Fighting Against Botnets: Hands-On Laboratory Exercises Dr. Jim Chen, John Smet, Barry Williams, Victor Tsao, Alkalifa A. Samake, Lamin Kamara,Tokunbo Olojo, Nicole Regobert March 2007
What is a Botnet? • A collection of software applications, or robots (bots), that run automated tasks over the Internet • Often built for a malicious purpose, such as taking over a remote machine (victim 1) and using it to attack another machine (victim 2) • A collection of compromised machines (victim 1) under a common command-and-control infrastructure, reached through a means such as IRC Secure IT 2007 Conference
Challenges • (1) How to show a botnet to the students? • (2) How to know whether your computer has been turned into a zombie machine? • (3) How to get rid of the malicious Trojan code that serves that function?
Solution • Set up a closed lab with a few computers, a hub, a switch, and a router • Selected some open-source software packages • Designed and developed some hands-on laboratory exercises
3 Lab Exercises • Lab 1: Shows a botnet [addressing Challenge #(1)] • Lab 2: Shows the detection of a zombie machine [addressing Challenge #(2)] • Lab 3: Shows some countermeasures [addressing Challenge #(3)]
Objectives of Lab 1 • Show the botnet
Lab 1: Botnet • One computer with an intrusive software tool running on it • Two computers with Snort and Ethereal running on them • One Web server computer with Snort and Ethereal running on it • Connect these computers via a hub, a switch, or a router to form a closed network
Botnet • Demo
Lab 1: Lesson Learned • It is not difficult to exploit a vulnerability within a computer system. • Some intrusions may not be detected automatically.
Objectives of Lab 2 • Detect a zombie machine • Learn to do the analysis and to use different detection tools
Lab 2: Zombie Machine Detection • Use the tools in the Windows system • Use Ethereal to capture and analyze the traffic • Use the Snort intrusion detection system
Zombie Machine Detection • Demo
Abnormal Behavior Detection • Use the tools in the Windows system to look for behavior the lab image should not show (unexpected processes, unexpected network connections)
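The slide does not name the Windows tools, so the following added example (not part of the lab materials) assumes `netstat -ano` and `tasklist` were run on the suspect machine and their output saved to text; it correlates the two by PID and flags established connections that leave the lab baseline. Both output samples, the process name msupdate.exe, the baseline list and the port allowlist are constructed for the example.

```python
"""Host-side zombie triage from Windows tool output (added example, not part
of the lab materials). The slide does not name the tools; this assumes
`netstat -ano` and `tasklist` were run on the suspect machine and their
output saved. Both samples below are constructed, not captured in the lab."""
import re

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    10.0.0.5:1043          10.0.0.9:6667          ESTABLISHED     1876
  TCP    10.0.0.5:1052          10.0.0.1:80            ESTABLISHED     2212
  TCP    10.0.0.5:1061          10.0.0.9:8080          ESTABLISHED     1876
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    896 Console                    0      4,512 K
iexplore.exe                  2212 Console                    0     31,204 K
msupdate.exe                  1876 Console                    0      2,116 K
"""

# Assumed lab baseline: process names expected on a clean lab image, and the
# only remote ports the lab machines are meant to talk to (the Web server).
KNOWN_IMAGES = {"system idle process", "system", "svchost.exe", "lsass.exe",
                "services.exe", "explorer.exe", "iexplore.exe"}
WEB_PORTS = {80, 443}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+")


def split_addr(addr):
    """'10.0.0.9:6667' -> ('10.0.0.9', 6667); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netstat(text):
    """One dict per connection line of `netstat -ano` output; banner and
    column headers do not match the pattern and are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        laddr, lport = split_addr(local)
        raddr, rport = split_addr(remote)
        conns.append({"proto": proto, "laddr": laddr, "lport": lport,
                      "raddr": raddr, "rport": rport,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    images = {}
    for line in text.splitlines():
        if line.startswith("=") or line.startswith("Image Name"):
            continue
        m = TASKLIST_LINE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1).strip()
    return images


def suspicious_connections(netstat_text, tasklist_text,
                           known_images=KNOWN_IMAGES, web_ports=WEB_PORTS):
    """Flag established connections that leave the lab baseline: a remote
    port that is not the Web server's, or a process not on the clean image."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue
        image = images.get(c["pid"], "<no such PID>")
        reasons = []
        if c["rport"] not in web_ports:
            reasons.append(f"remote port {c['rport']} is not a Web port")
        if image.lower() not in known_images:
            reasons.append(f"process {image} is not in the lab baseline")
        if reasons:
            findings.append((c["pid"], image, f"{c['raddr']}:{c['rport']}", reasons))
    return findings


def flagged_pids(findings):
    """PIDs worth inspecting or killing, each listed once."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for pid, image, remote, reasons in suspicious_connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"PID {pid} ({image}) -> {remote}: " + "; ".join(reasons))
```

The two checks are deliberately independent: a baseline process talking to an odd port and an unknown process talking to port 80 are both worth a look, and a bot that hides behind a familiar name is caught by the port check alone.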
Traffic Capture and Analysis • Use Ethereal (since renamed Wireshark) to capture and analyze the traffic
Botnet Detection Using Snort • Use the Snort intrusion detection system
Lab 2: Lesson Learned • It is essential to look for any abnormal behavior on the system. • It is important to identify the patterns and characteristics of the suspicious traffic (the server contacted, the port, the protocol commands exchanged) before writing any Snort rules; a rule keyed on the observed pattern rather than only on a port still catches a bot that uses a non-standard port.
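The traffic-analysis step and the rule-writing step above, as one added example (not from the lab materials). The packets are a constructed stand-in for a Wireshark capture taken on the lab hub; the hosts, the nick format, the channel name and the password are made up. The code profiles the IRC commands per client/server pair, lists the clients that register a nick and join a channel on any port, and only then builds a Snort content rule from the channel actually observed.

```python
"""Traffic triage before writing a Snort rule (added example, not from the
lab materials). The packets below stand in for a Wireshark capture taken on
the lab hub, as (src, dst, dst_port, TCP payload). Hosts, nick format,
channel name and password are constructed for the example."""
import re
from collections import defaultdict

# Constructed capture: 10.0.0.9 plays the IRC command-and-control server,
# 10.0.0.1 the lab Web server; 10.0.0.5 and 10.0.0.7 are suspected zombies.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", 80,   b"GET /index.html HTTP/1.1\r\nHost: lab\r\n\r\n"),
    ("10.0.0.5", "10.0.0.9", 6667, b"NICK USA|XP|12345\r\nUSER rbot 0 0 :rbot\r\n"),
    ("10.0.0.5", "10.0.0.9", 6667, b"JOIN #bots botpass\r\n"),
    ("10.0.0.9", "10.0.0.5", 1043, b":boss!op@host PRIVMSG #bots :.scan 10.0.1.0/24 445\r\n"),
    ("10.0.0.5", "10.0.0.9", 6667, b"PRIVMSG #bots :[SCAN] scanning 10.0.1.0/24\r\n"),
    ("10.0.0.7", "10.0.0.9", 8080, b"NICK DEU|XP|99812\r\nUSER rbot 0 0 :rbot\r\n"),
    ("10.0.0.7", "10.0.0.9", 8080, b"JOIN #bots botpass\r\n"),
    ("10.0.0.6", "10.0.0.1", 80,   b"GET /news HTTP/1.1\r\nHost: lab\r\n\r\n"),
]

# An IRC line is an optional ":prefix " followed by an upper-case command.
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Z]+)(?: (.*))?$")
IRC_CMDS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG"}


def irc_commands(payload):
    """Return (command, args) pairs for IRC-looking lines in one payload."""
    found = []
    for line in payload.split(b"\r\n"):
        m = IRC_LINE.match(line)
        if m and m.group(1) in IRC_CMDS:
            found.append((m.group(1), m.group(2) or b""))
    return found


def profile_capture(packets):
    """Group IRC commands by (client, server, server port) so the analyst can
    see who registers a nick, which channel is joined and on which port."""
    sessions = defaultdict(lambda: {"cmds": set(), "channels": set(), "nicks": set()})
    for src, dst, dport, payload in packets:
        for cmd, args in irc_commands(payload):
            s = sessions[(src, dst, dport)]
            s["cmds"].add(cmd)
            if cmd == b"JOIN" and args:
                s["channels"].add(args.split()[0])
            elif cmd == b"NICK":
                s["nicks"].add(args.strip())
    return dict(sessions)


def zombie_candidates(sessions):
    """A host that registers a nick and joins a channel is an IRC client; in
    the closed lab no legitimate host should be one, whatever the port."""
    return sorted({src for (src, _dst, _port), s in sessions.items()
                   if {b"NICK", b"JOIN"} <= s["cmds"]})


def nonstandard_ports(sessions):
    """Server ports used for IRC registration other than the default 6667."""
    return sorted({port for (_src, _dst, port), s in sessions.items()
                   if {b"NICK", b"JOIN"} <= s["cmds"] and port != 6667})


def snort_rule(sessions, sid=1000001):
    """Write the rule around the observed JOIN, not around port 6667: the
    10.0.0.7 session shows that a port-only rule would miss a bot on 8080."""
    channels = set()
    for s in sessions.values():
        channels |= s["channels"]
    if len(channels) != 1:
        raise ValueError("expected one C&C channel in the lab capture, got %r" % channels)
    channel = next(iter(channels)).decode()
    return ('alert tcp any any -> any any (msg:"IRC bot joining %s"; '
            'flow:to_server,established; content:"JOIN %s"; nocase; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (channel, channel, sid))


if __name__ == "__main__":
    sessions = profile_capture(SAMPLE_PACKETS)
    print("zombie candidates:", zombie_candidates(sessions))
    print("non-standard IRC ports:", nonstandard_ports(sessions))
    print(snort_rule(sessions))
```

The generated rule uses a local SID (1000000 and above are reserved for local rules) and matches on the channel name; the server's own PRIVMSG commands come back on the client's ephemeral port, so they show up as a separate session and are not mistaken for a client registration.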
Objectives of Lab 3 • Learn to use some countermeasures
Lab 3: Countermeasures • Use Trojan remover software • Use anti-virus software • Modify firewall settings • Use other tools
Lab 3: Countermeasures • Demo
Lab 3: Lesson Learned • Different tools can be used to get rid of the malicious Trojan code that serves the botnet function. • Multiple tools may need to be used together to deal with some specific types of botnets. • New tools need to be designed and developed for fighting against botnets.
Pedagogical Implication • The challenges in teaching how to fight against botnets can be addressed with hands-on labs. • Critical thinking and creativity are promoted by putting students in an environment in which they must find the limitations of the available anti-botnet tools and work out their own solutions. • More effective and efficient tools can be designed and developed using a life-cycle approach.
Summary • Hands-on lab exercises can be designed and developed to teach students how to fight against botnets. • The actual needs may motivate students to create new tools.
References • Beale, J., Baker, A., Caswell, B., Poor, M., et al. (2004). Snort 2.1 Intrusion Detection (2nd ed.). Rockland, MA: Syngress Publishing, Inc. • Cox, K. & Gerg, C. (2004). Managing Security with Snort and IDS Tools. Sebastopol, CA: O'Reilly Media, Inc. • Ethereal, http://www.ethereal.com • Smith, P. & Ragan, T. (1999). Instructional Design. Hoboken, NJ: John Wiley & Sons, Inc. • Snort, http://www.snort.org • Wireshark, http://www.wireshark.org • Xiang, Y. & Zhou, W. (2006). "An Intrusion Surveillance System to Detect IRC-based DDoS Attacks." In Proceedings of the IEEE International Multi-Conference on Computing in the Global Information Technology (ICCGI'06), p. 65.