Offense: Brute Force
A Multifaceted Approach to Understanding the Botnet Phenomenon (Rajab/Zarfoss/Monrose/Terzis)
Enough Data?
• Research paper states:
  • 800,000 DNS domains examined
  • 85,000 servers botnet-infected
  • 65 IRC server domain names
• Is the above data statistically significant?
  • 450,000,000 hosts via DNS (isc.org)
  • Over 150,000,000 domain names exist
  • 47,700,000 .com domains (1% probed)
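One way to put numbers behind the question this slide asks. The following is an added example (not from the slides or the paper): it takes the figures quoted above as inputs, computes the sampling fraction against the population figures, and puts a Wilson 95% interval around the observed infection proportion. The assumption of simple random sampling is the example's, not the paper's; whether the probed 1% of .com was drawn that way is exactly what decides if the interval means anything.

```python
import math

# Figures quoted on the slide, used here only as inputs to the example.
DOMAINS_PROBED = 800_000        # DNS domains examined by the paper
INFECTED_FOUND = 85_000         # servers found botnet-infected
COM_DOMAINS = 47_700_000        # .com domains in existence (~1% probed)
ALL_DOMAINS = 150_000_000       # domain names in existence
DNS_HOSTS = 450_000_000         # hosts reachable via DNS (isc.org)


def sampling_fraction(sample: int, population: int) -> float:
    """Share of the population that was actually examined."""
    return sample / population


def wilson_interval(successes: int, n: int, z: float = 1.96):
    """Wilson score interval for a binomial proportion (95% at z=1.96).

    Assumes the n observations are a simple random sample of the population;
    a biased sample makes the interval narrow but meaningless.
    """
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def required_sample(margin: float, z: float = 1.96, p: float = 0.5) -> int:
    """Sample size needed for an absolute margin of error on a proportion.

    Worst case p=0.5; note the result does not depend on population size,
    which is why 'only 1% probed' is not by itself a statistical objection.
    """
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


if __name__ == "__main__":
    print(f"fraction of all domains probed: {sampling_fraction(DOMAINS_PROBED, ALL_DOMAINS):.4%}")
    print(f"fraction of .com probed:         {sampling_fraction(COM_DOMAINS // 100, COM_DOMAINS):.2%}")
    lo, hi = wilson_interval(INFECTED_FOUND, DOMAINS_PROBED)
    print(f"observed infection rate: {INFECTED_FOUND / DOMAINS_PROBED:.4f}  95% CI [{lo:.4f}, {hi:.4f}]")
    print(f"sample needed for +/-1% margin (random sample): {required_sample(0.01)}")
```

The interval around 85,000/800,000 is only about a tenth of a percentage point wide, so the count itself is not the weak point; the question the slide raises turns on whether the probed domains represent the 150,000,000 that exist, which no sample-size arithmetic can settle.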
Realtime Tracking
Source: Shadowserver.org
Longitudinal Tracking
• Research paper states:
  • 65 IRC server domain names
  • 85,000 servers infected by bots
  • Type-II botnets only
• Shadowserver.org tracking (2+ years):
  • 1,800 active botnets daily
  • 3,000,000 active bots daily
  • Updates every 15 minutes
Where’s the 40%?
• Research paper exclusively WinTel
  • Easier to obtain bot binaries?
• Most internet servers are Linux-based
  • Hard to ignore the majority
• Worm or Trojan backdoors exploited
  • Defenses are already weakened
Botnet size
• Footprint vs. effective size
  • The paper complains that the footprint is much larger than the effective size.
  • So? Bots are trying to stay off DNSBLs (blacklists) and be more stealthy.
  • Sections of the footprint may be rented out
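To make the footprint/effective-size distinction concrete from the tracking side, here is an added example (not code from the slides or the paper) that replays a constructed IRC join/part log for a C&C channel. Footprint counts every distinct address ever seen in the window; effective size counts how many are connected at a given instant. The log lines and addresses are made up for the example.

```python
from datetime import datetime

# Constructed sample of C&C channel events, one per line: "<ISO timestamp> <JOIN|PART> <ip>".
# Not real data; the churn is deliberate so footprint and effective size diverge.
SAMPLE_LOG = """\
2006-04-01T00:00:00 JOIN 10.0.0.1
2006-04-01T00:00:05 JOIN 10.0.0.2
2006-04-01T00:10:00 PART 10.0.0.1
2006-04-01T00:20:00 JOIN 10.0.0.3
2006-04-01T00:25:00 JOIN 10.0.0.1
2006-04-01T00:30:00 PART 10.0.0.2
2006-04-01T01:00:00 PART 10.0.0.3
2006-04-01T01:05:00 JOIN 10.0.0.4
2006-04-01T01:10:00 PART 10.0.0.1
"""


def parse_events(text: str):
    """Parse the log into (timestamp, event, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ev, ip = line.split()
        events.append((datetime.fromisoformat(ts), ev.upper(), ip))
    events.sort(key=lambda e: e[0])
    return events


def footprint(events) -> int:
    """Footprint: distinct bot addresses seen at any point in the window."""
    return len({ip for _, _, ip in events})


def effective_size(events, at_iso: str) -> int:
    """Effective size: bots connected to the channel at the instant `at_iso`."""
    at = datetime.fromisoformat(at_iso)
    online = set()
    for ts, ev, ip in events:
        if ts > at:
            break
        if ev == "JOIN":
            online.add(ip)
        elif ev == "PART":
            online.discard(ip)
    return len(online)


def peak_effective_size(events) -> int:
    """Largest number of bots simultaneously connected during the window."""
    online, peak = set(), 0
    for _, ev, ip in events:
        if ev == "JOIN":
            online.add(ip)
        elif ev == "PART":
            online.discard(ip)
        peak = max(peak, len(online))
    return peak


def summarize(text: str) -> dict:
    """Footprint, peak effective size, and their ratio for one log window."""
    events = parse_events(text)
    fp, peak = footprint(events), peak_effective_size(events)
    return {"footprint": fp, "peak_effective": peak, "ratio": fp / peak if peak else 0.0}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # With the constructed log: footprint 4, peak effective size 3 -> ratio 1.33
```

A footprint/peak ratio well above 1 in real tracking data is exactly the gap the paper notes; the slide's point is that churn of this kind is consistent with bots that connect briefly to avoid sitting on a DNSBL, so the gap is a property of the botnet's behaviour rather than a defect in the measurement.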
Botmaster concerns
Source: swatit.org
C&C Stealth
• Botmasters want to remain hidden
• IRC-based isn’t the only way
  • Peer-to-peer systems hide the IP source address
  • Virtualization of C&C
  • Dynamic web servers
• Network creation/reconfiguration
  • Come and go quickly
  • Difficult to trace
  • Works for honeypots, why not botnets?
Gray-box testing
• Only binary bot behavior studied
• Results limited by mimicking IRC state
• Research emphasized automation over thoroughness
• Source code or disassembly reveals more
• Behavior may be different in a honeynet
Botnet evolution
• Polymorphic bot code
• Gmail as control protocol
• SSL usage
  • Invisible to network inspection
• XML/RSS messages
• Exploit IPv6 flaws