1. 9th TWNIC IP Open Policy Meeting
2007/12/5, Taipei
Botnets & DDoS Introduction
Kae Hsu (IS-TW)

2. Agenda
• Bot
• Botnet and the mechanisms used in
• Botnets activities and economics
• Harms from Botnets
• DDoS mitigation
• Botnets detection and defense
• Reference
2007/12/5 2 Copyright 2007 - Trend Micro Inc.

3. Bot
• Brief history of Bot (summarized from “Botnets, THE KILLER WEB APP”)
– GM (1989)
• A robot user in an IRC channel.
– PrettyPark (1999)
• A Bot client on Windows95/98.
• Malicious IRC Bots.
– SubSeven Trojan/Bot
• Create backdoor in the system.
• SubSeven server could control SubSeven clients via IRC server.
– GT Bot (2000)
• Based on the mIRC client
– could trigger mIRC client to run scripts from IRC server.
– support raw TCP and UDP socket connections.
– SDBot (2002)
• Written in C++ and the author released the source code.
• Exploits and infects.
2007/12/5 3 Copyright 2007 - Trend Micro Inc.

4. Bot
• History brief (cont.)
– Agobot (2002)
• Modular design.
• Using P2P file-sharing applications to spread.
Characteristic-Based Families
– Spybot (2003)
• Open source Trojan and deviate from SDBot.
– RBot (2003)
• Most detections in Windows platform, with 1.9 million PCs. (2005)
– Polybot (2004)
• Derived from the AgoBot.
– Mytob (2005)
• Hybrid from MyDoom and bot IRC C&C functionality.
2007/12/5 4 Copyright 2007 - Trend Micro Inc.

5. Botnet and the mechanisms used in
• Botnet
– Some Bots controlled by a single one/organization (botherder)
and execute the commands from the botherder.
• Botnet Life Cycle
1. Exploit.
2. Report to the botherder (via C&C channel).
3. Retrieve the anti-antivirus module.
4. Rally and secure the Bot client.
5. Listen to the C&C channel and receive command.
6. Retrieve the payload module.
7. Execute the command.
8. Report result to the C&C channel.
9. Back to step 5.
10. Erase all evidence and abandon the Bot client.
2007/12/5 5 Copyright 2007 - Trend Micro Inc.

6. Botnet and the mechanisms used in
• C&C: Command and Control
– Botherder use C&C to collect Bot client information and delivery
the commands to Bot clients.
– IRC server is the most early and widely used C&C
• Interactive.
• Easy to build a IRC server.
• Easy to create and control several Botnets using one server.
• Easy to create redundancy.
– Web-based C&C servers.
– P2P Botnets.
– Random.
– IM C&C.
– Remote Administration.
– Drop Zone and FTP-based C&C.
2007/12/5 6 Copyright 2007 - Trend Micro Inc.

7. Botnets activities and economics
• Exploit new Bot client
• DDoS attack
– DDoS ransom - $$$
• Software installation
– adware - $$$
– clicks4hire - $$$
• Spam and phishing - $$$
• Storage and distribution of stolen or illegal data
• Ransomware - $$$
• Data mining - $$$
• Reporting results
• Erase the evidence, abandon the client
2007/12/5 7 Copyright 2007 - Trend Micro Inc.

8. Harms from Botnets
• Spam
– Botherder control Bot clients to email spam.
• DDoS – Distributed Denial of Service
– Flooding lots of anomaly traffic or launch lots of service request
to the DDoS target
• The service is blocked on victim cause of resource exhausted.
– bandwidth resource
– system resource
– DDoS is hard to prevent
• It is hard to classify normal or abnormal traffic.
– Anomaly TCP/UDP/ICMP flooding is easy to detect.
– Anomaly service access request is hard to detect.
• ISP uplink congestion will impact other customer
– Traffic scrubbing is helpless to uplink congestion.
2007/12/5 8 Copyright 2007 - Trend Micro Inc.

9. Harms from Botnets
• Botnets: the source of DDoS
– In a Botnet, zombie PCs would be used to generate the attack
traffic to the victims.
– If a Botnet have >100,000 zombie PCs, each PC generate
50kbps attack traffic to the victim; The total attack traffic could
reach more than 5Gbps!!!
• 5Gbps traffic could congest lots of links of enterprise and ISP.
– If a Botnet have >100,000 zombie PCs, each PC generate 1kpps
attack traffic to the victim; The total attack traffic could reach
more than 100Mpps!!!
• 100Mpps traffic could shutdown lots of equipments of enterprise
and ISP.
– Most ISPs use “black-hole” mechanism to drop the attack traffic,
but it will drop normal traffic flow to victim too
• ISPs help the cyber-criminal complete the attack.
2007/12/5 9 Copyright 2007 - Trend Micro Inc.

10. Harms from Botnets
• Scale of Botnet:
– Telenor takes down 'massive' botnet – more than 10,000 zombie
PC
• http://www.theregister.co.uk/2004/09/09/telenor_botnet_dismantled/
– Dutch Botnet suspects ran 1.5 million machines
• http://www.techweb.com/wire/security/172303160
– Of the 600 million computers currently on the internet, between
100 and 150 million were already part of these botnet…
– http://news.bbc.co.uk/1/hi/business/6298641.stm
• Strength of Botnet:
– Estonian government websites were shutdown cause serious
DDoS attack from Apr. 27, 2007
• At its peak on May 9, the attack shut down up to 58 sites at once.
• Computers from the United States, Canada, Brazil, Vietnam and
others have been used in the attacks.
2007/12/5 10 Copyright 2007 - Trend Micro Inc.

