Botnet Detection Techniques
1. BotNet Detection Techniques
By
Team Firefly
Technical Support For System Errors
And Security Issues
Cyber Security Awareness Program
On Friday, October 18, 2013
3. Introduction to Botnet
A botnet is a network of compromised computers under the control of a remote attacker.
Botnet Terminology
Bot Herder (Bot Master)
Bot
Bot Client
IRC Server
Command and Control Channel (C&C)
4. Introduction to Botnet (Terminology)
[Diagram: botnet architecture. Components: Bot Master, IRC Server, IRC Channel, Code Server, Bots, Victim. Flows: C&C Traffic, Updates, Attack]
9. Botnet In Network Security
Internet users are getting infected by bots
Corporate and end users are frequently caught up in botnet attacks
Today 16-25% of the computers connected to the internet are members of a botnet
The bots in such a network are spread across many locations, which makes illegal activity difficult to trace
This makes botnets an attractive tool for intruders and increases the threat to network security
11. How Are Botnets Used?
Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing (fake websites)
Adware (Trojan horse)
Spyware (keylogging, information harvesting)
Click fraud
So it is really important to detect these attacks
12. Botnet Detection
Two approaches to botnet detection:
Setting up honeynets
Passive traffic monitoring, which can be:
• Signature based
• Anomaly based
• DNS based
• Mining based
13. Botnet Detection: Setting up Honeynets
Windows honeypot
Honeywall responsibilities: record what the captured bot reveals about its C&C channel:
DNS name/IP address of the IRC server and port number
(optional) password to connect to the IRC server
Nickname of the bot
Channel to join and (optional) channel password
15. Botnet Detection: Traffic Monitoring
Signature based: Detection of known botnets
Anomaly based: Detect botnets using the following anomalies:
• High network latency
• High volume of traffic
• Traffic on unusual ports
• Unusual system behaviour
DNS based: Analysis of DNS traffic generated by botnets
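As an added example (not part of the original slides), the anomaly-based and DNS-based checks listed above applied to constructed flow and DNS records; the hosts, domains, port baseline and thresholds are assumptions:

```python
from collections import Counter, defaultdict

# Constructed sample flow records: (src, dst, dst_port, bytes); not from the slides
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 6667, 1200),
    ("10.0.0.6", "203.0.113.7", 6667, 900),
    ("10.0.0.7", "203.0.113.7", 6667, 1100),
    ("10.0.0.8", "198.51.100.2", 443, 45000),
    ("10.0.0.5", "198.51.100.9", 80, 3000),
    ("10.0.0.9", "198.51.100.4", 443, 9500000),  # large but legitimate-looking HTTPS upload
]
# Constructed DNS query log: (client, queried name)
DNS = [
    ("10.0.0.5", "cc.example"), ("10.0.0.6", "cc.example"), ("10.0.0.7", "cc.example"),
    ("10.0.0.8", "www.example.org"), ("10.0.0.9", "mail.example.org"),
]
EXPECTED_PORTS = {22, 25, 53, 80, 443}  # assumed baseline for this network

def unusual_port_hosts(flows, expected=EXPECTED_PORTS):
    """Anomaly: traffic on a port outside the baseline (e.g. IRC on 6667)."""
    return sorted({src for src, _, port, _ in flows if port not in expected})

def high_volume_hosts(flows, threshold_bytes=1_000_000):
    """Anomaly: hosts whose total outbound bytes exceed a threshold."""
    totals = Counter()
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    return sorted(h for h, b in totals.items() if b > threshold_bytes)

def shared_destination(flows, min_clients=3):
    """Many internal hosts contacting the same external host:port suggests a C&C server."""
    clients = defaultdict(set)
    for src, dst, port, _ in flows:
        clients[(dst, port)].add(src)
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_clients}

def dns_cluster(dns, min_clients=3):
    """DNS based: a name resolved by many distinct clients (bots looking up their C&C)."""
    clients = defaultdict(set)
    for client, qname in dns:
        clients[qname].add(client)
    return {q: sorted(c) for q, c in clients.items() if len(c) >= min_clients}

def suspects(flows, dns, min_hits=2):
    """Report hosts flagged by at least two independent checks to limit false positives."""
    score = Counter(unusual_port_hosts(flows)) + Counter(high_volume_hosts(flows))
    for hosts in list(shared_destination(flows).values()) + list(dns_cluster(dns).values()):
        score.update(hosts)
    return sorted(h for h, s in score.items() if s >= min_hits)
```

Host 10.0.0.9 trips only the volume check, so it is not reported; a single anomaly is weak evidence on its own.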
16. Botnet Detection: Traffic Monitoring
Mining based:
• Botnet C&C traffic is difficult to detect
• Anomaly based techniques are not useful for it
• Data mining techniques (classification, clustering) are used instead
17. Botnet Detection
Determining the source of a botnet-based attack is challenging:
Traditional approach:
Every zombie host is an attacker
Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack
New trend:
P2P botnets
18. Preventing Botnet Infections
Use a Firewall
Patch regularly and promptly
Use Antivirus (AV) software
Deploy an Intrusion Prevention System (IPS)
Implement application-level content filtering
Define a security policy and share it with your users systematically
19. Botnet Research
Logging onto the herder's IRC server to get information
Passive monitoring: either listening between the infected machine and the herder, or spoofing the infected PC
Active monitoring: poking around in the IRC server
Sniffing traffic between the bot and the control channel
21. Conclusion
Botnets pose a significant and growing threat to cyber security
They provide a key platform for many cyber crimes (e.g. DDoS)
Network security has become an integral part of our lives, and botnets have become the most serious threat to it
It is therefore very important to detect botnet attacks and find solutions to them