1 / 20

Botnets

Botnets. Abhishek Debchoudhury Jason Holmes. What is a botnet?. A network of computers running software that runs autonomously. In a security context we are interested in botnets in which the computers have been compromised and are under the control of a malicious adversary. .

mio
Download Presentation

Botnets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Botnets Abhishek Debchoudhury Jason Holmes

  2. What is a botnet? A network of computers running software that runs autonomously. In a security context we are interested in botnets in which the computers have been compromised and are under the control of a malicious adversary. 

  3. What are botnets used for? • Spam • ~85% of email is spam • DDoS attacks • Identity theft • Cost in 2006: $15.6 billion • Phishing attacks • 4500 active sites at any given time, 1 million previously active sites

  4. What are botnets used for? • Hosting pirated software • Hosting and distributing malware • Click fraud • ~14% of all advertisement clicks are fraudulent • Packet sniffing

  5. What's a botmaster? • Person(s) controlling the botnet • Business person • Often paid by customers • Willing to rent out botnet • Glory Hound • Brags about size of botnet • Willing to talk to researchers • Script kiddies • Inexperienced

  6. Command Topologies • Star • Bots tied to centralized C&C server. • Multi-Server  • Same as star but with multiple C&C servers  • Hierarchical • Parent bot control child bots • Random • Full P2P support

  7. Topology Tradeoffs Control vs. Survivability • More Control  •     Easier to get botnet to do your bidding •     Easier to shut down • Survivability •     Harder to shut down •     Less control

  8. Communication Methods • HTTP • Easy for attacker to blend in • IRC •  Harder to hide since IRC is much less used than HTTP • Custom • Makes use of new application protocols

  9. Propagation Methods • Scanning • 0-day attacks • Worm-like behavior • Infected e-mail attachments • Drive-by-downloads • Trojan horses

  10. Infection Procedure

  11. History and Notable Botnets • 1999 - Sub7 • 2000 - GTbot a bot based on mIRC  • 2002 - SDbot small c++ binary with widely available source code • 2002 - Agobot staged attacked with modular payload • 2003 - Sinit first peer-to-peer botnet  • 2004 - Bagle and Bobax first spamming botnets • 2007 - Storm botnet  • 2009 - Waledac botnet • 2009 - Zeus botnet

  12. Defense Three main issues: •   How to find them  •   Decide how to fight them (defense vs offense) •   How to negate the threat

  13. Detection: Analyze Network Traffic • Temporal • Same repeated traffic pattern from node • Spatial • Nodes in same subnet likely infected

  14. Detection: Packet Analysis • Using statistical analysis on network traffic flows • Classify packets based on payload signature and destination port • Looking for clusters of similar data packets  •  n-gram byte distribution • IRC botnet traffic it is not very diverse compared to traffic generated by humans

  15. Strategy Active: attack the source • Shut down C&C server • Re-route DNS • Pushback Passive: defend at the target • Filters • Human attestation • Collective defense

  16. Defense - Change DNS routing Defender figures out domain that attacker is using and takes control Pros: • Central point of attack • Severs botmaster's ability to communicate with the botnet Cons: •  Not all bot nets have C&C server •  C&C domain changes often • > 97% turn over per week

  17. Defense -Black Lists Defender creates list of attackers. Used primarily as spam fighting technique Pros: •  Allows for broad knowledge sharing •  Easy to maintain/understand Cons:  •  List has to be continually updated •  Innocent service providers get blocked

  18. Defense -Human Attestation Defender requests that client prove his humanity. • Requires the client to have a trusted attester • Accomplished through the use of a Trusted Platform Module • Several methods for an attester to determine that the actions were initiated by  a human • Through the use of secure input devices which cryptographically sign their output • CAPTCHA or secure prompt • Analyze keystrokes and mouse movement

  19. Defense - Collective defense We must all hang together or assuredly we shall all hang separately.                             -- Benjamin Franklin •  Key contentions  • Most end users don't know/care about security • The best way to secure the internet is through a collective effort without relying on end users • Compromised hardware must be quarantined until healthy • Authenticate healthiness before network access • Public Health Model for Internet • Allow everyone but identify suspicious behavior • Japan's Cyber Clean Center • Finnish national Computer Emergency Response Team

  20. Thanks

More Related