This document discusses botnets and defenses against them. It describes different types of botnets including IRC, HTTP, and peer-to-peer botnets. Detection techniques are discussed including passive monitoring of network traffic, analysis of spam attacks, and active infiltration of botnets. Countermeasures are also outlined such as blacklisting botnet IP addresses, seizing botnet command and control domains, and educating users.
14. REAL WORLD SCENARIO
How botnets can be used:-
• Distributed Denial of Service Attacks (DDoS)
• Spamming
• Sniffing Traffic & Keylogging
• Identity Theft
• Attacking IRC Chat Networks
• Hosting of Illegal Software
• Google AdSense Abuse & Advertisement Addons
• Manipulating online polls
15. DETECTION TECHNIQUES
Passive
Data gathered through observation.
• Packet Inspection
• Analysis of flow records
• Analysis of SPAM Attacks
Active
Detection by being involved, i.e. interacting with the botnet.
(Drawback) Can provoke a DDoS attack against the analyst, or make the
operators change IPs, protocols, etc.
• Sinkholing
• Infiltration
• Peer-to-peer botnet enumeration
16. PASSIVE DETECTION
Packet Inspection
Inspect network data packets
• Match various protocol fields.
• Match payload against a predefined pattern of suspicious
content.
Drawbacks:-
• Doesn’t scale
• Only known patterns are detected
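As an added example (not part of the original deck), the following Python sketches packet inspection as the slide describes it: protocol fields are checked first, then the payload is matched against predefined suspicious-content patterns. The two signatures, the `/gate.php` path and all addresses are constructed for illustration. The last two sample packets show the stated drawback: an encrypted payload and an unknown protocol produce no alert because no known pattern fits.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str                         # protocol field that must match
    dports: Optional[FrozenSet[int]]   # None = any destination port
    pattern: re.Pattern                # predefined suspicious-content pattern


# Hypothetical signatures for illustration only (constructed, not from any real ruleset).
SIGNATURES = [
    Signature("irc-command-in-payload", "tcp", None,
              re.compile(rb"^(?:NICK|JOIN|PRIVMSG)\s", re.M)),
    Signature("http-beacon-gate-php", "tcp", frozenset({80, 8080}),
              re.compile(rb"^GET /gate\.php\?")),
]


def inspect(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[str, str, int, str]]:
    """Deep packet inspection: check the protocol fields first, then search the
    payload for each signature's pattern. Returns (src, dst, dport, signature)."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if pkt.proto != sig.proto:
                continue
            if sig.dports is not None and pkt.dport not in sig.dports:
                continue
            if sig.pattern.search(pkt.payload):
                alerts.append((pkt.src, pkt.dst, pkt.dport, sig.name))
                break   # one alert per packet is enough
    return alerts


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", "tcp", 6667,
           b"NICK bot-7f3a\r\nJOIN #ctrl\r\n"),
    Packet("10.0.0.6", "203.0.113.9", "tcp", 80,
           b"GET /gate.php?id=7f3a HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),
    # TLS ClientHello: the payload is opaque, so content matching sees nothing
    Packet("10.0.0.7", "198.51.100.4", "tcp", 443,
           b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # unknown custom protocol: no signature exists, so it is missed
    Packet("10.0.0.8", "198.51.100.4", "tcp", 8443, b"HELLO 7f3a v2\r\n"),
]


if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print(alert)
```

Every packet is compared against every signature, which is why the approach does not scale to high-volume links, and the misses on the last two packets are exactly the "only known patterns are detected" limitation.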
17. PASSIVE DETECTION
Analysis of flow records
Tracing network traffic at an abstract level.
Instead of inspecting individual packets, communication
streams are considered in aggregate form.
We look into:-
• Source, destination address
• Related port numbers
• Duration of session
• Cumulative size and number of transmitted packets.
• Protocol used inside packets.
Advantage:- a higher amount of traffic can be monitored.
Eg. Cisco’s ‘NetFlow’ protocol.
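As an added example (not from the original deck), this Python code builds NetFlow-style flow records from constructed packet records using exactly the fields the slide lists (addresses, ports, protocol, duration, cumulative size and packet count) and then runs one aggregate-level check: an external endpoint that many internal hosts contact with small, similar flows. The idle timeout, thresholds and sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first: float      # timestamp of first packet
    last: float       # timestamp of last packet
    bytes: int = 0    # cumulative size
    packets: int = 0  # number of transmitted packets

    @property
    def duration(self) -> float:
        return self.last - self.first


# Packet record shape (constructed): (timestamp, src, dst, sport, dport, proto, size)
PacketRecord = Tuple[float, str, str, int, int, str, int]


def build_flows(records: List[PacketRecord], idle_timeout: float = 60.0) -> List[Flow]:
    """NetFlow-style aggregation: packets sharing a 5-tuple form one flow; a
    gap longer than idle_timeout closes it and starts a new flow."""
    active: Dict[tuple, Flow] = {}
    finished: List[Flow] = []
    for ts, src, dst, sport, dport, proto, size in sorted(records):
        key = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            finished.append(flow)
            flow = None
        if flow is None:
            flow = Flow(src, dst, sport, dport, proto, ts, ts)
            active[key] = flow
        flow.last = ts
        flow.bytes += size
        flow.packets += 1
    finished.extend(active.values())
    return finished


def rendezvous_points(flows: List[Flow], min_sources: int = 3, max_bytes: int = 1000):
    """Flow-level botnet hint: one (dst, port, proto) endpoint reached by many
    internal hosts with small flows, i.e. check-ins to a common control point.
    No payload is ever examined."""
    by_endpoint = defaultdict(set)
    for f in flows:
        if f.bytes <= max_bytes:
            by_endpoint[(f.dst, f.dport, f.proto)].add(f.src)
    return [(ep, sorted(srcs)) for ep, srcs in sorted(by_endpoint.items())
            if len(srcs) >= min_sources]


# Constructed sample: four hosts check in to the same endpoint every 30 s with
# tiny packets; one host does a normal, larger HTTPS transfer.
SAMPLE_RECORDS: List[PacketRecord] = []
for i, host in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]):
    for k in range(3):
        SAMPLE_RECORDS.append((100.0 + i + 30 * k, host, "203.0.113.9", 40000 + i, 6667, "tcp", 62))
for k in range(5):
    SAMPLE_RECORDS.append((100.0 + k, "10.0.0.5", "198.51.100.4", 41000, 443, "tcp", 1400))
# the same tuple again well after the idle timeout: becomes a separate flow
SAMPLE_RECORDS.append((500.0, "10.0.0.1", "203.0.113.9", 40000, 6667, "tcp", 62))


if __name__ == "__main__":
    for f in build_flows(SAMPLE_RECORDS):
        print(f.src, f.dst, f.dport, f.proto, f.packets, f.bytes, f.duration)
    print(rendezvous_points(build_flows(SAMPLE_RECORDS)))
```

A flow record is a handful of integers per session rather than every byte, which is why an exporter like NetFlow can cover far more traffic than packet inspection; the price is that the check above can only say "many hosts talk to the same place in the same way", not what they said.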
18. PASSIVE DETECTION
Analysis of SPAM attacks
• Spam mails are analyzed and similar templates are grouped.
• These templates can then be matched to a corresponding
botnet.
For this, special honeypots called honey tokens are used.
19. PASSIVE DETECTION
Honeypot:- A trap to detect, deflect or in some manner
counteract an attempt at unauthorized use of an information
system.
Honey Token:- Spam traps consisting of email addresses with
no productive function other than to receive unsolicited
emails.
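As an added example covering both the spam-analysis slide and the honey-token definition (not code from the original deck), this Python groups mail received at trap addresses into templates and collects the sending IPs per template. Since a honey token has no productive function, everything it receives is spam by definition, so no spam filter is needed; a template emitted by many distinct senders is the signature of a botnet-driven campaign. The trap addresses, messages and sender IPs are constructed sample data, and the normalisation rules are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed honey-token addresses: they exist only to receive unsolicited mail.
TRAP_ADDRESSES = {"trap-01@example.net", "trap-02@example.net"}

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
NUM_RE = re.compile(r"\d+")
WS_RE = re.compile(r"\s+")


def to_template(body: str) -> str:
    """Reduce a spam body to its template by removing what a bot varies per
    message: links, numbers, spacing and letter case."""
    text = URL_RE.sub("<URL>", body)
    text = NUM_RE.sub("<NUM>", text)
    return WS_RE.sub(" ", text).strip().lower()


def group_spam(messages: List[Tuple[str, str, str]], traps=TRAP_ADDRESSES) -> Dict[str, dict]:
    """messages: (recipient, sender_ip, body). Mail to a real mailbox is ignored
    because it might be legitimate; mail to a trap is grouped by template."""
    groups = defaultdict(lambda: {"count": 0, "senders": set(), "example": ""})
    for rcpt, sender_ip, body in messages:
        if rcpt.lower() not in traps:
            continue
        g = groups[to_template(body)]
        g["count"] += 1
        g["senders"].add(sender_ip)
        g["example"] = g["example"] or body
    return dict(groups)


def likely_botnet_campaigns(groups: Dict[str, dict], min_senders: int = 2) -> Dict[str, List[str]]:
    """One template sent from many distinct IPs points to a botnet rather than
    a single spammer host; the IPs are the candidate bot population."""
    return {tpl: sorted(g["senders"]) for tpl, g in groups.items()
            if len(g["senders"]) >= min_senders}


# Constructed sample spam (documentation-range IPs).
SAMPLE_MESSAGES = [
    ("trap-01@example.net", "198.51.100.10", "Your order 48213 is ready, see http://a.example/x"),
    ("trap-02@example.net", "198.51.100.11", "Your  order 99001 is ready, see http://b.example/y"),
    ("trap-01@example.net", "203.0.113.77",  "YOUR ORDER 10 IS READY, SEE http://c.example/z"),
    ("trap-02@example.net", "203.0.113.78",  "Reset your password at www.d.example/reset?t=42"),
    ("trap-01@example.net", "203.0.113.78",  "Reset your password at www.e.example/reset?t=43"),
    ("alice@example.net",   "192.0.2.5",     "Reset your password at www.f.example/reset?t=44"),
]


if __name__ == "__main__":
    groups = group_spam(SAMPLE_MESSAGES)
    for tpl, g in groups.items():
        print(g["count"], sorted(g["senders"]), tpl)
    print(likely_botnet_campaigns(groups))
```

The "password reset" template is seen twice but from a single IP, so it is not reported as a campaign; the "order" template arrives from three different senders and is.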
20. PASSIVE DETECTION
Other Techniques:-
• Analysis of log files.
• Evaluation of anti-virus software feedback.
• DNS based approaches.
21. ACTIVE TECHNIQUES
Sinkholing
• Technical countermeasure for cutting off a malicious control
source from the rest of the botnet.
• Eg. by changing the targeted malicious domain name so that
it points to a machine controlled by a trusted party.
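As an added example (not from the original deck), here is what the machine at the other end of a sinkholed name does, in Python: it accepts every connection the bots make, records the source address and the first bytes sent, and never answers, so the infected hosts are cut off from commands while the trusted party learns who they are. The listener and the simulated bot both use the loopback address; the IRC-style check-in payload is constructed for the example.

```python
import socket
import threading
import time
from collections import Counter


class Sinkhole:
    """Listener placed behind a seized C&C name. Accepts, records, closes."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(32)
        self.sock.settimeout(0.2)            # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.connections = Counter()         # victim IP -> number of check-ins
        self.first_bytes = {}                # victim IP -> first payload seen
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, _port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(512)     # read the check-in, never reply
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.connections[ip] += 1
                self.first_bytes.setdefault(ip, data)

    def wait_for(self, n: int, timeout: float = 5.0) -> int:
        """Block until n check-ins are recorded or timeout passes; return the count."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                total = sum(self.connections.values())
            if total >= n:
                return total
            time.sleep(0.01)
        with self._lock:
            return sum(self.connections.values())

    def report(self) -> dict:
        """Victim inventory: who checked in, how often, and what they sent."""
        with self._lock:
            return {ip: {"checkins": n, "first_bytes": self.first_bytes[ip]}
                    for ip, n in self.connections.items()}

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def simulate_bot_checkin(port: int, payload: bytes = b"NICK bot-7f3a\r\nJOIN #ctrl\r\n"):
    """Constructed stand-in for an infected host whose C&C name now resolves here."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        c.sendall(payload)
        try:
            c.recv(64)        # the bot waits for a command; the sinkhole just closes
        except OSError:
            pass


if __name__ == "__main__":
    sh = Sinkhole()
    simulate_bot_checkin(sh.port)
    sh.wait_for(1)
    print(sh.report())
    sh.stop()
```

The report is the sinkhole's product: a list of infected addresses that can be passed to the owning networks for cleanup, which is the usual reason a trusted party wants the domain pointed at its own machine.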
22. ACTIVE DETECTION
Infiltration
Aims to take control of the botnet.
• Hardware- if the IP address is known, all communications can be
wiretapped with the help of the hosting company.
• Software- imitating the communication mechanisms used by
the botnet.
23. ACTIVE DETECTION
Peer-to-peer botnet enumeration
Repeatedly querying peers for their neighbor lists.
This requires reverse engineering:
• Creating an implementation of the botnet’s protocol to perform the
enumeration task.
24. TECHNICAL COUNTERMEASURES
Blacklisting
• Block all traffic from included addresses.
• Search engine or browser can filter or mark such websites.
Distribution of fake/traceable credentials.
• Populate fake data into our records like credit card details.
• Fake data lowers quality of stolen information
• Generate mistrust among criminals.
25. TECHNICAL COUNTERMEASURES
BGP Blackholing
Null routing malicious hosts to deny traffic from or to their
network.
Null-Routing:- the process of silently dropping packets
originating from or destined for such addresses.
DNS based countermeasure
• Malicious domains can be shut down.
• Requires a court warrant.
• Sometimes Twitter and RSS feeds are used to give commands;
this countermeasure doesn’t work in that case.
26. TECHNICAL COUNTERMEASURES
Port 25 Blocking
Spam mails would not be sent.
Peer-to-peer countermeasure
Pollute the peer-to-peer list.
Results in:-
• Loss of overall connectivity
• Due to size limitations, older original peers get replaced
by fake peers.
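As an added example serving both the peer-to-peer enumeration slide and this countermeasure slide (not code from the original deck), the following Python simulates a small overlay of bots, each holding a bounded neighbor list. The crawler enumerates the network by repeatedly asking each reachable peer for its list; the countermeasure then pushes fake entries to every live peer, and because each list has a fixed capacity the oldest real entries are evicted, after which a second enumeration shows how much connectivity was lost. The overlay shape, list capacity and peer names are constructed; `query_neighbors` stands in for the request a reverse-engineered protocol implementation would send.

```python
from collections import deque
from typing import Dict, Iterable, List, Set

REAL_PEERS = [f"p{i:02d}" for i in range(12)]
MAX_LIST = 4   # assumed per-bot peer-list capacity


def build_overlay(peers: List[str] = REAL_PEERS, fanout: int = 4) -> Dict[str, List[str]]:
    """Constructed ring overlay: each peer knows the next `fanout` peers."""
    n = len(peers)
    return {p: [peers[(i + k) % n] for k in range(1, fanout + 1)]
            for i, p in enumerate(peers)}


def query_neighbors(overlay: Dict[str, List[str]], peer: str) -> List[str]:
    """Stand-in for the 'send me your peer list' request. Fake or offline
    peers are not in the overlay and therefore answer nothing."""
    return list(overlay.get(peer, []))


def enumerate_peers(overlay: Dict[str, List[str]], seeds: Iterable[str]) -> Set[str]:
    """Breadth-first crawl: ask every newly learned peer for its neighbors
    until no new names appear. Returns the peers that actually responded."""
    seeds = list(seeds)
    seen = set(seeds)
    queue = deque(seeds)
    responding = set()
    while queue:
        p = queue.popleft()
        if p in overlay:
            responding.add(p)
        for q in query_neighbors(overlay, p):
            if q not in seen:
                seen.add(q)
                queue.append(q)
    return responding


def announce_fake_peers(overlay: Dict[str, List[str]], peer: str,
                        fakes: List[str], max_list: int = MAX_LIST) -> None:
    """Deliver fake entries to one bot. The list is capped, so the oldest
    (real) entries fall out, exactly the size-limit effect on the slide."""
    lst = overlay[peer]
    for f in fakes:
        if f not in lst:
            lst.append(f)
    del lst[:-max_list]


def pollute(overlay: Dict[str, List[str]], seeds: Iterable[str],
            fakes: List[str], max_list: int = MAX_LIST) -> int:
    """Crawl the overlay and push fake peers to every live bot found.
    Returns the number of bots reached."""
    live = sorted(enumerate_peers(overlay, seeds))
    for p in live:
        announce_fake_peers(overlay, p, fakes, max_list)
    return len(live)


def connectivity(overlay: Dict[str, List[str]], seed: str) -> float:
    """Fraction of real peers still reachable from one seed."""
    return len(enumerate_peers(overlay, [seed])) / len(overlay)


if __name__ == "__main__":
    ov = build_overlay()
    print("before:", connectivity(ov, "p00"))
    pollute(ov, ["p00"], ["fake-a", "fake-b", "fake-c"])
    print("after: ", connectivity(ov, "p00"), ov["p00"])
```

With capacity 4 and three fakes per announcement, every bot keeps exactly one real neighbor, so the crawl from `p00` afterwards reaches only `p00`, `p04` and `p08`: connectivity drops from 100% to 25%, and the fake entries consume the slots that would otherwise be used to rediscover the rest of the network.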