Botnets & DDoS Introduction
Kae Hsu (IS-TW)
9th TWNIC IP Open Policy Meeting, 2007/12/5, Taipei


Page 2: Botnets & DDoS Introduction

2007/12/5 2 Copyright 2007 - Trend Micro Inc.

Agenda
  • Bot
  • Botnets and the mechanisms they use
  • Botnet activities and economics
  • Harms from Botnets
  • DDoS mitigation
  • Botnet detection and defense
  • References

Page 3: Botnets & DDoS Introduction


Bot
  • Brief history of bots (summarized from “Botnets: The Killer Web App”)
    – GM (1989)
      • A robot user in an IRC channel.
    – PrettyPark (1999)
      • A bot client on Windows 95/98.
      • Malicious IRC bots.
    – SubSeven Trojan/Bot
      • Creates a backdoor in the system.
      • The SubSeven server (the backdoor component on the compromised host) could be controlled through an IRC server.
    – GT Bot (2000)
      • Based on the mIRC client.
      • Could trigger the mIRC client to run scripts received from the IRC server.
      • Supports raw TCP and UDP socket connections.
    – SDBot (2002)
      • Written in C++; the author released the source code.
      • Exploits vulnerable hosts and infects them.

Page 4: Botnets & DDoS Introduction


Bot
  • Brief history (cont.)
    – Agobot (2002)
      • Modular design.
      • Uses P2P file-sharing applications to spread.
  • Characteristic-based families
    – Spybot (2003)
      • Open-source Trojan derived from SDBot.
    – RBot (2003)
      • Most detections on the Windows platform: 1.9 million PCs (2005).
    – Polybot (2004)
      • Derived from Agobot.
    – Mytob (2005)
      • Hybrid of the MyDoom mass-mailer and IRC bot C&C functionality.

Page 5: Botnets & DDoS Introduction


Botnets and the mechanisms they use
  • Botnet
    – A set of bots controlled by a single person or organization (the botherder), which execute the commands the botherder sends.
  • Botnet life cycle
    1. Exploit a host.
    2. Report to the botherder (via the C&C channel).
    3. Retrieve the anti-antivirus module.
    4. Rally and secure the bot client.
    5. Listen on the C&C channel and receive a command.
    6. Retrieve the payload module.
    7. Execute the command.
    8. Report the result to the C&C channel.
    9. Go back to step 5.
    10. Erase all evidence and abandon the bot client.

Page 6: Botnets & DDoS Introduction


Botnets and the mechanisms they use
  • C&C: Command and Control
    – The botherder uses the C&C channel to collect bot client information and to deliver commands to the bot clients.
    – IRC is the earliest and most widely used C&C mechanism:
      • Interactive.
      • Easy to build an IRC server.
      • Easy to create and control several botnets from one server.
      • Easy to create redundancy.
    – Other C&C mechanisms:
      – Web-based C&C servers.
      – P2P botnets.
      – Random.
      – IM C&C.
      – Remote administration.
      – Drop zone and FTP-based C&C.

Page 7: Botnets & DDoS Introduction


Botnet activities and economics
  • Exploit new bot clients
  • DDoS attacks
    – DDoS ransom
  • Software installation
    – adware
    – clicks4hire
  • Spam and phishing
  • Storage and distribution of stolen or illegal data
  • Ransomware
  • Data mining
  • Reporting results
  • Erase the evidence, abandon the client
  (The slide marks six of these activities with “$$$” as revenue sources for the botherder.)

Page 8: Botnets & DDoS Introduction


Harms from Botnets
  • Spam
    – The botherder directs the bot clients to send spam e-mail.
  • DDoS – Distributed Denial of Service
    – Floods the target with a large volume of anomalous traffic, or with a large number of service requests.
    – The service on the victim is blocked because its resources are exhausted:
      – bandwidth resources
      – system resources
    – DDoS is hard to prevent:
      • It is hard to classify traffic as normal or abnormal.
        – Anomalous TCP/UDP/ICMP flooding is easy to detect.
        – Anomalous service access requests (floods of otherwise valid-looking requests) are hard to detect.
      • Congestion on the ISP uplink impacts the ISP's other customers too.
        – Traffic scrubbing on the customer side cannot help once the uplink itself is congested.

Page 9: Botnets & DDoS Introduction


Harms from Botnets
  • Botnets: the source of DDoS
    – In a botnet, the zombie PCs are used to generate the attack traffic toward the victims.
    – If a botnet has >100,000 zombie PCs and each PC generates 50 kbps of attack traffic toward the victim, the total attack traffic exceeds 5 Gbps!!!
      • 5 Gbps of traffic can congest many enterprise and ISP links.
    – If a botnet has >100,000 zombie PCs and each PC generates 1 kpps of attack traffic toward the victim, the total attack traffic exceeds 100 Mpps!!!
      • 100 Mpps of traffic can shut down a lot of enterprise and ISP equipment (forwarding capacity is limited in packets per second, not only in bits per second).
    – Most ISPs use a “black-hole” mechanism to drop the attack traffic, but it drops the normal traffic flowing to the victim as well.
      • The ISP thereby helps the cyber-criminal complete the attack: the victim is offline either way.

Page 10: Botnets & DDoS Introduction


Harms from Botnets
  • Scale of botnets:
    – Telenor takes down 'massive' botnet – more than 10,000 zombie PCs
      • http://www.theregister.co.uk/2004/09/09/telenor_botnet_dismantled/
    – Dutch botnet suspects ran 1.5 million machines
      • http://www.techweb.com/wire/security/172303160
    – Of the 600 million computers currently on the Internet, between 100 and 150 million were already part of these botnets…
      • http://news.bbc.co.uk/1/hi/business/6298641.stm
  • Strength of botnets:
    – Estonian government websites were shut down by a serious DDoS attack starting on Apr. 27, 2007.
      • At its peak on May 9, the attack shut down up to 58 sites at once.
      • Computers from the United States, Canada, Brazil, Vietnam and other countries were used in the attacks.

Page 11: Botnets & DDoS Introduction


Harms from Botnets
  • DDoS example
    [Diagram: bot clients spread across several ISPs (BOTNETS) send attack traffic over the Internet toward VICTIMS; the victims' link is congested.]

Page 12: Botnets & DDoS Introduction


Harms from Botnets
  • DDoS example (cont.)
    – All of the packets forwarded to the victim are dropped.
    [Diagram: BOTNETS send attack traffic; every packet destined for VICTIMS, attack and legitimate alike, is dropped upstream.]

Page 13: Botnets & DDoS Introduction


DDoS mitigation
  • Scrub the traffic: accept and forward the normal packets and drop the abnormal packets.
    – Build a traffic scrubbing system in your own network.
      • Congestion can still occur on the ISP border router, upstream of your scrubber.
    – Order a scrubbing service from the upstream ISP or from a scrubbing service provider, so the attack traffic is dropped before it reaches the congested link.
    [Diagram, two panels: first, scrubbing inside the victim's own network, with link congestion still present on the upstream link toward VICTIMS; second, traffic diverted through a scrubbing service provider before it reaches VICTIMS.]

Page 14: Botnets & DDoS Introduction


Botnet detection and defense
  • Internet projects to detect bots/botnets
    – Darknet
      • A subnet in which no machine is hosted.
      • There should be no normal traffic flowing to this subnet.
        – Almost all traffic that does arrive is anomalous traffic sent by malware (scans and exploit attempts).
      • It is possible to trace the compromised machines by analyzing that anomalous traffic.
    [Diagram: 172.17.12.0/24 with the router at .1, hosts .2 and .3 (the bot client) and the darknet collector at .4, connected to the Internet. The router steers the unused upper half of the /24 to the collector:]

      R(config)#ip route 172.17.12.128 255.255.255.128 172.17.12.4

      On the collector: enable promiscuous mode, analyze the exploit traffic and catch the bot client IP.

Page 15: Botnets & DDoS Introduction


Botnet detection and defense
  • Internet projects to detect bots/botnets
    – Honeypots
      • A machine that is exploited by malware on purpose.
      • Botnet life-cycle steps that are visible from the honeypot:
        » 2) Report to the botherder (via the C&C channel).
        » 5) Listen on the C&C channel and receive commands.
        » 6) Retrieve the payload module.
        » 8) Report the result to the C&C channel.
      – By sniffing and analyzing the bot's connections we can catch:
        » the IP address of the C&C
        » the IP addresses of the victims
    [Diagram: honeypot in the same LAN (.1, .2, .3, .4) with a port mirror feeding a sniffer; the honeypot's outbound connection reveals the C&C at 172.31.1.1.]
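The darknet slide and the honeypot slide come down to the same job: read flow records off the collector or the port mirror and pull out the addresses that matter. The following Python script is an added example, not code from the slides, from Trend Micro, or from the Team Cymru and Honeynet projects. It parses constructed NetFlow-style records (the honeypot address 172.17.12.5, the victim 198.51.100.20, the scan target 192.0.2.77, the IRC port set and the packet-count thresholds are assumptions made for the illustration; the darknet 172.17.12.128/25, the bot client .3 and the C&C 172.31.1.1 are taken from the slides) and applies both techniques: every source that touches the empty darknet prefix is reported as a scanner with its target and port counts, and the honeypot's outbound flows are split into the C&C peer, the flood victims and the hosts it tried to propagate to.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int


# Constructed NetFlow-style export (not captured data): ts,src,sport,dst,dport,proto,packets,octets
# 172.17.12.128/25 is the darknet half of the LAN; .3 is the bot client; .5 is the (assumed) honeypot;
# 172.31.1.1 is the C&C address from the slides; 198.51.100.20 and 192.0.2.77 are assumed targets.
SAMPLE_FLOWS = """\
1196812800,172.17.12.3,1043,172.17.12.130,445,6,3,144
1196812800,172.17.12.3,1044,172.17.12.131,445,6,3,144
1196812801,172.17.12.3,1045,172.17.12.132,445,6,3,144
1196812801,172.17.12.3,1046,172.17.12.133,135,6,3,144
1196812802,203.0.113.9,4021,172.17.12.200,1434,17,1,404
1196812803,172.17.12.2,1200,172.17.12.4,80,6,10,1200
1196812810,172.17.12.5,1025,172.31.1.1,6667,6,1200,96000
1196812811,172.17.12.5,1026,198.51.100.20,80,6,50000,2500000
1196812811,172.17.12.5,1027,198.51.100.20,80,6,50000,2500000
1196812812,172.17.12.5,1028,198.51.100.20,80,6,50000,2500000
1196812813,172.17.12.5,1029,192.0.2.77,445,6,3,144
"""


def parse_flows(text):
    """Parse comma-separated flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, pkts, octets = line.split(",")
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), int(proto), int(pkts), int(octets)))
    return flows


def darknet_sources(flows, darknet_prefix):
    """Darknet: nothing legitimate should talk to the empty prefix, so every source that
    does is a scanner or exploit attempt. Returns per-source distinct-target and port counts."""
    net = ipaddress.ip_network(darknet_prefix)
    seen = {}
    for f in flows:
        if ipaddress.ip_address(f.dst) not in net:
            continue
        entry = seen.setdefault(f.src, {"targets": set(), "ports": defaultdict(int)})
        entry["targets"].add(f.dst)
        entry["ports"][f.dport] += 1
    return {src: {"targets": len(e["targets"]), "ports": dict(e["ports"])} for src, e in seen.items()}


IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed C&C ports; the slides describe IRC-based C&C


def honeypot_peers(flows, honeypot_ip, cnc_min_packets=100, flood_min_packets=10_000):
    """Honeypot: classify the honeypot's outbound peers. One long-lived IRC connection is the
    C&C (life-cycle steps 2/5/8); a destination hit with a huge packet count is a flood victim
    (step 7); everything else that is small is propagation scanning (step 1)."""
    per_dst = defaultdict(lambda: {"flows": 0, "packets": 0, "ports": set()})
    for f in flows:
        if f.src != honeypot_ip:
            continue
        d = per_dst[f.dst]
        d["flows"] += 1
        d["packets"] += f.packets
        d["ports"].add(f.dport)
    result = {"cnc": [], "victims": [], "scanned": []}
    for dst, d in per_dst.items():
        if d["ports"] <= IRC_PORTS and d["flows"] == 1 and d["packets"] >= cnc_min_packets:
            result["cnc"].append(dst)
        elif d["packets"] >= flood_min_packets:
            result["victims"].append(dst)
        else:
            result["scanned"].append(dst)
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, info in darknet_sources(flows, "172.17.12.128/25").items():
        print(f"darknet hit from {src}: {info['targets']} hosts, ports {info['ports']}")
    print("honeypot peers:", honeypot_peers(flows, "172.17.12.5"))
```

The darknet report needs no thresholds: a single packet into the empty prefix is already suspicious, which is why the one UDP/1434 probe from 203.0.113.9 is listed next to the bot client that walked four hosts on 445 and 135. The honeypot classifier does use thresholds, because the honeypot's own traffic is a mix of C&C chatter, attack output and propagation; tune the IRC port set and packet counts to the malware you are actually running.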

Page 16: Botnets & DDoS Introduction


Botnet detection and defense
  – Honeypot (cont.)
    • In theory, taking the C&C offline would destroy the whole botnet.
      – This is the weakness of centralized C&C.
    • Use a black-hole to block the C&C IP on the Internet:
      – But botherders do not structure their botnets around only one C&C.
        » They use DNS to improve C&C survivability: bots resolve a hostname rather than a fixed address, so the botherder can repoint it as soon as one IP is black-holed.
    [Diagram: the same LAN with honeypot and port mirror; the router null-routes the C&C address:]

      R(config)#ip route 172.31.1.1 255.255.255.255 null0

Page 17: Botnets & DDoS Introduction


Botnet detection and defense
  • BGP flow-spec
    – A new BGP NLRI (Network Layer Reachability Information) type.
      • The reason to use BGP: re-use of
        – protocol algorithms.
        – operational experience.
        – administrative processes such as inter-provider peering agreements.
      – It distributes traffic flow specifications together with the action to apply to matching traffic.
    • Flow-spec NLRI component types
      – Type 1 – destination prefix
      – Type 2 – source prefix
      – Type 3 – IP protocol
      – Type 4 – port (matches either the source or the destination port)
      – Type 5 – destination port
      – Type 6 – source port
      – Type 7 – ICMP type
      – Type 8 – ICMP code

Page 18: Botnets & DDoS Introduction


Botnet detection and defense
  • Flow-spec NLRI (cont.)
    – Type 9 – TCP flags
    – Type 10 – packet length
    – Type 11 – DSCP
    – Type 12 – fragment
  • Traffic filtering actions (carried as BGP extended communities)
    – Traffic-rate (a rate of 0 discards the matching traffic)
    – Traffic-action
      » Terminal action
      » Sample
    – Redirect
  – Use BGP flow-spec in your network
    [Diagram: Server A serving normal clients B and C, plus bot client D.]

Page 19: Botnets & DDoS Introduction


Botnet detection and defense
  – Use BGP flow-spec in your network
    • Update a BGP flow-spec route to the border router:
      – ‘SRC=D, DST=A, action=drop’
    • Update the same BGP flow-spec route to the peering partner, so D's traffic is dropped before it crosses the peering link:
      – ‘SRC=D, DST=A, action=drop’
    [Diagram, two panels: first, the rule is installed on the border router, D's traffic to A is dropped there and normal clients B and C still reach Server A; second, the rule is propagated to the peering partner and D's traffic is dropped on the far side of the peering link.]

Page 20: Botnets & DDoS Introduction


References
  • “Botnets: The Killer Web App”
    – Craig A. Schiller et al.; Syngress Publishing Inc., 2007
  • The Team Cymru Darknet Project
    – http://www.cymru.com/Darknet/index.html
  • The Honeynet Project
    – http://www.honeynet.org/index.html
  • “Dissemination of flow specification rules”
    – draft-marques-idr-flow-spec-04.txt
  • “Configuring a flow route”
    – http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-routing/id-10317421.html#id-10317421
  • “Inferring Internet Denial-of-Service Activity”
    – David Moore et al.
  • “The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets”
    – Evan Cooke et al.
  • “How CNCERT/CC fighting to Botnets”
    – Mingqi Chen; CNCERT/CC

Page 21: Botnets & DDoS Introduction


Thank You