nullcon 2010 - Botnet mitigation, monitoring and management
nullcon 2010 - Botnet mitigation, monitoring and management by Harshad Patil

    Presentation Transcript

    • Botnet Mitigation, Monitoring and Management - Harshad Patil nullcon Goa 2010 http://nullcon.net
    • Agenda
      • Introduction
      • Why do they use botnets?
      • Attack vectors: where are they used?
      • Taxonomy of botnets and how they operate
      • Detection and prevention of botnets
      • Some recent botnets
      • Current botnet mitigation efforts
      • Botnet monitoring
    • Introduction
      • What are bots, botnets, botmasters, zombies, IRC and P2P?
      • Three characteristic attributes of a bot:
        • a remote control facility,
        • the implementation of several commands,
        • and a spreading mechanism
    • What is DoS? An example attack record:
          </attack>
          <attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11"> # About an hour and 15 minutes duration
          <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
          <type class="3" subclass="5"/> # Misuse: Null TCP
          <direction type="Incoming" name="anonymous" gid="756"/>
          <protocols>6</protocols> # IP protocol 6, TCP
          <tcpflags></tcpflags> # No flags: Null TCP
          <source>
          <ips>0.0.0.0/0</ips> # Very well distributed or source-spoofed IPs
          <ports>0-65535</ports> # Very well distributed source ports
          </source>
          <dst>
          <ips>xx.xx.X.X/32</ips> # Surprise, an Undernet IRC server…
          <ports>6667</ports> # 6667: IRC
          </dst>
          <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
          </attack>
      • Source: ISC
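The record above carries every signal an analyst needs to classify the attack (TCP with no flags, sources spread across the whole address space, a single /32 target on the IRC port, and the peak packet rate). The following is an added example, not code from the slides or from ISC: a small parser that reads one record in this shape and turns it into the observations a defender would write down. The sample record copies the slide's values; the destination address is a constructed documentation-range placeholder because the slide masks it, and the set of IRC ports treated as a C&C indicator is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape of the ISC record on the slide. Attribute values are
# copied from the slide; the destination address is a documentation-range placeholder,
# since the slide masks it as xx.xx.X.X.
SAMPLE_RECORD = """<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>
  <tcpflags></tcpflags>
  <source><ips>0.0.0.0/0</ips><ports>0-65535</ports></source>
  <dst><ips>192.0.2.10/32</ips><ports>6667</ports></dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000"
                  sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
</attack>"""

IRC_PORTS = {6667, 6697}   # assumption: the IRC ports we treat as a C&C indicator
IPPROTO_TCP = "6"
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_attack(xml_text: str) -> dict:
    """Parse one <attack> record into a flat dict of the fields the triage needs."""
    root = ET.fromstring(xml_text)
    if root.tag != "attack":
        raise ValueError("expected an <attack> record, got <%s>" % root.tag)

    def text(path: str) -> str:
        node = root.find(path)
        # An empty element such as <tcpflags></tcpflags> has text None; treat it as "".
        return (node.text or "").strip() if node is not None else ""

    start = datetime.strptime(root.get("start"), TIME_FMT)
    stop = datetime.strptime(root.get("stop"), TIME_FMT)
    infra = root.find("infrastructure")
    return {
        "id": root.get("id"),
        "duration_s": int((stop - start).total_seconds()),
        "protocol": text("protocols"),
        "tcpflags": text("tcpflags"),
        "src_ips": text("source/ips"),
        "src_ports": text("source/ports"),
        "dst_ips": text("dst/ips"),
        "dst_ports": text("dst/ports"),
        "max_pps": int(infra.get("max_pps", 0)) if infra is not None else 0,
        "max_bps": int(infra.get("max_bps", 0)) if infra is not None else 0,
    }


def assess(rec: dict) -> list:
    """Turn the parsed record into the observations an analyst would note."""
    findings = []
    if rec["protocol"] == IPPROTO_TCP and rec["tcpflags"] == "":
        findings.append("null TCP flood: TCP segments with no flags set")
    if rec["src_ips"] == "0.0.0.0/0":
        findings.append("sources cover the whole IPv4 space: spoofed or widely distributed")
    if rec["src_ports"] == "0-65535":
        findings.append("source ports fully distributed")
    if rec["dst_ips"].endswith("/32"):
        findings.append("single target host %s" % rec["dst_ips"])
    if rec["dst_ports"].isdigit() and int(rec["dst_ports"]) in IRC_PORTS:
        findings.append("destination port %s is IRC" % rec["dst_ports"])
    findings.append("peak rate %d pps over %d s" % (rec["max_pps"], rec["duration_s"]))
    return findings


if __name__ == "__main__":
    for line in assess(parse_attack(SAMPLE_RECORD)):
        print("-", line)
```

Run as a script it prints the six observations for the slide's record; the 4464 s duration and the 6,188,517 pps peak come straight out of the attributes, which is why keeping these records machine-readable matters more than the prose comments on the slide.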
    • Why Botnets?
      • Capability of botnet
      • Botnet Economy
      • Self propagation
      • Robustness
      • Efficiency
      • Effectiveness
      • Use of different encryption systems
      • P2P botnet advantages!
    • Attack vectors
      • Spamming
      • Phishing
      • Click fraud (e.g. Google AdSense)
      • Sniffing traffic: corporate espionage, identity theft
      • Keystroke logging
      • Data mining
      • Manipulating online games (MMOGs)
    • How they operate
      • How botmasters discover new bots
      • Two architectures: centralized C&C and P2P
      • Communication between the bot and the botmaster
      • Botnet complexity
      • How they evade IDS and honeypots
    • CnC Architecture (diagram: Botmaster -> C&C -> Bots)
    • P2P Architecture (diagram: Botmaster -> several C&C peers -> Bots)
    • Concerning factors
      • Complexity of the Internet.
      • Shortest compromise time: a few seconds.
      • Extradition issues and differing laws across countries.
      • Easy to evade detection techniques with new encryption types (MD6, as used by Conficker).
    • Concerning factors (charts; courtesy: McAfee)
    • Protection, Detection, Remediation
    • Detection
      • Nepenthes
      • HoneyBow
      • Observe the behavior of bots
        • Network-based behavior
        • Host-based behavior
      • BotHunter: vertical correlation, i.e. correlating the sequence of behaviors of a single host.
      • BotSniffer: horizontal correlation across hosts; targets centralized C&C botnets.
      • BotMiner: extends BotSniffer with no limitation on the C&C type.
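The difference between vertical and horizontal correlation is easier to see on data than on a slide. The following added example (not code from the presentation or from the BotHunter/BotSniffer projects) runs both ideas, in simplified form, over a constructed set of alerts. Vertical correlation follows BotHunter's dialog model, where E1 is an inbound scan, E2 an inbound exploit, E3 an egg download, E4 C&C traffic and E5 an outbound scan, and flags a host when local-infection evidence (E2/E3) is paired with outward evidence (E4/E5), or two distinct outward stages appear. Horizontal correlation follows BotSniffer's "response crowd" idea: hosts that keep talking to the same destination in the same time buckets are flagged together, with no per-host infection evidence needed. The event records, bucket size and thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed alert records: (t_seconds, internal_host, dialog_stage, peer).
# Stage names follow BotHunter's dialog model (E1 inbound scan, E2 inbound exploit,
# E3 egg download, E4 C&C traffic, E5 outbound scan).
EVENTS = [
    (10,  "10.0.0.5", "E2", "198.51.100.7"),
    (40,  "10.0.0.5", "E3", "198.51.100.7"),
    (90,  "10.0.0.5", "E4", "203.0.113.9"),
    (100, "10.0.0.6", "E4", "203.0.113.9"),
    (110, "10.0.0.7", "E4", "203.0.113.9"),
    (150, "10.0.0.5", "E5", "10.0.1.0/24"),
    (400, "10.0.0.5", "E4", "203.0.113.9"),
    (402, "10.0.0.6", "E4", "203.0.113.9"),
    (405, "10.0.0.7", "E4", "203.0.113.9"),
    (700, "10.0.0.5", "E4", "203.0.113.9"),
    (703, "10.0.0.6", "E4", "203.0.113.9"),
    (709, "10.0.0.7", "E4", "203.0.113.9"),
    (200, "10.0.0.8", "E4", "203.0.113.50"),   # one host on its own: not a crowd
    (500, "10.0.0.8", "E4", "203.0.113.50"),
    (300, "10.0.0.9", "E1", "198.51.100.7"),   # scanned, but no further evidence
]


def vertical_correlation(events) -> dict:
    """BotHunter-style (simplified): collect the dialog stages seen per host and
    flag a host when inbound infection evidence (E2 or E3) is paired with outward
    evidence (E4 or E5), or when two distinct outward stages are present."""
    stages_by_host = defaultdict(set)
    for _t, host, stage, _peer in events:
        stages_by_host[host].add(stage)
    flagged = {}
    for host, stages in stages_by_host.items():
        inbound = bool(stages & {"E2", "E3"})
        outward = stages & {"E4", "E5"}
        if (inbound and outward) or len(outward) >= 2:
            flagged[host] = sorted(stages)
    return flagged


def horizontal_correlation(events, bucket=30, min_hosts=3, min_rounds=2) -> dict:
    """BotSniffer-style (simplified): for each peer contacted with C&C traffic (E4),
    bucket the timestamps and flag the peer when at least min_hosts distinct hosts
    are active in the same bucket for at least min_rounds buckets."""
    rounds = defaultdict(lambda: defaultdict(set))   # peer -> bucket -> hosts
    for t, host, stage, peer in events:
        if stage == "E4":
            rounds[peer][t // bucket].add(host)
    suspects = {}
    for peer, buckets in rounds.items():
        crowds = [b for b, hosts in buckets.items() if len(hosts) >= min_hosts]
        if len(crowds) >= min_rounds:
            suspects[peer] = sorted(set().union(*(buckets[b] for b in crowds)))
    return suspects


if __name__ == "__main__":
    print("vertical  :", vertical_correlation(EVENTS))
    print("horizontal:", horizontal_correlation(EVENTS))
```

On this data the vertical pass flags only 10.0.0.5, the host for which the whole infection dialog was observed, while the horizontal pass flags the C&C peer 203.0.113.9 together with all three hosts that talk to it in lockstep, including the two whose infection was never seen. That complementarity is the reason the slide lists both, and BotMiner's contribution is to drop the assumption that the peer is a centralized C&C at all.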
    • Protection
      • Honeynets
      • IDS
      • Snort
      • Tripwire
      • OurMon
      • CWSandbox
    • Current Mitigation efforts (figures)
    • Botnet Monitoring System (figure)
    • Some current cases
      • Torpig
      • Conficker
      • A recent Flash 0-day attack
    • Torpig details
    • Conclusion
      • Bots pose a threat to individuals and corporate environments
      • Use: DDoS attacks, to spam, steal, spy, hack, …
      • Defense:
        • Prevention: honeypots, IPS, network analysis tools
        • Detection: IDS, analysis tools
        • Management: understanding security failures is much like accepting that houses catch fire and that smoke detectors save lives.