A botnet is a group of infected computers (also called bots or zombie machines) controlled by an attacker, the botmaster. Botnets are a major threat to every server and are a basic building block of the cybercrime economy. Zombie machines can be personal computers, mobile devices or servers. Here we focus on botnets formed from infected Linux servers. Server-based botnets are especially valuable to attackers because servers typically have plenty of CPU and memory and, most importantly, internet bandwidth with trusted and often unrestricted upload capacity. Servers run 24 hours a day, 7 days a week, and have at least one fixed IP address. In many cases a server already has every component the attacker needs. Because there is huge demand in underground markets for high-capacity botnets, for purposes such as sending spam and running DoS attacks, servers face more and more botnet infections.
BitNinja.IO
SERVER HONEYPOT DESIGNS
Interaction measures the amount of activity an attacker can have with a honeypot.
Low interaction: a fake daemon running on the server itself
High interaction: a dedicated honeypot VM placed next to the server
TYPES OF ATTACK
> Automatic
> Manual
1. SCAN
PROTECTION:
> PORT HONEYPOTS
> WEB HONEYPOTS
> LOG ANALYSIS
> DISTRIBUTED LOG ANALYSIS
2. EXPLOIT
SQL injection
Code injection
Login after successful bruteforce
Etc.
PROTECTION:
> WEB APPLICATION FIREWALL
> IP REPUTATION
3. INFECT
PROTECTION:
> WEB APPLICATION FIREWALL
> VIRUS/MALWARE DETECTION... but by this stage the attacker is already in!
4. REGISTER COMMAND AND CONTROL
PROTECTION:
> IP REPUTATION (LISTED C&C SERVERS)
> OUTGOING TRAFFIC ANALYSIS (WAF-style rules applied to outbound traffic)
5. POST EXPLOIT HACKING
PROTECTION:
> WAF
> OUTGOING TRAFFIC ANALYSIS
> INFORMATION HONEYPOT
Diagram: ATTACKER -> EXPLOITED SERVER -> FIREWALL -> REAL TARGET SERVER
5. INFO HONEYPOT
Files on a server that are:
- readable by everyone
- made to look like a real mistake
- containing the address and credentials of another system
- watched for processes opening them
- backed by a honeypot trap that catches actual use of the credentials
/backup.sh
#!/bin/bash
IP=10.3.11.74
USER=backuppc
PASSWORD=453fwTfGSDwe
lftp -e "mirror -R /etc /backup/server/etc; exit" -u "$USER,$PASSWORD" "$IP"
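The two halves of the info honeypot, watching who reads the bait file and catching whoever later uses the credentials in it, as an added example that is not BitNinja's code. Part 1 parses auditd records produced by a file watch rule such as `auditctl -w /backup.sh -p r -k honeyfile` and extracts the process that opened the bait. Part 2 is a minimal fake FTP service meant to listen at the address the bait file points to (10.3.11.74 above); it accepts USER and PASS, records every attempt, notes whether the bait credentials were used, and always refuses the login. The audit key name, the sample audit lines and the unprivileged port 2121 are assumptions of this example; the credentials are the ones from the bait file.

```python
"""Info honeypot: auditd watch parsing plus a credential trap.
Added example; SAMPLE_AUDIT lines and the 'honeyfile' key are constructed."""
import re
import socket
import sys

BAIT_USER = "backuppc"
BAIT_PASSWORD = "453fwTfGSDwe"
BAIT_KEY = "honeyfile"          # the -k value of the auditctl watch rule

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Field dict for a SYSCALL record carrying BAIT_KEY, else None."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if fields.get("type") != "SYSCALL" or fields.get("key") != BAIT_KEY:
        return None
    return fields


def honeyfile_alerts(audit_lines):
    """One alert per successful open of the bait file: which process, which uid."""
    alerts = []
    for line in audit_lines:
        f = parse_audit_line(line)
        if f and f.get("success") == "yes":
            alerts.append({"pid": int(f["pid"]), "uid": int(f["uid"]),
                           "exe": f["exe"], "comm": f["comm"]})
    return alerts


class FtpTrap:
    """State of one fake FTP connection. The login can never succeed."""

    def __init__(self):
        self.user = None
        self.attempts = []      # (user, password, bait credentials used?)

    def greeting(self):
        return "220 FTP server ready."

    def reply(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "331 Password required."
        if cmd == "PASS":
            hit = self.user == BAIT_USER and arg == BAIT_PASSWORD
            self.attempts.append((self.user, arg, hit))
            return "530 Login incorrect."
        if cmd == "QUIT":
            return "221 Goodbye."
        return "530 Please login with USER and PASS."


def ftp_session(client_lines):
    """Drive one dialogue offline; returns (server replies, attempts)."""
    trap = FtpTrap()
    replies = [trap.greeting()] + [trap.reply(line) for line in client_lines]
    return replies, trap.attempts


def serve_trap(host="0.0.0.0", port=21):
    """Socket wrapper around FtpTrap: one client at a time, alerts on stdout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, (src, _) = srv.accept()
            conn.settimeout(30)
            with conn, conn.makefile("rw", encoding="latin-1", newline="\r\n") as f:
                trap = FtpTrap()
                f.write(trap.greeting() + "\n")   # "\n" is translated to CRLF
                f.flush()
                try:
                    for line in f:
                        reply = trap.reply(line)
                        f.write(reply + "\n")
                        f.flush()
                        if reply.startswith("221"):
                            break
                except OSError:
                    pass
                for user, pw, hit in trap.attempts:
                    print(f"ALERT {src} tried {user}:{pw} bait_credentials={hit}", flush=True)


# Constructed auditd records: a web-server process (uid 33) reads the bait,
# then an unrelated open without our key.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1714557601.123:4567): arch=c000003e syscall=257 '
    'success=yes exit=3 items=1 ppid=1900 pid=2345 auid=4294967295 uid=33 '
    'gid=33 euid=33 comm="cat" exe="/usr/bin/cat" key="honeyfile"',
    'type=PATH msg=audit(1714557601.123:4567): item=0 name="/backup.sh" '
    'inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1714557700.500:4570): arch=c000003e syscall=257 '
    'success=yes exit=4 items=1 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 '
    'comm="cron" exe="/usr/sbin/cron" key=(null)',
]

if __name__ == "__main__":
    for a in honeyfile_alerts(SAMPLE_AUDIT):
        print("ALERT bait file read by", a)
    print(ftp_session(["USER backuppc", "PASS 453fwTfGSDwe", "QUIT"]))
    if "--serve" in sys.argv:
        serve_trap(port=2121)   # port 21 needs root; bind to the bait IP in production
```

The trap never grants access, so any PASS it sees is a signal in itself; a PASS matching the bait pair proves that the sender has read /backup.sh, which ties the outbound login attempt back to the audit alert on the originating server.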
6. RESOURCE USE
PROTECTION:
> OUTGOING WAF
> OUTGOING SPAM FILTER
> OUTGOING DOS MITIGATION RULES
> IP REPUTATION (LISTED C&C SERVERS)
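Outgoing traffic analysis serves both the "register command and control" phase above and the "resource use" phase here, so one added example covers both; it is not BitNinja's code. Each input record describes one outbound connection made by a local process (ISO timestamp, uid, destination IP, port, protocol, and optionally the first bytes sent). The checks are: destination on a C&C reputation list; WAF-style rules applied to what the server itself sends out; outbound SMTP connection rate per uid (spam); connection rate to a single destination per uid (DoS). The listed networks, the rules, the limits and the sample records are constructed; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges, not real C&C hosts.

```python
"""Outgoing traffic analysis: C&C reputation, outgoing WAF, spam and DoS rates.
Added example; list contents, limits and sample records are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LISTED_C2 = [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.66/32")]

OUTGOING_WAF_RULES = [
    ("sqli", re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1|sleep\s*\()")),
    ("webshell", re.compile(r"(?i)(<\?php|eval\s*\(\s*base64_decode)")),
]
SMTP_PORTS = {25, 465, 587}
SMTP_LIMIT = (20, timedelta(minutes=1))    # more than 20 SMTP connects/min per uid
DOS_LIMIT = (500, timedelta(seconds=10))   # more than 500 connects to one dst/10 s per uid


def parse_conn(line):
    parts = line.split(" ", 5)
    ts, uid, dst_ip, dst_port, proto = parts[:5]
    return {"ts": datetime.fromisoformat(ts), "uid": uid, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": proto,
            "payload": parts[5] if len(parts) > 5 else ""}


def sliding_max(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(lines):
    """Return findings {kind, uid, detail} for the given connection records."""
    findings = []
    smtp = defaultdict(list)
    per_dst = defaultdict(list)
    for line in lines:
        ev = parse_conn(line)
        dst = f"{ev['dst_ip']}:{ev['dst_port']}"
        ip = ipaddress.ip_address(ev["dst_ip"])
        if any(ip in net for net in LISTED_C2):
            findings.append({"kind": "c2", "uid": ev["uid"], "detail": dst})
        for name, rule in OUTGOING_WAF_RULES:
            if rule.search(ev["payload"]):
                findings.append({"kind": "outgoing-waf:" + name, "uid": ev["uid"],
                                 "detail": f"{dst} {ev['payload'][:40]}"})
        if ev["dst_port"] in SMTP_PORTS:
            smtp[ev["uid"]].append(ev["ts"])
        per_dst[(ev["uid"], dst)].append(ev["ts"])
    limit, window = SMTP_LIMIT
    for uid, times in smtp.items():
        peak = sliding_max(times, window)
        if peak > limit:
            findings.append({"kind": "spam", "uid": uid,
                             "detail": f"{peak} SMTP connects within {window}"})
    limit, window = DOS_LIMIT
    for (uid, dst), times in per_dst.items():
        peak = sliding_max(times, window)
        if peak > limit:
            findings.append({"kind": "dos", "uid": uid,
                             "detail": f"{peak} connects to {dst} within {window}"})
    return findings


def build_sample():
    """Constructed records from one web server where uid 33 (www-data) is infected."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{t0.isoformat()} 1000 192.0.2.50 443 tcp",                                  # benign
        f"{(t0 + timedelta(seconds=1)).isoformat()} 33 198.51.100.23 6667 tcp NICK bot1",  # C&C
        f"{(t0 + timedelta(seconds=2)).isoformat()} 33 192.0.2.5 80 tcp "
        "GET /index.php?id=1 UNION SELECT 1,2,3 HTTP/1.1",                          # attacking others
    ]
    # 25 SMTP connects in 25 seconds: spam run
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} 33 192.0.2.{10 + i % 5} 25 tcp"
              for i in range(25)]
    # 600 connects to one host in 6 seconds: DoS
    lines += [f"{(t0 + timedelta(milliseconds=10 * i)).isoformat()} 33 192.0.2.9 80 tcp"
              for i in range(600)]
    return lines


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

The per-uid grouping matters: on a shared hosting server a single infected account produces these patterns while the rest of the system looks normal, so reacting per uid (or per site) rather than per server lets the clean customers keep sending mail.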
REACT
Disadvantages of a plain block/drop:
- No further information can be collected for analysis
- Time-limited blocks are easy for an attacker to automate around
- No false positive management
Advantages of IP greylisting by BitNinja:
- IP reputation information is distributed to all your servers within 2 seconds (generic IP reputation feeds are updated hourly, every 2 or 4 hours, or daily)
- False positives are dramatically reduced by the different Captcha modules
- Managed automatically
- Benefit from the information gathered by the worldwide BitNinja honeyfarm community (all users and BitNinja honeypots)
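The greylist-plus-challenge idea behind the REACT slide, as an added example that is not BitNinja's code. A request from a blacklisted IP is dropped; a request from a greylisted IP gets a challenge (a captcha in practice) instead of a block, and solving it whitelists the IP for a while, so a real user behind a shared or NATed address gets through while a bot that never solves its challenges is escalated to the blacklist. Updates carry the time the IP was originally seen, so an entry received late from another server expires at the same moment everywhere. The TTLs, the failure limit and the IP used in demo() are assumptions of this example.

```python
"""IP greylisting with a challenge step instead of a hard block.
Added example; TTLs, MAX_FAILURES and the demo IP are constructed."""
import secrets
from datetime import datetime, timedelta

GREY_TTL = timedelta(hours=1)        # how long a greylisted IP keeps being challenged
WHITE_TTL = timedelta(minutes=30)    # how long a solved challenge is remembered
BLACK_TTL = timedelta(days=1)
MAX_FAILURES = 5                     # failed challenges before escalating to blacklist


class Greylist:
    def __init__(self):
        self.tables = {"grey": {}, "white": {}, "black": {}}   # ip -> expiry
        self.pending = {}        # challenge id -> (ip, expected answer)
        self.failures = {}       # ip -> failed challenge count

    def apply_update(self, updates, now):
        """updates: iterable of (ip, "grey" | "black", seen_at), local or from
        other servers; expiry is computed from seen_at, not from arrival time."""
        ttl = {"grey": GREY_TTL, "black": BLACK_TTL}
        for ip, verdict, seen_at in updates:
            expiry = seen_at + ttl[verdict]
            table = self.tables[verdict]
            if expiry > now and expiry > table.get(ip, now):
                table[ip] = expiry

    def _live(self, verdict, ip, now):
        table = self.tables[verdict]
        expiry = table.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del table[ip]               # lazy expiry
            return False
        return True

    def decide(self, ip, now):
        """Return ("drop" | "allow" | "challenge", challenge id or None)."""
        if self._live("black", ip, now):
            return "drop", None
        if self._live("white", ip, now):
            return "allow", None
        if self._live("grey", ip, now):
            cid = secrets.token_urlsafe(8)
            self.pending[cid] = (ip, secrets.token_hex(3))   # answer stays server-side
            return "challenge", cid
        return "allow", None

    def solve(self, cid, answer, now):
        """Check a challenge response; one attempt per challenge id."""
        entry = self.pending.pop(cid, None)
        if entry is None:
            return False
        ip, expected = entry
        if not secrets.compare_digest(expected, answer):
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= MAX_FAILURES:
                self.tables["black"][ip] = now + BLACK_TTL
            return False
        # The grey entry is kept: the whitelist is a short override, not a pardon.
        self.tables["white"][ip] = now + WHITE_TTL
        self.failures.pop(ip, None)
        return True


def demo():
    """One IP's life cycle at fixed times; returns the verdicts observed."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    ip = "203.0.113.5"
    gl = Greylist()
    seen = [gl.decide(ip, t0)[0]]                                   # unknown IP: allow
    gl.apply_update([(ip, "grey", t0)], t0 + timedelta(seconds=2))  # honeypot hit arrives
    verdict, cid = gl.decide(ip, t0 + timedelta(seconds=3))
    seen.append(verdict)                                            # challenge
    answer = gl.pending[cid][1]                                     # a human reads the captcha
    seen.append(gl.solve(cid, answer, t0 + timedelta(seconds=5)))   # True
    seen.append(gl.decide(ip, t0 + timedelta(minutes=5))[0])        # allow: whitelisted
    seen.append(gl.decide(ip, t0 + timedelta(minutes=40))[0])       # challenge: whitelist expired
    t = t0 + timedelta(minutes=41)                                  # now a bot on the same IP
    for _ in range(MAX_FAILURES):
        _, cid = gl.decide(ip, t)
        gl.solve(cid, "wrong", t)
    seen.append(gl.decide(ip, t)[0])                                # drop
    seen.append(gl.decide(ip, t0 + timedelta(hours=2))[0])          # still drop: grey gone, black not
    return seen


if __name__ == "__main__":
    print(demo())
```

Compared with a plain drop, every greylisted request still reaches the server once (so the probe can be logged and analysed), a human can always clear the list by solving the challenge, and only repeated failures turn into the hard block that a bare firewall rule would have applied on the first hit.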