botnet population and intelligence gathering techniques
play

Botnet Population and Intelligence Gathering Techniques David Dagon - PowerPoint PPT Presentation

Jan 18, 2024 •21 likes •431 views

BlackHat DC 2008 Botnet Population and Intelligence Gathering Techniques David Dagon 1 & Chris Davis 2 dagon@cc.gatech.edu Georgia Institute of Technology College of Computing cdavis@damballa.com Damballa, Inc. BlackHat DC Meeting 2008

  1. BlackHat DC 2008 Botnet Population and Intelligence Gathering Techniques David Dagon 1 & Chris Davis 2 dagon@cc.gatech.edu Georgia Institute of Technology College of Computing cdavis@damballa.com Damballa, Inc. BlackHat DC Meeting 2008 David Dagon & Chris Davis Botnet Population Estimation

  2. BlackHat DC 2008 Introductions based on joint work with: UCF CS: Cliff Zou GaTech CS: Jason Trost, Wenke Lee ISC: Paul Vixie IOActive: Dan Kaminski Thanks: Nicholas Bourbaki The Spacious Georgia Tech Campus David Dagon & Chris Davis Botnet Population Estimation

  3. BlackHat DC 2008 Motivation Outline Motivation: Infer victim populations with limited probes IPID overview BIND Cache Overview Challenges in Modeling Solutions Further challenges Data needs: finding honest open recursives Cautions and conclusions David Dagon & Chris Davis Botnet Population Estimation

  4. BlackHat DC 2008 Motivation Basic Botnet Facts Most bot malware will utilize domain names so the bot 1 master can move around and the bots can still find him. Many types of bot malware use multiple staged downloads. 2 Many bot masters are just starting to understand how to 3 get their bots to egress from corporate networks. Alot of bot malware is shockingly easy to use 4 David Dagon & Chris Davis Botnet Population Estimation

  5. BlackHat DC 2008 Motivation Botnet Basics: Rats David Dagon & Chris Davis Botnet Population Estimation

  6. BlackHat DC 2008 Motivation Botnet Basics: Rats David Dagon & Chris Davis Botnet Population Estimation

  7. BlackHat DC 2008 Motivation Botnet Basics: Rats David Dagon & Chris Davis Botnet Population Estimation

  8. BlackHat DC 2008 Motivation Basic Botnet Facts Not Your Mom’s IRC Botnet anymore 1 IRC Botnets are on the decline. Remote Victim 2 Enumeration is becoming harder How do we understand the size and scope of a botnet 3 when we have a limited view? David Dagon & Chris Davis Botnet Population Estimation

  9. BlackHat DC 2008 Motivation Understanding IPID Each IP datagram header has an ID field, which is used 1 when reassembling fragmented datagrams. If no fragmentation takes place, the ID field is basically 2 unused, but operating systems still have to calculate its value for each packet. Some operating systems increment the value by a 3 constant for each datagram. Operating systems that increment by one: 4 Windows (All Versions) FreeBSD Some Linux Variants (2.2 and Earlier) Many other devices like print servers, webcams, etc... David Dagon & Chris Davis Botnet Population Estimation

  10. BlackHat DC 2008 Motivation Understanding IPID An example of a quiet server: 1 cdavis$ hping2 -i 1 -c 5 -S -p 80 XX.YY.ZZ.86 len=46 ip=XX.YY.ZZ.86 ttl=52 id=25542 sport=80 flags=SA seq=0 win=8192 rtt=42.2 ms len=46 ip=XX.YY.ZZ.86 ttl=52 id=25543 sport=80 flags=SA seq=1 win=8192 rtt=48.6 ms len=46 ip=XX.YY.ZZ.86 ttl=52 id=25544 sport=80 flags=SA seq=2 win=8192 rtt=48.1 ms len=46 ip=XX.YY.ZZ.86 ttl=52 id=25545 sport=80 flags=SA seq=3 win=8192 rtt=43.9 ms len=46 ip=XX.YY.ZZ.86 ttl=52 id=25546 sport=80 flags=SA seq=4 win=8192 rtt=42.1 ms David Dagon & Chris Davis Botnet Population Estimation

