July 28, 2017

Attn: Evelyn L. Remaley
Deputy Associate Administrator
National Telecommunications and Information Administration
U.S. Department of Commerce
1401 Constitution Avenue NW, Room 4725, Washington, D.C. 20230

RE: Docket No. 170602536-7536-01

Dear Evelyn,

On behalf of the CSCC, we would ask that the attached Industry Technical White Paper the CSCC released on July 17, 2017, be included as part of the record in the above proceeding.

Sincerely,

Robert Mayer
USTelecom Association
Vice President, Industry and State Affairs

Kathryn Condello
CenturyLink
Director, National Security/Emergency Preparedness
Industry Technical White Paper

ABSTRACT

On May 11, 2017 President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, tasking the Department of Commerce and the Department of Homeland Security to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by botnets, particularly distributed denial of service attacks. In this technical white paper, the communications sector describes the botnet problem from the perspective of internet service providers (ISPs), identifies some challenges and opportunities, and then proposes several preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with botnets and automated attacks.

Communications Sector Coordinating Council
July 17, 2017

Communications Sector Coordinating Council | www.comms-scc.org

Table of Contents

Executive Summary
Internet Ecosystem and Communications Sector
Bots, Botnets and Associated Threats
Current Tools and Techniques
Emerging Solutions
Challenges and Opportunities
Industry Recommendations
Conclusion
Appendix A – Cyber Threat Reports
Appendix B – Threats from Botnets
Glossary
Executive Summary

A bot is code used to seize control over a computer or a device to form a network of infected machines, known as a botnet. Many botnets are self-spreading and self-organizing networks of compromised machines that can be used to perform malicious activities in a coordinated way through command and control (C&C) channels. While bots are not new, the growing deployment of Internet of Things (IoT) devices amplifies their capability to create a large-scale global security threat.

In recognition of this growing global threat, on May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,[1] tasking the Department of Commerce (DoC) and the Department of Homeland Security (DHS) to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by bots and botnets.

In this technical white paper, the communications sector, specifically internet service providers (ISPs) in this context, seeks to inform that process by describing the shared responsibilities of key participants in the internet ecosystem for mitigating the threats posed by botnets. It is a fallacy to believe that any single component of the internet ecosystem has the ability to mitigate the threat from botnets and other automated systems. While ISPs, as infrastructure owners and operators, play an important role in this ecosystem, so do the manufacturers of devices, developers of software, system integrators, edge providers, cloud service providers, and others. It will take the concerted effort of all members of this ecosystem to address fully the threats from bots and botnets.

The internet ecosystem has been working collaboratively to neutralize the threats from bots and botnets for years. In this paper, the Communications Sector Coordinating Council (CSCC) identifies a number of challenges of mitigating botnets, and opportunities for increased collaboration and cooperation among members of the internet ecosystem to address the problem, including:

• Improving the efficiency of the law enforcement process to take down botnets;
• Sharing of actionable cyber threat information;
• Reducing the dependency upon the use of network address translation (NAT) functions;
• Mitigating botnet traffic from foreign countries;
• Managing end-user notifications of malware infections;
• Defending against unsecured IoT devices;
• Combatting the use of fast flux domain name server (DNS) by botnets to hide their infrastructure; and
• Coordinating network-to-network network management.

As part of DoC and DHS's open and transparent process, the CSCC also proposes the following preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with bots, botnets, and automated attacks:

• Streamline the law enforcement process to take down botnets;
• Encourage continued migration to IPv6;
• Ensure that shared cyber threat information is actionable and tailored to meet recipients' needs;
• Network operators and end-users should include pre-negotiated provisions for traffic filtering in transit and peering agreements;
• Encourage the Internet Corporation for Assigned Names and Numbers (ICANN), registries, and registrars to adopt the fast flux mitigation techniques recommended by the Security and Stability Advisory Committee (SSAC);
• Improve botnet detection by encouraging the adoption and use of machine learning techniques;
• Ensure all end-points including IoT devices adhere to industry developed security standards;
• Ensure end-points are running up-to-date software; and
• IoT devices should use network isolation and/or network based filtering techniques for any communications to cloud-based services.

[1] The White House Office of the Press Secretary, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), available at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.
Internet Ecosystem and Communications Sector

The ecosystem supporting the internet, including the members of the communications sector providing internet access services, is complex, diverse, and inter-dependent. To fully understand the threats that botnets pose, it is important to understand the ecosystem and stakeholders' relationships. This section provides a summary of the internet ecosystem and explains how the communications sector fits into the broader internet ecosystem in protecting critical infrastructure from threats from bots and botnets.

Internet Ecosystem

The internet ecosystem is a diverse, highly integrated system comprised of many stakeholders. The Internet Society (ISOC) describes the broad internet ecosystem as being made up of six primary communities as shown below.[2]

Figure 1: Internet Ecosystem (Source: Internet Society)

The network operators, which are part of the communications sector, provide the "Shared Global Services and Operations" shown in Figure 1. When viewed solely from the network perspective, the internet ecosystem looks more like Figure 2.

Figure 2: Network View of Internet Ecosystem

In this context, the internet ecosystem is comprised of many machines/devices (e.g., smartphones, desktop computers, IoT devices, etc.) that connect to network service providers. The network service providers use a combination of transit and peering[3] to provide internet connectivity to service creators (e.g., hosting, ecommerce, social media, enterprises, etc.). Many of the service creators are cloud-based, meaning that they operate a network of machines working together to provide a service. All of the parts work together to provide what is commonly referred to as the internet.

Communications Sector

Owners and operators of communications infrastructure (broadcast, cable, satellite, wireless, and wireline) comprise the communications sector. The communications sector is one of the 16 Critical Infrastructure/Key Resource (CI/KR) sectors identified in the DHS National Infrastructure Protection Plan (NIPP). This sector includes the network operators that provide internet access services. As part of a public/private partnership with DHS, the communications sector utilizes the Communications Sector Coordinating Council (CSCC) and the Communications Information Sharing and Analysis Center (Comm-ISAC) to help secure the communications networks CI/KR from harm.

The communications sector has a long history of cooperation within its membership and with the federal government with respect to national security and emergency preparedness. This history distinguishes the communications sector from most other critical sectors identified in the National Infrastructure Protection Plan (NIPP). The sector exemplifies cooperation and trusted relationships that have resulted in the delivery of critical services when emergencies and disasters occur. This strong bond exists largely because of three organizations that have been created in response to earlier threats to the nation's critical infrastructure.

Policy – The National Security Telecommunications Advisory Committee (NSTAC). The NSTAC (wwwncs.gov/nstac/nstachtml) was created in 1982 by Executive Order 12382. It provides a highly successful example of how industry helps direct government decisions around national security and emergency preparedness communications (NS/EP). NSTAC is comprised of up to 30 chief executives from major telecommunications companies, network service providers, and information technology, finance, and aerospace companies. Through a deliberative process, they provide the President with recommendations intended to assure vital telecommunications links through any event or crisis, and to help the U.S. Government maintain a reliable, secure, and resilient national communications posture. Key areas of NSTAC focus include: strengthening national security; enhancing cybersecurity; maintaining the global communications infrastructure; assuring communications for disaster response; and addressing critical infrastructure interdependencies.

Planning – Communications Sector Coordinating Council (CSCC). The CSCC was chartered in 2005 in order to: help coordinate initiatives to improve the physical and cyber security of sector assets; ease the flow of information within the sector, across sectors and with designated Federal agencies; and address issues related to response and recovery following an incident or event. The more than 40 members of the CSCC broadly represent the sector and include cable providers, commercial and public broadcasters, information service providers, satellite providers, undersea cable providers, utility telecom providers, service integrators, equipment vendors, and wireless and wireline owners and operators and their respective trade associations.

Operations – National Coordinating Center for Telecommunications (NCC) / Communications Information Sharing and Analysis Center (Comm-ISAC). In 1982, federal government and telecommunications industry officials identified the need for a joint mechanism to coordinate the initiation and restoration of national security and emergency preparedness telecommunications services. In 1984, Executive Order 12472 created the NCC. This organization's unique partnership between industry and government advances collaboration on operational issues on a 24x7 basis and coordinates NS/EP responses in times of crisis. Since 2000, the NCC's Communications Information Sharing and Analysis Center (Comm-ISAC), comprised of 51 industry member companies, has facilitated the exchange of information among government and industry participants regarding vulnerabilities, threats, intrusions, and anomalies affecting the telecommunications infrastructure. Industry and government representatives meet weekly to share threat and incident information. During emergencies, industry and government representatives involved with the response efforts meet daily, or even more frequently.

[2] Internet Society, Who Makes the Internet Work: The Internet Ecosystem (Feb. 3, 2014), available at http://www.internetsociety.org/who-makes-internet-work-internet-ecosystem (accessed July 16, 2017).
[3] Note: There is a glossary in Appendix B that provides more information on the technical terms used in this document.
Bots, Botnets, and Associated Threats

Bot – a program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks typically under the command and control of a remote administrator (aka botmaster or bot herder).[4]

Botnet – a network of internet-connected end-user computing devices infected with bot malware and remotely controlled by third parties for nefarious purposes.[5]

Bots are not a new phenomenon. It is important to note that not all bots are bad, and not all botnets are used for nefarious purposes. There are some good bots in environments like gaming and Internet Relay Chat (IRC). However, for the purposes of this paper, all mentions of bots and botnets will assume they are malicious or potentially malicious in nature.

A "botnet" is a network of bots working together with the capability of acting on instructions generated remotely. A typical botnet may range from a few thousand bots to hundreds of thousands or even millions of bots. Bots and botnets are highly customizable and can be programmed to do many things, including: theft of personal and other sensitive information, spam, email address harvesting, distributed denial of service (DDoS) attacks, key-logging, hosting illegal content, and click fraud. These types of cyber-attacks are described in greater detail later in this paper.

Early bots used IRC to communicate to their C&C servers. Over time, bots and botnets have grown more sophisticated. For instance, bots and botnets have been made more resilient by incorporating peer-to-peer (P2P) architectures and protocols; domain name generating algorithms; hypertext transfer protocol (HTTP) to specific uniform resource locators (URLs) within legitimate websites; sophisticated, hierarchical C&C infrastructures; and encryption. Each of these improvements has made it more difficult to identify and isolate bad traffic from legitimate network traffic.

Historically, bots infected desktop computers and servers, resulting in eventual detection and removal using antivirus software. In contrast, IoT devices often do not have a user interface (UI); are designed to run autonomously; and are connected either directly or indirectly to the internet. These devices do not lend themselves well to some traditional security protections. They may connect to the internet without a firewall and are usually placed on the same local area network (LAN) segment as other higher value targets. They are unlikely to run anti-virus software. In addition, they may be considered a low security risk since they are low cost and only process seemingly innocuous data. However, IoT devices are actually enticing targets for exploitation, as the devices provide computing power that can be utilized by bad actors, typically unnoticed by the owners, and are often "install and forget" equipment.

Large networks of IoT devices can become compromised by bots when connected to high-speed internet connections, which can cause significant damage. The October 2016 Mirai botnet DDoS attack against DNS provider Dyn is one of the more recent examples. The Mirai botnet exploited weak security in many IoT devices by continuously scanning the internet, looking for more IoT devices that were protected by factory default or hardcoded usernames and passwords.[6] As the Mirai botnet discovered vulnerable IoT devices, it loaded its malware onto the devices and began communicating with the C&C servers awaiting instructions. The Mirai botnet then was used to launch a large-scale DDoS attack against Dyn by instructing each infected device to flood the Dyn DNS servers with a high volume of packets using the DNS service destination port (user datagram protocol (UDP) port 53) as well as flooding authoritative servers with numerous requests for invalid domain names.[7] The attack prevented a number of Dyn's customers from being able to access domain names served by Dyn DNS during the attack.

The Dyn attack was not an isolated incident. The peak attack size increased dramatically in a short period of time, rising from 500 Gbps in 2015 to 800 Gbps in 2016.[8] The KrebsOnSecurity site was also hit by an attack in September 2016, which reached 620 Gbps. In fact, the Mirai botnet and other IoT botnets were in existence for some time prior to these attacks and generally used for performing smaller DDoS attacks.

Botnet Threats

As described above, bots and botnets are highly customizable, and as a result, can be programmed to do many beneficial things on the internet. However, they are often, and increasingly, used for nefarious activities such as the types of attacks listed below.

• DDoS attacks;
• Data theft;
• Illicit content distribution;
• Brute force password guessing;
• Processing theft;
• Click fraud;
• Email spam; and
• Unauthorized gateway.

The remainder of this section, however, will focus on DDoS attacks. Descriptions of the other types of attacks listed above can be found in Appendix B.

[4] Federal Communications Commission (FCC), Communications Security Reliability and Interoperability Council (CSRIC) III, U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (Mar. 2012), available at https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG7-Final-ReportFinal.pdf (accessed June 20, 2017).
[5] Id.
[6] Symantec Security Response, Mirai: what you need to know about the botnet behind recent major DDoS attacks, Symantec Official Blog (Oct. 27, 2016), available at https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks (accessed June 20, 2017).
[7] Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
[8] Arbor Networks, 12th Annual Worldwide Infrastructure Security Report, Arbor Networks Special Report Vol. XII (2016), at p. 21, available at https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf (accessed June 30, 2017).
DDoS attacks – a highly prevalent form of attack perpetrated by botnets – illustrate some of the many challenges of preventing attacks, as well as of preventing bots from compromising end-points.

DDoS attacks can be broken into four main categories:[9]

• Volumetric;
• Application/resource;
• State exhaustion; and
• Control plane.

Volumetric DDoS attacks consist of hundreds to hundreds of thousands of bots flooding the victim with packets, resulting in denial of the service to others. The attacks can be direct, where the bots send the packets addressed directly to the victim either with their own source IP address or a spoofed source IP address. Indirect attacks leverage a technique known as a reflective amplification attack, in which bots spoof the source IP address to be that of the intended attack target.[10] The bots then send request packets to other services such as DNS, Character Generator Protocol (chargen), or Simple Service Discovery Protocol (SSDP) to trick the services to send responses toward the victim. Indirect or reflection attacks are often crafted to cause the service to send a response that is much larger than the bot's initial request, resulting in an amplification attack. In some circumstances, the amplifications can be thousands of times greater than the bots' initial request packets.

Application attacks tend to be lower volume traffic attacks than volumetric attacks. They are characterized by bots sending legitimate-looking application-level requests to a system to consume resources (e.g., CPU, disk access, database lookups, etc.) and overwhelm the system, thereby preventing others from accessing it.
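The reflective amplification mechanism described in the volumetric paragraph above has a signature on the receiving side that needs no payload inspection: the victim gets replies from many reflector service ports it never queried. The following is an added example written for this page; it is not code from the CSCC paper or from the M3AAWG material it cites. It assumes a NetFlow-style record shape, a reflector port list covering the services the paper names (DNS, chargen, SSDP, NTP), sample flows constructed in the RFC 5737 documentation ranges, and illustrative thresholds.

```python
"""Spot likely reflection/amplification traffic in flow records.

Added example, not code from the CSCC white paper. Assumes a NetFlow-style
record of (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes); the
reflector port list, thresholds and sample flows are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


# UDP services the paper names as reflectors, keyed by their IANA ports.
REFLECTOR_PORTS = {53: "dns", 19: "chargen", 1900: "ssdp", 123: "ntp"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the reflector emits toward the
    victim per byte the bot had to send (response size / request size)."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows: Iterable[Flow], min_reflectors: int = 3,
                            min_bytes: int = 1_000_000) -> Dict[str, dict]:
    """Return {dst_ip: summary} for destinations that receive UDP traffic
    sourced from reflector service ports from many distinct hosts.

    A normal client talks to one or two resolvers or NTP servers; a
    reflection victim receives unsolicited replies from dozens. Both
    thresholds are assumptions to be tuned against the network's baseline."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0,
                                   "packets": 0, "services": set()})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        d = per_dst[f.dst_ip]
        d["reflectors"].add(f.src_ip)
        d["bytes"] += f.bytes
        d["packets"] += f.packets
        d["services"].add(REFLECTOR_PORTS[f.src_port])
    return {
        dst: {"reflector_count": len(d["reflectors"]),
              "bytes": d["bytes"],
              "avg_packet_size": d["bytes"] // max(d["packets"], 1),
              "services": sorted(d["services"])}
        for dst, d in per_dst.items()
        if len(d["reflectors"]) >= min_reflectors and d["bytes"] >= min_bytes
    }


# Constructed sample: 203.0.113.10 is hit by large replies from ten DNS/NTP
# servers it never queried, while 198.51.100.5 exchanges one normal-sized
# query and reply with a single resolver.
SAMPLE_FLOWS = [
    Flow(f"192.0.2.{i}", 53 if i % 2 else 123, "203.0.113.10", 40000 + i,
         "udp", 2000, 2_800_000)
    for i in range(1, 11)
] + [
    Flow("198.51.100.5", 51234, "192.0.2.53", 53, "udp", 1, 60),
    Flow("192.0.2.53", 53, "198.51.100.5", 51234, "udp", 1, 120),
]

if __name__ == "__main__":
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The amplification_factor helper makes the paper's "response much larger than the request" point measurable: a 60-byte query answered by a 3,000-byte response is a 50x bandwidth amplification. In production the flows would come from a sampled NetFlow/IPFIX export rather than a list, and the two thresholds would be set from the network's own baseline of resolver and NTP traffic.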
State exhaustion attacks leverage the fact that devices like servers, firewalls, and intrusion detection systems have limited capabilities to track the state of concurrent transactions. The bots leverage this limitation and consume all the state capabilities by opening many connections and not fully continuing those connections to completion.

Control plane attacks leverage the limitations of the internet protocols such as the Border Gateway Protocol (BGP),[11] IPv6,[12] and DNS protocol.[13]

A challenge with all types of DDoS attacks – especially for ISPs – is identifying them. Cyber criminals are rapidly devising more sophisticated botnets, making it harder to distinguish bad traffic from good traffic. The earliest forms of bots often transmitted their messages in clear-text, on well-known ports, to hard-coded IP addresses, thereby making the traffic both easy to identify and to block. Increasingly bots masquerade their traffic as application-level traffic (e.g., they make it look like regular web traffic or encrypted web traffic, use peer-to-peer techniques to avoid a single point of failure, or use VPNs to encrypt and tunnel their traffic to evade detection).

The Mirai botnet attack also leveraged the fact that there are millions of IoT devices all over the globe, and the attack traffic was generated from the far corners of the internet, sourced at the victims' locations. Level 3 Threat Research Labs reported that it observed over a million IoT devices participating in botnet attacks, and a large percentage were located in Taiwan, Brazil, and Colombia.[14] The challenge for an ISP in detecting and blocking this traffic is that it does not originate on the ISP's network and may only transit a portion of the network, if it transits it at all. And even if there are bots on the network originating traffic, the volume of traffic from the bots may not be high enough to detect on the network.

Botnet attack traffic may look entirely normal. Much of it is reflective amplified attacks (which offer the best bang for the buck), frequently using well known common services such as DNS, network time protocol (NTP), and HTTP.

[9] FCC CSRIC IV, Remediation of Server-Based DDoS Attacks Final Report (Sept. 2014), available at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG5_Remediation_of_Server-Based_DDoS_Attacks_Report_Final_(pdf)_V11.pdf (accessed June 20, 2017).
[10] Messaging, Malware and Mobile Anti-Abuse Working Group, M3AAWG Introduction to Reflective DDoS Attacks (May 2017), available at https://www.m3aawg.org/sites/default/files/m3aawg-reflective-ddos-attack-intro.pdf (accessed June 20, 2017).
[11] K. Butler, et al., A Survey of BGP Security Issues and Solutions, Proceedings of the IEEE 98, no. 1 (Jan. 2010), at pp. 100-122 (doi:10.1109/jproc.2009.2034031).
[12] Cisco, IPv6 Extension Headers Review and Considerations [IP Version 6 (IPv6)] (Oct. 10, 2006), available at http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html (accessed June 30, 2017).
[13] Suranjith Ariyapperuma and Chris Mitchell, Security vulnerabilities in DNS and DNSSec, Proceedings of The Second International Conference on Availability, Reliability and Security, ARES 2007, The International Dependability Conference – Bridging Theory and Practice, Vienna, Austria, available at http://web.mit.edu/6.033/www/papers/dnssec.pdf (accessed June 30, 2017).
[14] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).
There are hundreds of different types of attacks within the five DDoS attack categories. Mirai itself has about a dozen DDoS attacks programmed into it. The botnet spread by scanning for open telnet ports (transmission control protocol port 23). Telnet is a clear text protocol and is extremely insecure and should not be used over the internet, but this is exactly how Mirai was spread. During the Dyn DNS attack, Mirai used DNS "water torture,"[15] which it proxied through several well-known open resolvers (Google 8.8.8.8, for example). The attack on the KrebsOnSecurity[16] website was designed to appear like the generic routing encapsulation (GRE) protocol.[17] Both attacks could have been blocked by upstream internet transit providers. In the case of the Dyn attack, network service providers and the Comm-ISAC reached out to Dyn to offer assistance.

The KrebsOnSecurity attack, being GRE-based, could have been blocked by most ISPs. The Dyn traffic was proxied by well-known open resolvers, so rate limiting that traffic towards the Dyn IPs could have mitigated most of the effects of that attack. Brobot, which affected many U.S. financial systems, used HTTP and HTTPS for most of its attacks. Blocking it would require content examination and filtering, something ISPs generally do not do and cannot do for HTTPS without holding the end-user's private keys. Malicious traffic that is encrypted (e.g., HTTPS) cannot be filtered.

The latest attacks illustrate the sophistication and scale that botnets have achieved. Botnets are detectable; the challenge is stopping them. The best way to stop them is to prevent their spread in the first place. The real challenge for the internet ecosystem in dealing with botnet threats is the remediation of infected end-points. Without either remediating the end-point or disconnecting the infected end-point from the internet, the threat from the infected end-point remains. Ensuring that end-points are running the latest software with the latest security patches is a recognized best practice for mitigating the spread of and threats from malicious and nefarious bots.

[15] DNS water torture is an attack type where many end-points send queries for a victim's domain with a random string prepended to the domain, which overwhelms the victim's authoritative DNS server and makes the victim's domain inaccessible.
[16] See https://krebsonsecurity.com.
[17] KrebsOnSecurity, KrebsOnSecurity Hit With Record DDoS (Sept. 21, 2016), available at http://krebsonsecurity.com/tag/gre-ddos/ (accessed July 16, 2017).
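Footnote 15 defines DNS water torture by its shape: many clients, one victim zone, a random string in front of the domain on every query. That shape is visible in a resolver's query log even when each client sends very little, which is the situation the paper describes for the Dyn attack, where the flood was proxied through open resolvers. The following is an added example written for this page, not code from the paper or from Dyn's own analysis. It assumes a constructed log-line format of "<epoch> <client_ip> <qname> <qtype>", a simplistic two-label rule for the victim's zone (no public suffix list), deterministic sample lines built in the RFC 5737 ranges, and illustrative thresholds.

```python
"""Detect DNS "water torture" (random-subdomain) floods in resolver query logs.

Added example, not code from the CSCC white paper. Assumes a constructed log
format "<epoch> <client_ip> <qname> <qtype>", a two-label zone rule, and
thresholds that would be tuned per resolver.
"""
import math
import random
import string
from collections import defaultdict
from typing import Dict, Iterable, List


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character. Random labels score high;
    ordinary hostnames such as "www" or "mail" score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Assumption: the last two labels are the victim's zone
    (e.g. 'abc123.victim.example' -> 'victim.example')."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_water_torture(log_lines: Iterable[str], min_queries: int = 50,
                         min_unique_ratio: float = 0.9,
                         min_entropy: float = 3.0) -> Dict[str, dict]:
    """Return {zone: stats} for zones whose queries are mostly for distinct,
    high-entropy names. Each such name misses the cache and is forwarded to
    the zone's authoritative servers, which is what exhausts them."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(),
                                    "entropy_sum": 0.0, "clients": set()})
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()
        zone = registrable_domain(qname)
        prefix = qname.rstrip(".").lower()[: -len(zone)].rstrip(".")
        z = per_zone[zone]
        z["queries"] += 1
        z["names"].add(qname.lower())
        z["entropy_sum"] += label_entropy(prefix.split(".")[0])
        z["clients"].add(client)
    suspicious = {}
    for zone, z in per_zone.items():
        if z["queries"] < min_queries:
            continue
        unique_ratio = len(z["names"]) / z["queries"]
        mean_entropy = z["entropy_sum"] / z["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            suspicious[zone] = {"queries": z["queries"],
                                "unique_ratio": round(unique_ratio, 3),
                                "mean_prefix_entropy": round(mean_entropy, 2),
                                "clients": len(z["clients"])}
    return suspicious


def _build_sample_log() -> List[str]:
    """Constructed log: 200 random-prefix queries for victim.example from five
    clients, plus 60 ordinary queries for three names under example.org."""
    rng = random.Random(7)          # fixed seed keeps the sample deterministic
    alphabet = string.ascii_lowercase + string.digits
    lines = []
    for i in range(200):
        prefix = "".join(rng.choices(alphabet, k=16))
        lines.append(f"{1500000000 + i} 192.0.2.{(i % 5) + 1} "
                     f"{prefix}.victim.example A")
    for i in range(60):
        name = ("www", "mail", "api")[i % 3] + ".example.org"
        lines.append(f"{1500000300 + i} 198.51.100.{(i % 4) + 1} {name} A")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for zone, stats in detect_water_torture(SAMPLE_LOG).items():
        print(zone, stats)
```

The detector keys on the zone rather than the client, which is why it still fires when, as in the Dyn case, the queries arrive through many resolvers and each individual source stays under any per-client rate limit. The response the paper suggests, rate limiting traffic toward the victim's authoritative servers, can then be scoped to the flagged zone rather than to all DNS traffic.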
Most Botnet Traffic Originates Outside the United States

The threat landscape from botnets continues to evolve. According to threat intelligence companies, notable trends identified in the threat landscape in 2016 are that: 1) insecure IoT devices are a big source of DDoS attack traffic;[18] and 2) the vast majority of the attack traffic originates from outside the United States.[19]

In 2016, attacks from IoT devices made headlines with the Mirai botnet attacks from improperly secured security cameras and their closed-circuit TV (CCTV) recorders (DVRs). As noted by Level 3 Threat Research Labs, many of the insecure cameras and DVRs were located in Taiwan, Brazil, and Colombia.[20] Shodan,[21] a search engine that lets the user find specific types of IoT and other devices that are connected and visible on the public internet, reports (as of July 2017) 300K+ susceptible Hikvision devices connected directly to the internet, with the vast majority of those devices located in Brazil (45,000), India (36,000), China (34,000), Mexico (25,000), and South Korea (20,000).[22]

While attributing the exact source of botnet attacks is difficult, it is almost always possible to determine the source country of the traffic. Numerous reports[23] indicate that the leading sources of attack traffic are China and other countries in Southeast Asia (e.g., Vietnam, Taiwan, and Thailand).[24]

This is consistent with an earlier study that showed a strong correlation between devices used for botnet attacks and the country in which the devices reside. Such devices are typically running software without the latest security patches.[25] In one study, researchers analyzed six years of longitudinal data from the sinkhole of Conficker, one of the largest botnets ever seen, to assess the impact on botnet mitigation of national anti-botnet initiatives, aimed at getting end-users to clean infected end-user machines. They found that peak infection levels strongly correlate with software piracy. This implies that countries with a higher number of end-users running unlicensed copies of software tend to have higher numbers of bots because those assets have a lower percentage of registered users getting security patches.

A similar pattern was seen with the Mirai botnet, which exploited the fact that a class of IoT devices shipped with well-known, default login credentials that end-users rarely change. Vulnerabilities with at least one of the manufacturers were reported as far back as 2013.[26] Only after the Mirai botnet attack was reported did the manufacturer in question provide a firmware update to address the vulnerabilities, and, even then, it required manual intervention by device end-users to update the firmware, as the devices did not support an automated manner for securely updating their software.

[18] Akamai, State of the Internet Security Q4 2016 Report (Winter 2016), available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf (accessed June 20, 2017).
[19] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[20] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).
[21] See shodan.io (Shodan scans the internet indexing devices that respond to port scans on ports 80, 8080, 443, 8443, 21, 22, 23, 161, 5060, 554, and other well-known ports).
[22] Shodan, Search of "Hikvision," available at https://www.shodan.io/search?query=hikvision (accessed June 20, 2017).
[23] See Appendix A of this paper for data from different threat reports.
[24] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[25] Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Post-Mortem of a Zombie: Conficker Cleanup After Six Years, in USENIX, The Advanced Computing Systems Association, Proceedings of the 24th USENIX Security Symposium, Washington, D.C. (Aug. 2015), available at https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf (accessed June 20, 2017).
CurrentToolsandTechniques
ApplicationofCybersecurityFrameworkagainstBotnets
TheCybersecurityFramework,developedbyNationalInstituteofStandards&Technology(NIST),27isavoluntaryrisk-based“setofindustrystandardsandbestpracticestohelp
organizationsmanagecybersecurityrisks.”TheFrameworkiscomposedoffivefunctionalareas
–1)Identify,2)Detect,3)Protect,4)Respond,and5)Recover.TheleadingISPsusethe
Frameworkaspartoftheiroverallcyberriskmanagementprocessestoaddressthethreatsposedbybotsandbotnetsagainsttheirnetworks.
Identify
IntheFramework,thefirststepisidentifyingbothwhatneedstobeprotectedandwhatarethe
cyberthreats.TheFederalCommunicationsCommission’s(FCC)CommunicationsSecurity,
26DepartmentofHomeland(DHS)SecurityOfficeofCybersecurityandCommunications,VulnerabilityNoteVU#800094-DahuaSecurityDVRscontainmultiplevulnerabilities(Dec.4,2013),availableathttp://www.kb.cert.org/vuls/id/800094(accessedJune20,2017). 27NationalInstituteofStandardsandTechnology,CybersecurityFramework(May25,2017),availableathttps://www.nist.gov/cyberframework(accessedJune20,2017).
CommunicationsSectorCoordinatingCouncil|www.comms-scc.org
15
ReliabilityandInteroperabilityCouncil(CSRIC)IVWorkingGroup4finalreport,Cybersecurity
RiskManagementandBestPractices,providesimplementationguidanceontheuseofthe
Frameworkfornetworkserviceproviders.ISPs,aspartofthecriticalinfrastructure,haveidentifiedthattheyneedtoprotecttheircorenetworksfromcybersecuritythreatssuchasbots
andbotnets.ISPsmayalso,aspartofamanagedsecurityservice,protecttheircustomersfrom
theharmsofcyberthreats.
Inadditiontoidentifyingwhatneedstobeprotected,networkserviceprovidersusetheFrameworkandothertoolstoidentifythethreats.Thefirststepisidentifyingtheattack
surfacesoftheassetstobeprotectedandthenidentifyingtheknownattackvectors.This
informationiscontinuouslysynthesizedwiththreatintelligencedatatoensurecomprehensivecoverageandtoidentify,andultimatelyaddress,newvulnerabilities.Obtaininghigh-quality
cyberthreatdataisoneofthemostimportantaspectsofimplementingandrunningastrong
botnetmitigationprogram.Fortheprogramtobeeffective,nearzerofalsepositivedatais
needed.Falsepositivescangreatlyincreaseanetworkserviceprovider’soperatingcosts,impactitscustomersatisfaction,anddamageitsbrand.AsoutlinedintheCSRICVWorking
Group5reportonCybersecurityInformationSharing,28networkserviceprovidershave
developedaninformationsharingecosystemtobothuseandsharecyberthreatindicator
informationfromanarrayofsources,toidentifybotnetsandtheirassociatedthreats.Includedinthisecosystemaretrustedthird-party(TTP)datafeeds,informationfromDHSincludingits
AutomatedInformationSharing(AIS)system,andinter-sectorinformationsharing.
Detect

As outlined in the Framework, detection of threats and attacks is the next step in protecting networks from botnet attacks. As described earlier, botnet attacks come in many forms, so detecting them requires an array of tools and techniques tailored for each kind of attack. Regardless of the type of botnet attack, network service providers use a core set of techniques, including packet sampling, signature analysis, and heuristic or behavioral analysis.

Many botnets attempt to disguise their traffic as normal internet traffic. This makes it particularly difficult to detect highly distributed botnets or low-volume traffic botnets, as the traffic will be below the alarm thresholds on any single operator's network. For example, during the Mirai Dyn DNS waterboarding attack, the attackers proxied their requests through well-known open DNS resolvers.[29]

[28] FCC CSRIC V, Working Group 5: Cybersecurity Information Sharing, Final Report (Mar. 15, 2017), available at https://www.fcc.gov/files/csric5-wg5-finalreport031517pdf (accessed June 20, 2017).
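The threshold problem described above, as an added example that is not part of the CSCC paper: three operators each see a slice of one distributed, low-volume botnet flow that stays under their per-operator alarm threshold, while a pooled view built from shared per-destination counts crosses it. The flow records, the operator names and the threshold value are constructed for this example, and the field layout is only loosely modelled on IPFIX five-tuple fields.

```python
"""Added example: per-operator alarm thresholds versus a pooled cross-operator
view of the same traffic. All flow records below are constructed."""
from collections import defaultdict

# Constructed one-minute flow summaries as three operators would each see them:
# (operator, source IP, destination IP, destination port, packet count).
FLOWS = [
    ("isp-a", "203.0.113.10", "198.51.100.5", 53, 40),
    ("isp-a", "203.0.113.11", "198.51.100.5", 53, 35),
    ("isp-a", "203.0.113.12", "198.51.100.5", 53, 30),
    ("isp-b", "203.0.113.20", "198.51.100.5", 53, 45),
    ("isp-b", "203.0.113.21", "198.51.100.5", 53, 50),
    ("isp-c", "203.0.113.30", "198.51.100.5", 53, 38),
    ("isp-c", "203.0.113.31", "198.51.100.5", 53, 42),
    ("isp-c", "203.0.113.32", "203.0.113.99", 443, 500),  # one unrelated busy flow
]

# Assumed per-operator alarm threshold: packets per minute toward one destination.
PER_OPERATOR_THRESHOLD = 150


def per_operator_alerts(flows, threshold=PER_OPERATOR_THRESHOLD):
    """Sum packets per (operator, destination) and alert only where a single
    operator's own view exceeds the threshold. Returns {(operator, dst): pkts}."""
    totals = defaultdict(int)
    for operator, _src, dst, _dport, pkts in flows:
        totals[(operator, dst)] += pkts
    return {key: pkts for key, pkts in totals.items() if pkts > threshold}


def pooled_alerts(flows, threshold=PER_OPERATOR_THRESHOLD, min_sources=1):
    """Apply the same threshold to the pooled view that operators can build by
    sharing per-destination packet counts and distinct-source counts.
    min_sources separates a distributed pattern from one busy flow.
    Returns {dst: (pkts, distinct_sources)}."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for _operator, src, dst, _dport, pkts in flows:
        totals[dst] += pkts
        sources[dst].add(src)
    return {
        dst: (pkts, len(sources[dst]))
        for dst, pkts in totals.items()
        if pkts > threshold and len(sources[dst]) >= min_sources
    }


if __name__ == "__main__":
    print("per-operator:", per_operator_alerts(FLOWS))
    print("pooled:", pooled_alerts(FLOWS, min_sources=5))
```

In this constructed data every operator's slice of the traffic toward 198.51.100.5 (105, 95 and 80 packets) is under the threshold, so the only per-operator alert is the unrelated 500-packet flow; the pooled view shows 280 packets from seven sources toward the same destination. The pooled counts are exactly the kind of low-sensitivity data (no subscriber identity, only per-destination aggregates) that the sharing initiatives discussed later in this paper aim to exchange.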
Protect

Network service providers use a variety of techniques to protect their networks from attacks and undertake measures to help their customers protect themselves from attacks.

Network service providers use different filtering techniques to directly protect their network infrastructure (e.g., routers, servers). Bots often spoof the source IP address in the attack packets. This is typically seen in network reflection attacks, but as seen in high volume attacks such as the Mirai botnet or Dyn attack, an attack can succeed even without IP spoofing. Regardless, as a best common practice, most, if not all, network service providers perform network filtering for spoofed IP addresses.[30]

Network service providers also use a combination of other filtering techniques such as Access Control Lists (ACLs), traffic policing, blackholing, and sinkholing in their networks to filter known botnet traffic. These techniques can be effective for neutralizing the C&C traffic for client-server botnets. They are less effective against more advanced botnets that use peer-to-peer architecture, encryption, and/or fast flux DNS techniques for their C&C channel. Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Network service providers also have made large investments in DDoS scrubbing systems to "scrub" out DDoS attacks against their networks and their customers who have purchased DDoS mitigation services. DDoS scrubbing systems rely upon diverting the victim's traffic through the scrubber "on-demand" to filter out attack traffic from good traffic, and then place it back on the provider's network to send it to its original destination. Network service providers use a combination of in-house scrubbing systems and third-party scrubbing systems via contracts with third party DDoS mitigation providers. However, network service providers do not have the capacity to scrub all traffic all of the time.

[29] Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
[30] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, Best Current Practice (BCP) 38 (May 2000), available at https://tools.ietf.org/html/bcp38 (accessed June 20, 2017); F. Baker and P. Savola, Ingress Filtering for Multihomed Networks, BCP 84 (Mar. 2004), available at https://tools.ietf.org/html/bcp84 (accessed June 20, 2017); and Mutually Agreed Norms for Routing Security (MANRS), Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).
In addition to scrubbing traffic, many providers use the Flowspec[31] capabilities of BGP to dynamically block easily identifiable traffic on the router. The traffic is usually blocked using the basic five-tuple of values found in IPFIX[32] (source and destination IP, source and destination port, and protocol). Flowspec is advantageous in that BGP updates can be made and withdrawn fairly quickly in the network, allowing for faster mitigation.
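The five-tuple matching that a Flowspec rule expresses, as an added example rather than code from the paper or from any router vendor: a small rule table that is announced, applied to IPFIX-like flow records, and withdrawn once the attack subsides. The rule fields are this example's own simplification of what a Flowspec route carries (prefixes, protocol, ports, an action), the action names "discard" and "rate-limit" are assumed labels rather than the Flowspec encoding, and the flow records and addresses are constructed.

```python
"""Added example: first-match evaluation of Flowspec-style five-tuple rules
over constructed IPFIX-like flow records. Simplified; not a BGP implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    """One rule; a None component matches anything (this example's convention)."""
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    protocol: Optional[int] = None   # IP protocol number: 17 = UDP, 6 = TCP
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    action: str = "discard"          # assumed action labels: "discard" or "rate-limit"

    def matches(self, flow):
        if self.dst_prefix is not None and \
                ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.src_prefix is not None and \
                ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src_prefix):
            return False
        for field, key in (("protocol", "proto"), ("dst_port", "dport"), ("src_port", "sport")):
            want = getattr(self, field)
            if want is not None and flow[key] != want:
                return False
        return True


class FlowspecTable:
    """Installed rules evaluated in order; first match wins (a simplification of
    the ordering real routers apply to Flowspec routes)."""

    def __init__(self):
        self.rules = []

    def announce(self, rule):
        if rule not in self.rules:
            self.rules.append(rule)

    def withdraw(self, rule):
        self.rules = [r for r in self.rules if r != rule]

    def verdict(self, flow):
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return "accept"

    def apply(self, flows):
        """Packet totals per verdict over a batch of flow records."""
        counts = {}
        for flow in flows:
            verdict = self.verdict(flow)
            counts[verdict] = counts.get(verdict, 0) + flow["pkts"]
        return counts


# Constructed flow records with IPFIX-like keys; 198.51.100.0/24 is the customer under attack.
FLOWS = [
    {"src": "203.0.113.7", "dst": "198.51.100.20", "proto": 17, "sport": 123, "dport": 40112, "pkts": 90000},
    {"src": "203.0.113.8", "dst": "198.51.100.20", "proto": 17, "sport": 123, "dport": 40113, "pkts": 85000},
    {"src": "192.0.2.15", "dst": "198.51.100.20", "proto": 6, "sport": 51234, "dport": 443, "pkts": 120},
    {"src": "192.0.2.16", "dst": "198.51.100.30", "proto": 17, "sport": 53, "dport": 33000, "pkts": 40},
]


def mitigate_udp_reflection():
    """Drop UDP traffic sourced from port 123 toward the victim prefix only, so
    the customer's TCP/443 sessions and DNS answers keep flowing; then withdraw."""
    table = FlowspecTable()
    rule = FlowRule(dst_prefix="198.51.100.0/24", protocol=17, src_port=123, action="discard")
    table.announce(rule)
    during = table.apply(FLOWS)
    table.withdraw(rule)          # the BGP withdraw once the attack subsides
    after = table.apply(FLOWS)
    return during, after


if __name__ == "__main__":
    print(mitigate_udp_reflection())
```

The point of matching on the full tuple rather than the destination alone is visible in the counts: the rule discards the 175,000 reflected packets while the 160 legitimate packets to the same prefix are accepted, and after the withdraw everything is accepted again.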
Network service providers also can provide specific tools and services to their customers to protect themselves, including end-point anti-virus software and home gateways with integrated security.[33] Large ISP customers operating stub networks or edge providers also can use a technique to mitigate DDoS attacks known as Anycast, which allows multiple hosts or end-points to have the same IP address. By geographically distributing these hosts, the magnitude of the DDoS attack needs to be significantly larger to account for the distributed hosts and succeed at disrupting the site or service. Anycast services can be deployed by edge providers or purchased from DDoS mitigation partners.

Several network service providers also offer a suite of managed security services including but not limited to the DDoS scrubbing services mentioned above. These can include capabilities such as network based firewalls, mobile device management services, threat analysis and event detection, secure VPN connectivity to the cloud, and web and email security.

Respond & Recover

Today, as outlined in the Cybersecurity Framework, when a network service provider detects malicious traffic from a bot either on its network or toward an end-point on its network, it responds and recovers as necessary. The response consists of mitigating the impact from the malicious traffic, and, if necessary, remediating the infected end-point.

To mitigate the malicious traffic, the network service provider must first determine the scope of the impact from the malicious traffic. For malicious traffic that is impacting its network or its ability to deliver service, the network service provider will need to work to filter out the malicious traffic using one of the filtering techniques (e.g., ACL, blackhole, sinkhole, or scrub) described earlier. In addition, if the malicious traffic is inbound toward its network, the network service provider may contact the upstream network and ask it to filter the traffic emanating from that network.

[31] Leonardo Serodio, Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec (May 2013), available at https://nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf (accessed July 7, 2017).
[32] B. Claise, B. Trammell, and P. Aitken, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, IETF Tools (Sept. 2013), available at https://tools.ietf.org/html/rfc7011 (accessed July 7, 2017).
[33] McAfee, McAfee Web Gateway, available at https://www.mcafee.com/us/products/web-gateway.aspx (accessed July 7, 2017).
For malicious traffic that is determined to be emanating from a customer end-point on its network, the network service provider, as recommended in the voluntary Anti-Bot Code of Conduct for Internet Service Providers (ABC for ISPs),[34] will:
• Detect – identify and detect botnet activity in the ISP's network or on behalf of enterprise customers who have purchased services from the ISP to determine potential bot infections on end-user devices;
• Notify – notify end-users, including potentially both consumers and enterprise business clients, of suspected bot infections;
• Remediate – provide information to end-users about how they can remediate bot infections and/or actively assist enterprise business clients in remediating the impacts of botnets; and
• Collaborate – provide feedback and experiences learned to other ISPs.
Emerging Solutions

The internet ecosystem is continuing to improve its ability to mitigate the attacks from botnets. Efforts are underway to improve both detection and mitigation capabilities.

Technological Approaches. Many malware families use a technique known as a domain generation algorithm (DGA) to periodically generate a large number of domain names that can be used as rendezvous points for their C&C servers in an attempt to obfuscate the botnet's true infrastructure. Currently, security investigators can work to reverse engineer the DGA used by each variant of malware. The reverse engineering can be a time-consuming process, and is often an ineffective whack-a-mole approach. To address this issue, industry has been investigating how to apply machine learning to automate the process and work in real-time as the malware registers domain names with an internet registry. Efforts are underway to commercialize and integrate machine learning for botnet detection into network protection products.

[34] Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), ABCs for ISPs, available at https://www.m3aawg.org/abcs-for-ISP-code (accessed June 20, 2017).
Newer botnets now often use encryption (e.g., TLS[35]) to hide their C&C channel. The Secure Sockets Layer (SSL) Blacklist (SSLBL) project[36] illustrates that even though the botnet is using encryption, it is still possible to detect the botnet. It is possible to identify the bot's C&C traffic by inspecting the malicious SSL certificates to generate a unique SHA-1[37] fingerprint for each botnet using deep packet inspection (DPI). Efforts are underway to commercialize this approach and integrate the methods into network protection systems to allow for real-time fingerprinting and mitigation of botnets.

In addition, researchers are developing the use of tarpits at network scale to slow the propagation of botnets.[38] Researchers are investigating how to turn unused IP address space into botnet tarpits.[39] The basic idea is to route all inbound traffic that is addressed to the unused IP addresses to the tarpit. The tarpit has a set of programmed rules for how to respond, and thereby extends the time it takes for a botnet to work its way up the kill chain.[40] By extending the time, the targets of the attack have more time to determine what additional defensive measures need to be put in place to neutralize the attack, if any.

In addition to tarpits, network providers have undertaken efforts to determine how to leverage the features of Software Defined Networks (SDNs) to help mitigate attacks from botnets. SDNs provide the capability to dynamically create overlay networks. When combined with other network partitioning techniques and technology, it becomes possible to dynamically create virtual lanes for the different IP-based services. With this approach, IoT providers can work with network service providers to create end-to-end virtual lanes from the IoT device through the network to the cloud-based service. This process ensures a compromised IoT device cannot communicate with unauthorized endpoints. In other words, a compromised device could not be used in a DDoS attack or send information to non-authorized hosts. The Network Slicing feature in 5G networks is a good example of this,[41] and similar approaches are being investigated for SDN-enabled wireline networks.

[35] E. Rescorla and N. Modadugu, Datagram Transport Layer Security Version 1.2, IETF Tools (Jan. 2012), available at https://tools.ietf.org/html/rfc6347 (accessed June 20, 2017).
[36] SSL Blacklist, SSL Blacklist, available at https://sslbl.abuse.ch/blacklist/ (accessed June 20, 2017).
[37] SHA-1 – Secure Hash Algorithm 1 is a cryptographic hash function that generates a 20-byte hash value used by many security applications and protocols including TLS and SSL as part of encrypting data.
[38] Labrea, Tom Liston Talks about Labrea, available at http://labrea.sourceforge.net/Intro-History.html (accessed July 17, 2017).
[39] Tarpits are defensive measures against attacks where the server purposely delays incoming connections to make spamming and broad scanning less effective.
[40] Eric Hutchins, Michael Cloppert, and Rohan Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, CND Papers (Nov. 21, 2010), available at http://papers.rohanamin.com/?p=15 (accessed July 7, 2017).
Collaboration Initiatives. Several industry-led initiatives are underway to improve automated cyber threat information sharing. The Cybersecurity Information Sharing Act (CISA), enacted in 2015, and the subsequent rollout of the DHS Automated Information Sharing (AIS) capability are helping to facilitate machine-to-machine (M2M) initiatives.

There are at least two other automated M2M sharing initiatives that may be useful in combatting botnets. Both have a common goal of ensuring that the cyber threat information being shared is "actionable" by the recipient. The paradigm in the past often has been for networks to try to build better protection at their network ingress points. These initiatives share information with neighboring networks to mitigate the threat as close to the source of the malicious traffic as possible.

The Internet Engineering Task Force (IETF) is developing a protocol called DDoS Open Threat Signaling (DOTS)[42] for the real-time exchange of DDoS-related telemetry between DDoS mitigation network elements. The IETF DOTS protocol is working to improve the cooperation between DDoS attack victims and parties that can help in mitigating such attacks. The protocol will support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries (e.g., network-to-network).

The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) DDoS special interest group[43] members are collaborating on a similar endeavor. M3AAWG is developing an application program interface (API), data store, and open source reference implementations for network service providers to share DDoS threat indicators for the purpose of identifying sources of DDoS attack traffic, but not for mitigating attacks in real time. M3AAWG's approach allows network service providers to share, in an anonymous fashion, the source IP addresses of the inbound IP flows that their DDoS detection systems identify with the network on which the DDoS attack originated. This allows network operators to clean up the sources of DDoS attack traffic. By sharing only the source IP address, this approach is compatible with most of the global privacy laws with respect to the sharing of identifiable information.

[41] See 5G Americas, Network Slicing for 5G Networks & Services, available at http://www.5gamericas.org/files/3214/7975/0104/5G_Americas_Network_Slicing_11.21_Final.pdf (accessed July 7, 2017).
[42] IETF, DDoS Open Threat Signaling (dots), available at https://datatracker.ietf.org/wg/dots/about/ (accessed June 20, 2017).
[43] M3AAWG, M3AAWG Issues New Papers Explaining Password Security, Multifactor Authentication, Encryption Use and DDoS Safeguards; Announces Leadership and Committee Chairs, Press Release (Apr. 4, 2017), available at https://www.m3aawg.org/news/rel-leadership-papers-2017-04 (accessed June 20, 2017).
Challenges and Opportunities

Cybersecurity is a shared responsibility. Reducing the threats from bots, botnets, and their automated attacks requires the cooperation and collaboration of all members of the internet ecosystem. This section identifies a number of areas where the threats presented by bots and botnets can be reduced with better cooperation and collaboration by members of the internet ecosystem.

Botnet Takedowns

Challenge – No technique is more effective than law enforcement actions that lead to the arrest of the perpetrators. This is the only solution that addresses the root cause of the problem, and not just a symptom. Unfortunately, executing a botnet takedown requires significant upfront forensic analysis and careful coordination among many stakeholders, often across international borders. A limiting factor in the overall velocity of botnet takedowns is the lack of law enforcement resources. The other challenge is that most botnets are international in nature, requiring resource-intensive and time-consuming cooperation between nations.

Opportunity – Additional law enforcement resources and streamlining international processes would aid the overall botnet takedown process.

Actionable Cyber Threat Information

Challenge – Network service providers must have both accurate and actionable cyber threat information to be able to quickly neutralize botnets. For information to be actionable, the cyber threat indicator has to be correlated to a single end-point. Many of the data feeds used and shared by enterprises are long-term IP reputation lists of little value to network service providers that operate networks with a large set of subscribers that have dynamically assigned IP addresses with short leases. This means the cyber threat indicator must be timely and either include the current IP address or the IP address and a time-stamp of the malicious activity.

The same is true for IP addresses of the botnet C&C servers. C&C servers often do not have a static IP address. Often the C&C servers are on shared hosts where a single IP address is shared by multiple hosts. In addition, the C&C servers may have a pool of IP addresses or shared hosts that they rotate through.

Network service providers need a single, highly reliable, near-term indication that an IP address has generated malicious traffic or has been scanned to show exposed vulnerable services, as well as the compromised hosts.

Opportunities – Experts agree that cyber threat information needs to be timely and targeted to be effective. The cyber information sharing initiatives of the IETF's DOTS Working Group and the M3AAWG DDoS SIG are steps in the right direction. DHS's AIS[44] also provides an opportunity to improve and enhance the timely and tailored sharing of cyber threat indicators to meet recipients' needs.
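The "IP address plus time-stamp" requirement above, as an added example that is not part of the paper: an indicator is resolved against a DHCP lease log, and the same address without a time-stamp maps to several subscribers, which is why a long-term reputation list is not actionable on a network with short leases. The lease records, subscriber identifiers and indicator format are constructed for this example; a real lease log would also have to be retained for at least as long as indicators arrive late.

```python
"""Added example: resolving (IP, timestamp) indicators to a single subscriber
through a constructed DHCP lease history. Times are UTC ISO-8601 with a Z."""
from datetime import datetime, timezone

# Constructed lease records: (ip, subscriber_id, lease_start, lease_end), end exclusive.
LEASES = [
    ("198.51.100.25", "sub-1001", "2017-06-20T00:00:00Z", "2017-06-20T08:00:00Z"),
    ("198.51.100.25", "sub-2042", "2017-06-20T08:05:00Z", "2017-06-20T16:00:00Z"),
    ("198.51.100.25", "sub-3377", "2017-06-20T16:10:00Z", "2017-06-21T00:00:00Z"),
    ("198.51.100.26", "sub-1001", "2017-06-20T08:00:00Z", "2017-06-20T20:00:00Z"),
]


def parse_ts(text):
    """Only timezone-qualified timestamps are accepted; an indicator stamped in
    an unknown local time cannot be matched against a lease log reliably."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subscribers_for_ip(ip, leases=LEASES):
    """Every subscriber that ever held the address: all a reputation list
    without a time-stamp can tell the provider."""
    return sorted({sub for lease_ip, sub, _s, _e in leases if lease_ip == ip})


def subscriber_at(ip, when, leases=LEASES):
    """Resolve an address at one instant to a single subscriber, or None if the
    address was unassigned then (e.g., between two leases)."""
    t = parse_ts(when) if isinstance(when, str) else when
    hits = [sub for lease_ip, sub, s, e in leases
            if lease_ip == ip and parse_ts(s) <= t < parse_ts(e)]
    if len(hits) > 1:
        raise ValueError(f"overlapping leases for {ip} at {t.isoformat()}")
    return hits[0] if hits else None


def actionable(indicator, leases=LEASES):
    """indicator: {"ip": ..., "observed_at": optional ISO-8601 UTC string}.
    Returns ("actionable", subscriber), ("ambiguous", [candidates]) or ("unassigned", None)."""
    ip = indicator["ip"]
    when = indicator.get("observed_at")
    if when is None:
        candidates = subscribers_for_ip(ip, leases)
        if len(candidates) == 1:
            return ("actionable", candidates[0])
        return ("ambiguous", candidates)
    sub = subscriber_at(ip, when, leases)
    return ("actionable", sub) if sub else ("unassigned", None)


if __name__ == "__main__":
    print(actionable({"ip": "198.51.100.25"}))
    print(actionable({"ip": "198.51.100.25", "observed_at": "2017-06-20T10:00:00Z"}))
    print(actionable({"ip": "198.51.100.25", "observed_at": "2017-06-20T08:02:00Z"}))
```

The third query lands in the five-minute gap between two leases and resolves to nobody, which is the safe answer: acting on the nearest lease instead would notify the wrong subscriber, the false positive the paper warns about.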
Network Address Translation

Challenge – Wireline ISPs operating IPv4 networks typically provide a residential subscriber with a single public IPv4 address. The residential subscriber often uses a home router that includes a network address translation (NAT) function, which allows them to share their one public IPv4 address with multiple devices in the home.

When an ISP receives information about a residential subscriber sending malicious traffic, that information, at best, can only contain the IPv4 address assigned to the customer and not that of the actual end-point behind the home router. The use of NAT technology makes it difficult for the ISP to identify the specific device in the subscriber's home that is sending malicious traffic.

Opportunity – IPv6 eliminates the need to use NAT for IP address sharing, as every device connected to the internet can have a publicly routable IPv6 address. While not a panacea, the elimination of NAT routers may make it easier to identify end-devices transmitting malicious traffic under certain circumstances, and to filter the suspect traffic appropriately. As of June 2017, IPv6 adoption by network providers was approximately 19% globally,[45] and 35% and growing within the U.S.

[44] DHS, Automated Indicator Sharing (AIS), available at https://www.dhs.gov/ais (accessed June 20, 2017).
Off-Net Traffic

Challenges – Because botnets are widely distributed global networks, most bots and their C&C servers are outside the network service provider's network and administrative control. In fact, numerous reports make clear that the overwhelming majority of botnet traffic originates outside the U.S.[46] Furthermore, in most cases, only a small portion of a network service provider's end-points may be infected by any single botnet, and the amount of traffic generated by the botnet on the network will be minuscule. This small amount of traffic can be very difficult to detect as it will not trigger many of the network monitoring thresholds that a network service provider has in place.

Opportunity – Addressing both of these challenges requires collaboration among network service providers, as one of the most effective measures is to filter the traffic as close as possible to the device infected with the bot. Any transit or peering agreements should include language that addresses availability and scrubbing of traffic to allow for network operators to ask the upstream provider(s) to filter malicious traffic.
End-User Notifications

Challenge – Notifying end-users and getting them to take action continues to be a challenge. There are multiple ways that members of the internet ecosystem can notify an end-user:[47]
• Email;
• Telephone call;
• Postal mail;
• Text message;
• Web browser notification;
• Walled garden; and
• Other methods.[48]

A study commissioned by M3AAWG to determine the effectiveness of various notification and remediation methods showed that the two most effective methods are a telephone call to the device user and postal mail.[49] The growing use of IoT devices in homes presents new challenges in notifying end-users. IoT devices often have limited user interfaces, thus negating a number of the notification methods (web browser, walled garden, etc.). This is further compounded by the fact that an ISP can only notify an end-user that "a device" in their home is infected, and cannot identify the specific corrupted device.

Opportunities – Various measures exist to improve device identification going forward. Better designed IoT devices that adhere to industry standards such as those being developed by the Open Connectivity Foundation (OCF)[50] are one avenue to improve security. And, as noted earlier, network operator support for IPv6 will aid in both the identification of the infected device, as well as notifying the user of the device.

[45] Google, IPv6 Adoption (June 18, 2017), available at https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption&tab=per-country-ipv6-adoption (accessed June 20, 2017).
[46] Incapsula.com, Global DDoS Threat Landscape Q4 2016 (Winter 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q4-2016.html (accessed June 20, 2017).
[47] Michael Glenn, Malware Notification and Remediation Tools and Techniques, CenturyLink presentation to NIST Workshop: Technical Aspects of Botnet (May 30, 2012), available at https://www.nist.gov/sites/default/files/documents/itl/csd/centurylink_malware_notification_and_remediation.pdf (accessed June 20, 2017).
Fast Flux DNS

Challenge – The use of fast flux[51] by malware and botnets to hide their infrastructure continues to grow. Fast flux is a DNS technique where numerous IP addresses associated with a single domain name are swapped in and out with extremely high frequency. Fast flux effectively hides the computers or servers that are performing the malicious attacks from being detected. Fast flux makes cutting off contact of the bots to the C&C servers difficult or impossible by IP address filtering alone.

Opportunity – In 2008, the ICANN Security and Stability Advisory Committee (SSAC) published a security advisory that made a number of mitigation recommendations to address fast flux DNS techniques. Among its findings and recommendations, the SSAC encouraged ICANN, registries, and registrars to consider the fast flux mitigation practices in the advisory.

Since that time, advancements in machine learning have been applied to detecting botnets using fast flux DNS techniques. Advancements in the application of machine learning to detect botnets that are making changes to DNS entries enable automation and integration into botnet detection systems.

[48] Other methods may include social media message, alert to the TV via the set-top-box, direct deposit voicemail message, etc.
[49] Georgia Tech Researchers, DNSChanger Remediation Study, Presentation to M3AAWG 27th General Meeting, San Francisco, CA (Feb. 19, 2013), available at https://www.m3aawg.org/sites/default/files/document/GeorgiaTech_DNSChanger_Study-2013-02-19.pdf (accessed June 20, 2017).
[50] See Open Connectivity Foundation, available at https://openconnectivity.org/ (accessed June 20, 2017).
[51] ICANN Security and Stability Advisory Committee (SSAC), SAC025 SSAC Advisory on Fast Flux Hosting and DNS (Mar. 2008), available at https://www.icann.org/en/system/files/files/sac-025-en.pdf (accessed June 20, 2017).
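The DNS-side signal that the fast flux detection described above keys on, as an added example that is not the paper's or any product's code: a resolver's observed answers for each domain are reduced to how many distinct addresses and distinct /16 networks have been seen and how short the TTLs are, and a domain whose answers churn through many addresses in many networks with short TTLs is flagged. The observations, domain names under .test, the /16 grouping and the thresholds are constructed assumptions of this example; a production detector would add ASN diversity and the trained model the paper describes.

```python
"""Added example: feature extraction over constructed DNS answer observations
and a heuristic fast-flux flag. Thresholds are this example's assumptions."""
from collections import defaultdict
import ipaddress

# Constructed observations: (domain, seconds since start, answer TTL, A records returned).
OBSERVATIONS = [
    ("shop-example.test", 0, 3600, ["198.51.100.10"]),
    ("shop-example.test", 3600, 3600, ["198.51.100.10"]),
    ("shop-example.test", 7200, 3600, ["198.51.100.10", "198.51.100.11"]),
    ("flux-example.test", 0, 180, ["203.0.113.5", "192.0.2.77", "198.51.100.200"]),
    ("flux-example.test", 180, 180, ["203.0.113.9", "192.0.2.130", "198.51.100.23"]),
    ("flux-example.test", 360, 180, ["203.0.113.44", "192.0.2.201", "198.51.100.250"]),
    ("flux-example.test", 540, 180, ["203.0.113.77", "192.0.2.8", "198.51.100.3"]),
]


def flux_features(observations):
    """Per-domain address diversity and TTL summary from observed answers."""
    acc = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "answers": 0})
    for domain, _ts, ttl, ips in observations:
        f = acc[domain]
        f["answers"] += 1
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
        for ip in ips:
            f["ips"].add(ip)
            # /16 as a crude proxy for "different networks" (assumption; ASN lookup is better)
            f["nets"].add(str(ipaddress.ip_network(ip + "/16", strict=False)))
    return {
        domain: {
            "distinct_ips": len(f["ips"]),
            "distinct_nets": len(f["nets"]),
            "min_ttl": f["min_ttl"],
            "answers": f["answers"],
            "new_ips_per_answer": len(f["ips"]) / f["answers"],
        }
        for domain, f in acc.items()
    }


def is_fast_flux(feat, min_ips=8, min_nets=3, max_ttl=300):
    """Many addresses, spread across networks, with short TTLs (assumed cut-offs)."""
    return (feat["distinct_ips"] >= min_ips
            and feat["distinct_nets"] >= min_nets
            and feat["min_ttl"] <= max_ttl)


def flag_fast_flux(observations, **thresholds):
    feats = flux_features(observations)
    return sorted(d for d, f in feats.items() if is_fast_flux(f, **thresholds))


if __name__ == "__main__":
    for domain, feat in flux_features(OBSERVATIONS).items():
        print(domain, feat, "FLUX" if is_fast_flux(feat) else "ok")
```

Content delivery networks also answer with short TTLs and rotating addresses, so on its own the TTL feature is a poor discriminator; the network-diversity and per-answer churn features are what separate the constructed flux domain (twelve addresses in three /16s over four answers) from the ordinary one (two addresses in one /16).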
Insecure IoT Devices

Challenge – As discussed throughout this paper, the growing installed base of IoT devices is making such devices attractive targets for cyber criminals to infect with bot code. A good example is the recent Mirai botnet attack, in which unsecured, internet-connected IoT security cameras were infected to generate a massive DDoS attack. This is not a new phenomenon; the problem has been around for years, as for years many consumer-grade home routers shipped with known vulnerabilities that have been exploited to generate large-scale DNS amplification attacks.

The types of known vulnerabilities[52] found in many IoT devices on the market today include:
• Shipping IoT devices with out-of-date software containing known vulnerabilities and lacking the capability for an automated software update;
• Protection only by factory default or hardcoded usernames and passwords;
• Unauthenticated communications;
• Unencrypted communications; and
• Lack of mutual authentication and authorization.

Insecure IoT devices present a unique challenge as once they are compromised it is often impossible for the end-user to detect that they have been compromised and, as noted earlier, it is difficult for a network service provider to notify the end-user that their device has been compromised. Even after the end-user is aware of the compromise, it is often impossible to remediate the problem due to either the lack of a software update and/or lack of automated software updates.

Opportunity – IoT devices can be better secured through the use of network/path isolation.[53] Network/path isolation techniques (VPNs, VLANs, policy based routing, network slicing, etc.) can be used to create independent logical traffic paths. These independent logical traffic paths ensure the IoT traffic can only reach the designated endpoints. This helps to mitigate the impacts of any malicious traffic that a compromised IoT device may send.

With the advances in network function virtualization (NFV) and SDNs, opportunities exist for IoT manufacturers to design devices to use network/path isolation techniques as part of their service. Additionally, opportunities exist for network service providers to offer network/path isolation as a service to IoT providers or end-users for their IoT devices.

[52] Broadband Internet Technical Advisory Group (BITAG), Internet of Things Security and Privacy Recommendations (Nov. 2016), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).
Amplification Attacks

Challenge – An amplification attack is a type of DDoS attack that takes advantage of the fact that a small query such as a DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system. The asymmetric nature of amplification attacks makes them a preferred choice for DDoS attacks. Amplification attacks often leverage UDP based protocols such as the DNS protocol, network time protocol (NTP), character generator (CharGEN), and quote of the day (QOTD). Approximately 15 internet protocols are susceptible to amplification attacks.[54] Internet engineers developed an extension to the DNS protocol, called DNS Security (DNSSEC), to address DNS vulnerability to DNS cache poisoning. Unfortunately, a side effect of this fix is that the security extension to DNS makes the DNS responses much larger and helps to further amplify the attack.

The implementation of source address validation (SAV)[55] as recommended in IETF BCP 38/84 prevents amplification attacks with spoofed source addresses. Although most large U.S. network service providers[56] have implemented source address validation, approximately 30% of the overall IP address space is still spoofable.[57]

Opportunity – The use of IP filtering or source address validation (SAV) as outlined in the IETF's best common practices (BCP) 38 and 84 for spoofed IP addresses is a proven technique to mitigate DDoS amplification attacks using spoofed source addresses.

[53] Cisco, Network Virtualization -- Path Isolation Design Guide (July 22, 2008), available at http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html (accessed June 20, 2017).
[54] United States Computer Emergency Readiness Team (US-CERT), UDP-Based Amplification Attacks, Alert (TA14-017A) (Nov. 4, 2016), available at https://www.us-cert.gov/ncas/alerts/TA14-017A (accessed June 20, 2017).
[55] SAV has been a best practice by ISPs for a long time (see IETF RFC 2267 published in 1998), but due to the difficulty of implementing SAV in some commercial situations it may not be fully implemented across ISPs' networks.
The Mutually Agreed Norms for Routing Security (MANRS)[58] is an industry-led effort to codify a set of shared values for network operators into a set of definitions and ideal behaviors. MANRS recommends the implementation of anti-spoofing filtering to prevent packets with incorrect source IP addresses from entering or leaving the network. To date, over 45 network operators are participating in MANRS. The opportunity exists to get the spoofable address space to near zero with every network operator participating in MANRS.
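The anti-spoofing filtering that BCP 38/84 and MANRS call for, both in the Protect section earlier and in the amplification discussion just above, as an added example that is not code from the paper, the IETF or any router vendor: a model of the ingress rule (a packet arriving on a customer interface may only carry a source address from a prefix assigned to that interface) and an audit that reports which sampled packets a filter would drop. The interface names, prefixes and packet samples are constructed for this example, and treating an unknown interface as fail-closed is this example's choice rather than a BCP 38 requirement.

```python
"""Added example: BCP 38-style source address validation on customer-facing
interfaces, modelled with the standard ipaddress module. All data is constructed."""
import ipaddress

# Constructed: prefixes assigned to each customer-facing interface.
INTERFACE_PREFIXES = {
    "cust-eth1": ["203.0.113.0/25", "2001:db8:1::/48"],
    "cust-eth2": ["203.0.113.128/25"],
}


def build_sav_filters(interface_prefixes):
    """Parse the per-interface prefix lists once."""
    return {ifc: [ipaddress.ip_network(p) for p in prefixes]
            for ifc, prefixes in interface_prefixes.items()}


def ingress_allowed(filters, interface, src):
    """BCP 38 check: the source must fall inside a prefix assigned to the
    ingress interface. Unknown interfaces fail closed (this example's assumption)."""
    addr = ipaddress.ip_address(src)
    allowed = filters.get(interface)
    if allowed is None:
        return False
    return any(addr.version == net.version and addr in net for net in allowed)


# Constructed packet sample: (ingress interface, source, destination).
PACKETS = [
    ("cust-eth1", "203.0.113.5", "198.51.100.53"),          # legitimate
    ("cust-eth1", "2001:db8:1::10", "2001:db8:ffff::1"),    # legitimate IPv6
    ("cust-eth1", "198.51.100.7", "192.0.2.123"),           # spoofed: not a customer prefix
    ("cust-eth1", "203.0.113.200", "192.0.2.123"),          # spoofed: prefix belongs to cust-eth2
    ("cust-eth2", "203.0.113.200", "192.0.2.53"),           # legitimate on its own interface
]


def audit(packets, interface_prefixes=INTERFACE_PREFIXES):
    """Count what a SAV filter would pass and list what it would drop."""
    filters = build_sav_filters(interface_prefixes)
    dropped = [(ifc, src) for ifc, src, _dst in packets
               if not ingress_allowed(filters, ifc, src)]
    return {"passed": len(packets) - len(dropped), "dropped": dropped}


if __name__ == "__main__":
    print(audit(PACKETS))
```

The fourth packet is the case BCP 84 exists for: the source is a legitimate customer prefix, just not on the interface it arrived on. Strict per-interface filtering is correct for single-homed stub customers like these; for multihomed customers whose traffic can legitimately arrive asymmetrically, BCP 84 discusses looser checks, which is the "difficulty of implementing SAV in some commercial situations" the footnote refers to.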
Network-to-Network Coordinated Network Management

Challenge – Although network management may sound simple and desirable, it is not without challenges, especially given the negative impact on internet end-users. Ideally botnet mitigations would be fast and directed at the source of the attack. Advancements in how networks are architected using SDNs and the use of automated M2M sharing of cyber threat indicators start to make it technically viable for network operators to automate the coordination of their botnet mitigations and reduce the response time to when either a malicious bot is detected on a network or a botnet is initiating an attack. But there are challenges, ranging from technical to contractual, and policy issues.

The technical challenges include both detection and mitigation. Without a source of ground truth for what is and isn't botnet traffic, given that botnet traffic is often designed to look like normal internet traffic, there is the potential for false positives. Even with a source of ground truth, botnet mitigation methods will vary from network to network due to inherent differences in how the networks are designed and built, as well as the differences in service level agreements between network service providers and their customers.

Blindly mitigating botnets through the use of automation is fraught with risks. There are many cases where a command and control server is not owned or completely under the control of the bot operator such as: 1) shared server DNS, 2) shared IPs, and 3) public websites.[59] Blindly applying a botnet mitigation method such as filtering the IP address would prevent all the services that share the resource (e.g., DNS, shared server, or service) from being accessible. The challenge is not limited to shared resources. Without full knowledge of the service level agreement in place between the network service provider and customer, a network service provider cannot blindly filter the traffic to that end-point.

[56] MANRS, Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).
[57] Center for Applied Internet Data Analysis, State of IP Spoofing, available at https://spoofer.caida.org/summary.php (accessed June 20, 2017).
[58] MANRS, Mutually Agreed Norms for Routing Security (MANRS) Document (Sept. 8, 2016), available at http://www.routingmanifesto.org/manrs/ (accessed June 20, 2017).
In addition, within the telecom/ISP industry there is an emerging trend toward the adoption of SDN, which is still in its infancy, but generally describes the automation of management and orchestration of network assets and services. Typically, this includes the coupling of big data frameworks that leverage advanced analytics and machine learning to serve as feedback loops for these SDN-driven networks to predict, recommend, and prescribe in an effort to improve responsiveness and resilience of their assets and services. Such implementations vary widely in terms of capability and maturity across providers, and in most cases reflect highly protected intellectual property that provides a uniquely competitive experience and offerings. Nevertheless, such an ecosystem could be used as an attack mitigation strategy.

Deployment of SDN and these tools is well beyond the conceptual stages; it is the complexity and cost of global implementation across highly heterogeneous networks that stand as obstacles to providers' speed in implementing them.

Opportunity – Better collaboration and coordination can reduce the time that it takes to respond to cyber threats. As mentioned earlier, industry is developing solutions such as the IETF DOTS, M3AAWG DDoS SIG's information sharing pilot, and an information sharing pilot being led by CTIA that will reduce the response time by sharing "actionable" cyber threat information. In addition, as threat information sharing platforms mature in their capabilities, this will aid in reducing network operators' response time.

The key for any successful coordinated network management against botnets is close, trusted collaboration and communications between stakeholders.

[59] Public websites include sites like Twitter, Amazon AWS, Google Cloud, and Rapidshare.
Industry Recommendations

This paper sets forth some of the problems presented by bots and botnets and the challenges and opportunities facing the owners and operators of broadband networks. The following section focuses on the preliminary recommendations that may be actionable by not only network service providers but the entire internet ecosystem to help reduce the threats from botnets using existing technology. The preliminary recommendations here are from the CSCC's perspective. There is a need to discuss best practices and capabilities for all segments of the ecosystem including software developers along with cloud, hosting, and application infrastructure providers.
Attack Mitigation

• Encourage continued migration to all IPv6.
The broad use of IPv6 will allow devices to have a unique address and can make it easier to track down the source of malicious traffic under certain circumstances.

• Ensure that shared cyber threat information is actionable and tailored to meet the needs of recipients.
Cyber threat information that is shared between internet stakeholders needs to be actionable by the recipients. Information sharing pool participants should tailor the information they share with their peers to be actionable.

• Include pre-negotiated provisions for traffic filtering in transit and peering agreements.
Network service operators of all sizes (ISPs, enterprises, governments, educational institutions, etc.) and end-users should ensure they have provisions in place with their internet transit providers and peering networks to provide for upstream filtering and scrubbing of malicious traffic.

• Streamline the law enforcement botnet takedown process.
Law enforcement can play a key role in neutralizing botnets. Efforts are necessary to streamline the law enforcement process to increase the speed and efficacy of law enforcement botnet takedowns.

• Encourage ICANN, registries, and registrars to adopt the fast flux mitigation techniques in SAC025 SSAC Advisory on Fast Flux Hosting and DNS.
The internet ecosystem should encourage ICANN, registries, and registrars to consider and adopt the fast flux mitigation techniques in the SSAC advisory.

• Adapt and apply machine learning to the detection of botnets.
The internet ecosystem should move away from manually reverse engineering botnet domain generation algorithms and begin applying machine learning to automate the real-time detection of botnets using fast flux, encryption, and other techniques to mask their infrastructure.
Endpoint Prevention

• Ensure all end-points including IoT devices adhere to industry developed security standards.
Multiple industry-led efforts are underway to develop security standards for IoT devices. IoT device manufacturers and IoT service providers should work to ensure all IoT devices adhere to their respective industry security standards and best practices for IoT security.

• Ensure end-points are running up-to-date software.
As the saying goes, "an ounce of prevention is worth a pound of cure." This applies to consumer/customer end-points as well. Ensuring that all end-points (desktops, mobile, IoT, etc.) are running up-to-date software with the latest security patches and updates will help tremendously in reducing the number of infected and compromised end-points on the internet.

• IoT devices should use network isolation and/or network-based filtering techniques for any communications to cloud-based services.
Network isolation and/or network based filtering are proven techniques for reducing the ability of a rogue internet end-point to do harm.[60] IoT device manufacturers and IoT service providers should design their products and services to make use of these techniques.
Conclusion
Cybersecurity is a shared responsibility. Securing the internet from threats from botnets requires the collaboration and cooperation of all members of the internet ecosystem, both domestically and internationally. The preliminary recommendations in this paper represent just some of the many ways that botnet threats and their capacity for harm can be reduced through broad engagement by the stakeholders.
About the Authors
Matt Tooley is the Vice President of Broadband Technology at NCTA – The Internet and Television Association. He is a member of the Communications Sector Coordinating Council’s Executive Committee. Tooley has over 30 years of experience in the broadband industry in developing and deploying broadband technology for internet service providers.
This paper includes key contributions from AT&T, CenturyLink and Cox Communications.
[60] BITAG, Internet of Things (IoT) Security and Privacy Recommendations (Nov. 2016) at Sec. 6 (discussing “A possible role for in-home network technology”), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).
Appendix A - Cyber Threat Reports
Top 10 Worst Botnet Countries
Rank  Country                     Number of Bots
1     China                       1,375,637
2     India                       958,814
3     Russian Federation          569,463
4     Brazil                      429,942
5     Vietnam                     380,639
6     Iran, Islamic Republic Of   242,909
7     Argentina                   177,701
8     Thailand                    173,027
9     Mexico                      145,516
10    C?*                         141,684
Source: Spamhaus as of June 29, 2017. https://www.spamhaus.org/statistics/botnet-cc/
* Spamhaus reports the tenth country on this list as “C?.”
Top 10 Botnet Traffic Attacking Countries
Rank  Country          Percentage of Attack Traffic
1     China            50.8%
2     South Korea      10.8%
3     United States    7.2%
4     Egypt            3.2%
5     Hong Kong        3.2%
6     Vietnam          2.6%
7     Taiwan           2.4%
8     Thailand         1.6%
9     United Kingdom   1.5%
10    Turkey           1.4%
Source: Incapsula Global DDoS Threat Landscape Q1 2017. https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html
Top Countries by % of Countries’ IP Addresses Participating in DDoS Attacks, Q1-Q4 2016[61]

Q1 2016
Country        % of country's IP addresses   Source IPs
Turkey         0.282%                        43,400
Brazil         0.075%                        36,472
China          0.035%                        115,478
South Korea    0.028%                        31,692
U.S.           0.005%                        72,598

Q2 2016
Country        % of country's IP addresses   Source IPs
Vietnam        0.130%                        20,244
China          0.093%                        306,627
Taiwan         0.081%                        28,546
Canada         0.026%                        20,601
U.S.           0.006%                        95,004

Q3 2016
Country        % of country's IP addresses   Source IPs
U.K.           0.036%                        44,460
Brazil         0.025%                        81,276
China          0.025%                        81,276
France         0.025%                        23,980
U.S.           0.004%                        59,350

Q4 2016
Country        % of country's IP addresses   Source IPs
Russia         0.078%                        33,211
U.K.           0.059%                        72,949
Germany        0.042%                        49,408
China          0.014%                        46,783
U.S.           0.012%                        180,652

Sources:
Akamai’s State of the Internet Security Q4 2016 report. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf
Wikipedia contributors, "List of countries by IPv4 address allocation," Wikipedia, The Free Encyclopedia, https://en.wikipedia.org/w/index.php?title=List_of_countries_by_IPv4_address_allocation&oldid=776891748 (accessed July 17, 2017).
[61] The number of source IPs participating in DDoS attacks is from the Akamai State of the Internet Security Report Q4 2016 report. The data has been normalized for the percent of a country’s assigned IPv4 addresses from IANA data at the time of the writing of this paper. The percentages may vary some from the time of the Akamai report.
Appendix B – Threats from Botnets
Click Fraud
Websites are often paid for by advertisers. Advertisers pay by the number of “clicks” or visits to the advertiser’s website. If a website or advertising broker is able to generate a perception that many people are visiting an ad, it compels the advertiser to pay for each of those visits. One way to generate lots of clicks is to command a botnet to generate those visits.
Email spam, phishing email, or malware email
Botnets are often used to originate unsolicited bulk email, which may also include distribution of malware of various types such as ransomware, links to phishing sites, and malware associated with bots. Botnets can also be used to send more mundane unsolicited sales propaganda.
Unauthorized Network Gateway
Bots within a protected network boundary such as an enterprise network can become unauthorized gateways into the protected boundary, and can be used to gain access to other resources (data or computers) within the protected boundary (aka lateral movement).
Data Theft
Bots can steal data from infected devices through means such as network monitoring, key logging, or scraping data from memory or disk. This is frequently accomplished because many bot members sit within private and enterprise networks next to assets containing the valuable data. A great amount of data theft today is accomplished with “Spear Phishing”[62] attacks where valid looking emails are sent to a person at a company and that email is used to steal intellectual property or banking information, or to host malware. A typical attack may consist of the “bad guy” sending an email to an administrative assistant or other lower level employee that looks like it came from a senior executive, whereby the “executive” is asking for the email recipient to reset a password because an “invoice needs to be paid” today. The recipient will reset the password using obfuscated links containing malware in the email. This allows the infection to begin, and the installed APT (Advanced Persistent Threat) software then conducts illegal activities.
[62] Federal Bureau of Investigation (FBI), Spear Phishers (Apr. 1, 2009), available at https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109 (accessed July 17, 2017).
Illicit Content Distribution
Bots are sometimes connected to peer-to-peer file sharing networks to help store and distribute illegal content.
Brute force password guessing
Botnets are used for brute force password guessing. One method uses high speed password guessing attempts using a random password algorithm, a password dictionary or a predefined password list. First, brute forcing can be used by an individual bot member as a recruitment method to infect other devices by scanning for any assets with a known open exposed port and then implementing one of the brute force methods explained to “guess” the password. Second, it can be used by a bot or botnet to brute force an intended target’s login credentials to gain access to the privilege or data the credential provides.
Processing Theft (e.g., Bitcoin mining)
Due to the number of bot members typically seen in botnets, and the rising price of cryptocurrency (e.g. Bitcoin), botnets are very frequently seen being used to “mine” for coins. The process for mining Bitcoins requires the solving of very complex math equations which, when solved, award the miner a set number of coins. In order to be successful, a miner needs a tremendous amount of computing power to solve these equations in the least amount of time. This is where a botnet can be extremely useful. By harnessing the computing power of a larger number of bots and “commanding” those bots to act as miners, the botnet owner can use the combined processing of many bots to make Bitcoin mining very lucrative.
Botnets have also been used to harness the computing power of the infected devices in order to perform Bitcoin mining or other activities for the benefit of the malicious actors running the botnet and not the legitimate owners of the computing resources.
Glossary
AIS – Automated Indicator Sharing. The Department of Homeland Security (DHS) operates a free service for the exchange of cyber threat indicators.
Bot – A program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks, typically under the command and control of a remote administrator (aka botmaster or bot herder).
Botnet – A network of internet-connected end-user computing devices infected with bot malware, which are remotely controlled by third parties for nefarious purposes.
Command & Control (C&C) – A remote computer used to coordinate the actions of bots.
CTI – Cyber Threat Indicator is the information that is necessary to describe or identify an attribute of a cybersecurity threat.
DDoS – Distributed Denial of Service attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
DNS – Domain Name System is the hierarchical decentralized naming system for resources connected to the internet.
DNS Water Torture – An attack type where many end-points send queries for a victim’s domain with a random string prepended to the domain, overwhelming the victim’s authoritative DNS server and making the victim’s domain inaccessible.
DOTS – DDoS Open Threat Signaling is a method by which a device or application participating in DDoS mitigation may signal information related to current threat handling to other devices or applications.
ICANN – Internet Corporation for Assigned Names and Numbers is the nonprofit organization responsible for coordinating the maintenance and procedures of the internet’s namespace.
IRC - Internet Relay Chat is an internet protocol that facilitates communicating in text using a client/server architecture.
IoT - Internet of Things is the umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet.
IPv4 – Internet Protocol version 4 is the fourth version of the Internet Protocol (IP). IPv4 is one of the core protocols and still routes most Internet traffic today.
IPv6 – Internet Protocol version 6 is the sixth version of the Internet Protocol (IP). IPv6 is the most recent version and was developed to address the anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4.
Kill Chain – Idea put forth by Lockheed Martin to describe the phases of a targeted cyber-attack: 1) reconnaissance, 2) weaponization, 3) delivery, 4) exploit, 5) installation, 6) command & control, and 7) actions.
NAT – Network Address Translation is a method for remapping one IP address space into another by modifying the address in the IP packet headers to allow multiple end-points to share one address while they transit a network router.
Network Service Provider – A network service provider or operator is any enterprise that is operating a network that has an assigned autonomous system number (ASN).
Peering – Peering is the voluntary interconnection of two separated networks for the purpose of exchanging traffic between users on each network.
Peer-to-Peer (P2P) – Traditionally botnet clients communicate to a C&C server for commands. P2P botnets operate without a C&C server, where each bot is both a client and a server.
Software Defined Networking (SDN) – An approach to computer networking that allows for the programmatic control of network behavior using open interfaces and decoupling the packet forwarding plane from the control plane to allow for the use of standard servers and Ethernet switches to provide the routing function instead of specialized routers.
SSAC – The Security and Stability Advisory Committee advises the ICANN community and Board on matters relating to security and integrity of the internet’s naming and address allocation systems.
Tarpit – A tarpit is a computer that purposely delays incoming connections. It is a defensive measure to make spamming and network scanning slower. It is analogous to a tar pit in which animals can get bogged down and slowly sink under the surface.
Transit – Internet transit is the service of allowing network traffic to “transit” a network to reach another network. Small network operators and enterprises buy Internet transit to gain access to the Internet.