2014 ASE BIGDATA/SOCIALCOM/CYBERSECURITY Conference, Stanford University, May 27-31, 2014 ASE 2014 ISBN:

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "2014 ASE BIGDATA/SOCIALCOM/CYBERSECURITY Conference, Stanford University, May 27-31, 2014 ASE 2014 ISBN: 978-1-62561-000-3 1"

Transcription

1 ASE 2014 ISBN:

2 Network Traffic Analysis of ZeroAccess Bot Shree Garg, Anil K. Sarje, Sateesh K. Peddoju Department of Computer Science & Engineering Indian Institute of Technology Roorkee, Roorkee, India {shreedec, sarjefec, Abstract Botnets have become a general-purpose platform to perform malicious cyber-activity and extortion. Botnets use specially designed communication channels to receive commands from their operators and respond accordingly. In early design of botnets, botmasters used the centralized control. However, in order to overcome the failures due to centralized control, botnet community has started using distributed P2P architecture and also designing their own protocol to efficiently handle their bots. ZeroAccess botnet is one such an emerging P2P botnet. Its architecture has made it one of the most robust and durable botnets. Recent reports indicate that 1.9 million computers were infected with ZeroAccess by mid In view of the seriousness and impact of the threats imposed by ZeroAccess bot, this paper aims at network traffic analysis of ZeroAccess bot focusing on its protocol and network behaviour for easy and faster detection. The results achieved are analysed and presented. The paper concludes with discussion on directions for detection of this bot. Keywords: ZeroAccess; Botnet; Traffic analysis; Malware; peer-topeer; Bot; protocol 1. Introduction Botnets are the latest platform used for cybercrimes and threats to the Internet today by various attacks like click-fraud, bitcoin mining, spam, and credential theft. Botnets are the networks of compromised machines (bots) remotely controlled by attacker. Bots have started communicating through peer-topeer (P2P) networks. Distributed nature of P2P botnets has made them more difficult to detect compared to IRC and HTTP based botnets. In July 2011, an emerging botnet known as ZeroAccess (ZA) was discovered and is responsible for infecting more than 1.9 million computers worldwide. In late 2013, Microsoft [1] reported that the efforts are being made to disrupt and to stop malicious cyber-attacks and business running by ZA. However it is not removed completely. The detection has become difficult as it is based on distributed P2P architecture [2]. Hence, studying on this botnet has become need of the day. This paper aims in understanding the network behavior of ZA bot. Experiments were conducted and its network traffic was monitoring and analyzed for 40 hours. Our findings are reported in this paper. The remaining sections of this paper explain how ZA propagates and communicates over internet using network protocols. Related Work is discussed in Section 2. Section 3 explains the architecture of ZA botnet. Detailed network traffic analysis of ZA is given in Section 4. Future work and conclusion is provided in Section Related Work P2P botnets are becoming serious threat as they keep on changing the design of their protocols. Prior to ZeroAccess, similar botnets have been identified and detected. Holz et.al [3] presented measurements and mitigation of P2P based botnets and gave a case study on Storm Worm. Storm botnet was based on Kademlia protocol. Sinclair et.al [4] described the protocol and working of Waledac botnet. Waledac botnet uses a mix of HTTP protocol, P2P and fast-flux based DNS network. A recent work by Rossow et.al [5] described that Sality botnet uses unstructured P2P network to spread URLs where payloads are to be downloaded and contact their neighbors to exchange new URLs. Symantec gave infection analysis of ZA malware [6]. Different modules namely backup, infection tracker, network traffic inception, java script for search engine redirection, click fraud and backdoor are discussed. System level changes (registry, driver, files) made by ZA are described in detail. Our focus is to elucidate the network traffic behavior of ZA bot unlike [6]. 3. Architecture of ZeroAccess Bots can communicate with each other by using some protocol. They may use some existing protocol, for example - Storm botnet used Kademlia [3], or may design a new protocol. ZA uses its own protocol. ZA is a P2P botnet that has a layered architecture to distribute the commands, updates and necessary files over the network. There are two types of nodes in ZA botnet. The infected systems running on public IP will act as Super nodes while systems behind NAT are Normal nodes [7] as shown in Figure 1. Super nodes are capable of communicating with every other node in the botnet. They act as server and client both. Super nodes provide necessary files for download, other malicious plug-ins and IP addresses of currently active peers on the botnet, acting as server for other peers. Super nodes also act as a client by connecting and requesting for the same to other Super nodes on the botnet. Botmaster transfers all the necessary files, commands and updates only to the Super nodes. Super nodes are responsible for distributing files and commands in the botnet. Normal nodes can only request to Super nodes for commands, files and updates. Normal nodes cannot be contacted directly by other peers in the botnet. Initially nodes can only contact to hardcoded list of Super nodes in the binary. ASE 2014 ISBN:

