1 / 24

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet. Joan Calvet , Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St- Onge , Wadie Guizani , Pierre-Marc Bureau, Anil Somayaji ACSAC 2010. A Presentation at Advanced Defense Lab.

benito
Download Presentation

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet Joan Calvet, Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, WadieGuizani, Pierre-Marc Bureau, Anil Somayaji ACSAC 2010 A Presentation at Advanced Defense Lab

  2. Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab

  3. Introduction • Presents an “in the lab” experiments involving at-scale emulated botnets. • Experiments with “in-the-wild” botnets can be problematic • (i) Researchers need to create entities which join the botnet. • (ii) There are legal and ethical issues involved in performing such botnet research. • (iii) It is difficult to get statistically significant results. • (iv) It is not repeatable. • At-scale emulation studies, where conditions as close as possible to the real-world are the best alternative to in-the-wild studies. Advanced Defense Lab

  4. Introduction • In emulation experiments, botnet entities that are either identical or slightly adapted versions of their real-world counterparts, are executed in controlled environments. • Such experiment allows researchers the privilege of hiding their ammunition from botnets operators, until the mitigation schemes are fully developed and optimised. • Recreating in thee lab an isolated version of the Waledacbotnet consisting of approximately 3,000 nodes. Advanced Defense Lab

  5. Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab

  6. Related Work • The idea of using laboratory experimentation facilities for botnet research is not new. • PlanetLab • Emulab • DETER Advanced Defense Lab

  7. Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab

  8. Botnet Emulation – Design Criteria • Highly secured • Building a emulation platform based on an isolated cluster within highly secured facilities. (floor-to-ceiling walls, reinforced doors, etc…) • Scale • Virtualisation allowed researchers to have upwards of 30 virtual bots per physical machine. • Realism • The malware binaries must be identical or close to identical in functionality to those found in the wild. • Flexibility • The desire to have an emulation platform that is capable of reproducing any botnet. • Sterilisability • Re-installation of VMs. Advanced Defense Lab

  9. Botnet Emulation – HW and Tools • Isolated cluster (小雲) • 98 blades • 4-core, 8 GB RAM, dual 136 GB SCSI disks, network card with 4 separate gigabit Ethernet ports for each blade. Advanced Defense Lab

  10. Botnet Emulation – HW and Tools • The blades are contained in two 42U racks, and interconnected with two separate sets of switches. • Virtualisation: • VMWare ESX product. • Configuration and management: • Extreme Cloud Administration Toolkit (xCAT) mkvmvm[001-098] Advanced Defense Lab

  11. Botnet Emulation • Capture of botnetclient code, through various methods. • Gather information on the botnet • Passively monitoring the botnet by observing infected machines and/or joining the botnet. • Construction of a surrogate C&C infrastructure. • Construction of realistic operating environment for the botnetin the lab. • Determination of metrics to be measured. • Implementation of methods for measuring these metrics. Advanced Defense Lab

  12. Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab

  13. The Waledac Experiment – binary overview • A prominent botnet ! First appeared in Nov, 2008. • Mode of operation (by reverse engineering) • P2P network infrastructure for its C&C • 4 layered C&C architecture. • Hardcoded with a list consisting of 100 to 500 contact information of repeaters - RList. Advanced Defense Lab

  14. The Waledac Experiment - RList Select 1 Entry randomly to Share Rlist. • Constant sharing with other peers 3 B S 77 1 Select 100 entries randomly 1 … 2 B 2 44 … … 7 500 500 38 Select 100 entries randomly … 302 Advanced Defense Lab

  15. The Waledac Experiment - Encryption From a referenced paper Advanced Defense Lab

  16. The Waledac Experiment - Emulation • Create VM templates • Add the IP of 500 repeaters to the Rlists • Add script to issue commands to the VMs • Deploy the VM templates • Setup C&C Server • Constitute the botnet • Setup environment Advanced Defense Lab

  17. The Waledac Experiment – Mitigation Scheme • Flushes the Rlist with ours by launching sybil attacks !! • Waledac bots do not check the Rlist received carefully. • If the bot is a repeater • A race Condition situation arises. • If the bot is a spammer • More effective Advanced Defense Lab

  18. Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab

  19. Experiment Results • Spam output • Over a fixed time period, before and after we launch the attack. • Connectivity of the botnet • Measure the number of NOTIFY messages the C&C server receives over a fixed time period. • Percentage of sybils in Rlist • Dumps Rlist to a file each time it is modified, and send these files to an FTP server via the control network. Advanced Defense Lab

  20. Experiment Results Advanced Defense Lab

  21. Experiment Results Advanced Defense Lab

  22. Outline • Introduction • Related Work • Botnet Emulation • The WALEDAC Experiment • Experiment Results • Conclusion Advanced Defense Lab

  23. Conclusion • Using the isolated security testbeds based on virtualisation. • Measure performance metrics for both the botnet and attacks against it. Advanced Defense Lab

  24. BOTNET DEMO… Advanced Defense Lab

More Related