Defense against botnets
Botnet introduction, types of botnets, ways to detect them, and countermeasures.
1. DEFENSE AGAINST BOTNETS
2. STRUCTURE
Botnets: Introduction; Types of Botnets; Real World Scenarios
Defense: Detection of Botnets; Countermeasures
3. INTRODUCTION
4. TYPES OF BOTNETS
• IRC botnets
• HTTP botnets
• Peer-to-peer botnets
5. IRC BOTNETS
Internet Relay Chat (IRC) is a text-based chat protocol. IRC botnets use an IRC server as the command-and-control channel: infected hosts connect to the server, join a channel chosen by the botmaster and wait for commands posted there.
6-10. IRC BOTNETS (diagram-only slides; the transcript carries no text for them)
11-12. HTTP BOTNETS (diagram-only slides)
Bots periodically poll a web server over HTTP for commands instead of holding an open IRC connection, which lets the traffic blend in with ordinary web browsing.
13. PEER-TO-PEER BOTNETS (diagram-only slide)
There is no central server: each bot keeps a list of other bots (its peers) and commands spread through that overlay, so there is no single control host to take down. The enumeration and peer-list pollution slides later in the deck attack this structure.
14. REAL WORLD SCENARIO
How can botnets be used?
• Distributed Denial of Service attacks (DDoS)
• Spamming
• Sniffing traffic and keylogging
• Identity theft
• Attacking IRC chat networks
• Hosting of illegal software
• Google AdSense abuse and advertisement add-ons
• Manipulating online polls
15. DETECTION TECHNIQUES
Passive: data gathered through observation only.
• Packet inspection
• Analysis of flow records
• Analysis of spam attacks
Active: detection by being involved, i.e. interacting with the botnet.
Drawback: the botmaster can notice the interaction and react, e.g. with a DDoS attack against the analyst, or by changing IP addresses, protocols etc.
• Sinkholing
• Infiltration
• Peer-to-peer botnet enumeration
  16. 16. PASSIVE DETECTION Packet InspectionInspect network data packets• Match various protocol fields.• Match payload against a predefined pattern of suspicious content.Drawbacks:-• Wouldn’t scale• Only known patterns are detected
  17. 17. PASSIVE DETECTION Analysis of flow recordsTracing network traf fic at an abstract level.Instead of inspecting individual packets communicationstreams are considered in aggregate form.We look into:- • Source, destination address • Related port no’s • Duration of session • Cumulative size and no of transmitted packets. • Protocol used inside packets.Advantage:- higher amount of traf fic can be monitored.Eg. ‘Net Flow’ protocol from cisco.
  18. 18. PASSIVE DETECTION Analysis of SPAM attacks• Spam mails are analyzed and similar templates are grouped.• These templates can then be matched to a corresponding botnet.For this special Honey pots called honey tokens are used .
  19. 19. PASSIVE DETECTION Honeypot:- It is a trap to detect, deflect or in some manner counter act an attempt at unauthorized use of Information system. Honey Token:- Spam traps consisting of email addresses with no productive function other than to receive unsolicited emails.
  20. 20. PASSIVE DETECTION Other Techniques:-• Analysis of log files.• Evaluation of anti-virus software feedback.• DNS based approaches.
  21. 21. ACTIVE TECHNIQUES Sink Holding• Technical countermeasure for cutting of f a malicious control source from rest of the botnet.• Eg. By changing the targeted malicious domain name so that it points to machine controlled by a trusted party.
  22. 22. ACTIVE DETECTION InfiltrationAims to take control of the botnet.• Hardware- if ip address is known all communications can be wiretapped with the help of hosting company.• Software- Imitating the communication mechanisms used by the botnet.
  23. 23. ACTIVE DETECTION Peer-to-peer botnet enumerationRepeatedly querying peers for their neighbor list.This includes reverse engineering.• Creating a implementation of the botnet to perform the enumeration task.
  24. 24. TECHNICAL COUNTERMEASURES Blacklisting• Block all traf fic from included addresses.• Search engine or browser can filter or mark such websites. Distribution of fake/traceable credentials.• Populate fake data into our records like credit card details.• Fake data lowers quality of stolen information• Generate mistrust among criminals.
  25. 25. TECHNICAL COUNTERMEASURES BGP Block holingNull routing malicious hosts to deny traf fic from or to theirnetwork.Null-Routing:- It is a process of silently dropping the packetsoriginated from or destined for such addresses. DNS based countermeasure• Malicious domains can be shut down.• Require court warrant.• Sometimes twitter and rss feeds are used to give commands, doesn’t work in that case.
  26. 26. TECHNICAL COUNTERMEASURES Port 25 BlockingSpam mails would not be sent. Peer to peer counter measurePollute the peer-to-peer listResults in• Loss of overall connectivity• Due to size limitations older original peers will get replaced by fake peers.
27. SOCIAL COUNTERMEASURES
• Dedicated laws.
• User awareness.
• Use of anti-virus software etc.
28. QUERIES?
29. STAY SECURE!!! THANKS…