240 likes | 417 Views
The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet. Joan Calvet , Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St- Onge , Wadie Guizani , Pierre-Marc Bureau, Anil Somayaji ACSAC 2010. A Presentation at Advanced Defense Lab.
E N D
The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet Joan Calvet, Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, WadieGuizani, Pierre-Marc Bureau, Anil Somayaji ACSAC 2010 A Presentation at Advanced Defense Lab
Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab
Introduction • Presents an “in the lab” experiments involving at-scale emulated botnets. • Experiments with “in-the-wild” botnets can be problematic • (i) Researchers need to create entities which join the botnet. • (ii) There are legal and ethical issues involved in performing such botnet research. • (iii) It is difficult to get statistically significant results. • (iv) It is not repeatable. • At-scale emulation studies, where conditions as close as possible to the real-world are the best alternative to in-the-wild studies. Advanced Defense Lab
Introduction • In emulation experiments, botnet entities that are either identical or slightly adapted versions of their real-world counterparts, are executed in controlled environments. • Such experiment allows researchers the privilege of hiding their ammunition from botnets operators, until the mitigation schemes are fully developed and optimised. • Recreating in thee lab an isolated version of the Waledacbotnet consisting of approximately 3,000 nodes. Advanced Defense Lab
Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab
Related Work • The idea of using laboratory experimentation facilities for botnet research is not new. • PlanetLab • Emulab • DETER Advanced Defense Lab
Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab
Botnet Emulation – Design Criteria • Highly secured • Building a emulation platform based on an isolated cluster within highly secured facilities. (floor-to-ceiling walls, reinforced doors, etc…) • Scale • Virtualisation allowed researchers to have upwards of 30 virtual bots per physical machine. • Realism • The malware binaries must be identical or close to identical in functionality to those found in the wild. • Flexibility • The desire to have an emulation platform that is capable of reproducing any botnet. • Sterilisability • Re-installation of VMs. Advanced Defense Lab
Botnet Emulation – HW and Tools • Isolated cluster (小雲) • 98 blades • 4-core, 8 GB RAM, dual 136 GB SCSI disks, network card with 4 separate gigabit Ethernet ports for each blade. Advanced Defense Lab
Botnet Emulation – HW and Tools • The blades are contained in two 42U racks, and interconnected with two separate sets of switches. • Virtualisation: • VMWare ESX product. • Configuration and management: • Extreme Cloud Administration Toolkit (xCAT) mkvmvm[001-098] Advanced Defense Lab
Botnet Emulation • Capture of botnetclient code, through various methods. • Gather information on the botnet • Passively monitoring the botnet by observing infected machines and/or joining the botnet. • Construction of a surrogate C&C infrastructure. • Construction of realistic operating environment for the botnetin the lab. • Determination of metrics to be measured. • Implementation of methods for measuring these metrics. Advanced Defense Lab
Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab
The Waledac Experiment – binary overview • A prominent botnet ! First appeared in Nov, 2008. • Mode of operation (by reverse engineering) • P2P network infrastructure for its C&C • 4 layered C&C architecture. • Hardcoded with a list consisting of 100 to 500 contact information of repeaters - RList. Advanced Defense Lab
The Waledac Experiment - RList Select 1 Entry randomly to Share Rlist. • Constant sharing with other peers 3 B S 77 1 Select 100 entries randomly 1 … 2 B 2 44 … … 7 500 500 38 Select 100 entries randomly … 302 Advanced Defense Lab
The Waledac Experiment - Encryption From a referenced paper Advanced Defense Lab
The Waledac Experiment - Emulation • Create VM templates • Add the IP of 500 repeaters to the Rlists • Add script to issue commands to the VMs • Deploy the VM templates • Setup C&C Server • Constitute the botnet • Setup environment Advanced Defense Lab
The Waledac Experiment – Mitigation Scheme • Flushes the Rlist with ours by launching sybil attacks !! • Waledac bots do not check the Rlist received carefully. • If the bot is a repeater • A race Condition situation arises. • If the bot is a spammer • More effective Advanced Defense Lab
Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab
Experiment Results • Spam output • Over a fixed time period, before and after we launch the attack. • Connectivity of the botnet • Measure the number of NOTIFY messages the C&C server receives over a fixed time period. • Percentage of sybils in Rlist • Dumps Rlist to a file each time it is modified, and send these files to an FTP server via the control network. Advanced Defense Lab
Experiment Results Advanced Defense Lab
Experiment Results Advanced Defense Lab
Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab
Conclusion • Using the isolated security testbeds based on virtualisation. • Measure performance metrics for both the botnet and attacks against it. Advanced Defense Lab
BOTNET DEMO… Advanced Defense Lab