nullcon 2010 - Botnet mitigation, monitoring and management

nullcon Goa 2010 http://nullcon.net

Botnet Mitigation, Monitoring and Management

- Harshad Patil

Introduction

Why they use Botnets?

Attack vectors- Where are they used?

Taxonomy of botnet and how it operates

Detection and prevention of botnets

Some recent botnets

Current Botnet Mitigation efforts

Botnet Monitoring


Agenda


Introduction

What are bots, botnets, botmasters, and zombies,IRC,P2P?

Three characteristic attributes of bota remote control facility,

the implementation of several commands,

and a spreading mechanism

What is DOS


• </attack>• <attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11"> # About an hour and 15 minutes duration• <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>• <type class="3" subclass="5"/> # Misuse Null TCP• <direction type="Incoming" name="anonymous" gid="756"/>• <protocols>6</protocols> # IP Protocol 6, TCP• <tcpflags></tcpflags> # No Flags - Null TCP• <source>• <ips>0.0.0.0/0</ips> # Very well distributed or Source-spoofed IPs• <ports>0-65535</ports> # Very well distributed source ports• </source>• <dst>• <ips>xx.xx.X.X/32</ips> # Surprise, undernet IRC Server…• <ports>6667</ports> # 6667 IRC• </dst>• <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>• </attack>

•Source: ISC


Why Botnets?

Capability of botnet

Botnet Economy

Self propagation

Robustness

Efficiency

Effectiveness

Usage of different Encryption systems

P2P botnet advantages!


Attack vectors

Spamming

Phishing

Click Fraud, Google Adsense

Sniffing traffic- Corporate Espionage, ID Theft

Keystroke logging

Data Mining

Manipulating online MMOGs


How they operate

How botmasters discover new bots

2 architectures: CnC and P2P

Communication between the bot and the botmaster

Botnet Complexity

How they evade IDS/Honeypots


CnC Architecture

Botmaster

C & C

Bots Bots Bots


P2P Architecture

Botmaster

C & C C & C

Bots Bots Bots


Concerning factors

Complexity of the Internet.

Shortest compromise time: few secs..

Extradition issues and different laws of different countries..

Easy to escape detection techniques by new encryption types.(MD6 encryption: Conficker)


Concerning factors

•Courtesy: McAfee


Concerning factors


Concerning factors

Protection Detection Remediation



DetectionNepenthes

HoneyBow

Observe the behavior of botsNetwork based behavior:

Host-based behavior

Bothunter: Vertical Correlation. Correlation on the behaviors of single host.

Botsniffer: Horizontal Correlation. On centralized C&C botnets

Botminer: Extension on Botsniffer, no limitations on the C&C types.


Protection

Honeynets

IDS

Snort

Tripwire

OurMon

CWSandbox

•Current Mitigation efforts:


Current Mitigation effort



Botnet Monitoring System:


Some current cases

Torpig

Conficker

A current flash 0day attack.


Torpig details



Conclusion

Bots pose a threat to individuals and corporate environments

Use: DDoS attacks, to spam, steal, spy, hack, …

Defense: Prevention- Honeypots, IPS, N/w analysis tools Detection: IDS, analysis tools

Management: Understanding security failures is much like anticipating that houses catch on fire and smoke detectors save lives.


nullcon 2010 - Botnet mitigation, monitoring and management

Technology

factors nullcon goa

conficker nullcon goa

idshoneypots nullcon

dos nullcon goa

p2p architecture nullcon

cnc architecture nullcon

torpig details nullcon

online mmogs nullcon