Defense against botnets
Upcoming SlideShare
Loading in...5
×
 

Defense against botnets

on

  • 1,414 views

botnet introduction, types, ways to detect and countermeasures

botnet introduction, types, ways to detect and countermeasures

Statistics

Views

Total Views
1,414
Views on SlideShare
1,413
Embed Views
1

Actions

Likes
1
Downloads
26
Comments
0

1 Embed 1

http://www.slashdocs.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Defense against botnets Defense against botnets Presentation Transcript

  • DEFENSE AGAINST BOTNETS
  • STRUCTUREBotnets :- Introduction Types of Botnets Real World ScenariosDefense :- Detection of Botnets Counter Measures
  • INTRODUCTION
  • T YPES OF BOTNETS IRC Botnets HTTP Botnets Peer-to-Peer Botnets
  • IRC BOTNETS Internet Relay Chat(IRC) is a type of a messaging service. IRC Botnets use IRC servers to issue commands.
  • IRC BOTNETS
  • IRC BOTNETS
  • IRC BOTNETS
  • IRC BOTNETS
  • IRC BOTNETS
  • HTTP BOTNETS
  • HTTP BOTNETS
  • PEER-TO-PEER BOTNETS
  • REAL WORLD SCENARIO How can botnets be used : -• Distributed Denial of Ser vice Attacks (DDoS)• Spamming• Snif fing Traf fic & Key logging.• Identity Thef t• Attacking IRC Chat Networks• Hosting of Illegal Sof tware• Google AdSense Abuse & Adver tisement Addons• Manipulating online polls
  • DETECTION TECHNIQUES PassiveData gathered through observation. • Packet Inspection • Analysis of flow records • Analysis of SPAM Attacks ActiveDetection by being involved i.e. interacting with the botnet.(drawback)Can result in DDOS attack against the analyst,changing of ip’s, protocols etc. • Sink holding • Infiltration • Peer-to-peer botnet enumeration
  • PASSIVE DETECTION Packet InspectionInspect network data packets• Match various protocol fields.• Match payload against a predefined pattern of suspicious content.Drawbacks:-• Wouldn’t scale• Only known patterns are detected
  • PASSIVE DETECTION Analysis of flow recordsTracing network traf fic at an abstract level.Instead of inspecting individual packets communicationstreams are considered in aggregate form.We look into:- • Source, destination address • Related port no’s • Duration of session • Cumulative size and no of transmitted packets. • Protocol used inside packets.Advantage:- higher amount of traf fic can be monitored.Eg. ‘Net Flow’ protocol from cisco.
  • PASSIVE DETECTION Analysis of SPAM attacks• Spam mails are analyzed and similar templates are grouped.• These templates can then be matched to a corresponding botnet.For this special Honey pots called honey tokens are used .
  • PASSIVE DETECTION Honeypot:- It is a trap to detect, deflect or in some manner counter act an attempt at unauthorized use of Information system. Honey Token:- Spam traps consisting of email addresses with no productive function other than to receive unsolicited emails.
  • PASSIVE DETECTION Other Techniques:-• Analysis of log files.• Evaluation of anti-virus software feedback.• DNS based approaches.
  • ACTIVE TECHNIQUES Sink Holding• Technical countermeasure for cutting of f a malicious control source from rest of the botnet.• Eg. By changing the targeted malicious domain name so that it points to machine controlled by a trusted party.
  • ACTIVE DETECTION InfiltrationAims to take control of the botnet.• Hardware- if ip address is known all communications can be wiretapped with the help of hosting company.• Software- Imitating the communication mechanisms used by the botnet.
  • ACTIVE DETECTION Peer-to-peer botnet enumerationRepeatedly querying peers for their neighbor list.This includes reverse engineering.• Creating a implementation of the botnet to perform the enumeration task.
  • TECHNICAL COUNTERMEASURES Blacklisting• Block all traf fic from included addresses.• Search engine or browser can filter or mark such websites. Distribution of fake/traceable credentials.• Populate fake data into our records like credit card details.• Fake data lowers quality of stolen information• Generate mistrust among criminals.
  • TECHNICAL COUNTERMEASURES BGP Block holingNull routing malicious hosts to deny traf fic from or to theirnetwork.Null-Routing:- It is a process of silently dropping the packetsoriginated from or destined for such addresses. DNS based countermeasure• Malicious domains can be shut down.• Require court warrant.• Sometimes twitter and rss feeds are used to give commands, doesn’t work in that case.
  • TECHNICAL COUNTERMEASURES Port 25 BlockingSpam mails would not be sent. Peer to peer counter measurePollute the peer-to-peer listResults in• Loss of overall connectivity• Due to size limitations older original peers will get replaced by fake peers.
  • SOCIAL COUNTERMEASURES Dedicated laws. User awareness. Use of anti-virus software etc.
  • QUERIES ?
  • STAY SECURE!!! THANKS…