DEFENSE AGAINST BOTNETS

DESCRIPTION

botnet introduction, types, ways to detect and countermeasures

Page 1: Defense against botnets

DEFENSE AGAINST BOTNETS

Page 2: Defense against botnets

Botnets:
• Introduction
• Types of Botnets
• Real World Scenarios

Defense:
• Detection of Botnets
• Counter Measures

STRUCTURE

Page 3: Defense against botnets

INTRODUCTION

A roBot Network (botnet) consists of software stealthily installed on many computers (zombies) that are remotely controlled by a central authority.

Bot Net

Page 4: Defense against botnets

• IRC Botnets
• HTTP Botnets
• Peer-to-Peer Botnets

TYPES OF BOTNETS

Page 5: Defense against botnets

Internet Relay Chat (IRC) is a type of messaging service.

IRC Botnets use IRC servers to issue commands.

IRC BOTNETS

Page 11: Defense against botnets

HTTP BOTNETS

Page 13: Defense against botnets

PEER-TO-PEER BOTNETS

Page 14: Defense against botnets

How can botnets be used:
• Distributed Denial of Service Attacks (DDoS)
• Spamming
• Sniffing Traffic & Key logging
• Identity Theft
• Attacking IRC Chat Networks
• Hosting of Illegal Software
• Google AdSense Abuse & Advertisement Addons
• Manipulating online polls

REAL WORLD SCENARIO

Page 15: Defense against botnets

Passive: data gathered through observation.
• Packet Inspection
• Analysis of flow records
• Analysis of SPAM attacks

Active: detection by being involved, i.e. interacting with the botnet.
Drawback: can result in a DDoS attack against the analyst, or in the botnet changing its IPs, protocols etc.
• Sinkholing
• Infiltration
• Peer-to-peer botnet enumeration

DETECTION TECHNIQUES

Page 16: Defense against botnets

Packet Inspection: inspect network data packets.
• Match various protocol fields.
• Match payload against a predefined pattern of suspicious content.

Drawbacks:
• Wouldn’t scale
• Only known patterns are detected

PASSIVE DETECTION

Page 17: Defense against botnets

Analysis of flow records: tracing network traffic at an abstract level. Instead of inspecting individual packets, communication streams are considered in aggregate form. We look into:
• Source and destination address
• Related port numbers
• Duration of session
• Cumulative size and number of transmitted packets
• Protocol used inside packets

Advantage: a higher amount of traffic can be monitored. E.g. the ‘NetFlow’ protocol from Cisco.

PASSIVE DETECTION
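As an added illustration of the flow-record analysis above (not part of the original slides), the following Python script aggregates constructed NetFlow-style records by source, destination and port, then flags hosts that contact one endpoint at near-constant intervals (periodic check-ins with a control server) and hosts that open SMTP sessions to many distinct destinations (spam-bot behaviour). The CSV layout, addresses and thresholds are assumptions.

```python
import csv
import statistics
from collections import defaultdict

# Constructed NetFlow-style export (not captured data): 10.0.0.5 checks in with
# one host on the IRC port every 300 s, 10.0.0.7 opens SMTP sessions to many
# hosts, 10.0.0.9 is ordinary HTTPS use.
FLOWS = """\
start_ts,src,dst,dport,proto,duration_s,bytes,packets
1000,10.0.0.5,203.0.113.9,6667,tcp,2,310,6
1300,10.0.0.5,203.0.113.9,6667,tcp,2,298,6
1600,10.0.0.5,203.0.113.9,6667,tcp,3,305,7
1900,10.0.0.5,203.0.113.9,6667,tcp,2,301,6
1005,10.0.0.7,198.51.100.20,25,tcp,1,2200,9
1010,10.0.0.7,198.51.100.21,25,tcp,1,2210,9
1015,10.0.0.7,198.51.100.22,25,tcp,1,2190,9
1020,10.0.0.7,198.51.100.23,25,tcp,1,2205,9
1100,10.0.0.9,192.0.2.80,443,tcp,30,51000,120
"""

def parse_flows(text):
    """Parse the CSV export into dicts; timestamp and port become integers."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["start_ts"], r["dport"] = int(r["start_ts"]), int(r["dport"])
    return rows

def find_beacons(flows, min_flows=4, max_jitter=0.2):
    """Flag (src, dst, dport) tuples contacted repeatedly at near-constant intervals."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["start_ts"])
    hits = []
    for key, ts in by_tuple.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)  # low spread relative to the mean gap = regular schedule
    return hits

def find_spam_senders(flows, min_targets=4):
    """Flag sources opening SMTP (port 25) sessions to many distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == 25:
            targets[f["src"]].add(f["dst"])
    return [src for src, dsts in targets.items() if len(dsts) >= min_targets]
```

The thresholds (four flows, 20% jitter, four SMTP targets) are starting points only; tune them against the site's own baseline before alerting on them.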

Page 18: Defense against botnets

Analysis of SPAM attacks
• Spam mails are analyzed and similar templates are grouped.
• These templates can then be matched to a corresponding botnet.

For this, special honeypots called honey tokens are used.

PASSIVE DETECTION

Page 19: Defense against botnets

Honeypot: a trap to detect, deflect or in some manner counteract an attempt at unauthorized use of an information system.

Honey Token: spam traps consisting of email addresses with no productive function other than to receive unsolicited emails.

PASSIVE DETECTION
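As an added example of the spam-analysis and honey-token slides above (not from the original deck), this Python code keeps only mail delivered to spam-trap addresses, strips the parts a campaign rotates per message (URLs, numbers, whitespace) to recover the fixed template, groups messages by template, and matches each template against a catalogue of templates already attributed to a botnet. The trap addresses, messages and catalogue are constructed.

```python
import re
from collections import defaultdict

# Constructed spam-trap (honey token) addresses: no real user reads them, so
# any mail that reaches them is unsolicited by definition.
SPAM_TRAPS = {"trap-a1@example.com", "trap-b7@example.com"}

# Constructed sample mail: ids 1-3 are one campaign rotating URLs and order
# numbers, id 4 is a different campaign, id 5 is legitimate mail to a real
# mailbox and must be ignored.
MESSAGES = [
    {"id": 1, "to": "trap-a1@example.com", "body": "Your order #48213 is ready. Track it at http://a.example/t/48213"},
    {"id": 2, "to": "trap-b7@example.com", "body": "Your order #90177 is ready.  Track it at http://b.example/t/90177"},
    {"id": 3, "to": "trap-a1@example.com", "body": "Your Order #31555 is ready. Track it at http://c.example/x/31555"},
    {"id": 4, "to": "trap-b7@example.com", "body": "Cheap meds, 70% off today only: http://d.example/p"},
    {"id": 5, "to": "alice@example.com", "body": "Your order #12 is ready. Track it at http://shop.example/12"},
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")
WS_RE = re.compile(r"\s+")

def normalize(body):
    """Replace the parts a campaign rotates per message, keeping the fixed template text."""
    t = URL_RE.sub("<URL>", body.lower())
    t = NUM_RE.sub("<NUM>", t)
    return WS_RE.sub(" ", t).strip()

def group_trap_mail(messages, traps=SPAM_TRAPS):
    """Group mail that hit a trap by template: {template: {"ids": [...], "urls": {...}}}."""
    groups = defaultdict(lambda: {"ids": [], "urls": set()})
    for m in messages:
        if m["to"] not in traps:
            continue  # mail to a real mailbox is not spam by construction
        g = groups[normalize(m["body"])]
        g["ids"].append(m["id"])
        g["urls"].update(URL_RE.findall(m["body"]))
    return dict(groups)

# Constructed catalogue: normalized templates previously attributed to a botnet.
KNOWN_TEMPLATES = {
    normalize("Your order #0 is ready. Track it at http://x"): "botnet-A (constructed label)",
}

def attribute(groups, known=KNOWN_TEMPLATES):
    """Match each observed template to a catalogued botnet, or 'unknown'."""
    return {t: known.get(t, "unknown") for t in groups}
```

The URL set collected per template is what links a campaign to its hosting or redirect infrastructure once the template itself has been attributed.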

Page 20: Defense against botnets

Other Techniques:
• Analysis of log files.
• Evaluation of anti-virus software feedback.
• DNS based approaches.

PASSIVE DETECTION

Page 21: Defense against botnets

Sinkholing
• Technical countermeasure for cutting off a malicious control source from the rest of the botnet.
• E.g. by changing the targeted malicious domain name so that it points to a machine controlled by a trusted party.

ACTIVE TECHNIQUES

Page 22: Defense against botnets

Infiltration: aims to take control of the botnet.

• Hardware: if the IP address is known, all communications can be wiretapped with the help of the hosting company.

• Software: imitating the communication mechanisms used by the botnet.

ACTIVE DETECTION

Page 23: Defense against botnets

Peer-to-peer botnet enumeration: repeatedly querying peers for their neighbor list.

This includes reverse engineering.
• Creating a re-implementation of the bot to perform the enumeration task.

ACTIVE DETECTION

Page 24: Defense against botnets

Blacklisting
• Block all traffic from included addresses.
• Search engines or browsers can filter or mark such websites.

Distribution of fake/traceable credentials
• Populate fake data into our records, like credit card details.
• Fake data lowers the quality of stolen information.
• Generates mistrust among criminals.

TECHNICAL COUNTERMEASURES

Page 25: Defense against botnets

BGP Blackholing: null routing malicious hosts to deny traffic from or to their network.
Null-Routing: the process of silently dropping packets originating from or destined for such addresses.

DNS based countermeasure
• Malicious domains can be shut down.
• Requires a court warrant.
• Sometimes Twitter and RSS feeds are used to give commands; it doesn’t work in that case.

TECHNICAL COUNTERMEASURES

Page 26: Defense against botnets

Port 25 Blocking: spam mails would not be sent.

Peer-to-peer countermeasure: pollute the peer-to-peer list. Results in:
• Loss of overall connectivity
• Due to size limitations, older original peers will get replaced by fake peers.

TECHNICAL COUNTERMEASURES

Page 27: Defense against botnets

• Dedicated laws.
• User awareness.
• Use of anti-virus software etc.

SOCIAL COUNTERMEASURES

Page 28: Defense against botnets

QUERIES?

Page 29: Defense against botnets

THANKS…

STAY SECURE!!!