3 Figure 1. Architecture of ZeroAccess Botnet 4. Traffic Analysis and Results This section presents the environment used for analyzing the traffic. Further, it also discusses the various stages of analysis, approach used, and the results achieved. 4.1 Analysis Enviornment In order to collect and analyze the network traffic, a system was infected with Zero Access malware md5: 5ba ddfbddf46f d8e8c39bb528613cd8baf a0fcce03dfe6 on a virtual machine in a 32-bit System running Windows environment with 256 MB RAM and 20GB Hard Disk. The system was assigned a private IP in the campus network but mapped to a public IP on the internet (Figure 2). Hence the infected monitoring system became a super node on the botnet. Wireshark is used to capture the network traffic of the monitoring system. Wireshark was started just before the system gets infected. The system was infected on 15 January 2014 at 6:30 PM IST. Figure 2. Experimental Setup Entire traffic collected for 40 hours is analyzed in two phases: initial phase and popular phase. During the Initial phase, the machine is trying to contact others peers in the botnet by sending/receiving traffic and in Popular phase, the host became a popular server of ZA botnet. Initial phase ran for 10 hours and popular phase for 25 hours (approximately one day) with 5-hours break in between to give a room for the infected machine to became popular. The timeline of experiment is shown in Figure 3. System gets infected and malware start installing on the host, described in Section 4.2. Figure 3. Timeline of Experiment Major focus was given to popular phase as analyzing of this traffic leads to understanding the network behavior of the ZA in a better manner, explained in Section Initial Phase Just after the infection, first packet it sends is a DNS query for "j.maxmind.com" to public DNS address ( :53). It is a geo-ip locator service used to locate the position of infected host. Further system kept on informing to a hardcoded Command and Control (CnC) server using some DNS (to port 53) packets using port numbers followed by 3 Simple Service Discovery Protocol (SSDP) packets to :1900 from source port For the initial communication with other bots in the botnet, every bot uses some rallying mechanism. Hardcoded list of initial peers is a very common method and it is used by ZA. The system gets a list of 256 IP addresses and start sending UDP packets with 16-byte payload to these 256 distinct IP addresses from source port 1062 to their destination port The source port number changes when a fresh system gets infected with ZA, it may be randomly or algorithmically generated by the malware. We have used the same experimental environment to infect another similar system running behind the NAT. It makes request to same 256 IP addresses but from source port 1169 to destination port number indicates the change of source port. System requests each host (from the list of 256-IPs) at the interval of one second (Figure 4) and it keeps on requesting to all 256 hosts in a loop until it gets the response from any of the hosts. Time pattern of requests made to a particular host by monitoring system is shown in Figure 5. For the first 8-hours of initial infection, it does not get any reply from the requested 256 hosts. Requested peers may be offline, shut down or cleaned by some method of system cleaning. In this duration, system kept on sending packets at the same frequency and interval. ASE 2014 ISBN:

