and June 2010, which set out to test whether Service Providers can serve as a natural control point for botnet activity, using the Dutch market, and compared the findings for the Netherlands with those of other countries. In the Netherlands, over 60% of all infected machines were connected to the networks of the three largest Dutch Service Providers. On average across 40 countries, 80% of infected sources were connected to networks administered by well-known Service Providers.

These studies are consistent with Cisco's web security reporting for 2013, which showed a 30 percent decline in unique malware hosts and IP addresses from January 2013 to September 2013 (see the graph below). A falling count of unique hosts while malware activity persists is consistent with malware being concentrated in fewer hosts and fewer IP addresses, and therefore across fewer Service Providers, although the figure alone does not establish why the count fell.

The results of these reports are significant, because they indicate that Service Providers can be far more effective enablers of botnet management than the hundreds of millions of end user machines and actors spread over hundreds of countries. The data from these studies indicate that the task of detecting and managing botnets can be funneled through the top network providers, giving a greater chance of success in controlling and eventually remediating the botnets. The same studies suggest that more responsibility for botnet mitigation should be placed on the top Service Providers, whether through collective action, self-regulation or government intervention.

[Figure: Percent of Spam Sources located across top Service Providers. Y-axis: percent of global total, 0% to 80%; x-axis: Service Provider category by market share (Top 10, Top 50, Top 100, Top 150, Top 200); one series for each year from 2005 to 2008.]

Interestingly enough, in March 2012 the U.S. Communications Security, Reliability and Interoperability Council (CSRIC) tasked a working group with developing a set of voluntary practices by which broadband network providers could help mitigate botnets. This "Botnet Remediation" working group accomplished the task with the "U.S. Anti-Bot Code of Conduct for ISPs", otherwise known as the "ABCs for ISPs". Through this opt-in code of conduct, Service Providers are encouraged to take a leading role in combating one of the largest threats facing the Internet today. The Code of Conduct encourages network providers, among other actions, to detect bots operating within their own networks and to develop best practices for reducing bot infections. Outside the U.S., public-private partnerships in countries such as Australia, the Netherlands, Germany and Japan aim for similar goals. Gunter Ollmann (CTO, IOActive Inc.), in the TMCnet article "Detecting Botnets in Service Provider Networks: The Impact of CSRIC's U.S. Anti-Bot Code of Conduct" of September 6, 2012, stated his view that the most impactful detection mechanisms lie within each Service Provider's own network and depend on its willingness to take on the task. He believes that providers can measure the size of botnets and the rate at which they are growing or shrinking, and so tune the remediation advice given to victims.

Further work is needed to strengthen network providers' incentives to mitigate botnets. Level 3 Communications has already established its role in this effort and has detected botnet infections in the millions across a variety of botnets. Our study of C2-based and P2P botnets has proven powerful and credible in the remediation of industry-impacting botnets across the world. We are currently tracking a number of threats based on activity seen across IP addresses, ASNs and C2 servers in countries and cities globally, while also analyzing traffic patterns over various time scales. By using advanced data feeds and analysis, Level 3 is able to improve its intelligence without installing intrusive and controversial monitoring technologies in its network, and is able to give customers better oversight of their security posture as well as mitigation guidance. The data Level 3 has access to comes from operating one of the world's largest IP networks, one of the world's largest Content Delivery Networks (CDN) and one of the largest global open Domain Name System (DNS) resolver services. In any month we see packets flowing to or from about 70% of all allocated IP addresses in the world.

[Figure: 2013 Unique Malware Hosts and IP Addresses. Y-axis: count, 10,000 to 60,000; x-axis: month, January through November 2013; two series, Unique Host and Unique IP.]

Value of Level 3's Approach

While the ultimate goal of most botnet research is to take down the nodes, the Security Operations Center at Level 3 targets other objectives as well. What is learned in the botnet battle provides a wealth of information about the C2 servers, along with the names and locations of the hosts that have been engulfed by the botnet. Through our consulting engagements with customers and our work with partners, Level 3 can obtain even more insight into the infected nodes, such as the operating system versions or the applications that the attackers are targeting. Deeper analysis can also reveal the tooling used or yield samples of the malware. Information of this kind is very difficult to come by and requires a large investment in the analysis of host and network data from real intrusion events.

Just as this information is important to the typical attacker during reconnaissance, those trying to learn more about the attackers and their intent can use it as well. Level 3 is able to dissect and reverse-engineer the malware in order to determine what information is being collected from victims' machines. Only a small and very limited number of providers have the skills and the data at their fingertips to work at this level of sophistication.

The value of this information cannot be overlooked, since in some respects the Internet is starting to resemble one large botnet. If a researcher is able to gain control of a botnet by exploiting vulnerabilities within it, that gives an edge over the attacker that is unique in many ways: rather than fighting the botnet, the researcher can use it to gather more intelligence about the attacker and the approach. The victims' information is useful when mapping the botnet and in learning about the communication tactics in use. Taking over a botnet in this way also raises legal and ethical questions, since it means issuing commands to, or observing traffic from, machines that belong to victims; the Dittrich paper and the Leder, Werner and Martini paper cited below discuss those considerations, and any such action should be coordinated with law enforcement and legal counsel.

Protecting Against Botnets

The most effective methodology for enterprises to protect against botnets is to patch software, educate users and monitor the network perimeter. Keeping software on all devices up to date removes the simplest point of entry for attackers. The latest security software, browsers and operating systems must be maintained, and automatic updates are the safest policy. Viruses and malware can also infect USB drives and other external devices, so current security software should scan them before they are accessed. User education is critical, because users can execute malware directly by plugging in corrupted external devices, by sharing their credentials or failing to protect them, by clicking on malicious links in emails or websites, and by downloading applications from untrusted sites. A policy of "when in doubt, throw it out" for social media, email, website links and questionable external devices should be clear to all users. Every device that connects to the Internet needs the same scrutiny, including computers, smartphones, gaming systems and the millions of sensors that are becoming collectively known as the "Internet of Things". Vigilant monitoring by the security team helps protect against the impact of unknown vulnerabilities. Watching for irregular behavior at the network perimeter reveals when hosts are communicating with external systems in an atypical manner. Exfiltration of data, spamming and DDoS attacks are all behaviors of a victim host participating in a botnet, and each has its own signature in network traffic: a workstation that suddenly opens SMTP connections to dozens of external mail servers, a host sending a flood of tiny packets to a single external address, or a host uploading far more data to one destination than it receives. Monitoring for this behavior requires extreme diligence, and finding and retaining skilled personnel to perform the investigations is difficult. Fortunately, the Global Network Service Provider leads in this expertise and in the ability to act, and Level 3 is a Global Network Service Provider.
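As an added example (not code from the paper or from Level 3), the triage below applies the perimeter-monitoring idea above to NetFlow-style records. The log lines are constructed for the example, and the three rules and their thresholds (distinct SMTP peers, small-packet flow counts to one target, upload-to-download ratio) are illustrative assumptions rather than anything the paper prescribes.

```python
"""
Perimeter flow triage for the botnet behaviours named in the text.

Added example, not from the Level 3 paper. Reads NetFlow-style records
("ts src dst proto dport packets bytes") and flags internal hosts whose
outbound traffic looks like spam sending, DDoS participation or data
exfiltration. Thresholds are assumptions; tune them to your baseline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Assumed thresholds for illustration; calibrate against the real network.
SPAM_MIN_SMTP_PEERS = 20        # distinct external MTAs contacted on tcp/25
DDOS_MIN_FLOWS_ONE_DST = 200    # flows from one host to one external target
DDOS_MAX_MEAN_PKT_BYTES = 100   # SYN/small-packet floods, not real sessions
EXFIL_MIN_OUT_BYTES = 50_000_000
EXFIL_MIN_OUT_IN_RATIO = 10.0


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line):
    """'ts src dst proto dport packets bytes' -> dict; None for comments/blank."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    ts, src, dst, proto, dport, pkts, nbytes = parts
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)}


def classify(lines):
    """Return {internal_host: [(role, detail), ...]} for hosts whose outbound
    traffic matches a botnet role. Only flows crossing the perimeter count."""
    smtp_peers = defaultdict(set)                 # host -> external SMTP dsts
    per_dst = defaultdict(lambda: [0, 0, 0])      # (host, dst) -> [flows, pkts, bytes]
    inbound = defaultdict(int)                    # (host, dst) -> bytes received
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            key = (f["src"], f["dst"])
            if f["proto"] == "tcp" and f["dport"] == 25:
                smtp_peers[f["src"]].add(f["dst"])
            per_dst[key][0] += 1
            per_dst[key][1] += f["packets"]
            per_dst[key][2] += f["bytes"]
        elif is_internal(f["dst"]) and not is_internal(f["src"]):
            inbound[(f["dst"], f["src"])] += f["bytes"]

    findings = defaultdict(list)
    for host, peers in smtp_peers.items():
        if len(peers) >= SPAM_MIN_SMTP_PEERS:
            findings[host].append(("spam", f"{len(peers)} distinct external SMTP peers"))
    for (host, dst), (flows, packets, nbytes) in per_dst.items():
        if flows >= DDOS_MIN_FLOWS_ONE_DST and nbytes / max(packets, 1) < DDOS_MAX_MEAN_PKT_BYTES:
            findings[host].append(("ddos", f"{flows} small-packet flows to {dst}"))
        recv = inbound.get((host, dst), 0)
        if nbytes >= EXFIL_MIN_OUT_BYTES and nbytes / max(recv, 1) >= EXFIL_MIN_OUT_IN_RATIO:
            findings[host].append(("exfiltration", f"{nbytes} bytes out vs {recv} in to {dst}"))
    return dict(findings)


def sample_flows():
    """Constructed log: one spammer, one DDoS bot, one exfiltrating host and
    one ordinary web user behind a 192.168.0.0/16 perimeter."""
    lines = ["# ts src dst proto dport packets bytes"]
    t = 1_700_000_000
    for i in range(30):   # spam: 30 distinct external MTAs on tcp/25
        lines.append(f"{t + i} 192.168.1.10 203.0.113.{i + 1} tcp 25 12 2400")
    for i in range(300):  # ddos: 300 single-SYN flows to one web server
        lines.append(f"{t + i} 192.168.1.20 198.51.100.9 tcp 80 1 60")
    for i in range(5):    # exfil: five large uploads, tiny responses
        lines.append(f"{t + i * 60} 192.168.1.30 198.51.100.7 tcp 443 20000 20000000")
        lines.append(f"{t + i * 60 + 1} 198.51.100.7 192.168.1.30 tcp 51000 10 1500")
    for i in range(10):   # normal browsing: small requests, larger replies
        lines.append(f"{t + i} 192.168.1.40 203.0.113.200 tcp 443 20 3000")
        lines.append(f"{t + i + 1} 203.0.113.200 192.168.1.40 tcp 52000 60 80000")
    return lines


if __name__ == "__main__":
    for host, hits in sorted(classify(sample_flows()).items()):
        for role, detail in hits:
            print(f"{host}: {role}: {detail}")
```

None of the three rules needs packet payloads, which is exactly why flow data at an enterprise perimeter, or at a provider's edge, is enough to spot a participating host. Thresholds must come from the network's own baseline: a mail relay legitimately contacts many MTAs and a backup job legitimately uploads gigabytes, so known host roles belong in an allow list before alerting.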
Our Security Operations Centers track over one million potentially malicious packets per day and close to two million infected machines with in-house Threat Intelligence Systems. We are able to investigate more than 10,000 sources of attacks per day, which gives us the information to recommend takedown requests to our customers. As a direct complement, we also offer Managed Security Services that specifically address the origins of attacks, such as Managed Firewall, Secure Access, DDoS Service, Email and Web Protection Services and Consulting. Through our diverse security offerings and our network expertise, we control network threats before they impact customer operations.

Conclusion

In this paper we reviewed the definition of a botnet and the evolution of botnets to the present day. Attackers are extremely persistent, and they continue to design new technologies to obfuscate their botnets and make them harder to mitigate. This has placed new demands on security researchers, who now need more information about the individual hosts of a botnet. As several studies have shown, large global Service Providers are uniquely positioned to obtain this information, and they normally have the staff needed to detect and mitigate these prevalent threats. Level 3 Communications, as a Global Network Service Provider, excels in these capabilities, with access to huge volumes of flow and connection data associated with the world's Internet traffic and with multiple Security Operations Centers. These Centers are staffed by security experts who monitor the network around the clock with sophisticated Threat Intelligence Systems. The breadth and depth of these resources, along with our Managed Security Services offerings, secures our position to challenge the botnet, one of the largest threats to the Internet in existence today.

References

1. OECD (2012), "Proactive Policy Measures by Internet Service Providers against Botnets", OECD Digital Economy Papers, No. 199, OECD Publishing. http://dx.doi.org/10.1787/5k98tq42t18w-en
2. Michel van Eeten (Delft University of Technology), Johannes M. Bauer (Michigan State University), Hadi Asghari (Delft University of Technology), Shirin Tabatabaie (Delft University of Technology), Dave Rand (Trend Micro Incorporated), "The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data", 2010.
3. David Dittrich, "So You Want to Take Over a Botnet", date unknown.
4. Cisco 2014 Annual Security Report.
5. Michel J.G. van Eeten, Hadi Asghari, Johannes M. Bauer, Shirin Tabatabaie, "Internet Service Providers and Botnet Mitigation: A Fact-Finding Study on the Dutch Market", January 2011.
6. Communications Security, Reliability, and Interoperability Council (CSRIC), "U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs)", March 22, 2012.
7. Felix Leder, Tillmann Werner, Peter Martini, "Proactive Botnet Counter Measures: An Offensive Approach", date unknown.
8. Gunter Ollmann, "Detecting Botnets in Service Provider Networks: The Impact of CSRIC's U.S. Anti-Bot Code of Conduct", TMCnet Special Guest, September 6, 2012. http://www.tmcnet.com/voip/departments/articles/306425-detecting-botnets-service-provider-networks-impact-csrics-us.htm

ABOUT LEVEL 3

We build, operate and take end-to-end responsibility for the network solutions that connect you to the world. We put customers first and take ownership of reliability and security across our broad portfolio.


© 2014 Level 3 Communications, LLC. All Rights Reserved. Level 3, Level 3 Communications, the Level 3 Communications Logo, and “Connecting and Protecting the Networked World” are either registered service marks or service marks of Level 3 Communications, LLC and/or one of its Affiliates in the United States and/or other countries. Level 3 services are provided by wholly owned subsidiaries of Level 3 Communications, Inc. Any other service names, product names, company names or logos included herein are the trademarks or service marks of their respective owners.