Botnets & DDoS Introduction


    Botnets & DDoS Introduction - Presentation Transcript

    1. 9th TWNIC IP Open Policy Meeting, 2007/12/5, Taipei
       Botnets & DDoS Introduction
       Kae Hsu (IS-TW)
    2. Agenda
       • Bot
       • Botnet and the mechanisms used in it
       • Botnet activities and economics
       • Harms from botnets
       • DDoS mitigation
       • Botnet detection and defense
       • Reference
       2007/12/5 Copyright 2007 - Trend Micro Inc.
    3. Bot
       • Brief history of bots (summarized from "Botnets: The Killer Web App")
         – GM (1989)
           • A robot user in an IRC channel.
         – PrettyPark (1999)
           • A bot client on Windows 95/98.
           • One of the first malicious IRC bots.
         – SubSeven Trojan/bot
           • Creates a backdoor in the system.
           • The SubSeven server could control SubSeven clients via an IRC server.
         – GT Bot (2000)
           • Based on the mIRC client: it could trigger the mIRC client to run scripts from the IRC server.
           • Supported raw TCP and UDP socket connections.
         – SDBot (2002)
           • Written in C++; the author released the source code.
           • Exploits and infects.
    4. Bot
       • History brief (cont.)
         – Agobot (2002)
           • Modular design.
           • Used P2P file-sharing applications to spread.
         – Spybot (2003)
           • Open source Trojan, derived from SDBot.
         – RBot (2003)
           • Most detections on the Windows platform, with 1.9 million PCs (2005).
         – Polybot (2004)
           • Derived from Agobot.
         – Mytob (2005)
           • Hybrid of MyDoom and bot IRC C&C functionality.
       (Figure label: characteristic-based families.)
    5. Botnet and the mechanisms used in it
       • Botnet
         – A set of bots controlled by a single person or organization (the botherder) that execute the commands of the botherder.
       • Botnet life cycle
         1. Exploit.
         2. Report to the botherder (via the C&C channel).
         3. Retrieve the anti-antivirus module.
         4. Rally and secure the bot client.
         5. Listen on the C&C channel and receive a command.
         6. Retrieve the payload module.
         7. Execute the command.
         8. Report the result to the C&C channel.
         9. Back to step 5.
         10. Erase all evidence and abandon the bot client.
    6. Botnet and the mechanisms used in it
       • C&C: command and control
         – The botherder uses C&C to collect bot client information and deliver commands to the bot clients.
         – IRC servers are the earliest and most widely used C&C:
           • Interactive.
           • Easy to build an IRC server.
           • Easy to create and control several botnets using one server.
           • Easy to create redundancy.
         – Web-based C&C servers.
         – P2P botnets.
         – Random.
         – IM C&C.
         – Remote administration.
         – Drop zone and FTP-based C&C.
    7. Botnet activities and economics
       • Exploit new bot clients
       • DDoS attack
         – DDoS ransom - $$$
       • Software installation
         – adware - $$$
         – clicks4hire - $$$
       • Spam and phishing - $$$
       • Storage and distribution of stolen or illegal data
       • Ransomware - $$$
       • Data mining - $$$
       • Reporting results
       • Erase the evidence, abandon the client
    8. Harms from botnets
       • Spam
         – The botherder directs the bot clients to send spam email.
       • DDoS: Distributed Denial of Service
         – Flooding the DDoS target with large volumes of anomalous traffic, or launching large numbers of service requests against it.
           • The victim's service is blocked because a resource is exhausted:
             – bandwidth
             – system resources (CPU, memory, connection state)
         – DDoS is hard to prevent
           • It is hard to classify traffic as normal or abnormal.
             – Anomalous TCP/UDP/ICMP flooding is easy to detect.
             – Anomalous service access requests are hard to detect.
           • ISP uplink congestion will impact other customers.
             – Traffic scrubbing cannot help with uplink congestion: the packets are already being dropped upstream, before any scrubber inside the victim's network sees them.
    9. Harms from botnets
       • Botnets: the source of DDoS
         – In a botnet, the zombie PCs are used to generate the attack traffic toward the victim.
         – If a botnet has more than 100,000 zombie PCs and each PC generates 50 kbps of attack traffic, the total attack traffic exceeds 5 Gbps.
           • 5 Gbps of traffic can congest many enterprise and ISP links.
         – If a botnet has more than 100,000 zombie PCs and each PC generates 1 kpps of attack traffic, the total attack traffic exceeds 100 Mpps.
           • 100 Mpps can shut down many pieces of enterprise and ISP equipment, whose forwarding capacity is limited in packets per second, not only in bits per second.
         – Most ISPs use a "black-hole" (null route) to drop the attack traffic, but that also drops the normal traffic flowing to the victim.
           • In effect the ISP completes the attack on the cyber-criminal's behalf.
    10. Harms from botnets
        • Scale of botnets:
          – Telenor takes down 'massive' botnet: more than 10,000 zombie PCs
            • http://www.theregister.co.uk/2004/09/09/telenor_botnet_dismantled/
          – Dutch botnet suspects ran 1.5 million machines
            • http://www.techweb.com/wire/security/172303160
          – "Of the 600 million computers currently on the internet, between 100 and 150 million were already part of these botnets..."
            • http://news.bbc.co.uk/1/hi/business/6298641.stm
        • Strength of botnets:
          – Estonian government websites were shut down by a serious DDoS attack that began on April 27, 2007.
            • At its peak on May 9, the attack shut down up to 58 sites at once.
            • Computers from the United States, Canada, Brazil, Vietnam and other countries were used in the attacks.
    11. Harms from botnets
        • DDoS example
          [Figure: bot clients in the botnets send attack traffic through several ISPs toward the victims; link congestion occurs on the victims' uplink.]
    12. Harms from botnets
        – Once the victim is black-holed, all of the packets forwarded to the victim are dropped, attack traffic and normal traffic alike.
          [Figure: the botnets' attack traffic and the normal traffic destined for the victims are both dropped before reaching them.]
    13. DDoS mitigation
        • Scrub the traffic: accept and forward the normal packets and drop the abnormal packets.
          – Build the traffic scrubbing system in your own network.
            • Congestion would still happen on the ISP border router, upstream of your scrubber.
            [Figure: scrubbing system inside the victims' network; link congestion remains on the link from the ISP to the victims.]
          – Order a scrubbing service from the upstream ISP or from a scrubbing service provider.
            [Figure: traffic is diverted through the scrubbing service provider before it reaches the victims' link; labels: scrubbing service provider, VICTIMS, link congestion.]
    14. Botnet detection and defense
        • Internet projects to detect bots/botnets
          – Darknet
            • A subnet in which no machine is hosted.
            • There should not be any normal traffic flowing to this subnet; almost all traffic that arrives there is anomalous traffic sent by malware (scans and exploit attempts).
            • It is possible to trace the compromised machine by analyzing that anomalous traffic.
            [Figure: on 172.17.12.0/24, the upper half of the subnet is routed to a sensor host (.4) whose interface is in promiscuous mode; the sensor analyzes the exploit traffic and catches the bot client's IP.]
            R(config)#ip route 172.17.12.128 255.255.255.128 172.17.12.4
    15. Botnet detection and defense
        • Internet projects to detect bots/botnets
          – Honeypots
            • A machine that is exploited by malware on purpose.
              – The botnet life cycle steps that become visible from the honeypot:
                » 2) Report to the botherder (via the C&C channel).
                » 5) Listen on the C&C channel and receive a command.
                » 6) Retrieve the payload module.
                » 8) Report the result to the C&C channel.
              – By sniffing and analyzing the bot's connections we can catch:
                » the IP address of the C&C
                » the IP address of the victims
            [Figure: honeypot (.2) on the 172.17.12.0/24 segment behind a port mirror; its connection across the Internet to the C&C at 172.31.1.1 is captured, which catches the C&C IP: 172.31.1.1.]
    16. Botnet detection and defense
        – Honeypot (cont.)
          • In theory, taking the C&C offline would destroy the whole botnet.
            – This is the vulnerability of a centralized C&C.
          • Use a black-hole route to block the C&C IP on the Internet:
            R(config)#ip route 172.31.1.1 255.255.255.255 null0
            [Figure: the same honeypot/port-mirror topology as slide 15, with the null route for the C&C address installed on the router.]
            – But botherders do not build their botnets around a single C&C.
              » They use DNS to improve C&C survivability: the bots resolve a host name, which the botherder can repoint at a new server when one address is blocked.
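    The darknet (slide 14) and honeypot (slides 15 and 16) techniques reduce to the same analysis over flow records: anything that talks to the darknet is a scanner or bot, and anything the honeypot talks to is either its C&C or its victim. The script below is an added example written for this transcript, not the presenter's or Trend Micro's code. The subnet 172.17.12.0/24, its darknet half 172.17.12.128/25 and the C&C address 172.31.1.1 are taken from the slide figures; the honeypot address, the IRC-port and packet-count heuristics and the flow records are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Darknet and honeypot triage over constructed flow records (added example)."""
import ipaddress
from collections import Counter, defaultdict

MONITORED = ipaddress.ip_network("172.17.12.0/24")
DARKNET = ipaddress.ip_network("172.17.12.128/25")   # routed to the sensor; no hosts live here
HONEYPOT = ipaddress.ip_address("172.17.12.2")       # assumed honeypot address
IRC_PORTS = {6667, 6668, 6669, 7000}                 # assumed heuristic for IRC-based C&C (slide 6)
FLOOD_PACKETS = 10_000                               # assumed threshold for calling a flow a flood

# Constructed NetFlow-style records: src,dst,proto,dport,packets
SAMPLE_FLOWS = """\
198.51.100.23,172.17.12.130,tcp,445,3
198.51.100.23,172.17.12.131,tcp,445,3
198.51.100.23,172.17.12.132,tcp,445,3
203.0.113.9,172.17.12.200,tcp,135,2
203.0.113.9,172.17.12.2,tcp,445,4
172.17.12.2,172.31.1.1,tcp,6667,120
172.17.12.2,192.0.2.10,tcp,80,50000
172.17.12.2,172.17.12.3,tcp,445,2
172.17.12.3,172.17.12.4,tcp,80,1
"""


def parse_flows(text):
    """Parse the CSV records into (src, dst, proto, dport, packets) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto, int(dport), int(pkts)))
    return flows


def darknet_sources(flows):
    """Sources that send anything into the darknet; nothing legitimate should."""
    hits = Counter()
    for src, dst, _proto, _dport, _pkts in flows:
        if dst in DARKNET:
            hits[src] += 1
    return {str(ip): n for ip, n in hits.items()}


def honeypot_peers(flows):
    """Classify the honeypot's outbound peers: C&C, DDoS victim, or local spread."""
    out = defaultdict(lambda: {"packets": 0, "ports": set()})
    for src, dst, _proto, dport, pkts in flows:
        if src == HONEYPOT:
            out[dst]["packets"] += pkts
            out[dst]["ports"].add(dport)
    roles = {}
    for dst, info in out.items():
        if dst in MONITORED:
            role = "lateral-spread"          # exploiting neighbours (life cycle step 1)
        elif info["ports"] & IRC_PORTS:
            role = "candidate-c2"            # steps 2, 5, 6, 8 go over this connection
        elif info["packets"] >= FLOOD_PACKETS:
            role = "ddos-victim"             # step 7, the executed attack command
        else:
            role = "unknown"
        roles[str(dst)] = role
    return roles


def null_route_commands(addresses):
    """Black-hole routes in the IOS form used on slide 16."""
    return [f"ip route {a} 255.255.255.255 null0" for a in sorted(addresses)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("darknet sources:", darknet_sources(flows))
    peers = honeypot_peers(flows)
    print("honeypot peers:", peers)
    print("\n".join(null_route_commands(ip for ip, r in peers.items() if r == "candidate-c2")))
```

    With the constructed records, the darknet half of the subnet names 198.51.100.23 and 203.0.113.9 as scanners, the honeypot's IRC session identifies 172.31.1.1 as the candidate C&C, and its 50,000-packet flow to 192.0.2.10 is the victim it was ordered to attack. Before null-routing a candidate C&C in production, confirm it with a second source (e.g. the honeypot's captured IRC traffic), since a shared hosting address would take innocent sites down with it.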
    17. Botnet detection and defense
        • BGP flow-spec
          – A new BGP NLRI (Network Layer Reachability Information) that distributes traffic flow specifications together with an action.
          • The reason to use BGP: re-use of
            – protocol algorithms,
            – operational experience,
            – administrative processes such as inter-provider peering agreements.
        • Flow-spec NLRI component types
          – Type 1: destination prefix
          – Type 2: source prefix
          – Type 3: IP protocol
          – Type 4: port
          – Type 5: destination port
          – Type 6: source port
          – Type 7: ICMP type
          – Type 8: ICMP code
    18. Botnet detection and defense
        • Flow-spec NLRI (cont.)
          – Type 9: TCP flags
          – Type 10: packet length
          – Type 11: DSCP
          – Type 12: fragment
        • Traffic filtering actions
          – Traffic-rate (a rate of 0 discards the matching traffic)
          – Traffic-action
            » Terminal action
            » Sample
          – Redirect
        • Using BGP flow-spec in your network
          [Figure: topology with server A, normal clients B and C, and bot client D.]
    19. Botnet detection and defense
        – Using BGP flow-spec in your network
          • Advertise the BGP flow-spec route to the border router:
            – 'SRC=D, DST=A, action=drop'
            [Figure: traffic from bot client D to server A is dropped at the border router, while normal clients B and C still reach A.]
          • Advertise the BGP flow-spec route to the peering partner:
            – 'SRC=D, DST=A, action=drop'
            [Figure: the same rule is enforced inside the peering partner's network, so D's traffic is dropped before it crosses the peering link.]
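    The 'SRC=D, DST=A, action=drop' rule above is carried on the wire as a flow-spec NLRI plus a traffic-rate extended community. The following encoder and decoder are an added example written for this transcript, not the presenter's code and not a router implementation; they follow the encoding in draft-marques-idr-flow-spec (components in ascending type order; prefix components as type, prefix length and significant octets; numeric components as operator/value pairs whose operator byte carries the end-of-list bit 0x80, the value length in bits 4-5 and the eq flag 0x01; the traffic-rate community as type 0x8006, a 2-byte AS and a 4-byte float). The addresses chosen for bot client D and server A are assumptions.

```python
#!/usr/bin/env python3
"""Encode and decode BGP flow-spec NLRI and the traffic-rate action (added example)."""
import ipaddress
import struct

# Component types from slides 17-18
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Assumed addresses for the slide-19 topology
BOT_CLIENT_D = "192.0.2.7/32"
SERVER_A = "10.0.0.1/32"


def _prefix_component(ctype, prefix):
    """Types 1/2: prefix length, then only the octets the prefix length covers."""
    net = ipaddress.ip_network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """Types 3-12: an OR-list of '== value' operators; the last one sets end-of-list."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        if v < 0x100:
            ln, fmt = 0, ">B"
        elif v < 0x10000:
            ln, fmt = 1, ">H"
        else:
            ln, fmt = 2, ">I"
        end = 0x80 if i == len(values) - 1 else 0x00
        out.append(end | (ln << 4) | 0x01)      # 0x01 = eq flag
        out += struct.pack(fmt, v)
    return bytes(out)


def encode_flowspec(dst=None, src=None, proto=None, dports=None):
    """NLRI = length (1 byte if < 240, else 2 bytes 0xFnnn) + components in type order."""
    comps = []
    if dst is not None:
        comps.append(_prefix_component(DEST_PREFIX, dst))
    if src is not None:
        comps.append(_prefix_component(SRC_PREFIX, src))
    if proto is not None:
        comps.append(_numeric_component(IP_PROTO, [proto]))
    if dports:
        comps.append(_numeric_component(DEST_PORT, dports))
    body = b"".join(comps)
    hdr = bytes([len(body)]) if len(body) < 240 else struct.pack(">H", 0xF000 | len(body))
    return hdr + body


def decode_flowspec(nlri):
    """Inverse of encode_flowspec: {type: 'a.b.c.d/len'} for prefixes, {type: [values]} otherwise."""
    if nlri[0] >= 0xF0:
        length, pos = struct.unpack(">H", nlri[:2])[0] & 0x0FFF, 2
    else:
        length, pos = nlri[0], 1
    end = pos + length
    comps = {}
    while pos < end:
        ctype = nlri[pos]
        pos += 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            pos += 1
            nbytes = (plen + 7) // 8
            raw = nlri[pos:pos + nbytes] + b"\x00" * (4 - nbytes)
            pos += nbytes
            comps[ctype] = f"{ipaddress.IPv4Address(raw)}/{plen}"
        else:
            values = []
            while True:
                op = nlri[pos]
                pos += 1
                size = 1 << ((op >> 4) & 0x3)       # 1, 2, 4 or 8 value bytes
                values.append(int.from_bytes(nlri[pos:pos + size], "big"))
                pos += size
                if op & 0x80:                       # end-of-list
                    break
            comps[ctype] = values
    return comps


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Extended community 0x8006 (traffic-rate); a rate of 0 means discard."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


if __name__ == "__main__":
    rule = encode_flowspec(dst=SERVER_A, src=BOT_CLIENT_D)   # 'SRC=D, DST=A'
    print("NLRI   :", rule.hex())
    print("decoded:", decode_flowspec(rule))
    print("action :", traffic_rate_community(0).hex())        # action=drop
```

    Two things worth checking when you hand such a rule to a peering partner: the component order must be strictly ascending by type or the receiver will reject the NLRI, and a traffic-rate of 0 is a hard discard, so a source prefix wider than the bot's own address (a /24 instead of a /32) silently blocks the normal clients sharing it, which is exactly the collateral damage flow-spec is meant to avoid compared with a black-hole route.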
    20. Reference
        • "Botnets: The Killer Web App", Craig A. Schiller et al.; Syngress Publishing Inc., 2007
        • The Team Cymru Darknet Project: http://www.cymru.com/Darknet/index.html
        • The Honeynet Project: http://www.honeynet.org/index.html
        • "Dissemination of flow specification rules", draft-marques-idr-flow-spec-04.txt
        • "Configuring a flow route": http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-routing/id-10317421.html#id-10317421
        • "Inferring Internet Denial-of-Service Activity", David Moore et al.
        • "The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets", Evan Cooke et al.
        • "How CNCERT/CC fighting to Botnets", Mingqi Chen; CNCERT/CC
    21. Thank You