  11. BlackHat DC 2008 Motivation Motivation 80% of spam sent via zombies [St.Sauver 2005]; now 1 90+% [St.Sauver 2007] Volume of phish/malware complaints to ISPs is staggering 2 Need to prioritize 1 So-called IP-reputation is often merely CIDR-Reputation 3 DHCP auto-incrementing spam bots, and general lease 1 churn mitigates towards classful scoring, or based on whois OrgName or ASN, etc. Need to remotely assess risk of networks roughly (CIDR) 2 without relying on remote sensors . Motivating question: Can we estimate victim populations 4 using simple DNS metrics? David Dagon & Chris Davis Botnet Population Estimation

  12. BlackHat DC 2008 Motivation Cache Basics: I Epidemiological Studies via DNS Cache: TTL time No Query and cache recursive lookup populates cache David Dagon & Chris Davis Botnet Population Estimation

  13. BlackHat DC 2008 Motivation Cache Basics: II Epidemiological Studies via DNS Cache: TTL time Later, the cache decays David Dagon & Chris Davis Botnet Population Estimation

  14. BlackHat DC 2008 Motivation Cache Basics: III Epidemiological Studies via DNS Cache: Continuous line to represent discrete decay events TTL time David Dagon & Chris Davis Botnet Population Estimation

  15. BlackHat DC 2008 Motivation Intuitive Use Intuitive Difference in Relative Cache Rates Domain 1 TTL time Domain 2 TTL time David Dagon & Chris Davis Botnet Population Estimation

  16. BlackHat DC 2008 Motivation Conception Application of DNS Cache Snooping Probing Caching Servers for Same Domain network 1 network 2 network 3 R David Dagon & Chris Davis Botnet Population Estimation

  17. BlackHat DC 2008 Motivation Problems in Methodology Caching Inherently Hides Lookups Cause of cache: one query or many? TTL time David Dagon & Chris Davis Botnet Population Estimation

  18. BlackHat DC 2008 Motivation Solution: Boundary Estimates Assumptions Property 1 : Bot queries are independent Property 2 : DNS Cache queues follow a Poisson distribution with the arrival of uncached phases at rate λ Note: λ is the “birth process”, or arrival rate–the number of events/arrivals per time epoch. Are these properties correct? David Dagon & Chris Davis Botnet Population Estimation

  19. BlackHat DC 2008 Motivation Independence of Bot Queries Two events X i and X j , are independent if P ( X i X j ) = P ( X i ) P ( X j ) Given the property that P ( B | A ) = P ( BA ) / P ( A ) , then to show X i and X j are independent, we need to show P ( X i | X j ) = P ( X i ) In the general case, bot victims are randomly selected from potential victims. Absent synchronized behavior, one victim’s infection-phase DNS resolution is independent of any others. Example: two victims must visit a webpage to become infected; on a domain TTL-scale, this browsing is independent Thus, proptery 1 holds in the general case David Dagon & Chris Davis Botnet Population Estimation

  20. BlackHat DC 2008 Motivation Bot DNS Resolution Follows Poisson Distribution Does Property 2 hold? Consider: Intuitive View of DNS Cache Time-outs T1 T2 TTL time David Dagon & Chris Davis Botnet Population Estimation

  21. BlackHat DC 2008 Motivation Bot DNS Resolution Follows Poisson Distribution The arrival of victims in a queue is trivially modeled as a poisson process This is true of telephony networks, packet networks ...and its generally true of origination from large populations of independent actors (For some values of large) botnets are large population systems. OK, so keep in mind: botnet recruitment that triggers a DNS lookup is a poisson process. We use this point shortly... Our current problem: We can only measure cache idle periods however. Are these poisson processes? David Dagon & Chris Davis Botnet Population Estimation

