Revealing Botnets Using Network Traffic Statistics
Revealing Botnets Using Network Traffic Statistics
P. Čeleda, R. Krejčí, V. Krmíček {celeda
Security and Protection of Information 2011, May 2011, Brno, Czech Republic
Part I: Introduction
P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 2 / 19
Modern Home With Network-Connected Devices
Figure: a modern home network. On the Internet side sit web services and web content; inside the home, commonly protected local devices (PCs with their usual security software) share the network with unprotected local network devices and systems (the SOHO router/modem and similar embedded boxes), and an attacker on the Internet reaches those unprotected devices directly.
Insecurity of Embedded Network Devices
Threats posed by compromised embedded network devices:
- DDoS attacks: large-scale denial-of-service attacks launched from the devices.
- Data leakage: MITM attacks, traffic sniffing, log analysis on the device that routes all the home's traffic.
- No anti-virus or anti-malware software exists to protect them.
Number of vulnerable embedded devices [1]:
- 540,000 publicly accessible embedded devices configured with factory-default root passwords.
- 96 % of 102,000 vulnerable devices remained vulnerable after a 4-month period.
[1] Ang Cui and Salvatore J. Stolfo: A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan. ACSAC 2010.
Part II: Unix-like Embedded Malware
Unix-like Embedded Malware
- Linux is the cheap, customisable operating system of choice for SOHO devices.
- Little attention is paid to its security on these devices.
- Outdated software (e.g. Linux kernel 2.4) with known flaws.
- General Linux malware can therefore be reused as cross-platform malware for embedded devices.
Unix-like Embedded Malware Overview I
Kaiten: a simple IRC client (bot) with DDoS attack capability.
Hydra: similar functions to Kaiten, but Hydra additionally scans for vulnerable devices.
Both: publicly available source code; originally Linux malware used on commodity PCs; currently used as the base for about a dozen botnets (wa-goraku, m0dd3d, PsIk0, ...).
Unix-like Embedded Malware Overview II
PSYB0T: the first botnet targeting SOHO devices. It operated in spring 2009 with an estimated size in the thousands of bots.
Chuck Norris botnet: disclosed in December 2009 and, with some modifications, still operating at the time of this talk (2011). It originally spread only over Telnet; newer versions also infect via SSH.
Architecture of Unix-like Embedded Botnets
Actors in the diagram: vulnerable device, botnet, web server, C&C server, botmaster.
1. Initial infection of the vulnerable device from the existing botnet.
2. Bot update: the freshly infected device fetches the bot from a web server.
3. Listening (usually via IRC) for orders from the C&C centre.
4. Maintenance and malicious commands from the botmaster.
Part III: Embedded Malware Detection (Chuck Norris Botnet Use Case)
NetFlow Based CNBv2 Detection Methods
Chuck Norris Botnet Version 2 (CNBv2) detection methods:
- scanning detection,
- initialization and update detection,
- detection of communication with C&C centres,
- DNS spoofing attack detection.
Each method corresponds to one phase of the botnet lifecycle and is applied to NetFlow data: the methods are defined as NFDUMP filters and implemented in the NfSen collector.
Detection of CNBv2 Scanning
Incoming and outgoing TCP SYN scans on ports 22 and 23. The infected device works through a list of C-class (/24) networks, probing TCP/22 and TCP/23 on each host; the probes leave flow records carrying SYN only, or SYN and RESET.
NFDUMP detection filter:
    (net local_network) and (dst port 22 or dst port 23) and (proto TCP)
    and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
A flow with only SYN set is an unanswered probe; SYN plus RST is a half-open probe the scanner tore down instead of completing. Excluding ACK, PUSH, URG and FIN drops real SSH and Telnet sessions, and because net local_network matches either direction the filter catches scans leaving the monitored network as well as scans coming into it.
Detection of CNBv2 Initialization and Update
The bot's web download requests from an infected host to the attacker's botnet distribution web servers over TCP/80.
NFDUMP detection filter:
    (src net local_network) and (dst ip web_servers) and (dst port 80) and (proto TCP)
    and (flags SA and not flag R)
web_servers: IP addresses of the attacker's botnet distribution web servers. Requiring SYN and ACK without RST keeps only connections that were actually established, not refused or reset attempts.
Detection of CNBv2 Communication with C&C
The bot's IRC traffic with the command and control centre. The diagram shows C&C servers listening on TCP 6667 and on TCP 12000, i.e. on the standard IRC port and on a non-standard one, so the filter matches on server address and port rather than on port 6667 alone.
NFDUMP detection filter:
    (src net local_network) and (dst ip IRC_server and dst port IRC_server_port)
    and (proto TCP) and (flags SA and not flag R)
IRC_server, IRC_server_port: IP addresses and ports of the attacker's IRC servers (botnet C&C centres).
Detection of CNBv2 DNS Spoofing Attack
Detecting queries to the attacker's DNS or to OpenDNS: the infected device forwards common DNS requests to OpenDNS servers and the targeted DNS requests to the attacker's spoofing DNS server, both over UDP/53.
NFDUMP detection filter:
    (src net local_network) and ((dst ip OpenDNS_servers) or (dst ip DNS_servers))
    and (proto UDP) and (dst port 53)
OpenDNS_servers: IP addresses of the common OpenDNS servers. DNS_servers: IP addresses of the attacker's spoofed DNS servers. Queries to OpenDNS alone are a weak indicator on a network whose users legitimately use OpenDNS; queries to the attacker's DNS addresses are the conclusive one.
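The four filters above (scanning, initialization/update, C&C and DNS), as an added example that is not part of the original slides or of the authors' NfSen plugin: a Python re-implementation that applies them to nfdump-style flow records and then correlates the phases per local host, so a device seen scanning, downloading from the distribution server and talking to the IRC C&C stands out even where no single rule is conclusive on its own. The local /24, the distribution and DNS server addresses, the scan threshold and the sample flow records are constructed for the example; the IRC ports 6667 and 12000 come from the slide and the OpenDNS resolver addresses are the public ones. The flag column is assumed to use nfdump's text form (order UAPRSF, '.' for an unset flag).

```python
"""CNBv2 lifecycle detection over nfdump-style flow records.
Added example, not the authors' NfSen plugin: the four NFDUMP filters from the
slides become Python predicates run over constructed records laid out like a
subset of `nfdump -o csv` columns (sa,da,pr,sp,dp,flg). Site values are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholders from the slide filters, filled with assumed (RFC 5737) addresses.
LOCAL_NET = ip_network("192.0.2.0/24")                             # local_network
WEB_SERVERS = {"198.51.100.10"}                                    # web_servers
IRC_SERVERS = {("198.51.100.20", 6667), ("198.51.100.21", 12000)}  # IRC_server:port
OPENDNS = {"208.67.222.222", "208.67.220.220"}                     # public OpenDNS resolvers
SPOOFED_DNS = {"203.0.113.53"}                                     # attacker's DNS
SCAN_MIN_TARGETS = 5  # distinct hosts probed before a source counts as scanning (assumed)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str   # nfdump text form, order UAPRSF, '.' for an unset flag, e.g. "....S."

def parse_flows(csv_text):
    """Parse 'sa,da,pr,sp,dp,flg' records, skipping blank lines and the header row."""
    flows = []
    for line in csv_text.strip().splitlines():
        if line and not line.startswith("sa,"):
            sa, da, pr, sp, dp, flg = line.split(",")
            flows.append(Flow(sa, da, pr.upper(), int(sp), int(dp), flg))
    return flows

def flags(f, want):        # nfdump "flags X": every flag in X is set
    return set(want) <= set(f.flags) - {"."}

def not_flags(f, forbid):  # nfdump "not flags X": none of the flags in X is set
    return not (set(forbid) & set(f.flags))

def in_local(ip):
    return ip_address(ip) in LOCAL_NET

# 1. (net local_network) and (dst port 22 or dst port 23) and (proto TCP)
#    and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
def is_scan_probe(f):
    return ((in_local(f.src) or in_local(f.dst)) and f.dport in (22, 23) and f.proto == "TCP"
            and ((flags(f, "S") and not_flags(f, "ARPUF"))
                 or (flags(f, "SR") and not_flags(f, "APUF"))))

# 2. (src net local_network) and (dst ip web_servers) and (dst port 80) and (proto TCP) and (flags SA and not flag R)
def is_bot_download(f):
    return (in_local(f.src) and f.dst in WEB_SERVERS and f.dport == 80
            and f.proto == "TCP" and flags(f, "SA") and not_flags(f, "R"))

# 3. (src net local_network) and (dst ip IRC_server and dst port IRC_server_port) and (proto TCP) and (flags SA and not flag R)
def is_cnc_session(f):
    return (in_local(f.src) and (f.dst, f.dport) in IRC_SERVERS
            and f.proto == "TCP" and flags(f, "SA") and not_flags(f, "R"))

# 4. (src net local_network) and ((dst ip OpenDNS servers) or (dst ip attacker DNS)) and (proto UDP) and (dst port 53)
def is_rogue_dns_query(f):
    return (in_local(f.src) and (f.dst in OPENDNS or f.dst in SPOOFED_DNS)
            and f.proto == "UDP" and f.dport == 53)

def detect(flows):
    """Return {local host: set of lifecycle phases seen}, e.g. {"scan", "cnc"}."""
    phases, scan_targets = defaultdict(set), defaultdict(set)
    for f in flows:
        if is_scan_probe(f) and in_local(f.src):
            scan_targets[f.src].add(f.dst)   # outgoing probes; a single probe is not a scan
        if is_bot_download(f):
            phases[f.src].add("update")
        if is_cnc_session(f):
            phases[f.src].add("cnc")
        if is_rogue_dns_query(f):
            phases[f.src].add("dns")
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            phases[host].add("scan")
    return dict(phases)

# Constructed sample: an infected router (192.0.2.77) walking the whole lifecycle,
# and a clean host (192.0.2.5) doing an ordinary SSH login and a local DNS lookup.
SAMPLE = "sa,da,pr,sp,dp,flg\n" + "\n".join(
    [f"192.0.2.77,203.0.113.{i},TCP,{40000 + i},23,....S." for i in range(1, 9)]
    + ["192.0.2.77,198.51.100.10,TCP,40100,80,.AP.SF",      # bot binary download
       "192.0.2.77,198.51.100.21,TCP,40101,12000,.AP.S.",   # IRC C&C on a non-standard port
       "192.0.2.77,208.67.222.222,UDP,40102,53,......",     # query forwarded to OpenDNS
       "192.0.2.5,198.51.100.99,TCP,50000,22,.AP.SF",       # real SSH login, not a probe
       "192.0.2.5,192.0.2.1,UDP,50001,53,......",           # lookup at the site's own resolver
       "203.0.113.9,192.0.2.5,TCP,1234,23,....S."])         # one incoming probe, below threshold

if __name__ == "__main__":
    for host, seen in sorted(detect(parse_flows(SAMPLE)).items()):
        print(host, sorted(seen))   # 192.0.2.77 ['cnc', 'dns', 'scan', 'update']
```

Run it directly and only 192.0.2.77 is reported, with all four phases; the clean host's SSH session fails the scan rule because ACK, PUSH and FIN are set, and its lookup goes to the site resolver rather than OpenDNS. The scan rule is the one place this goes beyond the slide filter: the filter alone flags every matching flow, so the code aggregates outgoing probes per source and reports a scanner only above a threshold, which is what you would do in an NfSen plugin before raising an alert. The incoming probe from 203.0.113.9 matches the filter but is not attributed to any local host.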
Part IV: Conclusion
Conclusion I
Irresponsible operators and poorly configured networks:
- Large networks exist with vulnerable devices installed.
- Trivially exploitable devices with factory-default passwords.
- Unattended large-scale attacks: nobody cares about them.
Unix-like embedded botnets:
- Spread worldwide, focusing on poorly configured networks.
- Operate on the last mile, the ISP's home-network segment.
- Hard for the end user to detect, and left unsolved by the network operator.
Conclusion II
How to fight embedded botnets:
- Current embedded botnets still use well-known techniques.
- Flow data can detect illicit activities of embedded devices.
- Nobody will stop botnet operators from doing their business.
- Vulnerable devices must be fixed and secured.
What a "perfect" embedded malware would look like:
- Malware built into the device firmware: no way to disinfect.
- Stealthy malware that works undetected for as long as possible.
- Robust C&C that makes efforts to shut the botnet down hard.
Thank You For Your Attention!
Revealing Botnets Using Network Traffic Statistics, Pavel Čeleda et al., Project CYBER.
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More informationDefinition of firewall
Internet Firewalls Definitions: firewall, policy, router, gateway, proxy NAT: Network Address Translation Source NAT, Destination NAT, Port forwarding NAT firewall compromise via UPnP/IGD Packet filtering
More informationDistributed Denial of Service protection
Distributed Denial of Service protection The cost in terms of lost business caused by a successful DDoS attacks can be significant. Our solution recognises when a DDoS attack is happening and identifies
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationCyber Essentials. Test Specification
Cyber Essentials Test Specification Contents Scope of the Audit...2 Assumptions...3 Success Criteria...3 External systems...4 Required tests...4 Test Details...4 Internal systems...7 Tester pre-requisites...8
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationWeb Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com
Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week
More informationHow to Hack Millions of Routers. Craig Heffner, Seismic LLC
How to Hack Millions of Routers Craig Heffner, Seismic LLC SOHO Router Security? Common Attack Techniques Cross Site Request Forgery No trust relationship between browser and router Can t forge Basic Authentication
More informationDenial Of Service. Types of attacks
Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationHow To Stop A Ddos Attack On A Website From Being Successful
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
More informationPayment Card Industry (PCI) Executive Report. Pukka Software
Payment Card Industry (PCI) Executive Report For Pukka Software Primary Contact: Brian Ghidinelli none Los Gatos, California United States of America 415.462.5603 Payment Card Industry (PCI) Executive
More informationFirewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005
Firewall Testing Cameron Kerr Telecommunications Programme University of Otago May 16, 2005 Abstract Writing a custom firewall is a complex task, and is something that requires a significant amount of
More informationNETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
More informationMalware Analysis Quiz 6
Malware Analysis Quiz 6 1. Are these files packed? If so, which packer? The file is not packed, as running the command strings shelll reveals a number of interesting character sequences, such as: irc.ircnet.net
More informationCERT-GOV-GE Activities & Services
CERT-GOV-GE Activities & Services Tbilisi, Georgia 2014 CERT-GOV-GE Manager David Kvatadze www.dea.gov.ge CERT-GOV-GE - Structural unit was formed within the Information Security and Policy division of
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationVIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION
VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION Kleissner & Associates Botconf 14, 3-5 Dec 2014, Nancy/France Worlds largest botnet monitoring system Since September 2012 Originally
More informationSolution of Exercise Sheet 5
Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????
More informationNew Systems and Services Security Guidance
New Systems and Services Security Guidance Version Version Number Date Author Type of modification / Notes 0.1 29/05/2012 Donna Waymouth First draft 0.2 21/06/2012 Donna Waymouth Update re certificates
More informationTelecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT
Telecom Testing and Security Certification A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT 1 Need for Security Testing and Certification Telecom is a vital infrastructure
More informationFirewalls and Software Updates
Firewalls and Software Updates License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents General
More informationSTATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015
STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 www.kaspersky.com 2 CONTENTS Methodology 3 Main findings 4 Geography of attacks 5 Time variations in the number of DDoS attacks 7 Types and duration
More informationSchool of Information Science (IS 2935 Introduction to Computer Security, 2003)
Student Name : School of Information Science (IS 2935 Introduction to Computer Security, 2003) Firewall Configuration Part I: Objective The goal of this lab is to allow students to exploit an active attack
More informationIntroduction. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/
Introduction thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Introduction Identifying Risks Taxonomy of Possible Attacks Security Fundamentals and Defense Components Attack
More informationShellshock. Oz Elisyan & Maxim Zavodchik
Shellshock By Oz Elisyan & Maxim Zavodchik INTRODUCTION Once a high profile vulnerability is released to the public, there will be a lot of people who will use the opportunity to take advantage on vulnerable
More informationNetwork attack and defense
Network attack and defense CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan 1 Outline 1. Overview
More informationSECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
More information1 Introduction. Agenda Item: 7.23. Work Item:
3GPP TSG SA WG3 Security S3#34 S3-040583 6-9 Jul 2004 updated S3-040566 Acapulco, Mexico Title: Selective Disabling of UE Capabilities; updated S3-040566 based on the comments on SA3 mailing list Source:
More informationFlow Based Traffic Analysis
Flow based Traffic Analysis Muraleedharan N C-DAC Bangalore Electronics City murali@ncb.ernet.in Challenges in Packet level traffic Analysis Network traffic grows in volume and complexity Capture and decode
More informationCSCI 7000-001 Firewalls and Packet Filtering
CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More information