4 the system started getting large number of requests. In this phase, abundance of the traffic shows that this system became a prevalent node over the botnet. The monitoring system was online through the initial infection. Figure 4. Pattern of unique hosts contacted during initial phase Figure 6 shows the number of unique incoming and outgoing IP addresses that were contacted over monitoring period. Within a minute, around 1800 unique IP addresses were contacted and number reached to within an hour, and which further increased linearly. As time progressed, infected system running on a public IP became popular and more and more different IP addresses contacted to it. Network protocol distribution among the traces collected is given in the Table 1. It mostly used UDP to generate the traffic and very few TCP packets were seen. The system gets packets from 140K unique IP addresses while it sent packets to 99K IPs only. Table1: Summary of Network Traffic Figure 5. Request time pattern to a host - in initial phase After this duration system gets the first packet from the list of 256 IPs. Not all but only 7% of the total requested IPs responded from the list within next one hour. This might be due to the case that these 7% IPs belong to a common time zone and all the machines were logged-on in this period of one hour. This may be due to diurnal nature of bot activity depending on time zone [7]. To check the geographic information of responded hosts, we used a geo-location database [8]. This database provides the country, subdivisions, city, postal code, latitude, and longitude associated with IPv4 addresses worldwide. Most of the hosts that has responded to infected system, approximately 61%, are in Europe, 27% are in America. This indicates that bot-host that has responded to our monitoring system belongs to same locality and similar time zones. System gets the packets with payload 848 bytes from the source port and it starts communicating with other hosts (except from 256 initial list of IPs). Within around half-an-hour, system also starts getting requests at port number and it started responding. During the next two hours of monitoring the system, it was observed that the system was communicating with lots of different IP addresses. It was sending more packets than it received. Longer duration of infection will allow us to see new unique IPs as the nature of P2P is very dynamic. 4.3 Popular Phase In order to let the monitoring Super node become popular in the botnet a 5-hours break was given. Soon after the Super node became popular, the analysis was carried out for the next 25 hours (16 January :30 AM IST to 17 January :30 AM IST). It was observed that during the popular phase Network Protocol Size in MB Number of Packets UDP M TCP 6 38K ICMP K DNS UDP Traffic The monitoring system got UDP requests from 140K different. It responded approximately to only 98K (70% of incoming IPs) hosts quickly which made the request for port number The rest un-replied UDP requests were made for port numbers as listed in Table 2. Encrypted payloads of all such reply packets are either 848 bytes, 148 bytes or 16 bytes may be chosen from updated P2P addresses list. Table 2: Un-replied UDP request at different port numbers Requested UDP Port Numbers % of un-replied UDP requests (out of 42K) 16464, and % % 13774, 33436, 33437, 33438, 33439, 33440, 33441, 49153, 53, 5353, % Figure 6. Popularity of infected system over time ASE 2014 ISBN:

5 Apart from 98K responses, it has contacted additional 0.8K unique super nodes, leading to a total of approximately 99K contacted hosts. Although there is no response received for these requests for 0.8K hosts. The periodicity pattern of contacting different hosts is different as shown in figure 7. It is observed that this contacting rate was ranging between 1 to 8 hosts in one second. On average it sends more than 650 packets to one such IP alone and the payload remains 16 bytes. It is found that its Bot-ID remain same during the whole capture. Figure 7. Pattern of unique hosts requested during popular phase It keeps on sending the request to one host at a pattern of time, shown below in Figure 8. It is observed that ZA kept on changing its network behaviour timing to mimics on the network to bypass the fixed pattern based security mechanism. 98K (requested at UDP) using 3.6K different source port numbers. TCP is used to download click fraud plug-in, malicious DLL and other requested files DNS Traffic System generates only 12 DNS packets. First packet is a request while the rest packets are malformed as DNS. ZA used DNS to send its existence on the network to their botmaster for the first time of infection when the bots were initially infected. No other DNS packets were seen during the whole monitoring. DNS is abused by lots of malware, ZA is one of them. 5. Peer Communication Patterns Once the Super node has become popular, two way communication is set-up and system starts responding to other peer nodes. It receive a UDP packet (16 byte payload) at port number. This request contains the BOTID, requesting file, timestamp and size of file. In most of the cases system replied back to endpoint (IP address and port number) from port number with 848 byte payload. Soon after another UDP packet (16 byte payload) was sent from veracity (1062) port number to the port. A diagrammatic flow of this conversation is shown below in figure 9a. Figure 9a. Conversation between two infected host over UDP (left side system is a Super node) Figure 8. Request time pattern to a host - in popular phase ICMP Traffic For the rest 42K hosts (30% of total requested hosts) super nodes did not responded with UDP packets. It sends an ICMP port unreachable packet to all such requests except requests for port number It is observed that 99.9% of such requests are from ZA-like port numbers 16470, 16465, and 16471as shown in Table 2. The system used for experiments is running over 32-bit environment and might have opened only port number for the reply/service TCP Traffic Monitoring system replies to all TCP-SYN request, either with a RST+ACK or SYN+ACK. Requests for port numbers made successful TCP handshakes as SYN/ACK was sent in return while rest of the requested ports were replied with a RST+ACK. Each host makes lots of connections to the system using many different port numbers. We got connection request (TCP-SYN) at from 293 distinct host out of In most cases, an ICMP-port-unreachable packet was received in the return of responded (2 nd packet) packet as shown in figure 9b. Data payload of this ICMP packet is 590 byte which is different from standard size of 8 bytes. Peer repeats this process (fig: 6b) from same source port. This seems to be some kind of acknowledgement or reply from the requested peer because communication is repeated similarly further on same port. Figure 9b. Conversation between two infected host over UDP and ICMP (left side system is a Super node) ASE 2014 ISBN:

