1

DETECTING BOTNETS BASED ON THEIR BEHAVIORS

Presented by Abu Hamed Mohammad Misbah Uddin

Supervised by Dan Bogdanov

Motivation

Some Background

Detecting Botnets

Experimentation

  Collecting Data

  Detecting Scanner

  Detecting DDoS

  Detecting Spammer

  Detecting C&C flows

Looking Ahead

2

Botnet attacks are a major threat to service providers

Most detection is done at the application layer

If detection could be implemented at the network layer, without deep inspection, it would serve as a first level of defense

NetFlow and similar network-level logging protocols provide crucial information that can be used to trace botnets

3

Bot: malware installed on an unprotected computer that turns the machine into a zombie

Botnet: network of zombies controlled by a master, called the bot-herder, through a C&C channel

Types (based on the C&C mechanism): IRC, HTTP, P2P

Common botnet attacks: DDoS, spamming, malware spreading, online

4

Investigate the network-layer behavior patterns of botnets

Sources of information: we need a record of packet activity with enough detail to trace the communication pattern: Cisco NetFlow, Juniper cflowd, IETF IPFIX, etc.

Information we can get from a flow record: src & dst IP, src & dst port, incoming & outgoing interface, IP protocol, ToS, TCP flags, start & end time, etc.

What's next? Find the pattern using this information

5

Detecting botnets based upon attack signature (DDoS, spamming, scanning): easier to track down

Detecting botnets by analyzing C&C flows: relatively difficult, especially if it is a P2P botnet

6

Detecting C&C flows among regular flows is very difficult, especially if the C&C channel is based on a P2P protocol.

An experimental scheme defined by Timothy Strayer et al. successfully detected botnet C&C traces in a huge flow set.

Four stages: filtering, classification, correlation, topology analysis
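As an added illustration of the four stages (this is not code from the deck or from Strayer et al.), the following Python runs a toy version of the pipeline over constructed flow records. The thresholds, the list of bulk-transfer ports dropped at filtering, the "long, quiet, small-packet" classification rule and the star-shaped topology output are my assumptions, chosen to show why each stage is needed: a single long SSH session survives classification but is discarded by correlation because it has no peers.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number (6 = TCP)
    packets: int
    octets: int
    start: float    # seconds
    end: float


# Assumed thresholds for the toy pipeline; not the values used by Strayer et al.
BULK_PORTS = {80, 443, 25}     # assumed bulk-transfer ports dropped at filtering
MIN_DURATION = 60.0            # C&C sessions are long-lived ...
MAX_BYTES_PER_PACKET = 200.0   # ... carry small packets ...
MAX_PACKET_RATE = 1.0          # ... at a low rate
MIN_CLIENTS = 3                # a rendezvous point with this many clients is a hit


def filter_stage(flows):
    """Stage 1: drop flows that cannot be C&C here: non-TCP, single-packet
    (scan-like) flows, and flows to the assumed bulk-transfer ports."""
    return [f for f in flows
            if f.proto == 6 and f.packets >= 2 and f.dport not in BULK_PORTS]


def classify_stage(flows):
    """Stage 2: keep flows shaped like a chat-style control channel:
    long duration, small packets, low packet rate."""
    out = []
    for f in flows:
        duration = max(f.end - f.start, 1e-6)
        if (duration >= MIN_DURATION
                and f.octets / f.packets <= MAX_BYTES_PER_PACKET
                and f.packets / duration <= MAX_PACKET_RATE):
            out.append(f)
    return out


def correlate_stage(flows):
    """Stage 3: group candidates by remote endpoint (dst, dport) and keep only
    endpoints contacted by several distinct local clients."""
    groups = defaultdict(set)
    for f in flows:
        groups[(f.dst, f.dport)].add(f.src)
    return {ep: clients for ep, clients in groups.items() if len(clients) >= MIN_CLIENTS}


def topology_stage(groups):
    """Stage 4: express each group as a star: hub = rendezvous endpoint, leaves = clients."""
    return [{"hub": f"{dst}:{dport}", "clients": sorted(clients)}
            for (dst, dport), clients in groups.items()]


def detect_cc(flows):
    return topology_stage(correlate_stage(classify_stage(filter_stage(flows))))


def sample_flows():
    """Constructed flows (not real data): three bots holding a long session to an
    IRC-style hub, plus web traffic, a long SSH session and single-packet probes."""
    flows = []
    for i, bot in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        flows.append(Flow(bot, "203.0.113.5", 40000 + i, 6667, 6, 40, 3200, 0.0, 600.0))
    flows.append(Flow("10.0.0.20", "198.51.100.80", 50001, 443, 6, 20, 25000, 10.0, 12.0))
    # long, quiet SSH session: passes classification but has no peers
    flows.append(Flow("10.0.0.30", "198.51.100.3", 50002, 22, 6, 2000, 200000, 0.0, 3600.0))
    # single-packet probes are removed at the filtering stage
    for port in (21, 23, 3389):
        flows.append(Flow("192.0.2.9", "10.0.0.40", 1234, port, 6, 1, 40, 5.0, 5.0))
    return flows


if __name__ == "__main__":
    for hit in detect_cc(sample_flows()):
        print(hit)
```

On the sample data the only topology hit is the hub 203.0.113.5:6667 with the three bots as leaves; the SSH session is a classification false positive that correlation removes.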

7

Phase 1: NetFlow log collection; choose the toolset

Phase 2: Devise the detection mechanism from the botnet behavior using the toolset

Phase 3: Apply the mechanism to find the botnet in the

8

There are several means to collect NetFlow data, but we used the easiest way: collect existing logs from a given network. It turns out it's not so easy after all. After knocking on (practically everyone's!) door, we found a huge collection of NetFlow logs: the Internet2 Observatory Data Collection

The only problem is that there is no indication of botnet traces that we could use to evaluate the success of the mechanisms

Therefore we decided to detect botnets in the NetFlow logs using the naïve detection schemes

9

rsync: to collect data from the Internet2 Observatory Data Collection; an account had to be created beforehand

flow-tools: Internet2 NetFlow logs are stored in flow-tools format, so flow-tools was an obvious choice

Other toolsets exist (e.g. nfdump)

10

Vertical, horizontal and block scanning

If the scanner uses TCP, the flag information can be used: find the top talkers whose flows have only the TCP SYN bit set (Yiming Gong)

Our experiment found a block scanner in the NetFlow logs (probably)
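The SYN-only top-talker heuristic, as an added example that is not code from the deck or from Gong's paper. It relies on the NetFlow v5 convention that the TCP flags field is the cumulative OR of every flag seen in the flow, so a flow whose flag byte is exactly SYN never completed a handshake. It also goes a step beyond the slide by classifying each top talker as horizontal, vertical or block from the number of distinct destination hosts and ports it probed. The flow records, the threshold of 20 SYN-only flows and the CSV-style input format are constructed for the example.

```python
from collections import Counter
from typing import NamedTuple

# TCP flag bits as exported in NetFlow v5 (cumulative OR of all flags seen in the flow)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP = 6


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    flags: int


def parse_flows(text):
    """Parse constructed 'src,dst,sport,dport,proto,flags(hex)' lines."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, sport, dport, proto, flags = line.split(",")
        flows.append(Flow(src, dst, int(sport), int(dport), int(proto), int(flags, 16)))
    return flows


def is_syn_only(f):
    """A TCP flow whose cumulative flag byte is exactly SYN: the handshake never completed."""
    return f.proto == TCP and f.flags == SYN


def syn_only_top_talkers(flows, min_flows=20):
    """Sources ordered by the number of SYN-only flows they originated (assumed threshold)."""
    counts = Counter(f.src for f in flows if is_syn_only(f))
    return [(src, n) for src, n in counts.most_common() if n >= min_flows]


def scan_type(flows, src):
    """Horizontal = many hosts on one port, vertical = one host on many ports,
    block = many hosts on many ports."""
    dsts = {f.dst for f in flows if f.src == src and is_syn_only(f)}
    ports = {f.dport for f in flows if f.src == src and is_syn_only(f)}
    if len(dsts) > 1 and len(ports) > 1:
        return "block"
    if len(dsts) > 1:
        return "horizontal"
    if len(ports) > 1:
        return "vertical"
    return "none"


def sample_text():
    """Constructed flow records, not real Internet2 data."""
    lines = []
    for i in range(1, 41):   # horizontal scanner: 40 hosts, one port, SYN only
        lines.append(f"198.51.100.7,10.0.0.{i},51000,445,6,02")
    for i in range(1, 11):   # block scanner: 10 hosts x 5 ports, SYN only
        for port in (21, 22, 23, 80, 443):
            lines.append(f"198.51.100.9,10.0.1.{i},52000,{port},6,02")
    for i in range(30):      # legitimate client: completed sessions carry SYN|ACK|PSH|FIN = 0x1b
        lines.append(f"192.0.2.10,10.0.0.80,{40000 + i},80,6,1b")
    for i in range(3):       # a few failed connections stay below the threshold
        lines.append(f"192.0.2.10,10.0.0.81,{41000 + i},8080,6,02")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(sample_text())
    for src, n in syn_only_top_talkers(flows):
        print(src, n, scan_type(flows, src))
```

Because the flag byte is cumulative, a legitimate client whose sessions complete carries ACK and FIN bits and is never counted, while a handful of refused connections stays below the threshold.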

11

Common behavior of every DDoS attack: a huge number of packets (service requests, data) sent to a set of hosts/servers in a very short period (TCP SYN flood, ping flood, Smurf attack, etc.)

We devised an ICMP Unreachable message flood detection scheme: find the victims with a huge number of flows containing ICMP port/host/network unreachable messages
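The unreachable-flood scheme, as an added example that is not the deck's own code. In NetFlow v5 records an ICMP flow carries its type and code in the destination port field as type*256 + code, so destination unreachable (type 3) with network, host or port code appears as 768, 769 or 771; the example decodes that, counts such flows per destination in fixed time windows and reports destinations whose busiest window is above a threshold, together with the number of distinct senders. The window, the threshold and the flow records are constructed assumptions.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

ICMP = 1
ICMP_UNREACHABLE = 3                                  # ICMP type 3: destination unreachable
UNREACHABLE_CODES = {0: "net", 1: "host", 3: "port"}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: int     # for ICMP flows NetFlow v5 stores type*256 + code here
    start: float   # flow start, seconds


def decode_icmp(dport):
    """Split the NetFlow v5 ICMP encoding back into (type, code)."""
    return divmod(dport, 256)


def is_unreachable(f):
    if f.proto != ICMP:
        return False
    icmp_type, icmp_code = decode_icmp(f.dport)
    return icmp_type == ICMP_UNREACHABLE and icmp_code in UNREACHABLE_CODES


def unreachable_victims(flows, window=10.0, min_flows=200):
    """Bucket unreachable flows per destination into fixed time windows and report
    destinations whose busiest window holds at least min_flows (assumed threshold),
    with the number of distinct senders (many senders points to a distributed source)."""
    buckets = defaultdict(Counter)    # dst -> window index -> flow count
    senders = defaultdict(set)
    for f in flows:
        if not is_unreachable(f):
            continue
        buckets[f.dst][int(f.start // window)] += 1
        senders[f.dst].add(f.src)
    report = {}
    for dst, counts in buckets.items():
        peak = max(counts.values())
        if peak >= min_flows:
            report[dst] = {"peak_flows": peak, "senders": len(senders[dst])}
    return report


def sample_flows():
    """Constructed flows, not real data: one host receives 600 unreachables in six
    seconds from 600 different senders, plus normal ICMP background."""
    flows = []
    for i in range(600):
        code = (0, 1, 3)[i % 3]
        flows.append(Flow(f"198.51.{i % 100}.{i // 100 + 1}", "203.0.113.20", ICMP,
                          ICMP_UNREACHABLE * 256 + code, i * 0.01))
    for i in range(5):    # a few genuine port-unreachables to a normal host
        flows.append(Flow("192.0.2.33", "10.0.0.50", ICMP, ICMP_UNREACHABLE * 256 + 3, 20.0 * i))
    for i in range(50):   # echo requests (type 8) are not unreachables and are ignored
        flows.append(Flow(f"10.0.0.{i + 1}", "10.0.0.60", ICMP, 8 * 256, i * 1.0))
    return flows


if __name__ == "__main__":
    for victim, info in unreachable_victims(sample_flows()).items():
        print(victim, info)
```

Counting per window rather than over the whole log is what separates a burst from a slow trickle of legitimate unreachables; the distinct-sender count is the extra field a responder wants before calling the burst distributed.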

12

A useful piece of information: a spammer sends a lot of email but receives very little

We used the method described by Gert Vliek and found some probable spammers
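The send-versus-receive heuristic in code, as an added example that is neither the deck's code nor Vliek's implementation. Per host inside an assumed monitored network it counts SMTP (TCP port 25) sessions the host opened, sessions it accepted and the distinct servers it delivered to, then flags hosts that open far more sessions than they accept across many servers. The network, the thresholds and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

TCP, SMTP = 6, 25
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed monitored network


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: int


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def smtp_profile(flows):
    """Per local host: SMTP sessions it opened (mail it sends), sessions it accepted
    (mail it receives) and the distinct servers it delivered to."""
    prof = defaultdict(lambda: {"out": 0, "in": 0, "peers": set()})
    for f in flows:
        if f.proto != TCP or f.dport != SMTP:
            continue
        if is_local(f.src):
            prof[f.src]["out"] += 1
            prof[f.src]["peers"].add(f.dst)
        if is_local(f.dst):
            prof[f.dst]["in"] += 1
    return prof


def probable_spammers(flows, min_out=50, min_ratio=10.0, min_peers=20):
    """Hosts that open far more SMTP sessions than they accept, spread over many
    servers. Thresholds are assumed starting points, not values from Vliek's paper."""
    hits = []
    for host, p in smtp_profile(flows).items():
        ratio = p["out"] / max(p["in"], 1)
        if p["out"] >= min_out and ratio >= min_ratio and len(p["peers"]) >= min_peers:
            hits.append((host, p["out"], p["in"], len(p["peers"])))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def sample_flows():
    """Constructed flows, not real data."""
    flows = []
    for i in range(200):   # infected workstation: 200 deliveries to 200 different MX hosts
        flows.append(Flow("10.0.0.5", f"203.0.{i // 250}.{i % 250 + 1}", SMTP, TCP))
    for i in range(2):
        flows.append(Flow(f"198.51.100.{i + 1}", "10.0.0.5", SMTP, TCP))
    for i in range(150):   # legitimate mail server: sends to 30 relays, receives more
        flows.append(Flow("10.0.0.25", f"203.0.113.{i % 30 + 1}", SMTP, TCP))
    for i in range(180):
        flows.append(Flow(f"198.51.{i // 250}.{i % 250 + 1}", "10.0.0.25", SMTP, TCP))
    for i in range(3):     # workstation submitting mail to its own server
        flows.append(Flow("10.0.0.7", "10.0.0.25", SMTP, TCP))
    return flows


if __name__ == "__main__":
    for host, out, inbound, peers in probable_spammers(sample_flows()):
        print(host, "out", out, "in", inbound, "peers", peers)
```

The distinct-peer count matters: a legitimate outbound relay also sends more than it receives, but it talks to a stable set of servers, whereas a spam bot delivers directly to many MX hosts.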

13

Novel detection schemes using NetFlow data

Finding botnets by DDoS detection: use principal component analysis to find patterns in the flows, find bad changes in the pattern (a huge amount of data in a short time) and trace the nodes causing the change

Finding scanners: twenty-one metrics for finding a scanner are defined in the SiLK documentation, but using all of them together is a bit difficult. Solution: use all of them in a weighted sum. How to assign the weights?
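The weighted-sum idea, as an added example that is not the deck's code and does not reproduce the twenty-one SiLK metrics; it uses five illustrative per-source metrics of my own choosing (SYN-only fraction, distinct destinations, distinct ports, single-packet fraction, inverse bytes per flow). The step the slide's question points at is that metrics on different scales cannot simply be added, so each is min-max scaled across sources before weighting; the weights themselves are an assumed parameter, since the slide leaves their assignment open. Flow records are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

TCP, SYN, ESTABLISHED = 6, 0x02, 0x1b    # 0x1b = SYN|ACK|PSH|FIN, a completed session


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: int
    flags: int
    packets: int
    octets: int


# Assumed weights; the slide leaves weight assignment open
WEIGHTS = {"syn_only_frac": 3, "distinct_dsts": 2, "distinct_ports": 2,
           "one_packet_frac": 2, "inv_bytes_per_flow": 1}


def per_source_metrics(flows):
    """Five illustrative per-source metrics (my choice, not the SiLK list)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    metrics = {}
    for src, fl in by_src.items():
        tcp = [f for f in fl if f.proto == TCP]
        metrics[src] = {
            "syn_only_frac": sum(f.flags == SYN for f in tcp) / max(len(tcp), 1),
            "distinct_dsts": len({f.dst for f in fl}),
            "distinct_ports": len({f.dport for f in fl}),
            "one_packet_frac": sum(f.packets == 1 for f in fl) / len(fl),
            "inv_bytes_per_flow": len(fl) / sum(f.octets for f in fl),
        }
    return metrics


def normalise(metrics):
    """Min-max scale each metric across sources so all share a 0..1 range."""
    if not metrics:
        return {}
    names = next(iter(metrics.values())).keys()
    scaled = {src: {} for src in metrics}
    for name in names:
        values = [m[name] for m in metrics.values()]
        lo, hi = min(values), max(values)
        for src, m in metrics.items():
            scaled[src][name] = 0.0 if hi == lo else (m[name] - lo) / (hi - lo)
    return scaled


def scanner_scores(flows, weights=WEIGHTS):
    """Weighted sum of the scaled metrics, divided by the weight total so the
    score stays in 0..1; sources are returned best-scoring first."""
    scaled = normalise(per_source_metrics(flows))
    total = sum(weights.values())
    scores = {src: sum(weights[n] * v for n, v in m.items()) / total
              for src, m in scaled.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def sample_flows():
    """Constructed flows, not real data."""
    flows = []
    for i in range(1, 11):   # block scanner: 10 hosts x 5 ports, SYN only, one tiny packet each
        for port in (21, 22, 23, 80, 443):
            flows.append(Flow("198.51.100.9", f"10.0.1.{i}", port, TCP, SYN, 1, 40))
    for i in range(30):      # web client: few servers, completed sessions
        flows.append(Flow("192.0.2.10", f"10.0.0.{80 + i % 3}", (80, 443)[i % 2], TCP, ESTABLISHED, 20, 15000))
    for i in range(40):      # mail server: many destinations but completed sessions
        flows.append(Flow("10.0.0.25", f"203.0.113.{i + 1}", 25, TCP, ESTABLISHED, 15, 4000))
    return flows


if __name__ == "__main__":
    for src, score in scanner_scores(sample_flows()):
        print(f"{src:15s} {score:.3f}")
```

The mail server has the most distinct destinations, so a single metric would rank it first; once the SYN-only and single-packet fractions are weighted in, the scanner comes out well ahead and the mail server's score stays low.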

14

W. Timothy Strayer, David Lapsley, Robert Walsh and Carl Livadas, Botnet Detection Based on Network Behavior

Yiming Gong, Detecting worms and abnormal activities with NetFlow

Gert Vliek, Detecting spam machines, a NetFlow-data based approach

Many others

15

Dan Bogdanov, Prof. Gerald Maguire Jr., Internet2 Consortium

16