  22. BlackHat DC 2008 Motivation Poisson Processes Definitions What’s a Poisson process? There are three definitions: One arrival occurs in the infinitesimal time dt 1 An interval t has a distribution of arrivals following P ( λ t ) 2 The interarrival times are independent with exponential 3 distribution. P { interarrival > t } = e − λ t Say, that third definition sure looks like a DNS cache line’s idle periods! ˆ N u , l = ˆ Textbooks then tell used: λ u , l /λ . (There are simple models for deriving populations from arrival rates.) Bad joke opportunity: DNS poisoning also relies on poisson processes David Dagon & Chris Davis Botnet Population Estimation

  23. BlackHat DC 2008 Motivation More Problems There are hazards in sampling Hidden masters Load balancers using independent caches Policy barriers Mandatory Obtain permission and follow RFC 1262 (DNS probes are the spam) Throttle request rates to respect server load balancing (or corrupt data); e.g., 4.2.2.2 throttles non-customers Select small set of suspect domains All of these corrupt data collection. (Solutions omitted for space) David Dagon & Chris Davis Botnet Population Estimation

  24. BlackHat DC 2008 Motivation Data Collection Problems Sampling is Blind to DNS Architecture Round Robin DNS Farm R David Dagon & Chris Davis Botnet Population Estimation

  25. BlackHat DC 2008 Motivation Sample Application Study of botnet in Single ISP DNS Cache David Dagon & Chris Davis Botnet Population Estimation

  26. BlackHat DC 2008 Motivation Demonstration Plot of output for tracking one botnet (animation may follow) David Dagon & Chris Davis Botnet Population Estimation

  27. BlackHat DC 2008 Motivation Issue: How to Locate Open Recursives? Probing open recursives for domain cache times requires a list of open resolvers. We could just ... scan IPv4 for such hosts However, simple queries don’t tell us the whole story of the open recursives needed for this task We must separate those that are open recursive from those that are open forwarding Further, some open resolvers (both full and forwarding) are DNS monetization engines, and don’t answer iterative queries truthfully DNS monetization resolvers may not uses caches We wish to identify them, so we can exclude them David Dagon & Chris Davis Botnet Population Estimation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks

Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks

Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks Founded in 2000 ~150 employees worldwide Peakflow product lines Peakflow SP for service providers Peakflow X for enterprises

879 views • 41 slides
Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway,

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway,

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway, University of London, UK Stefano Schiavoni Politecnico di Milano, Italy and Google, UK @sschiav, sschiavoni@google.com Federico Maggi ,

1.39k views • 60 slides
Bringing the Gathering Home How do we make this more than a five day experience? Before the

Bringing the Gathering Home How do we make this more than a five day experience? Before the

Bringing the Gathering Home How do we make this more than a five day experience? Before the Gathering Before the Gathering Use fundraisers to connect people to your group and the Gathering. Pre-Gathering Bible studies (Website Lead

347 views • 19 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF

Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF

Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF February 2016 1 / 71 Ethan Dodge DFIR @ Nuna Health. DFIR professional and perpetual learner. @__eth0 dodgesec.com 2 / 71 Nuna Health

861 views • 71 slides
Search Techniques for Artificial Intelligence Search is a central topic in Artificial

Search Techniques for Artificial Intelligence Search is a central topic in Artificial

Search Techniques LP&ZT 2005 Search Techniques for Artificial Intelligence Search is a central topic in Artificial Intelligence. This part of the course will show why search is such an important topic, present a general approach to

10.79k views • 72 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Extracting Information from the Web (Web Services and Friends) Artificial Intelligence

Extracting Information from the Web (Web Services and Friends) Artificial Intelligence

Extracting Information from the Web (Web Services and Friends) Artificial Intelligence Variety of techniques for making machines able to achieve goals in the world in ways that mimic human abilities Techniques do not necessarily have to

447 views • 44 slides
Extracting Information from the Web (Web Services and Friends) Artificial Intelligence

Extracting Information from the Web (Web Services and Friends) Artificial Intelligence