6 In few cases, after a conversation on UDP/ICMP we saw many TCP SYN packets (Figure 9c) from different source port numbers coming from other peers. Monitoring Super node acknowledges all such SYN requests at TCP port number and set-up proper TCP connection. Data is transferred from the super node. The traffic analysis of ZeroAccess bots demonstrates implementation of their distributed P2P functionality. The bot uses their own network to get the address of other active peers over UDP. It is a very busty protocol. CnC address is called many times during installation of bots using forgery DNS packets. Only few TCP connections are made to download plug-ins and other malicious files. Time pattern to request the service from super nodes changes until the bot becomes part of botnet. The detection and mitigation of bots using their network behavior is a very prevalent method. The combination of size of packets, time interval between the packets, in-degree, outdegree of a node, usage of source-port numbers and destination port numbers, or in combination will help to identify the infected hosts. In future we will focus on these issues to build a framework to detect these bots using network traffic. Acknowledgement We would like to thank Chris Lee for providing ZeroAccess samples, used in our experiments. Figure 9c. Conversation between two infected host over UDP, ICMP and TCP (left side system is a Super node) 6. Conclusions References [1] Microsoft, the FBI, Europol and industry partners disrupt the notorious ZeroAccess botnet [2] J. Wyke. Technical Report, ZeroAccess, SophosLabs UK. [3] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm, USENIX Association Berkeley, CA,USA, [4] G. Sinclair, C. Nunnery, and B.B.H Kang, The waledac protocol: The how and why, MALWARE, idefense, Univ. of North Carolina at Charlotte, Charlotte, NC, USA pp , [5] C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. J. Dietrich, and H. Bos, SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets, Security & Privacy, Inst. for Internet Security, Gelsenkirchen, Germany, pp , [6] S. Hittel, and R. Zhou, Trojan.ZeroAccess Infection Analysis, Symantec White paper, [7] J. Wyke, The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain, Sophos Technical Paper, [8] WebService, MaxMind: GeoIP2 Precision Web Services, ASE 2014 ISBN:

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

A Critical Investigation of Botnet

A Critical Investigation of Botnet Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

Implementation of Botcatch for Identifying Bot Infected Hosts

Implementation of Botcatch for Identifying Bot Infected Hosts Implementation of Botcatch for Identifying Bot Infected Hosts GRADUATE PROJECT REPORT Submitted to the Faculty of The School of Engineering & Computing Sciences Texas A&M University-Corpus Christi Corpus

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

Lessons learned: Sinkholing the Zeroaccess botnet. Ross Gibb. Attack Investigations Team Symantec Security Response.

