nullcon 2010 - Botnet mitigation, monitoring and management by Harshad Patil

1. Botnet Mitigation, Monitoring and Management - Harshad Patil, nullcon Goa 2010, http://nullcon.net
2. Agenda <ul><li>Introduction</li><li>Why are botnets used?</li><li>Attack vectors: where are they used?</li><li>Taxonomy of botnets and how they operate</li><li>Detection and prevention of botnets</li><li>Some recent botnets</li><li>Current botnet mitigation efforts</li><li>Botnet monitoring</li></ul>
3. Introduction <ul><li>What are bots, botnets, botmasters, zombies, IRC and P2P?</li><li>Three characteristic attributes of a bot:</li><ul><li>a remote control facility,</li><li>the implementation of several commands,</li><li>and a spreading mechanism</li></ul></ul>
4. What is DoS? <ul><li>An attack record from an ISC report: about 75 minutes of TCP packets with no flags set (a "null TCP" flood) from spoofed or widely distributed sources against a single IRC server, peaking at about 1.98 Gbps and 6.2 Mpps across 19 routers. Source: ISC.</li></ul>
<pre>
<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">   # about an hour and 15 minutes
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>                                                 # Misuse: Null TCP
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>                                                      # IP protocol 6, TCP
  <tcpflags></tcpflags>                                                         # no flags set: null TCP
  <source>
    <ips>0.0.0.0/0</ips>                                                        # very well distributed or source-spoofed IPs
    <ports>0-65535</ports>                                                      # very well distributed source ports
  </source>
  <dst>
    <ips>xx.xx.X.X/32</ips>                                                     # surprise: an Undernet IRC server…
    <ports>6667</ports>                                                         # 6667, IRC
  </dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
</attack>
</pre>
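Added example, not code from the slides or from ISC: a small parser for a record in the format above that derives the triage points the hand-written comments make (null flags, spoofed sources, IRC target, peak rate over the red threshold) and the one mitigation a null-TCP flood admits, stateless filtering. The element and attribute names are taken from the record on the slide; the target address is a constructed RFC 5737 documentation address standing in for the redacted one, and the IRC port set is an assumption.

```python
"""Triage an ISC/Arbor-style <attack> record (added example, not the page's code)."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the record from the slide re-typed, with a documentation
# address (RFC 5737) in place of the redacted target.
SAMPLE_RECORD = """<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>
  <tcpflags></tcpflags>
  <source><ips>0.0.0.0/0</ips><ports>0-65535</ports></source>
  <dst><ips>192.0.2.10/32</ips><ports>6667</ports></dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000"
                  sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
</attack>"""

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}  # assumption: usual IRC ports
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_attack(xml_text):
    """Extract the fields an analyst needs from one <attack> record."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path)
        return (el.text or "").strip() if el is not None else ""

    start = datetime.strptime(root.get("start"), TIME_FMT)
    stop = datetime.strptime(root.get("stop"), TIME_FMT)
    infra = root.find("infrastructure")
    dport = text("dst/ports")
    return {
        "id": root.get("id"),
        "duration_s": int((stop - start).total_seconds()),
        "protocol": int(text("protocols")),
        "tcpflags": text("tcpflags"),           # "" means no flag bits were set
        "src_cidr": text("source/ips"),
        "src_ports": text("source/ports"),
        "dst_cidr": text("dst/ips"),
        "dst_port": int(dport) if dport.isdigit() else None,  # None for a port range
        "max_pps": int(infra.get("max_pps")),
        "max_bps": int(infra.get("max_bps")),
        "red_pps": float(root.find("severity").get("red_rate")),
    }


def triage(a):
    """Turn a parsed record into the observations and mitigation hint for the ticket."""
    findings = []
    if a["protocol"] == 6 and a["tcpflags"] == "":
        findings.append("TCP segments with no flags set: no real stack sends these, so they "
                        "can be dropped statelessly at the edge "
                        "(e.g. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP)")
    if a["src_cidr"] == "0.0.0.0/0" and a["src_ports"] == "0-65535":
        findings.append("sources cover the whole address and port space: spoofed or "
                        "botnet-scale distributed, so per-source rate limits will not help")
    if a["dst_cidr"].endswith("/32"):
        findings.append("single target host " + a["dst_cidr"])
    if a["dst_port"] in IRC_PORTS:
        findings.append("target port %d is IRC: the victim is an IRC server" % a["dst_port"])
    if a["max_pps"] >= a["red_pps"]:
        findings.append("peak %.2f Mpps / %.2f Gbps exceeds the %.0f Mpps red threshold"
                        % (a["max_pps"] / 1e6, a["max_bps"] / 1e9, a["red_pps"] / 1e6))
    findings.append("duration %d min" % (a["duration_s"] // 60))
    return findings


if __name__ == "__main__":
    for line in triage(parse_attack(SAMPLE_RECORD)):
        print("-", line)
```

The null-flags check is the practical one: a flood whose packets are invalid by construction can be filtered without state and without touching legitimate IRC clients, which is not true of a SYN flood against the same port.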
5. Why botnets? <ul><li>Capability of a botnet</li><li>Botnet economy</li><li>Self-propagation</li><li>Robustness</li><li>Efficiency</li><li>Effectiveness</li><li>Use of different encryption systems</li><li>P2P botnet advantages!</li></ul>
6. Attack vectors <ul><li>Spamming</li><li>Phishing</li><li>Click fraud (e.g. against Google AdSense)</li><li>Sniffing traffic: corporate espionage, identity theft</li><li>Keystroke logging</li><li>Data mining</li><li>Manipulating online games (MMOGs)</li></ul>
7. How they operate <ul><li>How botmasters discover new bots</li><li>Two architectures: centralized C&C and P2P</li><li>Communication between the bot and the botmaster</li><li>Botnet complexity</li><li>How they evade IDS and honeypots</li></ul>
8. C&C architecture (diagram: botmaster → single C&C server → bots)
9. P2P architecture (diagram: botmaster → several C&C peers → bots; no single point of failure)
10. Concerning factors <ul><li>Complexity of the Internet.</li><li>Shortest compromise time: a few seconds.</li><li>Extradition issues and different laws in different countries.</li><li>Easy to evade detection by adopting new cryptographic primitives (e.g. Conficker's use of the then-new MD6 hash).</li></ul>
11. Concerning factors (chart; courtesy: McAfee)
12–13. Concerning factors (charts)
14. Protection, Detection, Remediation
15. Detection <ul><li>Nepenthes</li><li>HoneyBow</li><li>Observe the behavior of bots:</li><ul><li>network-based behavior</li><li>host-based behavior</li></ul><li>BotHunter: vertical correlation, i.e. correlating the successive stages of the infection dialog of a single host over time.</li><li>BotSniffer: horizontal correlation, i.e. correlating the behavior of several hosts that share the same centralized (IRC/HTTP) C&C.</li><li>BotMiner: extends BotSniffer by clustering communication and activity patterns, with no restriction on the C&C type or structure.</li></ul>
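Added example, not from the slides or from the BotSniffer authors: a flow-level sketch of horizontal correlation. Per server endpoint it looks for a group of internal hosts that contact the server in the same time windows with near-identical flow sizes over several rounds (the "response crowd" idea), and it leaves the same hosts' ordinary web browsing unflagged. The flow records are constructed; window length, minimum group size, number of rounds and the size tolerance are assumptions.

```python
"""Horizontal correlation over flow records (added example, not the page's code)."""
from collections import defaultdict


def _flow(ts, src, dst, dport, nbytes):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed flows: ts = seconds since capture start, internal hosts in 10.0.0.0/24,
# servers in RFC 5737 documentation ranges.
CNC = "198.51.100.5"
WEB = "203.0.113.20"
SAMPLE_FLOWS = [
    # three hosts check in with the same server every ~5 minutes, seconds apart,
    # each sending almost the same amount of data: a response crowd
    _flow(2, "10.0.0.11", CNC, 6667, 124), _flow(4, "10.0.0.12", CNC, 6667, 128),
    _flow(7, "10.0.0.13", CNC, 6667, 126),
    _flow(301, "10.0.0.11", CNC, 6667, 130), _flow(303, "10.0.0.12", CNC, 6667, 122),
    _flow(306, "10.0.0.13", CNC, 6667, 127),
    _flow(602, "10.0.0.11", CNC, 6667, 125), _flow(604, "10.0.0.12", CNC, 6667, 129),
    _flow(605, "10.0.0.13", CNC, 6667, 124),
    # the same hosts and others browsing a popular web server: unsynchronised, varied sizes
    _flow(10, "10.0.0.11", WEB, 443, 5400), _flow(95, "10.0.0.12", WEB, 443, 1200),
    _flow(170, "10.0.0.14", WEB, 443, 88000), _flow(260, "10.0.0.11", WEB, 443, 2300),
    _flow(330, "10.0.0.13", WEB, 443, 640), _flow(415, "10.0.0.15", WEB, 443, 43000),
    _flow(500, "10.0.0.12", WEB, 443, 3100), _flow(590, "10.0.0.14", WEB, 443, 720),
]


def horizontal_correlate(flows, window=60, min_hosts=3, min_rounds=2, size_tol=0.2):
    """Return {(server, port): {"hosts": [...], "rounds": n}} for endpoints that at least
    min_hosts distinct internal hosts contact within the same window, with flow sizes
    within size_tol of each other, in at least min_rounds windows.  The host set must
    be the same group every time (intersection across rounds), not just any crowd."""
    by_server = defaultdict(list)
    for f in flows:
        by_server[(f["dst"], f["dport"])].append(f)

    suspects = {}
    for server, server_flows in by_server.items():
        rounds = defaultdict(list)               # window index -> flows in that window
        for f in server_flows:
            rounds[f["ts"] // window].append(f)

        crowd, crowd_rounds = None, 0
        for _, fs in sorted(rounds.items()):
            hosts = {f["src"] for f in fs}
            if len(hosts) < min_hosts:
                continue                         # too few hosts to be a crowd
            sizes = [f["bytes"] for f in fs]
            if max(sizes) - min(sizes) > size_tol * max(sizes):
                continue                         # responses not homogeneous
            crowd = hosts if crowd is None else crowd & hosts
            crowd_rounds += 1

        if crowd and len(crowd) >= min_hosts and crowd_rounds >= min_rounds:
            suspects[server] = {"hosts": sorted(crowd), "rounds": crowd_rounds}
    return suspects


if __name__ == "__main__":
    for (dst, port), info in horizontal_correlate(SAMPLE_FLOWS).items():
        print("suspected C&C %s:%d, %d rounds, hosts %s"
              % (dst, port, info["rounds"], ", ".join(info["hosts"])))
```

Two caveats a deployment needs: legitimate pollers (NTP, update services, mail clients on a timer) also form crowds, so known services must be allow-listed; and a botnet that adds jitter to its check-in timer or random padding to its messages defeats this flow-only version, which is why BotSniffer also inspects the content of the IRC/HTTP responses rather than just their timing and size.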
16. Protection <ul><li>Honeynets</li><li>IDS</li><li>Snort</li><li>Tripwire</li><li>OurMon</li><li>CWSandbox</li></ul>
17. Current mitigation efforts (chart)
18. Botnet monitoring system (chart)
19. Some current cases <ul><li>Torpig</li><li>Conficker</li><li>A Flash 0day attack current at the time of the talk.</li></ul>
20. Torpig details (chart)
21. Conclusion <ul><li>Bots pose a threat to individuals and corporate environments.</li><li>Uses: DDoS attacks, spam, theft, spying, hacking, …</li><li>Defense:</li><ul><li>Prevention: honeypots, IPS, network analysis tools</li><li>Detection: IDS, analysis tools</li><li>Management: understanding security failures is much like accepting that houses catch fire; that is why smoke detectors save lives.</li></ul></ul>
