Botnets are collections of internet-connected programs that communicate together to perform tasks for their operators. They originated as tools to automate tasks but evolved into tools for malicious attacks like spam and DDoS. Botnets infect victims through various means and form centralized or hierarchical structures controlled through command and control servers using protocols like HTTP and IRC. They are used to carry out spam, phishing, and DDoS attacks. Detection relies on analyzing network traffic, application logs, and using honeypots while defense focuses on prevention, monitoring, and user education.

1. AungThu Rha Hein (g5536871)
1

2.  What is a botnet?
 History of Botnet
 What are they used for?
 How do they work?
 Infection Procedure
 CommandTopologies
 Communication Methods
 Propagation Methods
 Defense
 Detection methods
 Defense Strategy
 Conclusion
2

3.  A botnet is a collection of internet-connected
programs communicating with other similar
programs in order to perform tasks.
 Wikipedia
 A collection of compromised computers that
is slowly built up then unleashed as a DDOS
attack or used to send very large quantities of
spam.
 WolframAlpha
3

4.  Bots originally used to automate tasks
 IRC,IM, MUDS, online-games
 Evolved into a way to automate malicious
attacks
 Spam, control a pc, propagate etc…
 Botnets started with DOS against servers
 Stacheldraht,Trinoo, Kelihos
4

5.  DOS attacks
 Spam
 Phishing
 Identity theft
 Click Fraud
 Others….
5

6. 1. Botmaster infected victims with bot
botmaster victim
C&C server
6

7. 2.bot connects to the C&C
server using HTTP,IRC or
other protocol
victim
C&C server
botmaster
7

8. 3.Botmaster sends
commands
through C&C server to
zombie
botmaster victim
C&C server
8

9. 4.Repeat these process and
botmaster have bot army to
Control from a single point
botmaster
Victims, zombies
C&C server
9

10. 10

11.  Star
 Bots tied to centralized C&C server
 Multi-Server
 Same as Star but with multiple C&C server
 Hierarchical
 Parent bot control child bots
 Random
 Full P2P support
11

12.  HTTP
 Easy for attacker to blend in
 IRC
 Harder to hide compared with HTTP
 Custom
 Makes use of new application protocols
12

13.  E-Mail attachments; Social Engineering
 Trojan horses
 Drive-by downloads
 Scanning
 Horizontal: Single port
 Vertical :Single IP address
13

14.  Three Main Issues
 How to Detect them?
 How to Response them?
 How to Negate the threat?
14

15.  No single method
 “Defense in depth” principle
 Methods
 Network traffic analysis (NetFlow)
 Packet analysis(IDS)
 Analysis of application log files (Antivirus, firewall)
 Honeypots
 Others…
15

16.  DefenseAgainst infection by bot (DAIBB)
 Prevent from entering into the system
 Updates and patches, security levels
 Defense against attacks by bot (DAABB)
 Prevent from being victim of botnet attacks
 IPS,TLS, SSL
 Monitoring, detection & studying of Bot (MDSBB)
 Detection methods, monitoring log files
16

17.  Education of users (EOU)
 Raise the security awareness of users
 Legislative protection (LP)
 legislative-punishment policies
THANKYOU!
17