network security botnet
play

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from - PowerPoint PPT Presentation

Jul 15, 2023 •257 likes •659 views

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

  1. Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen

  2. Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other similar programs in order to perform tasks wikipedia.com

  3. Botnet f-secure.com

  4. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master. a.k.a., Zombie Armies Carry out sophisticated attacks to disrupt, gather sensitive data, or increase armies Armies are in the 1000’s to aggregate computing power Communication network allows bots to evolve on a compromised host

  5. Bot Infection - Mariposa

  6. Bot Infection - Conficker

  7. Botnet example - AgoBot Most sophisticated 20,000 lines C/C++ code IRC based command/control Large collection of target exploits Capable of many DoS attack types Shell encoding/polymorphic obfuscation Traffic sniffers/key logging Defend/fortify compromised system Ability to frustrate dissassembly

  8. Botnet example - SDBot Simpler than Agobot, 2,000 lines C code Non-malicious at base Utilize IRC-based command/control Easily extended for malicious purposes Scanning DoS Attacks Sniffers Information harvesting

  9. Botnet Taxonomy ! Attacking Behavior ! C&C Models ! Rally Mechanisms ! Communication Protocols ! Observable botnet activities ! Evasion Techniques

  10. Attacking Behavior

  11. Attack Behaviors Infecting new hosts Social engineering and distribution of malicious emails or other electronic communications (i.e. Instant Messaging) Example - Email sent with botnet diguised as a harmless attachment. Stealing personal information Keylogger and Network sniffer technology used on compromised systems to spy on users and compile personal information Phishing and spam proxy Aggregated computing power and proxy capability make allow spammers to impact larger groups without being traced. Distributed Denial of Service (DDoS) Impair or eliminate availability of a network to extort or disrupt business

  12. C&C Model

  13. Command and Control Essential for operation and support of botnet 3 Styles Centralized P2P Randomized Weakest link of the botnet because: Elimination of botmaster takes out the botnet High level of activity by botmaster makes them easier to detect than their bots

  14. Centralized C&C Simple to deploy, cheap, short latency for large scale attacks Easiest to eliminate pcworld.com

  15. P2P C&C Resilient to failures, hard to discover, hard to defend. Hard to launch large scale attacks because P2P technologies are currently only capable of supporting very small groups (< 50 peers)

  16. P2P C&C: Storm Bot The Overnet network that Storm uses is extremely dynamic. Peers come and go and can change OIDs frequently. In order to stay “well connected” peers must periodically search for themselves to find nearby peers: Storm Node

  17. P2P C&C: Storm Bot Strom Bot message passing Connect: A peer uses connect messages to report their OID to other peers and to receive a list of peers somewhat close to the peer. Search: A peer uses search messages to find resources and other nodes based on OID. Publicize: A peer uses publicize messages to report ownership of network resources (OIDs) so that other peers can find the resource later.

  18. P2P C&C: Zeus Bot abuse.ch

  19. Randomized C&C Theoretical architecture Evan Cooke, et al describe the model Easy implementation and resilient to discovery and destruction Scalability limitations make it impractical for large scale attacks. Bots sleep and are not activated until Bot Master is ready to attack

  20. Rally Mechanism

  21. Rally Mechanism Hard-coded IP address The bot communicates using C&C IP addresses that are hard-coded in it’s binary files. Easy to defend against, as IP addresses are easily detectable and blocked, which makes the bot useless.

  22. Rallying Mechanism Dynamic DNS Domain Name Hard-coded C&C domains assigned by dynamical DNS providers. Detection harder when botmaster randomly changes the location Easier to resume attack with new, unblocked Domain Name If connection fails the bot performs DNS queries to obtain the new C&C address for redirection.

  23. Rallying Mechanism Distributed DNS Service Hardest to detect & destroy. Newest mechanism. Sophisticated. Botnets run own DNS service out of reach of authorities Bots use the DNS addresses to resolve the C&C servers Use high port numbers to avoid detection by security devices and gateways

  24. FastFlux

  25. Communication Protocol

  26. Communication Protocol In most cases botnets use well defined and accepted Communication Protocols. Understanding the communication protocols used helps to: Determine the origins of a botnet attack and the software being used Allow researchers to decode conversations happening between the bots and the masters There are two main Communication Protocols used for bot attacks: IRC HTTP P2P Custom protocol

  27. IRC Protocol IRC Botnets were the predominant version IRC mainly designed for one to many conversations but can also handle one to one IRC servers are: freely available easy to manage Attackers have experience with IRC IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts Most corporate networks does not allow any IRC traffic so any IRC requests can determine and external or internal bot Outbound IRC requests means an already infected computer on the network Inbound IRC requests mean that a network computer is being recruited

  28. IRC Botnet

  29. HTTP Protocol Due to prevalence of HTTP usage it is harder to track a botnet that uses HTTP Protocols Using HTTP can allow a botnet to skirt the firewall restrictions that hamper IRC botnets Detecting HTTP botnets is harder but not impossible since the header fields and the payload do not match usual transmissions Some new options emerging are IM and P2P protocols and expect growth here in the future

