Defense against botnets
botnet introduction, types, ways to detect and countermeasures
Defense against botnets Presentation Transcript

  • 1. DEFENSE AGAINST BOTNETS
  • 2. STRUCTURE
    Botnets: Introduction; Types of Botnets; Real World Scenarios
    Defense: Detection of Botnets; Countermeasures
  • 3. INTRODUCTION
  • 4. TYPES OF BOTNETS: IRC Botnets, HTTP Botnets, Peer-to-Peer Botnets
  • 5. IRC BOTNETS Internet Relay Chat (IRC) is a type of messaging service. IRC botnets use IRC servers to issue commands to the bots.
  • 6. IRC BOTNETS
  • 7. IRC BOTNETS
  • 8. IRC BOTNETS
  • 9. IRC BOTNETS
  • 10. IRC BOTNETS
  • 11. HTTP BOTNETS
  • 12. HTTP BOTNETS
  • 13. PEER-TO-PEER BOTNETS
  • 14. REAL WORLD SCENARIO How can botnets be used:
    • Distributed Denial of Service attacks (DDoS)
    • Spamming
    • Sniffing traffic and key logging
    • Identity theft
    • Attacking IRC chat networks
    • Hosting of illegal software
    • Google AdSense abuse and advertisement add-ons
    • Manipulating online polls
  • 15. DETECTION TECHNIQUES
    Passive: data gathered through observation.
    • Packet inspection
    • Analysis of flow records
    • Analysis of spam attacks
    Active: detection by being involved, i.e. interacting with the botnet. Drawback: can result in a DDoS attack against the analyst, or in the operators changing IPs, protocols, etc.
    • Sinkholing
    • Infiltration
    • Peer-to-peer botnet enumeration
  • 16. PASSIVE DETECTION Packet Inspection
    Inspect network data packets:
    • Match various protocol fields.
    • Match the payload against a predefined pattern of suspicious content.
    Drawbacks:
    • Does not scale to high traffic volumes.
    • Only known patterns are detected.
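    As an added illustration of signature-based packet inspection (example code written for this transcript, not part of the original slides), the function below matches a protocol field (destination port) plus a payload pattern against a few constructed packets. The rule names, ports and patterns are hypothetical, chosen only to show the mechanism; the packet on a non-standard port shows the "only known patterns are detected" drawback from the slide.

```python
import re

# Constructed sample packets: (src, dst, dst_port, payload). Not real captures.
PACKETS = [
    ("10.0.0.5", "203.0.113.9", 6667, b"NICK [USA|XP|12345]\r\nUSER x 0 0 :x\r\n"),
    ("10.0.0.5", "203.0.113.9", 6667, b"JOIN #ch4nnel\r\n"),
    ("10.0.0.7", "198.51.100.2", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Same IRC-style traffic, but on a port the rules do not cover.
    ("10.0.0.9", "203.0.113.9", 8080, b"NICK [DEU|XP|98765]\r\nJOIN #ch4nnel\r\n"),
]

# Hypothetical signature rules: a protocol-field condition (destination port)
# combined with a payload regex. Real rule sets are far larger.
RULES = [
    {"name": "irc-bot-nick", "ports": {6667, 6668, 6669},
     "pattern": re.compile(rb"^NICK \[[A-Z]{2,3}\|", re.M)},
    {"name": "irc-join", "ports": {6667},
     "pattern": re.compile(rb"^JOIN #", re.M)},
]


def inspect(packets, rules, ignore_ports=False):
    """Return (src, dst, rule_name) for every packet matching a rule.

    With ignore_ports=False the port field must match as well as the payload;
    with ignore_ports=True only the payload pattern is checked, which catches
    the non-standard-port packet but costs more matching work per packet.
    """
    hits = []
    for src, dst, port, payload in packets:
        for rule in rules:
            if not ignore_ports and port not in rule["ports"]:
                continue
            if rule["pattern"].search(payload):
                hits.append((src, dst, rule["name"]))
    return hits


if __name__ == "__main__":
    for hit in inspect(PACKETS, RULES):
        print("port+payload match:", hit)
    for hit in inspect(PACKETS, RULES, ignore_ports=True):
        print("payload-only match:", hit)
```

    Note that neither mode finds traffic that uses a nick format the rules do not know, which is the limitation the slide points out.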
  • 17. PASSIVE DETECTION Analysis of flow records
    Tracing network traffic at an abstract level. Instead of inspecting individual packets, communication streams are considered in aggregate form. We look into:
    • Source and destination address
    • Related port numbers
    • Duration of session
    • Cumulative size and number of transmitted packets
    • Protocol used inside the packets
    Advantage: a higher amount of traffic can be monitored. E.g. the NetFlow protocol from Cisco.
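    The following is an added example (not from the original slides) of the kind of analysis the slide describes, run over constructed flow records with the fields it lists. It groups flows by destination address, port and protocol and flags a destination that several internal hosts contact with small, regularly spaced sessions, which is how a command-and-control rendezvous tends to look in aggregate. The thresholds are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dport, proto, start_s, duration_s, packets, bytes).
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 6667, "tcp", 0,   2, 6, 420),
    ("10.0.0.5", "203.0.113.9", 6667, "tcp", 300, 2, 6, 418),
    ("10.0.0.5", "203.0.113.9", 6667, "tcp", 600, 2, 6, 421),
    ("10.0.0.7", "203.0.113.9", 6667, "tcp", 10,  3, 7, 430),
    ("10.0.0.7", "203.0.113.9", 6667, "tcp", 310, 2, 6, 419),
    ("10.0.0.7", "203.0.113.9", 6667, "tcp", 610, 2, 6, 425),
    ("10.0.0.9", "203.0.113.9", 6667, "tcp", 20,  2, 6, 420),
    ("10.0.0.9", "203.0.113.9", 6667, "tcp", 320, 2, 6, 420),
    ("10.0.0.9", "203.0.113.9", 6667, "tcp", 620, 2, 6, 420),
    # Ordinary web traffic: large, irregular sessions.
    ("10.0.0.5", "198.51.100.2", 443, "tcp", 15,  40, 120, 80000),
    ("10.0.0.7", "198.51.100.2", 443, "tcp", 400, 35, 110, 75000),
    ("10.0.0.9", "198.51.100.2", 443, "tcp", 700, 25, 90,  60000),
    ("10.0.0.9", "198.51.100.2", 443, "tcp", 712, 33, 100, 70000),
]


def beacon_score(starts):
    """Coefficient of variation of the gaps between session starts.

    Values near 0 mean the host contacts the destination at a fixed interval.
    Returns None when there are too few sessions to judge.
    """
    if len(starts) < 3:
        return None
    ordered = sorted(starts)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def find_rendezvous(flows, min_sources=3, max_cv=0.2, max_bytes=2000):
    """Return {(dst, dport, proto): [regular sources]} for suspicious destinations.

    A destination is reported when at least min_sources hosts reach it with
    regularly spaced sessions and the average session is small (assumed thresholds).
    """
    starts_by_dst = defaultdict(lambda: defaultdict(list))
    bytes_by_dst = defaultdict(list)
    for src, dst, dport, proto, start, _dur, _pkts, nbytes in flows:
        starts_by_dst[(dst, dport, proto)][src].append(start)
        bytes_by_dst[(dst, dport, proto)].append(nbytes)

    suspicious = {}
    for key, per_src in starts_by_dst.items():
        regular = []
        for src, starts in per_src.items():
            cv = beacon_score(starts)
            if cv is not None and cv <= max_cv:
                regular.append(src)
        if len(regular) >= min_sources and mean(bytes_by_dst[key]) <= max_bytes:
            suspicious[key] = sorted(regular)
    return suspicious


if __name__ == "__main__":
    for key, sources in find_rendezvous(FLOWS).items():
        print("possible C&C rendezvous", key, "contacted regularly by", sources)
```

    Because only flow summaries are needed, the same logic runs on exported NetFlow records without touching payloads, which is the scaling advantage the slide mentions.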
  • 18. PASSIVE DETECTION Analysis of spam attacks
    • Spam mails are analyzed and similar templates are grouped.
    • These templates can then be matched to a corresponding botnet.
    For this, special honeypots called honey tokens are used.
  • 19. PASSIVE DETECTION Honeypot: a trap to detect, deflect or in some manner counteract an attempt at unauthorized use of an information system. Honey token: spam traps consisting of email addresses with no productive function other than to receive unsolicited emails.
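    As an added example covering slides 18 and 19 (written for this transcript, not from the original), the code below takes messages received at honey-token addresses, reduces each to a template by replacing URLs and numbers with placeholders, groups identical templates, and then looks each group up in a table of templates already attributed to a botnet. All messages and family labels are constructed.

```python
import re
from collections import defaultdict

# Constructed messages as they might arrive at spam-trap (honey token) addresses.
SPAM_TRAP = [
    "Dear user, your account 48213 is suspended. Verify at http://a1.example/login?id=48213",
    "Dear user, your account 90021 is suspended. Verify at http://zz9.example/login?id=90021",
    "Dear user, your account 77114 is suspended. Verify at http://q7.example/login?id=77114",
    "Cheap meds! Order now at http://pills.example/offer-3391",
    "Cheap meds! Order now at http://pills.example/offer-9902",
    "Meeting moved to 3pm, see you there",
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")


def template_of(msg):
    """Normalise a message so that variable parts (URLs, numbers) do not split a campaign."""
    t = URL_RE.sub("<URL>", msg)
    t = NUM_RE.sub("<N>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def group_by_template(msgs, min_size=2):
    """Return {template: [messages]} keeping only templates seen min_size times or more."""
    groups = defaultdict(list)
    for m in msgs:
        groups[template_of(m)].append(m)
    return {t: ms for t, ms in groups.items() if len(ms) >= min_size}


# Constructed attribution table: template -> botnet family label (hypothetical names).
KNOWN_TEMPLATES = {
    template_of("Dear user, your account 0 is suspended. Verify at http://x.example/"):
        "family-A (constructed label)",
    template_of("Cheap meds! Order now at http://x.example/"):
        "family-B (constructed label)",
}


def attribute(groups, known):
    """Map each observed template group to a botnet label, or 'unknown'."""
    return {t: known.get(t, "unknown") for t in groups}


if __name__ == "__main__":
    groups = group_by_template(SPAM_TRAP)
    for t, label in attribute(groups, KNOWN_TEMPLATES).items():
        print(f"{len(groups[t])} messages -> {label}: {t}")
```

    Real systems normalise more aggressively (names, salutations, random padding words), but the pipeline is the same: template, group, attribute.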
  • 20. PASSIVE DETECTION Other techniques:
    • Analysis of log files
    • Evaluation of anti-virus software feedback
    • DNS-based approaches
  • 21. ACTIVE TECHNIQUES Sinkholing
    • Technical countermeasure for cutting off a malicious control source from the rest of the botnet.
    • E.g. by changing the targeted malicious domain name so that it points to a machine controlled by a trusted party.
  • 22. ACTIVE DETECTION Infiltration
    Aims to take control of the botnet.
    • Hardware: if the IP address is known, all communications can be wiretapped with the help of the hosting company.
    • Software: imitating the communication mechanisms used by the botnet.
  • 23. ACTIVE DETECTION Peer-to-peer botnet enumeration
    Repeatedly querying peers for their neighbor list. This requires reverse engineering of the protocol.
    • Creating an implementation of the botnet's peer protocol to perform the enumeration task.
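    The enumeration itself is a graph crawl: ask a known peer for its neighbors, then ask each newly learned peer, until no new peers appear or the query budget is spent. The added example below (not from the original slides) shows that loop against a constructed in-memory peer table standing in for the reverse-engineered "give me your neighbor list" exchange; peers that do not answer are recorded rather than retried, and a query cap bounds the crawl so an analyst can size a botnet from a sample.

```python
from collections import deque

# Constructed stand-in for neighbor-list replies. In practice this is the
# reverse-engineered protocol the slide refers to; here it is just a dict.
# None marks a peer that is listed by others but never answers.
PEER_TABLE = {
    "p1": ["p2", "p3"],
    "p2": ["p1", "p4"],
    "p3": ["p1", "p4", "p5"],
    "p4": ["p2", "p3"],
    "p5": None,
}


def query_neighbors(peer, table):
    """Simulated neighbor-list request; returns a list, or None if unreachable."""
    return table.get(peer)


def enumerate_peers(seeds, table, max_queries=1000):
    """Breadth-first crawl from the seed peers.

    Returns the peers discovered (including seeds), the peers that never
    answered, and how many queries were spent. max_queries bounds the crawl
    so that an enumeration run has a predictable cost.
    """
    seen = set(seeds)
    queue = deque(seeds)
    unreachable = set()
    queries = 0
    while queue and queries < max_queries:
        peer = queue.popleft()
        queries += 1
        neighbors = query_neighbors(peer, table)
        if neighbors is None:
            unreachable.add(peer)
            continue
        for n in neighbors:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return {
        "discovered": sorted(seen),
        "unreachable": sorted(unreachable),
        "queries": queries,
    }


if __name__ == "__main__":
    report = enumerate_peers(["p1"], PEER_TABLE)
    print(f"{len(report['discovered'])} peers found with {report['queries']} queries;"
          f" unreachable: {report['unreachable']}")
```

    The count of discovered peers over time is the usual output of such a crawl; repeated runs show churn in the population, and the unreachable set indicates peers behind NAT or already cleaned up.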
  • 24. TECHNICAL COUNTERMEASURES Blacklisting
    • Block all traffic from the listed addresses.
    • A search engine or browser can filter or mark such websites.
    Distribution of fake/traceable credentials
    • Populate our records with fake data, e.g. credit card details.
    • Fake data lowers the quality of stolen information.
    • Generates mistrust among criminals.
  • 25. TECHNICAL COUNTERMEASURES BGP blackholing
    Null-routing malicious hosts to deny traffic from or to their network.
    Null-routing: the process of silently dropping packets originated from or destined for such addresses.
    DNS-based countermeasure
    • Malicious domains can be shut down.
    • Requires a court warrant.
    • Does not work when Twitter or RSS feeds are used to give commands.
  • 26. TECHNICAL COUNTERMEASURES Port 25 blocking
    Spam mails cannot be sent.
    Peer-to-peer countermeasure
    Pollute the peer-to-peer list. Results in:
    • Loss of overall connectivity
    • Due to size limitations, older original peers get replaced by fake peers.
  • 27. SOCIAL COUNTERMEASURES Dedicated laws. User awareness. Use of anti-virus software, etc.
  • 28. QUERIES ?
  • 29. STAY SECURE!!! THANKS…