Extracting Information from the Web (Web Services and Friends) Artificial Intelligence Variety of techniques for making machines able to achieve goals in the world in ways that mimic human abilities Techniques do not necessarily have to

980 views • 46 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
Information Gathering Information Gathering Information Gathering Lesson No. 5 ENV H 471

Information Gathering Information Gathering Information Gathering Lesson No. 5 ENV H 471

Lesson 5. Information Gathering January 27, 2004 Information Gathering Information Gathering Information Gathering Lesson No. 5 ENV H 471 Environmental Health Regulation Winter Quarter 2004 Lesson Overview Lesson Overview Lesson Overview

537 views • 9 slides
Interpretation of Ground-Based Magnetometer Measurements During Enhanced Auroral Activity

Interpretation of Ground-Based Magnetometer Measurements During Enhanced Auroral Activity

Interpretation of Ground-Based Magnetometer Measurements During Enhanced Auroral Activity Nathaniel Berliner Hugh A. Gallagher Jr. SUNY College at Oneonta Overview In the current project: A systematic analysis of the response of the

299 views • 15 slides
Brings OpenStack networking and storage to containers Kubernetes Neutron Networking

Brings OpenStack networking and storage to containers Kubernetes Neutron Networking

Brings OpenStack networking and storage to containers Kubernetes Neutron Networking Native OpenStack infrastructure for mixed workloads spec: podSelector: matchLabels: role: db policyTypes: -

773 views • 8 slides
Camden Integrated Digital Record (CIDR) CIDR Camden Integrated Digital Record (CIDR) Camden

Camden Integrated Digital Record (CIDR) CIDR Camden Integrated Digital Record (CIDR) Camden

Camden Integrated Digital Record (CIDR) CIDR Camden Integrated Digital Record (CIDR) Camden CCG has developed an online record that links health and social care data together, working in partnership with health and social care providers in

248 views • 21 slides
Innovation in Public Employment Programmes: Urban Management City Improvement Districts

Innovation in Public Employment Programmes: Urban Management City Improvement Districts

Innovation in Public Employment Programmes: Urban Management City Improvement Districts working with communities & people on the street 18 May 2017 Urban Management Concerns Cities showing increasing concern on role of Urban

307 views • 11 slides
Internet-Scale Event Notification: Architecture Alternatives Jie Ren Information and Computer

Internet-Scale Event Notification: Architecture Alternatives Jie Ren Information and Computer

Internet-Scale Event Notification: Architecture Alternatives Jie Ren Information and Computer Science University of California, Irvine 05/08/2000 Before Routing Event Types: protocol or business? Routing Paradigm: on subject, or

198 views • 3 slides
Overview of Future Internet Routing Activities Michael Menth www3.informatik.uni-wuerzburg.de

Overview of Future Internet Routing Activities Michael Menth www3.informatik.uni-wuerzburg.de

Institute of Computer Science Department of Distributed Systems Prof. Dr.-Ing. P. Tran-Gia Overview of Future Internet Routing Activities Michael Menth www3.informatik.uni-wuerzburg.de Overview Why does the Internet not scale?

219 views • 19 slides
The Internets Not a Big Truck: Toward Quantifying Network Neutrality Robert Beverly, Steven

The Internets Not a Big Truck: Toward Quantifying Network Neutrality Robert Beverly, Steven

The Internets Not a Big Truck: Toward Quantifying Network Neutrality Robert Beverly, Steven Bauer, Arthur Berger {rbeverly,bauer,awberger}@csail.mit.edu PAM 2007 It's not a big truck. It's a series of tubes! Network Neutrality:

362 views • 33 slides
Cayuga: An Event Monitoring System Data Centric Networking: Open Source Project Study Computer

Cayuga: An Event Monitoring System Data Centric Networking: Open Source Project Study Computer

Cayuga: An Event Monitoring System Data Centric Networking: Open Source Project Study Computer Laboratory Ee Lee NG Cayuga: Introduction Real-time processing of event

345 views • 5 slides

More recommend