Lessons learned: Sinkholing the Zeroaccess botnet. Ross Gibb. Attack Investigations Team Symantec Security Response. Lessons learned: Sinkholing the Zeroaccess botnet Ross Gibb Attack Investigations Team Symantec Security Response AIT - Zeroaccess 1 Agenda 1 Introduction to Zeroaccess 2 Details of the P2P protocol 3

More information

Storm Worm & Botnet Analysis

Storm Worm & Botnet Analysis Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing

More information

Operation Liberpy : Keyloggers and information theft in Latin America

Operation Liberpy : Keyloggers and information theft in Latin America Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation

More information

Detecting peer-to-peer botnets

Detecting peer-to-peer botnets Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: reinier.schoof@os3.nl, ralph.koning@os3.nl February 4, 2007 1 Introduction Spam,

More information

A Review of ZeroAccess peer-to-peer Botnet

A Review of ZeroAccess peer-to-peer Botnet A Review of ZeroAccess peer-to-peer Botnet Ms. Cheenu M.TECH & Graphic Era Hill University Dehradun India Abstract Today ZeroAccess is one of the widespread threats over the internet. The total number

More information

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior

More information

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 3 3RD QUARTER 2014

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 3 3RD QUARTER 2014 VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 3 3RD QUARTER 2014 CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS 4 Mitigations by Attack Size 4 Mitigations by Industry 5

More information

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park 21. Botnets ENEE 757 CMSC 818V Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park http://ter.ps/757 https://www.facebook.com/sdsatumd Today s Lecture Where we ve been AuthenDcaDon

More information

Description: Course Details:

Description: Course Details: Course: Malicious Network Traffic Analysis Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: There are a tremendous amount of network based attacks to be aware of on the internet

More information

2010 Carnegie Mellon University. Malware and Malicious Traffic

2010 Carnegie Mellon University. Malware and Malicious Traffic Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working

More information

Malicious Network Traffic Analysis

Malicious Network Traffic Analysis Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 www.kaspersky.com 2 CONTENTS Methodology 3 Main findings 4 Geography of attacks 5 Time variations in the number of DDoS attacks 7 Types and duration

More information

Protecting DNS Query Communication against DDoS Attacks

Protecting DNS Query Communication against DDoS Attacks Protecting DNS Query Communication against DDoS Attacks Ms. R. Madhuranthaki 1, Ms. S. Umarani, M.E., (Ph.D) 2 II M.Tech (IT), IT Department, Maharaja Engineering College, Avinashi, India 1 HOD, IT Department,

More information

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION Kleissner & Associates Botconf 14, 3-5 Dec 2014, Nancy/France Worlds largest botnet monitoring system Since September 2012 Originally

More information

An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets

An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets Sajjad Arshad 1, Maghsoud Abbaspour 1, Mehdi Kharrazi 2, Hooman Sanatkar 1 1 Electrical and Computer Engineering Department,

More information

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION MATIJA STEVANOVIC PhD Student JENS MYRUP PEDERSEN Associate Professor Department of Electronic Systems Aalborg University,

More information

Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme

Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme Chunyong Yin 1,2, Yang Lei 1, Jin Wang 1 1 School of Computer & Software, Nanjing University of Information Science &Technology,

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Detecting Bots with Automatically Generated Network Signatures

Detecting Bots with Automatically Generated Network Signatures Detecting Bots with Automatically Generated Network Signatures Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda,, {pw,tho}@seclab.tuwien.ac.at Institute Eurecom,

More information

Innovations in Network Security

Innovations in Network Security Innovations in Network Security Michael Singer April 18, 2012 AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

More information

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

WHITE PAPER. Understanding How File Size Affects Malware Detection

WHITE PAPER. Understanding How File Size Affects Malware Detection WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through

More information

On Botnets that use DNS for Command and Control

On Botnets that use DNS for Command and Control On Botnets that use DNS for Command and Control Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen and Norbert Pohlmann Computer Systems Group Vrije Universiteit