  30. Botnet Activities

  31. Botnet Activities Three categories of observable Botnet behaviors: Network-based Host-based Global Correlated

  32. Network Activities Network patterns can be used to detect Botnets IRC & HTTP are the most common forms of Botnet communications Detectable by identifying abnormal traffic patterns. IRC communications in unwanted areas IRC conversations that human’s can not understand DNS domain names DNS queries to locate C&C server Hosts query improper domain names IP address associated with a domain name keeps changing periodically Traffic Bursty at times, and idle the rest of the time Abnormally fast responses compared to a human Attacks E.g., (Denial of Service) Large amounts of invalid TCP SYN Packets with invalid source IP addresses

  33. Host Activities Botnet behavior can be observed on the host machine. Exhibit virus like activities When executed, Botnets run a sequence of routines. Modifying registries Modifying system files Creating unknown network connections Disabling Antivirus programs

  34. Global Activities Global characteristics are tied to the fundamentals Botnets Not likely to change unless Botnets are completely redesigned and re- implemented Most valuable way to detect Botnets Behavior the same regardless if the Botnets are communicating via IRC or HTTP Global DNS queries increase due to assignment of new C&C servers Network Flow disruptions

  35. Evasion Technique

  36. Evasion Ways Sophistication of Botnets allow them to evade AV Engines Signature base intrusion detection systems (IDS) Anomaly-based detection systems Techniques Executable packers Rootkits Protocols

  37. Evasion Ways Moving away from IRC Taking control of HTTP VoIP IPV6 ICMP Skype protocols

  38. Collect Bot Samples

  39. BotLab - Collect Storm Bot

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems

Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems

Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems Security Group IIIT Delhi, India http://www.hatswitch.org/~sn275 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC) Botnets

747 views • 16 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER)

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER)

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER) Security Research Analyst @ Cisco Umbrella (formerly OpenDNS) in San Francisco since 2015 Previously a System Administrator for 12 years JOSH

1.51k views • 114 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&amp;C

379 views • 27 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering &amp; Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&amp;M University 2008-7-31

549 views • 22 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power Lecture 12 Page 1 CS

753 views • 16 slides
CS136 Fall 2012 - Tutorial 1 CS136 Tutors cs136@student.cs.uwaterloo.ca September 14, 2012

CS136 Fall 2012 - Tutorial 1 CS136 Tutors cs136@student.cs.uwaterloo.ca September 14, 2012

CS136 Fall 2012 - Tutorial 1 CS136 Tutors cs136@student.cs.uwaterloo.ca September 14, 2012 CS136 Tutorscs136@student.cs.uwaterloo.ca CS136 Fall 2012 - Tutorial 1 RunC Environment We will use gedit under Ubuntu for both C and Racket coding.

502 views • 14 slides
BotMagnifier : Locating Spambots on the Internet Gianluca Stringhini Thorsten Holz Brett

BotMagnifier : Locating Spambots on the Internet Gianluca Stringhini Thorsten Holz Brett

BotMagnifier : Locating Spambots on the Internet Gianluca Stringhini Thorsten Holz Brett Stone-Gross Christopher Kruegel Giovanni Vigna USENIX Security Symposium August 12, 2011 Spam is a big problem Spam is sneaky Spam is sneaky Tracking

550 views • 32 slides
Information Hiding in Email Services Based on Confused Document Encrypting Schemes Wei-Shyun Pan

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Wei-Shyun Pan

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Wei-Shyun Pan Quincy Wu Graduate Institute of Communication Graduate Institute of Communication Engineering Engineering National Chi Nan University, Nantou

297 views • 4 slides
CS 3700 Networks and Distributed Systems Logistics (a.k.a. The boring slides) Revised

CS 3700 Networks and Distributed Systems Logistics (a.k.a. The boring slides) Revised

CS 3700 Networks and Distributed Systems Logistics (a.k.a. The boring slides) Revised 1/5/2020 Hello! 2 Welcome to CS 3700 Are you in the right classroom? Okay, good. Who am I? Professor Alden Jackson

861 views • 29 slides
An Intelligent Discussion-Bot for Guiding Student Interactions in Threaded Discussions Jihie Kim

An Intelligent Discussion-Bot for Guiding Student Interactions in Threaded Discussions Jihie Kim

An Intelligent Discussion-Bot for Guiding Student Interactions in Threaded Discussions Jihie Kim Erin Shaw ? Grace Chern Donghui Feng University of Southern California Information Sciences Institute PedDiscourse Kim et al. Outline

319 views • 19 slides
Pr Probability obability an and d Ti Time: e: Hi Hidden dden Mark arkov ov Mod odels

Pr Probability obability an and d Ti Time: e: Hi Hidden dden Mark arkov ov Mod odels

Pr Probability obability an and d Ti Time: e: Hi Hidden dden Mark arkov ov Mod odels els (H (HMMs) MMs) Co Computer ter Sc Science ce cpsc3 c322, 22, Lectur ture e 32 (Te Text xtbo book ok Chpt 6.5.2) .2) April, l, 7,

355 views • 22 slides
Robotic Testing (to the rescue) Bert Chang and Paul Du Bois Double Fine Productions About us

Robotic Testing (to the rescue) Bert Chang and Paul Du Bois Double Fine Productions About us

Robotic Testing (to the rescue) Bert Chang and Paul Du Bois Double Fine Productions About us Paul: Senior Programmer Bert: Software Test Engineer RoBert: Robot brainchild Automated tester 120-second pitch Unit testing is well

1.09k views • 60 slides

More recommend