Revealing Botnets Using Network Traffic Statistics




Revealing Botnets Using Network Traffic Statistics
P. Čeleda, R. Krejčí, V. Krmíček
{celeda vojtec}@ics.muni.cz, radek.krejci@mail.muni.cz
Security and Protection of Information 2011, 10-12 May 2011, Brno, Czech Republic

Part I: Introduction
P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 2 / 19

Modern Home With Network Connected Devices
Figure (built up over four steps): the home network contains commonly protected local devices and unprotected local network devices & systems; the Internet carries web services and web content; in the last step an attacker on the Internet reaches the unprotected local network devices & systems.

Insecurity of Embedded Network Devices
Threats to embedded network devices:
- DDoS attacks: large-scale denial of service attacks.
- Data leakage: MITM attacks, traffic sniffing, log analysis.
- No anti-virus or anti-malware software exists to protect them.
Number of vulnerable embedded devices [1]:
- 540,000 publicly accessible embedded devices configured with factory default root passwords.
- 96 % of 102,000 vulnerable devices remain vulnerable after a 4-month period.
[1] Ang Cui and Salvatore J. Stolfo: A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan.

Part II: Unix-like Embedded Malware

Unix-like Embedded Malware
- Linux is a cheap and customizable system for SOHO devices.
- Little attention is paid to security.
- Outdated software (e.g. Linux kernel 2.4) with known flaws.
- General-purpose Linux malware can be rebuilt for the device's architecture and reused as cross-platform malware for embedded devices.

Unix-like Embedded Malware Overview I
- Kaiten: a simple IRC client with the ability to launch DDoS attacks.
- Hydra: similar functions to Kaiten, but Hydra additionally scans for vulnerable devices.
- Both have publicly available source code and were originally Linux malware used on commodity PCs.
- Currently used as a base for about a dozen botnets: wa-goraku, m0dd3d, PsIk0, ...

Unix-like Embedded Malware Overview II
- PSYB0T: the first botnet targeting SOHO devices. Operated in spring 2009 with an estimated size of 80-100 thousand bots.
- Chuck Norris Botnet: disclosed in December 2009 and, with some modifications, still operating at the time of this talk. Originally spread only via Telnet; newer versions also infect via SSH.

Architecture of Unix-like Embedded Botnets
Figure: a vulnerable device, the botnet it joins, a web server, a C&C server and the botmaster, with the numbered steps:
1. Initial infection of the vulnerable device.
2. Bot update (downloaded from the web server).
3. Listening (usually via IRC) for orders from the C&C center.
4. Maintenance and malicious commands from the botmaster.

Part III: Embedded Malware Detection (Chuck Norris Botnet Use Case)

NetFlow Based CNBv2 Detection Methods
Chuck Norris Botnet version 2 (CNBv2) detection methods:
- scanning detection,
- initialization and update detection,
- detection of communication with C&C centers,
- DNS spoofing attack detection.
Each method corresponds to one stage of the botnet lifecycle and is applied to NetFlow data: the methods are defined as NFDUMP filters and implemented in the NfSen collector.

Detection of CNBv2 Scanning
Incoming and outgoing TCP SYN scans on ports 22 and 23.
Figure: the infected device in the local network works through a list of class C networks to scan (147.251.20.x, 147.251.18.x, 147.251.3.x, 147.251.4.x, 196.142.8.x, 214.12.83.x) on TCP/22,23; the resulting flows carry SYN or SYN/RESET flags.
NFDUMP detection filter:
    (net local_network) and (dst port 22 or dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
In nfdump, "flags S and not flags ARPUF" matches flows whose only TCP flag is SYN, i.e. connection attempts that were never completed; "flags SR and not flags APUF" matches SYN plus RST without ACK, i.e. a half-open probe that the scanner reset itself. A completed session always carries ACK and is therefore excluded. "net local_network" matches the local prefix as either source or destination, which is what covers both outgoing and incoming scans.

Detection of CNBv2 Initialization and Update
The bot's web download requests from the infected host.
Figure: the infected device in the local network connects over TCP/80 to the botnet distribution web servers; the flows carry SYN/ACK flags.
NFDUMP detection filter:
    (src net local_network) and (dst ip web_servers [2]) and (dst port 80) and (proto TCP) and (flags SA and not flag R)
[2] IP addresses of the attacker's botnet distribution web servers.
Requiring SYN and ACK with no RST selects connections that were actually established rather than refused or reset.

Detection of CNBv2 Communication with C&C
The bot's IRC traffic with the command and control center.
Figure: the infected device in the local network holds TCP sessions (SYN/ACK flags) to the botnet C&C servers 62.211.73.229:6667, 62.211.73.230:6667 and 93.184.100.76:12000.
NFDUMP detection filter:
    (src net local_network) and (dst ip IRC_server and dst port IRC_server_port [3]) and (proto TCP) and (flags SA and not flag R)
[3] IP addresses and ports of the attacker's IRC servers (botnet C&C centers).

Detection of CNBv2 DNS Spoofing Attack
Detecting queries to the attacker's DNS or to OpenDNS: the bot reconfigures the infected device so that common DNS requests are forwarded to OpenDNS servers, while requests for the targeted domains are forwarded to the attacker's DNS.
Figure: the infected device in the local network sends DNS queries (UDP/53) to an OpenDNS server and to the spoofed DNS server.
NFDUMP detection filter:
    (src net local_network) and ((dst ip OpenDNS_servers [4]) or (dst ip DNS_servers [5])) and (proto UDP) and (dst port 53)
[4] IP addresses of the common OpenDNS servers.
[5] IP addresses of the attacker's spoofed DNS servers.
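The four detection filters above (scanning, initialization and update, C&C communication, DNS spoofing), re-implemented as an added example so the filter logic can be checked offline. This is not code from the slides or from the authors' NfSen plugin. It parses records in nfdump's default line output format and applies each filter, then adds one aggregation step the slides do not have: a source is reported as a scanner only after it has probed several distinct hosts. Assumed values not given on the slides: local network 147.251.20.0/24, a botnet distribution web server 192.0.2.80 and an attacker DNS server 192.0.2.53 (documentation-range placeholders), and the OpenDNS resolver addresses 208.67.222.222 and 208.67.220.220. The IRC C&C endpoints are the ones listed on the C&C slide, and the sample flow records are constructed, not real collector output.

```python
# Added example, not code from the slides or the authors' NfSen plugin: the four
# CNBv2 NFDUMP filters re-implemented in Python over constructed nfdump-style
# flow records. Assumed (not on the slides): local net 147.251.20.0/24, web
# server 192.0.2.80 and attacker DNS 192.0.2.53 (documentation-range
# placeholders), OpenDNS resolvers 208.67.222.222 and 208.67.220.220.
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# nfdump prints TCP flags as a six-character string in the order U A P R S F:
# "....S." = SYN only, ".AP.SF" = complete session, "...RS." = SYN+RST.
FLAG_ORDER = "UAPRSF"

LOCAL_NET = ip_network("147.251.20.0/24")                       # assumed
WEB_SERVERS = {ip_address("192.0.2.80")}                        # assumed placeholder
IRC_SERVERS = {(ip_address("62.211.73.229"), 6667),             # from the C&C slide
               (ip_address("62.211.73.230"), 6667),
               (ip_address("93.184.100.76"), 12000)}
OPENDNS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}
ATTACKER_DNS = {ip_address("192.0.2.53")}                       # assumed placeholder

Flow = namedtuple("Flow", "proto src sport dst dport flags")

def parse_flags(s):
    """'....S.' -> {'S'}; '.AP.SF' -> {'A', 'P', 'S', 'F'}."""
    return frozenset(f for f, c in zip(FLAG_ORDER, s) if c != ".")

def flags_match(fl, must, must_not):
    """nfdump semantics: 'flags X' = all bits of X set, 'not flags Y' = no bit of Y set."""
    return set(must) <= fl.flags and not (set(must_not) & fl.flags)

def parse_line(line):
    """One record of nfdump's default line output:
    date time duration proto src:port -> dst:port flags tos packets bytes flows"""
    f = line.split()
    src, sport = f[4].rsplit(":", 1)
    dst, dport = f[6].rsplit(":", 1)
    return Flow(f[3], ip_address(src), int(sport), ip_address(dst), int(dport), parse_flags(f[7]))

# Scanning filter: pure SYN = unanswered attempt, SYN+RST without ACK = half-open
# probe torn down by the scanner; completed sessions carry ACK and drop out.
def is_scan(fl):
    return ((fl.src in LOCAL_NET or fl.dst in LOCAL_NET)
            and fl.proto == "TCP" and fl.dport in (22, 23)
            and (flags_match(fl, "S", "ARPUF") or flags_match(fl, "SR", "APUF")))

# Initialization/update filter: established HTTP session to a distribution server.
def is_bot_download(fl):
    return (fl.src in LOCAL_NET and fl.dst in WEB_SERVERS and fl.proto == "TCP"
            and fl.dport == 80 and flags_match(fl, "SA", "R"))

# C&C filter: established TCP session to a known IRC server endpoint.
def is_cc_traffic(fl):
    return (fl.src in LOCAL_NET and (fl.dst, fl.dport) in IRC_SERVERS
            and fl.proto == "TCP" and flags_match(fl, "SA", "R"))

# DNS spoofing filter: UDP/53 to OpenDNS or to the attacker's DNS server.
def is_dns_redirect(fl):
    return (fl.src in LOCAL_NET and fl.dst in (OPENDNS | ATTACKER_DNS)
            and fl.proto == "UDP" and fl.dport == 53)

DETECTORS = {"scanning": is_scan, "init_update": is_bot_download,
             "c2_irc": is_cc_traffic, "dns_spoofing": is_dns_redirect}

def detect(lines):
    """Apply every filter to every record; returns {method: [matching flows]}."""
    hits = {name: [] for name in DETECTORS}
    for line in lines:
        fl = parse_line(line)
        for name, test in DETECTORS.items():
            if test(fl):
                hits[name].append(fl)
    return hits

def scanners(hits, min_targets=3):
    """Aggregation step not on the slides: one SYN to port 22 is an ordinary failed
    connection, so report a source only if it probed >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for fl in hits["scanning"]:
        targets[fl.src].add(fl.dst)
    return {str(src): len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample records in nfdump line format, not real collector output.
SAMPLE = [
    "2011-05-10 10:00:01.000 0.000 TCP 147.251.20.17:45001 -> 147.251.18.5:22 ....S. 0 1 60 1",
    "2011-05-10 10:00:01.010 0.000 TCP 147.251.20.17:45002 -> 147.251.18.6:23 ....S. 0 1 60 1",
    "2011-05-10 10:00:01.020 0.004 TCP 147.251.20.17:45003 -> 196.142.8.9:22 ...RS. 0 2 100 1",
    "2011-05-10 10:00:02.000 0.000 TCP 214.12.83.7:33001 -> 147.251.20.17:23 ....S. 0 1 60 1",
    "2011-05-10 10:00:05.000 0.120 TCP 147.251.20.17:45010 -> 192.0.2.80:80 .AP.SF 0 12 9000 1",
    "2011-05-10 10:00:06.000 30.000 TCP 147.251.20.17:45011 -> 62.211.73.229:6667 .AP.S. 0 40 3000 1",
    "2011-05-10 10:00:07.000 0.000 UDP 147.251.20.17:53011 -> 208.67.222.222:53 ...... 0 1 70 1",
    "2011-05-10 10:00:07.100 0.000 UDP 147.251.20.17:53012 -> 192.0.2.53:53 ...... 0 1 72 1",
    "2011-05-10 10:00:08.000 0.050 TCP 147.251.20.17:45012 -> 198.51.100.20:443 .AP.SF 0 10 5000 1",
    "2011-05-10 10:00:09.000 12.000 TCP 147.251.20.17:45013 -> 147.251.3.4:22 .AP.SF 0 50 6000 1",
]

if __name__ == "__main__":
    hits = detect(SAMPLE)
    for name, flows in hits.items():
        print(f"{name}: {len(flows)} flow(s)")
    print("scanning hosts:", scanners(hits))
```

On the sample, the three SYN-only and SYN/RST probes from 147.251.20.17 plus the incoming SYN from 214.12.83.7 match the scanning filter, the completed SSH session to 147.251.3.4 does not (it carries ACK), and only 147.251.20.17 clears the distinct-target threshold. The HTTPS flow to 198.51.100.20 matches nothing, which is the point of keying the download and C&C filters on known server addresses rather than on ports alone.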

Part IV: Conclusion

Conclusion I
Irresponsible operators and poorly configured networks:
- Large networks exist with vulnerable devices installed.
- Trivially exploitable devices with factory default passwords.
- Unattended large-scale attacks: nobody cares about them!
Unix-like embedded botnets:
- Spread worldwide, focusing on poorly configured networks.
- Operate on the last mile, the ISP's home networks.
- Hard for the end user to detect, left unsolved by the network operator.

Conclusion II
How to fight embedded botnets:
- Current embedded botnets still use well-known techniques.
- Flow data can detect the illicit activities of embedded devices.
- Nobody will stop the botnet operators from doing their business.
- Vulnerable devices must be fixed and secured.
The perfect embedded malware (from the attacker's point of view):
- Devices with the malware built into the firmware, with no way to disinfect them.
- Stealthy malware that works undetected for as long as possible.
- Robust C&C that makes efforts to shut the botnet down hard.

Thank You For Your Attention!
Revealing Botnets Using Network Traffic Statistics
Pavel Čeleda et al., celeda@ics.muni.cz
Project CYBER, http://www.muni.cz/ics/cyber
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.