11. Harms from Botnets
• DDoS example
– ISPs Bot client
BOTNETS
attack
traffic
VICTIMS
link
congestion
2007/12/5 11 Copyright 2007 - Trend Micro Inc.

12. Harms from Botnets
– All of the packets forward to victim were dropped.
BOTNETS
attack
traffic
VICTIMS
2007/12/5 12 Copyright 2007 - Trend Micro Inc.

13. DDoS mitigation
• Scrub the traffic, accept and forward the normal packets
and drop the abnormal packets
– Build the traffic scrubbing system in your netowrk
• Congestion still would be happened on ISP border router.
VICTIMS
link
congestion
– Order scrubbing service from upstream ISP or scrubbing service
provider.
scrubbing service provider
VICTIMS
link
congestion
2007/12/5 13 Copyright 2007 - Trend Micro Inc.

14. Botnets detection and defense
• Internet projects to detect Bot/Botnets
– Darknet
• A subnet that no any machine host in.
• There should not be any normal traffic flow to this subnet
– Anomaly traffic flow sent by malware almost.
• It is possible to trace the compromised machine by analyzing those
anomaly traffic.
enable promiscuous mode
Bot client
Internet
.4
analyze exploit traffic and catch Bot client IP
.1
.3
R(config)#ip route 172.17.12.128 255.255.255.128 172.17.12.4 .2
172.17.12.0/24
2007/12/5 14 Copyright 2007 - Trend Micro Inc.

15. Botnets detection and defense
• Internet projects to detect Bot/Botnets
– Honeypots
• A machine that exploit by malware on purpose.
– Botnets life cycle:
» 2) Report to the botherder (via C&C channel).
» 5) Listen to the C&C channel and receive command.
» 6) Retrieve the payload module.
» 8) Report result to the C&C channel.
– To sniff and analyze the connections of Bot, we could catch:
» the IP address of C&C
» the IP address of victims
C&C
172.31.1.1
Internet
.4
catch the C&C IP: 172.31.1.1
.1
.3
port mirror
honeypot
.2
2007/12/5 15 Copyright 2007 - Trend Micro Inc.

16. Botnets detection and defense
– Honeypot (cont.)
• In theories, off-line the C&C would destroy the whole Botnet
– It is the vulnerability of centralized C&C.
C&C
Internet
.4
.1
.3
port mirror
honeypot
.2
R(config)#ip route 172.31.1.1 255.255.255.255 null0
• Use black-hole to block the C&C IP on the Internet
– But botherder would not structure their Botnet by only one C&C
» Use DNS to improvement C&C surviving.
2007/12/5 16 Copyright 2007 - Trend Micro Inc.

17. Botnets detection and defense
• BGP flow-spec
– A new BGP NLRI
• The reason to use BGP: re-use
– protocol algorithms.
– operational experience.
– administrative processes such as inter-provider peering agreements.
– Distribute traffic flow specifications and action.
• Flow-spec NLRI
– Type 1 – destination prefix
– Type 2 – source prefix
– Type 3 – IP protocol
– Type 4 – port
– Type 5 – destination port
– Type 6 – source port
– Type 7 – ICMP type
– Type 8 – ICMP core
2007/12/5 17 Copyright 2007 - Trend Micro Inc.

18. Botnets detection and defense
• Flow-spec NLRI (cont.)
– Type 9 –TCP flags
– Type 10 – packet length
– Type 11 – DSCP
– Type 12 – fragment
• Traffic filtering actions
– Traffic-rate
– Traffic-action
» Terminal action
» Sample
– Redirect
– Use BGP flow-spec in your network
Bot client D
Normal
client B
Normal
client C
Server A
2007/12/5 18 Copyright 2007 - Trend Micro Inc.

19. Botnets detection and defense
– Use BGP flow-spec in your network
• Update BGP flow-spec route to border router
– ‘SRC=D, DST=A, action=drop’
Bot client D
Normal
client B
Normal
client C
Server A
• Update BGP flow-spec route to peering partner
– ‘SRC=D, DST=A, action=drop’
Bot client D
Normal
client B
Normal
client C
Server A
2007/12/5 19 Copyright 2007 - Trend Micro Inc.

20. Reference
• “Botnets, THE KILLER WEB APP”
– by Craig A. Schiller etc.; Syngress Publishing Inc., 2007
• The Team Cymru Darknet Project
– http://www.cymru.com/Darknet/index.html
• The Honeynet Project
– http://www.honeynet.org/index.html
• “Dissemination of flow specification rules”
– draft-marques-idr-flow-spec-04.txt
• “Configuring a flow route”
– http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-
routing/id-10317421.html#id-10317421
• “Inferring Internet Denial-of-Service Activity”
– by David Moore etc.
• “The Zombie Roundup: Understanding, Detecting, and Disrupting
Botnets”
– by Evan Cooke etc.
• “How CNCERT/CC fighting to Botnets”
– by Mingqi Chen.; CNCERT/CC
2007/12/5 20 Copyright 2007 - Trend Micro Inc.

21. Thank You
Classification 2007/12/6
2007/12/5 21 Copyright 2007 - Trend Micro Inc.