
Botnet Mitigation, Monitoring and Management

Botnet Mitigation, Monitoring and Management - Harshad Patil. Agenda: Introduction; Why they use Botnets?; Attack vectors: where are they used?; Taxonomy of botnets and how they operate; Detection and prevention of botnets; Some recent botnets; Current botnet mitigation efforts.


Presentation Transcript


  1. Botnet Mitigation, Monitoring and Management - Harshad Patil http://nullcon.net

  2. Agenda
     • Introduction
     • Why they use Botnets?
     • Attack vectors: where are they used?
     • Taxonomy of botnets and how they operate
     • Detection and prevention of botnets
     • Some recent botnets
     • Current botnet mitigation efforts
     • Botnet monitoring

  3. Introduction
     • What are bots, botnets, botmasters, zombies, IRC and P2P?
     • Three characteristic attributes of a bot:
       • a remote control facility,
       • the implementation of several commands,
       • a spreading mechanism.

  4. What is DoS? Source: ISC
     Example attack record (annotations after #):

       </attack>
       <attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">   # About an hour and 15 minutes duration
         <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
         <type class="3" subclass="5"/>                     # Misuse Null TCP
         <direction type="Incoming" name="anonymous" gid="756"/>
         <protocols>6</protocols>                           # IP Protocol 6, TCP
         <tcpflags></tcpflags>                              # No flags - Null TCP
         <source>
           <ips>0.0.0.0/0</ips>                             # Very well distributed or source-spoofed IPs
           <ports>0-65535</ports>                           # Very well distributed source ports
         </source>
         <dst>
           <ips>xx.xx.X.X/32</ips>                          # Surprise, undernet IRC server…
           <ports>6667</ports>                              # 6667 IRC
         </dst>
         <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
       </attack>

  5. Why Botnets?
     • Capability of a botnet
     • Botnet economy
     • Self propagation
     • Robustness
     • Efficiency
     • Effectiveness
     • Usage of different encryption systems
     • P2P botnet advantages!

  6. Attack vectors
     • Spamming
     • Phishing
     • Click fraud, Google AdSense
     • Sniffing traffic: corporate espionage, ID theft
     • Keystroke logging
     • Data mining
     • Manipulating online MMOGs

  7. How they operate
     • How botmasters discover new bots
     • Two architectures: CnC and P2P
     • Communication between the bot and the botmaster
     • Botnet complexity
     • How they evade IDS/honeypots

  8. CnC Architecture (diagram: botmaster → C&C server → bots)

  9. P2P Architecture (diagram: botmaster → multiple C&C nodes → bots)

  10. Concerning factors
     • Complexity of the Internet.
     • Shortest compromise time: a few seconds.
     • Extradition issues and differing laws across countries.
     • New encryption types make detection techniques easy to evade (MD6 in Conficker).

  11. Concerning factors (courtesy: McAfee)

  12. Concerning factors

  13. Concerning factors

  14. Protection, Detection, Remediation

  15. Detection
     • Nepenthes
     • HoneyBow
     • Observe the behaviour of bots:
       • network-based behaviour
       • host-based behaviour
     • BotHunter: vertical correlation, correlating the behaviours of a single host.
     • BotSniffer: horizontal correlation across hosts; targets centralized C&C botnets.
     • BotMiner: extends BotSniffer; no restriction on the type of C&C.
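As an added illustration of the horizontal correlation idea behind BotSniffer (example code written for this page, not the presentation's or the BotSniffer authors' code), the Python below groups flow records by destination and flags a server that several internal hosts contact in synchronised bursts; the flow records, addresses and thresholds are constructed sample values.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp in seconds, source IP, destination IP, dest port)
SAMPLE_FLOWS = [
    # three internal hosts check in to the same IRC server within seconds, twice
    (1000, "10.0.0.11", "203.0.113.5", 6667), (1003, "10.0.0.12", "203.0.113.5", 6667),
    (1007, "10.0.0.13", "203.0.113.5", 6667), (1600, "10.0.0.11", "203.0.113.5", 6667),
    (1602, "10.0.0.12", "203.0.113.5", 6667), (1605, "10.0.0.13", "203.0.113.5", 6667),
    # ordinary web traffic: many hosts, but spread out over time
    (1010, "10.0.0.11", "198.51.100.7", 443), (1300, "10.0.0.12", "198.51.100.7", 443),
    (1900, "10.0.0.13", "198.51.100.7", 443), (2500, "10.0.0.14", "198.51.100.7", 443),
    # one host polling one server repeatedly: vertical, not horizontal, behaviour
    (1001, "10.0.0.20", "192.0.2.9", 8080), (1002, "10.0.0.20", "192.0.2.9", 8080),
    (1003, "10.0.0.20", "192.0.2.9", 8080),
]


def synchronized_rounds(events, window, min_hosts):
    """Count bursts in which at least min_hosts distinct sources contacted one
    destination within `window` seconds. events: list of (timestamp, src_ip)."""
    events = sorted(events)
    rounds, i = 0, 0
    while i < len(events):
        start, hosts, j = events[i][0], set(), i
        while j < len(events) and events[j][0] - start <= window:
            hosts.add(events[j][1])
            j += 1
        if len(hosts) >= min_hosts:
            rounds += 1
            i = j          # this burst is counted; continue after it
        else:
            i += 1
    return rounds


def horizontal_correlation(flows, window=30, min_hosts=3, min_rounds=2):
    """Group flows by (dst_ip, dst_port) and report destinations that several hosts
    contacted in synchronised bursts on at least min_rounds occasions."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_dst[(dst, dport)].append((ts, src))
    suspects = {}
    for key, events in by_dst.items():
        rounds = synchronized_rounds(events, window, min_hosts)
        if rounds >= min_rounds:
            suspects[key] = rounds
    return suspects


if __name__ == "__main__":
    for (dst, port), rounds in horizontal_correlation(SAMPLE_FLOWS).items():
        print(f"suspected C&C {dst}:{port} - {rounds} synchronised check-in rounds")
```

On the sample data only the IRC server on port 6667 is reported; the web server is contacted by many hosts but never in a synchronised burst, and the single polling host produces no cross-host signal at all.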

  16. Current Mitigation efforts: Protection
     • Honeynets
     • IDS
     • Snort
     • Tripwire
     • OurMon
     • CWSandbox

  17. Current Mitigation efforts

  18. Current Mitigation efforts: Botnet Monitoring System

  19. Some current cases
     • Torpig
     • Conficker
     • A current Flash 0-day attack

  20. Torpig details

  21. Current Mitigation efforts: Conclusion
     • Bots pose a threat to individuals and corporate environments.
     • Uses: DDoS attacks, spam, theft, espionage, hacking, …
     • Defense:
       • Prevention: honeypots, IPS, network analysis tools
       • Detection: IDS, analysis tools
       • Management: understanding security failures is much like anticipating that houses catch on fire and smoke detectors save lives.
