Your SlideShare is downloading. ×
Defense against botnets
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Defense against botnets

1,234
views

Published on

botnet introduction, types, ways to detect and countermeasures

botnet introduction, types, ways to detect and countermeasures


0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,234
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
34
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. DEFENSE AGAINST BOTNETS
  • 2. STRUCTUREBotnets :- Introduction Types of Botnets Real World ScenariosDefense :- Detection of Botnets Counter Measures
  • 3. INTRODUCTION
  • 4. T YPES OF BOTNETS IRC Botnets HTTP Botnets Peer-to-Peer Botnets
  • 5. IRC BOTNETS Internet Relay Chat(IRC) is a type of a messaging service. IRC Botnets use IRC servers to issue commands.
  • 6. IRC BOTNETS
  • 7. IRC BOTNETS
  • 8. IRC BOTNETS
  • 9. IRC BOTNETS
  • 10. IRC BOTNETS
  • 11. HTTP BOTNETS
  • 12. HTTP BOTNETS
  • 13. PEER-TO-PEER BOTNETS
  • 14. REAL WORLD SCENARIO How can botnets be used : -• Distributed Denial of Ser vice Attacks (DDoS)• Spamming• Snif fing Traf fic & Key logging.• Identity Thef t• Attacking IRC Chat Networks• Hosting of Illegal Sof tware• Google AdSense Abuse & Adver tisement Addons• Manipulating online polls
  • 15. DETECTION TECHNIQUES PassiveData gathered through observation. • Packet Inspection • Analysis of flow records • Analysis of SPAM Attacks ActiveDetection by being involved i.e. interacting with the botnet.(drawback)Can result in DDOS attack against the analyst,changing of ip’s, protocols etc. • Sink holding • Infiltration • Peer-to-peer botnet enumeration
  • 16. PASSIVE DETECTION Packet InspectionInspect network data packets• Match various protocol fields.• Match payload against a predefined pattern of suspicious content.Drawbacks:-• Wouldn’t scale• Only known patterns are detected
  • 17. PASSIVE DETECTION Analysis of flow recordsTracing network traf fic at an abstract level.Instead of inspecting individual packets communicationstreams are considered in aggregate form.We look into:- • Source, destination address • Related port no’s • Duration of session • Cumulative size and no of transmitted packets. • Protocol used inside packets.Advantage:- higher amount of traf fic can be monitored.Eg. ‘Net Flow’ protocol from cisco.
  • 18. PASSIVE DETECTION Analysis of SPAM attacks• Spam mails are analyzed and similar templates are grouped.• These templates can then be matched to a corresponding botnet.For this special Honey pots called honey tokens are used .
  • 19. PASSIVE DETECTION Honeypot:- It is a trap to detect, deflect or in some manner counter act an attempt at unauthorized use of Information system. Honey Token:- Spam traps consisting of email addresses with no productive function other than to receive unsolicited emails.
  • 20. PASSIVE DETECTION Other Techniques:-• Analysis of log files.• Evaluation of anti-virus software feedback.• DNS based approaches.
  • 21. ACTIVE TECHNIQUES Sink Holding• Technical countermeasure for cutting of f a malicious control source from rest of the botnet.• Eg. By changing the targeted malicious domain name so that it points to machine controlled by a trusted party.
  • 22. ACTIVE DETECTION InfiltrationAims to take control of the botnet.• Hardware- if ip address is known all communications can be wiretapped with the help of hosting company.• Software- Imitating the communication mechanisms used by the botnet.
  • 23. ACTIVE DETECTION Peer-to-peer botnet enumerationRepeatedly querying peers for their neighbor list.This includes reverse engineering.• Creating a implementation of the botnet to perform the enumeration task.
  • 24. TECHNICAL COUNTERMEASURES Blacklisting• Block all traf fic from included addresses.• Search engine or browser can filter or mark such websites. Distribution of fake/traceable credentials.• Populate fake data into our records like credit card details.• Fake data lowers quality of stolen information• Generate mistrust among criminals.
  • 25. TECHNICAL COUNTERMEASURES BGP Block holingNull routing malicious hosts to deny traf fic from or to theirnetwork.Null-Routing:- It is a process of silently dropping the packetsoriginated from or destined for such addresses. DNS based countermeasure• Malicious domains can be shut down.• Require court warrant.• Sometimes twitter and rss feeds are used to give commands, doesn’t work in that case.
  • 26. TECHNICAL COUNTERMEASURES Port 25 BlockingSpam mails would not be sent. Peer to peer counter measurePollute the peer-to-peer listResults in• Loss of overall connectivity• Due to size limitations older original peers will get replaced by fake peers.
  • 27. SOCIAL COUNTERMEASURES Dedicated laws. User awareness. Use of anti-virus software etc.
  • 28. QUERIES ?
  • 29. STAY SECURE!!! THANKS…