More information

Networks and Security Lab. Network Forensics

Networks and Security Lab. Network Forensics Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite

More information

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System Detection of DDoS Attack Using Virtual Security N.Hanusuyakrish, D.Kapil, P.Manimekala, M.Prakash Abstract Distributed Denial-of-Service attack (DDoS attack) is a machine which makes the network resource

More information

Nemea: Searching for Botnet Footprints

Nemea: Searching for Botnet Footprints Nemea: Searching for Botnet Footprints Tomas Cejka 1, Radoslav Bodó 1, Hana Kubatova 2 1 CESNET, a.l.e. 2 FIT, CTU in Prague Zikova 4, 160 00 Prague 6 Thakurova 9, 160 00 Prague 6 Czech Republic Czech

More information

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno CSE 490K Lecture 14 Botnets and Spam Tadayoshi Kohno Some slides based on Vitaly Shmatikov s Botnets! Botnet = network of autonomous programs capable of acting on instructions Typically a large (up to

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

BotNets- Cyber Torrirism

BotNets- Cyber Torrirism BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot Statistics Suggest Assimilation

More information

Current Threat Scenario and Recent Attack Trends

Current Threat Scenario and Recent Attack Trends Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Rise of the ibots: 0wning a telco network

Rise of the ibots: 0wning a telco network Berlin Institute of Technology FG Security in Telecommunications Rise of the ibots: 0wning a telco network 5th IEEE International Conference on Malicious and Unwanted Software (MALWARE), Nancy, France,

More information

Symptoms Based Detection and Removal of Bot Processes

Symptoms Based Detection and Removal of Bot Processes Symptoms Based Detection and Removal of Bot Processes 1 T Ravi Prasad, 2 Adepu Sridhar Asst. Prof. Computer Science and engg. Vignan University, Guntur, India 1 Thati.Raviprasad@gmail.com, 2 sridharuce@gmail.com

More information

An Efficient Methodology for Detecting Spam Using Spot System

An Efficient Methodology for Detecting Spam Using Spot System Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014,

More information

LASTLINE WHITEPAPER. The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic

LASTLINE WHITEPAPER. The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic LASTLINE WHITEPAPER The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic Abstract A distinguishing characteristic of bots is their ability to establish a command and

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Peer-to-Peer Botnet Detection Using NetFlow Master Thesis

Peer-to-Peer Botnet Detection Using NetFlow Master Thesis Peer-to-Peer Botnet Detection Using NetFlow Master Thesis Connor Dillon System and Network Engineering University of Amsterdam July 11, 2014. Abstract.. Traditional botnets use a centralized communications

More information

Detecting P2P-Controlled Bots on the Host

Detecting P2P-Controlled Bots on the Host Detecting P2P-Controlled Bots on the Host Antti Nummipuro Helsinki University of Technology anummipu # cc.hut.fi Abstract Storm Worm is a trojan that uses a Peer-to-Peer (P2P) protocol as a command and

More information

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:

More information

Detecting Botnets with NetFlow

Detecting Botnets with NetFlow Detecting Botnets with NetFlow V. Krmíček, T. Plesník {vojtec plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell

More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

NAT and Firewall Traversal with STUN / TURN / ICE

NAT and Firewall Traversal with STUN / TURN / ICE NAT and Firewall Traversal with STUN / TURN / ICE Simon Perreault Viagénie {mailto sip}:simon.perreault@viagenie.ca http://www.viagenie.ca Credentials Consultant in IP networking and VoIP at Viagénie.

