A botnet is a group of infected computers (aka bots or zombie machines) controlled by a hacker, the botmaster. Botnets are a major threat for every server. They are the fundamentals of the cybercrime in the dark industry of hackers. Zombie machines can be personal computers, mobile devices or even servers. Today we will focus on botnets formed by infected linux servers. Server based botnets are especially valuable for the bad guys as servers has typically high amount of various resources like cpu, memory, and what is the most important, internet bandwidth with trusted and in many cases unrestricted upload traffic capacity. Servers typically operate 24 hour a day, 7 days a week and have at least one fixed IP address. In many cases servers already have every component for the hackers to operate. As there is a huge demand for high capacity botnets in the dark markets for different purposes like sending spams, different DoS attacks and similar cybercrimes there are more and more botnet infections that servers have to face.

1. BITNINJA.IO
HONEYPOTS, THEY ARE NOT JUST
FOR WINNIE THE POOH ANYMORE!
George Egri

2. B i t N i nj a.I O
WHAT IS A HONEYPOT?
Attract Catch
Analyze

3. B i t N i nj a.I O
REAL WORLD EXAMPLE

4. B i t N i nj a.I O
SERVER HONEYPOT DESIGNS
Low interaction High interaction
Server
FAKE DAEMON
Interaction measures the amount of activity an attacker can have with a honeypot
HONEYPOT VM
Server

5. B i t N i nj a.I O
TYPES OF ATTACK
Automatic Manual

6. B i t N i nj a.I O
ATTACK CYCLE

7. B i t N i nj a.I O
1. SCAN
1. Scan for vulnerable services
DIRECT DISTRIBUTED

8. B i t N i nj a.I O
> DIRECT SCAN

9. B i t N i nj a.I O
> DISTRIBUTED SCAN

10. B i t N i nj a.I O
> PORT HONEYPOT

11. B i t N i nj a.I O
1. SCAN
PROTECTION:
> PORT HONEYPOTS
> WEB HONEYPOTS
> LOG ANALYSIS
> DISTRIBUTED LOG ANALYSIS

12. B i t N i nj a.I O
2. EXPLOIT
 SQL injection
 Code injection
 Login after successful bruteforce
 Etc.
PROTECTION:
> WEB APPLICATION FIREWALL
> IP REPUTATION

13. B i t N i nj a.I O
3. INFECT
PROTECTION:
> WEB APPLICATION FIREWALL
> VIRUS/MALWARE DETECTION… BUT
THE ATTACKER IS ALREADY IN!

14. B i t N i nj a.I O
4. REGISTER COMMAND AND CONTROL
PROTECTION:
> IP REPUTATION (LISTED C&C SERVERS)
> OUTGOING TRAFFIC ANALYSIS (LIKE WAF)

15. B i t N i nj a.I O
4. REGISTER COMMAND AND CONTROL

16. B i t N i nj a.I O
5. POST EXPLOIT HACKING
PROTECTION:
> WAF
> OUTGOING TRAFFIC ANALYSIS
> INFORMATION HONEYPOT
ATTACKER
EXPLOITED
SERVER
FIREWALL
REAL TARGETSERVER

17. B i t N i nj a.I O
5. INFO HONEYPOT
Files on a server
 readable for everyone
 looks like a real mistake
 contains address and credentials for other systems
 watched for processes opening it
 honeypot trap for the actual usage of the credentials
/backup.sh
#!/bin/bash
IP = 10.3.11.74
USER = backuppc
PASSWORD = 453fwTfGSDwe
lftp -e "mirror -R /etc /backup/server/etc; exit" -u $USER, $PASSWORD $IP

18. B i t N i nj a.I O
6. RESOURCE USE

19. B i t N i nj a.I O
6. RESOURCE USE
PROTECTION:
> OUTGOING WAF
> OUTGOING SPAM FILTER
> OUTGOING DOS MITIGATION RULES
> IP REPUTATION (LISTED C&C SERVERS)

20. B i t N i nj a.I O
7. EXPAND

21. B i t N i nj a.I O
7. EXPAND
PROTECTION:
> OUTGOING WAF
> IP REPUTATION (LISTED C&C SERVERS)

22. B i t N i nj a.I O

23. B i t N i nj a.I O
HONEYNETS, HONEYFARMS

24. B i t N i nj a.I O
REACT
Block/Drop disadvantages:
- Can’t collect further info for analysis
- Timing based restriction is easy to automate
- Lack of false positive management
IP Greylisting by BitNinja advantages:
- Distribute IP reputation info to all your servers within
2 seconds (general IP reputation use 1,2,4 hour or daily
lists)
- Dramatically reduce false positives by different Captcha
modules
- Managed automatically
- Gain advantages of the infos of the worldwide bitninja
honeyfarm community (all users and bn honeypots)

25. Q & A
BITNINJA.IO
George Egri
george@bitninja.io
+1 805-628-4196
/zsoltegri
/bitninjaio