
Offense: Brute Force






Presentation Transcript


  1. Offense: Brute Force
     A Multifaceted Approach to Understanding the Botnet Phenomenon (Rajab/Zarfoss/Monrose/Terzis)

  2. Enough Data?
     • Research paper states:
       • 800,000 DNS domains examined
       • 85,000 servers botnet-infected
       • 65 IRC server domain names
     • Is the above data statistically significant?
       • 450,000,000 hosts via DNS (isc.org)
       • Over 150,000,000 domain names exist
       • 47,700,000 .com domains (1% probed)

  3. Realtime Tracking (Source: Shadowserver.org)

  4. Longitudinal Tracking
     • Research paper states:
       • 65 IRC server domain names
       • 85,000 servers infected by bots
       • Type-II botnets only
     • Shadowserver.org tracking (2+ years):
       • 1800 active botnets daily
       • 3,000,000 active bots daily
       • Updates every 15 minutes

  5. Where’s the 40%?
     • Research paper exclusively WinTel
     • Easier to obtain bot binaries?
     • Most internet servers are Linux-based
     • Hard to ignore the majority
     • Worm or Trojan backdoors exploited
     • Defenses are already weakened

  6. Botnet size
     • Footprint vs. effective size
     • The paper complains that the footprint is much larger than the effective size.
     • So? Bots are trying to stay off DNSBLs (blacklists) and be more stealthy.
     • Sections of the footprint may be rented out
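To make the footprint/effective-size distinction concrete, here is an added illustration that is not from the slides or from the Rajab et al. paper: it replays a constructed IRC C&C join/part log and counts distinct bot identities ever seen (footprint) against the peak number online at once (effective size). The bot names and timestamps are made up for the example.

```python
from datetime import datetime

# Constructed IRC channel join/part log for the example (not real data).
# Each entry: (ISO timestamp, event, bot identity).
SAMPLE_EVENTS = [
    ("2007-01-01T00:00:00", "JOIN", "bot-a1"),
    ("2007-01-01T00:05:00", "JOIN", "bot-b2"),
    ("2007-01-01T00:20:00", "PART", "bot-a1"),
    ("2007-01-01T00:25:00", "JOIN", "bot-c3"),
    ("2007-01-01T00:40:00", "JOIN", "bot-a1"),  # same bot returns: footprint unchanged
    ("2007-01-01T00:45:00", "PART", "bot-b2"),
    ("2007-01-01T01:00:00", "JOIN", "bot-d4"),
    ("2007-01-01T01:10:00", "PART", "bot-c3"),
]


def _parsed(events):
    """Parse timestamps and return events ordered by time."""
    rows = [(datetime.fromisoformat(ts), kind, bot) for ts, kind, bot in events]
    return sorted(rows, key=lambda row: row[0])


def footprint(events):
    """Footprint: number of distinct bot identities ever seen on the channel."""
    return len({bot for _, _, bot in events})


def effective_size(events):
    """Effective size: peak number of bots online at the same moment."""
    online, peak = set(), 0
    for _, kind, bot in _parsed(events):
        if kind == "JOIN":
            online.add(bot)
        elif kind == "PART":
            online.discard(bot)
        peak = max(peak, len(online))
    return peak


def online_at(events, when_iso):
    """Number of bots online at the instant given as an ISO timestamp."""
    when, online = datetime.fromisoformat(when_iso), set()
    for ts, kind, bot in _parsed(events):
        if ts > when:
            break
        online.add(bot) if kind == "JOIN" else online.discard(bot)
    return len(online)


if __name__ == "__main__":
    print("footprint:", footprint(SAMPLE_EVENTS))          # 4 distinct bots
    print("effective size:", effective_size(SAMPLE_EVENTS))  # at most 3 online at once
```

Churn (bots parting and rejoining, such as bot-a1 here) is exactly what drives the footprint above the effective size, so the gap the slide refers to is expected rather than a measurement flaw.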

  7. Botmaster concerns (Source: swatit.org)

  8. C&C Stealth
     • Botmasters want to remain hidden
     • IRC-based isn’t the only way
     • Peer-to-peer systems hide the IP source address
     • Virtualization of C&C
     • Dynamic web servers
     • Network creation/reconfiguration
     • Come and go quickly
     • Difficult to trace
     • Works for honeypots, why not botnets?

  9. Gray-box testing
     • Only binary bot behavior studied
     • Results limited by mimicking IRC state
     • Research emphasized automation over thoroughness
     • Source code or disassembly reveals more
     • Behavior may be different in a honeynet

  10. Agobot C&C

  11. Botnet evolution
     • Polymorphic bot code
     • Gmail as control protocol
     • SSL usage
     • Invisible to network inspection
     • XML/RSS messages
     • Exploit IPv6 flaws

  12. ? ? ?