More information

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic

More information

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe

More information

Description: Objective: Attending students will learn:

Description: Objective: Attending students will learn: Course: Introduction to Cyber Security Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: In 2014 the world has continued to watch as breach after breach results in millions of

More information

Distributed Denial of Service Attack Tools

Distributed Denial of Service Attack Tools Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily

More information

Measurement Study of Wuala, a Distributed Social Storage Service

Measurement Study of Wuala, a Distributed Social Storage Service Measurement Study of Wuala, a Distributed Social Storage Service Thomas Mager - Master Thesis Advisors: Prof. Ernst Biersack Prof. Thorsten Strufe Prof. Pietro Michiardi Illustration: Maxim Malevich 15.12.2010

More information

Botnet Detection by Abnormal IRC Traffic Analysis

Botnet Detection by Abnormal IRC Traffic Analysis Botnet Detection by Abnormal IRC Traffic Analysis Gu-Hsin Lai 1, Chia-Mei Chen 1, and Ray-Yu Tzeng 2, Chi-Sung Laih 2, Christos Faloutsos 3 1 National Sun Yat-Sen University Kaohsiung 804, Taiwan 2 National

More information

Adaptability of IRC Botnet Detection Method to P2P Botnet Detection

Adaptability of IRC Botnet Detection Method to P2P Botnet Detection Adaptability of IRC Botnet Detection Method to P2P Botnet Detection Ji, Yuan Department of Electrical Engineering and Computer Science University of California, Irvine yji1@uci.edu John, Robin Department

More information

Arbor s Solution for ISP

Arbor s Solution for ISP Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard

More information

A Literature Survey About Recent Botnet Trends

A Literature Survey About Recent Botnet Trends A Literature Survey About Recent Botnet Trends GÉANT 3 JRA2 T4: Internal deliverable Emre YÜCE ULAKBİM, Turkey emre@ulakbim.gov.tr June 19, 2011 Abstract Today botnets are seen to be one of the main sources

More information

Malware Detection in Android by Network Traffic Analysis

Malware Detection in Android by Network Traffic Analysis Malware Detection in Android by Network Traffic Analysis Mehedee Zaman, Tazrian Siddiqui, Mohammad Rakib Amin and Md. Shohrab Hossain Department of Computer Science and Engineering, Bangladesh University

More information

The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain

The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain By James Wyke, Senior Threat Researcher, SophosLabs Introduction: Since our last paper on ZeroAccess, The ZeroAccess Rootkit [1], its authors

More information

Flow-based detection of RDP brute-force attacks

Flow-based detection of RDP brute-force attacks Flow-based detection of RDP brute-force attacks Martin Vizváry vizvary@ics.muni.cz Institute of Computer Science Masaryk University Brno, Czech Republic Jan Vykopal vykopal@ics.muni.cz Institute of Computer

More information

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess Malware B-Z: Inside the Threat From Blackhole to ZeroAccess By Richard Wang, Manager, SophosLabs U.S. Over the last few years the volume of malware has grown dramatically, thanks mostly to automation and

More information

Bit Chat: A Peer-to-Peer Instant Messenger

Bit Chat: A Peer-to-Peer Instant Messenger Bit Chat: A Peer-to-Peer Instant Messenger Shreyas Zare shreyas@technitium.com https://technitium.com December 20, 2015 Abstract. Bit Chat is a peer-to-peer instant messaging concept, allowing one-to-one

More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service

More information

1. LAB SNIFFING LAB ID: 10

1. LAB SNIFFING LAB ID: 10 H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB

More information

Inside the Storm: Protocols and Encryption of the Storm Botnet

Inside the Storm: Protocols and Encryption of the Storm Botnet Inside the Storm: Protocols and Encryption of the Storm Botnet Joe Stewart, GCIH Director of Malware Research, SecureWorks To be covered in this talk: Quick-and-dirty unpacking of Storm Structure of the

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Botnets: The Advanced Malware Threat in Kenya's Cyberspace Botnets: The Advanced Malware Threat in Kenya's Cyberspace AfricaHackon 28 th February 2014 Who we Are! Paula Musuva-Kigen Research Associate Director, Centre for Informatics Research and Innovation (CIRI)

More information

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

More information

Denial of Service. Tom Chen SMU tchen@engr.smu.edu

Denial of Service. Tom Chen SMU tchen@engr.smu.edu Denial of Service Tom Chen SMU tchen@engr.smu.edu Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types

More information

Malware Trend Report, Q2 2014 April May June

Malware Trend Report, Q2 2014 April May June Malware Trend Report, Q2 2014 April May June 5 August 2014 Copyright RedSocks B.V. 2014. All Rights Reserved. Table of Contents 1. Introduction... 3 2. Overview... 4 2.1. Collecting Malware... 5 2.2. Processing...

