11/20/09 ONR MURI Project Kick-Off 1
Mar 27, 2015
Network-Level Monitoring for Tracking Botnets
Nick Feamster
School of Computer Science
Georgia Institute of Technology
ONR MURI N000140911042
Project Kick-off Meeting
November 20, 2009
Two Problems: From Axioms to Theories to Practice
• Problem #1: Tracking Bots
  – Bots are compromised computers
  – Bot traffic is not sent/authorized by users
  – Correlating host activities
• Problem #2: Tracking Network Agility (BGP & DNS)
  – Bots are long-term resources
  – Reuse, mechanisms/protocols to support agility
Problem #1: Tracking Bot Propagation
• Malware enters the enterprise over the network (e.g., remote exploit, Web application) or on a mobile device.
• Administrators rely on virus scanners, AV, etc.
  – Problem: Payloads may change; hard to keep AV up-to-date
Axiom: Bot traffic is not sent by humans/users.
Annotate Traffic with Provenance
• Idea: Annotate network traffic with “taints”
  – The process that generated the traffic
  – Inputs that the process has taken (i.e., what other resources it has read)
• As malware spreads, traffic accumulates a common set of taints.
  – Identify taints corresponding to bad operation
  – Block traffic if it carries a known bad taint
Theory: We can trace botnet traffic based on how it was sent, not what the botnet is sending.
Pedigree Design
• Trusted tagging component on host
• Arbiter on network switch
Practice: Tag traffic with provenance; block traffic at network switches.
NSF-TC 0916732: Taint-Based Information Tracking in Networked Systems
Student: Anirudh Ramachandran
Status and Challenges
• Status
  – Implementation and application to information-flow control in enterprises
• Challenges
  – Discover taints corresponding to the malware
  – Defend against attacks on the taint set (e.g., overflow)
  – Protecting integrity of tagger
Problem #2: Tracking Network Agility
• DNS: Remap DNS names to new IP addresses
  – Fast-flux / Double-flux
• BGP: Hijack IP address space
  – Allow hosts to operate from new IP addresses
Axiom: Botnets have only finite resources. These resources must be reused or recycled.
Example: DNS Agility
Theory: Rates of change are much faster than for legitimate load-balanced sites.
Maria Konte et al., “Dynamics of Online Scam Hosting Infrastructure”, PAM 2009. Best Paper.
Rates of Change
• Domains that exhibit fast flux change more rapidly than legitimate domains
• Rates of change are inconsistent with actual TTL values
Theory: Rates of change are faster than for legitimate load-balanced sites.
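The two signals on this slide (answer sets that change quickly, and changes that arrive before the advertised TTL has expired) can be measured from repeated lookups. The following is an added illustration, not code from the project or the PAM 2009 paper: the lookup records are constructed, one domain standing in for a legitimate load-balanced site and one for a fast-flux domain, and the thresholds in `flag_fast_flux` are assumptions chosen for the sample.

```python
from collections import defaultdict

# Constructed sample lookups: (domain, seconds since start, advertised TTL, addresses).
# shop.example plays a legitimate load-balanced site; flux.example rotates inside its TTL.
OBSERVATIONS = [
    ("shop.example", 0,    600, {"198.51.100.10", "198.51.100.11"}),
    ("shop.example", 900,  600, {"198.51.100.10", "198.51.100.11"}),
    ("shop.example", 1800, 600, {"198.51.100.11", "198.51.100.12"}),
    ("shop.example", 2700, 600, {"198.51.100.11", "198.51.100.12"}),
    ("flux.example", 0,    300, {"203.0.113.5", "203.0.113.77", "203.0.113.120"}),
    ("flux.example", 60,   300, {"203.0.113.9", "203.0.113.140", "203.0.113.33"}),
    ("flux.example", 120,  300, {"203.0.113.5", "203.0.113.201", "203.0.113.66"}),
    ("flux.example", 180,  300, {"203.0.113.250", "203.0.113.77", "203.0.113.8"}),
]

def summarize(observations):
    """Per-domain churn: distinct addresses seen, answer-set changes, changes per
    hour, and how many changes arrived before the previous answer's TTL ran out."""
    by_domain = defaultdict(list)
    for domain, t, ttl, ips in observations:
        by_domain[domain].append((t, ttl, frozenset(ips)))
    stats = {}
    for domain, rows in by_domain.items():
        rows.sort()
        seen = set(rows[0][2])
        changes = intra_ttl = 0
        last_t, last_ttl, last_ips = rows[0]
        for t, ttl, ips in rows[1:]:
            seen |= ips
            if ips != last_ips:
                changes += 1
                # New answer within last_ttl seconds: data moved faster than the TTL implied.
                if t - last_t < last_ttl:
                    intra_ttl += 1
            last_t, last_ttl, last_ips = t, ttl, ips
        span = rows[-1][0] - rows[0][0]
        stats[domain] = {
            "distinct_ips": len(seen),
            "changes": changes,
            "intra_ttl_changes": intra_ttl,
            "changes_per_hour": round(changes * 3600 / span, 1) if span else 0.0,
        }
    return stats

def flag_fast_flux(stats, min_changes=2, min_intra_fraction=0.5):
    """Flag domains whose answers change repeatedly and mostly inside their own TTL (assumed thresholds)."""
    return sorted(d for d, s in stats.items()
                  if s["changes"] >= min_changes
                  and s["intra_ttl_changes"] / s["changes"] >= min_intra_fraction)
```

On the sample, shop.example changes once in 45 minutes and never inside its TTL, while flux.example changes on every lookup and is the only domain flagged.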
Fingerprinting DNS Agility
• Step 1 (simple idea)
  – Changes to name server assignment
  – Characteristics of new domains
• Step 2: Graph comparison
  – Lookups from recursive resolvers to “fresh” domains will look similar
  – Build fingerprints based on graph and point-set comparison techniques
Practice: Develop “fingerprints” of DNS dynamics. Identify underlying infrastructure, not attacks.
Student: Shuang Hao
Example: BGP Agility
• Hijack address space, send spam, withdraw prefix
[Figure: short-lived announcements of 61.0.0.0/8 (AS 4678), 66.0.0.0/8 (AS 21562) and 82.0.0.0/8 (AS 8717)]
Theory: Different prefixes follow similar patterns.
Anirudh Ramachandran et al., “Understanding the Network-Level Behavior of Spammers”, SIGCOMM 2006. Best Student Paper.
Fingerprinting BGP Agility
[Figure: spam trap and BGP feed yield spam prefix & origin AS; heuristics (bogus AS, IAR, recently registered, scam hosting) lead to new prefixes]
Practice: Bootstrap suspicious prefix discovery. Look for “similar” prefixes.
Student: Maria Konte