More information

From Centralization to Distribution: A Comparison of File Sharing Protocols

From Centralization to Distribution: A Comparison of File Sharing Protocols From Centralization to Distribution: A Comparison of File Sharing Protocols Xu Wang, Teng Long and Alan Sussman Department of Computer Science, University of Maryland, College Park, MD, 20742 August, 2015

More information

Analysis of Network Beaconing Activity for Incident Response

Analysis of Network Beaconing Activity for Incident Response Analysis of Network Beaconing Activity for Incident Response FloCon2008 Peter Balland, P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department of Energy by under

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli WORMS : attacks, defense and models Presented by: Abhishek Sharma Vijay Erramilli What is a computer worm? Is it not the same as a computer virus? A computer worm is a program that selfpropagates across

More information

Network attack and defense

Network attack and defense Network attack and defense CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan 1 Outline 1. Overview

More information

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses. Lab Exercise DNS Objective DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses. Step 1: Analyse the supplied DNS Trace Here we examine the supplied trace of a

More information

An apparatus for P2P classification in Netflow traces

An apparatus for P2P classification in Netflow traces An apparatus for P2P classification in Netflow traces Andrew M Gossett, Ioannis Papapanagiotou and Michael Devetsikiotis Electrical and Computer Engineering, North Carolina State University, Raleigh, USA

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013 Attacks on Large US Bank During Operation Ababil March 2013 Table of Contents Executive Summary... 3 Background: Operation Ababil... 3 Servers Enlisted to Launch the Attack... 3 Attack Vectors... 4 Variations

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems

A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems L. D Acunto, J.A. Pouwelse, and H.J. Sips Department of Computer Science Delft University of Technology, The Netherlands l.dacunto@tudelft.nl

More information

ZeroAccess. James Wyke. SophosLabs UK

ZeroAccess. James Wyke. SophosLabs UK ZeroAccess James Wyke SophosLabs UK Abstract ZeroAccess is a sophisticated kernel-mode rootkit that is rapidly becoming one of the most widespread threats in the current malware ecosystem. ZeroAccess ability

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs Decoding DNS data Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs The Domain Name System (DNS) is a core component of the Internet infrastructure,

More information

Technical Note. ForeScout CounterACT: Virtual Firewall

Technical Note. ForeScout CounterACT: Virtual Firewall ForeScout CounterACT: Contents Introduction... 3 What is the vfw?.... 3 Technically, How Does vfw Work?.... 4 How Does vfw Compare to a Real Firewall?.... 4 How Does vfw Compare to other Blocking Methods?...

More information

Guidance Regarding Skype and Other P2P VoIP Solutions

Guidance Regarding Skype and Other P2P VoIP Solutions Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,

More information

Protecting the Infrastructure: Symantec Web Gateway

Protecting the Infrastructure: Symantec Web Gateway Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

Understanding Slow Start

Understanding Slow Start Chapter 1 Load Balancing 57 Understanding Slow Start When you configure a NetScaler to use a metric-based LB method such as Least Connections, Least Response Time, Least Bandwidth, Least Packets, or Custom

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces Measurement of the Usage of Several Secure Internet Protocols from Internet Traces Yunfeng Fei, John Jones, Kyriakos Lakkas, Yuhong Zheng Abstract: In recent years many common applications have been modified

More information

Combating DoS/DDoS Attacks Using Cyberoam

Combating DoS/DDoS Attacks Using Cyberoam White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service

More information

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas surligas@csd.uoc.gr

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas surligas@csd.uoc.gr Lab 2 CS-335a Fall 2012 Computer Science Department Manolis Surligas surligas@csd.uoc.gr 1 Summary At this lab we will cover: Basics of Transport Layer (TCP, UDP) Broadcast ARP DNS More Wireshark filters

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information