This document summarizes the history of bots and botnets, how botnets are controlled and used for criminal activities like DDoS attacks and spamming, and the large harms they cause. It discusses how botnets can include millions of compromised systems and generate huge amounts of attack traffic to bring down websites. The document also outlines approaches for detecting and mitigating botnets, including using darknets and honeypots to analyze anomalous traffic and identify infected systems.

1. 9th TWNIC IP Open Policy Meeting
2007/12/5, Taipei
Botnets & DDoS Introduction
Kae Hsu (IS-TW)

2. Agenda
• Bot
• Botnet and the mechanisms used in
• Botnets activities and economics
• Harms from Botnets
• DDoS mitigation
• Botnets detection and defense
• Reference
2007/12/5 2 Copyright 2007 - Trend Micro Inc.

3. Bot
• Brief history of Bot (summarized from “Botnets, THE KILLER WEB APP”)
– GM (1989)
• A robot user in an IRC channel.
– PrettyPark (1999)
• A Bot client on Windows95/98.
• Malicious IRC Bots.
– SubSeven Trojan/Bot
• Create backdoor in the system.
• SubSeven server could control SubSeven clients via IRC server.
– GT Bot (2000)
• Based on the mIRC client
– could trigger mIRC client to run scripts from IRC server.
– support raw TCP and UDP socket connections.
– SDBot (2002)
• Written in C++ and the author released the source code.
• Exploits and infects.
2007/12/5 3 Copyright 2007 - Trend Micro Inc.

4. Bot
• History brief (cont.)
– Agobot (2002)
• Modular design.
• Using P2P file-sharing applications to spread.
Characteristic-Based Families
– Spybot (2003)
• Open source Trojan and deviate from SDBot.
– RBot (2003)
• Most detections in Windows platform, with 1.9 million PCs. (2005)
– Polybot (2004)
• Derived from the AgoBot.
– Mytob (2005)
• Hybrid from MyDoom and bot IRC C&C functionality.
2007/12/5 4 Copyright 2007 - Trend Micro Inc.

5. Botnet and the mechanisms used in
• Botnet
– Some Bots controlled by a single one/organization (botherder)
and execute the commands from the botherder.
• Botnet Life Cycle
1. Exploit.
2. Report to the botherder (via C&C channel).
3. Retrieve the anti-antivirus module.
4. Rally and secure the Bot client.
5. Listen to the C&C channel and receive command.
6. Retrieve the payload module.
7. Execute the command.
8. Report result to the C&C channel.
9. Back to step 5.
10. Erase all evidence and abandon the Bot client.
2007/12/5 5 Copyright 2007 - Trend Micro Inc.

6. Botnet and the mechanisms used in
• C&C: Command and Control
– Botherder use C&C to collect Bot client information and delivery
the commands to Bot clients.
– IRC server is the most early and widely used C&C
• Interactive.
• Easy to build a IRC server.
• Easy to create and control several Botnets using one server.
• Easy to create redundancy.
– Web-based C&C servers.
– P2P Botnets.
– Random.
– IM C&C.
– Remote Administration.
– Drop Zone and FTP-based C&C.
2007/12/5 6 Copyright 2007 - Trend Micro Inc.

7. Botnets activities and economics
• Exploit new Bot client
• DDoS attack
– DDoS ransom - $$$
• Software installation
– adware - $$$
– clicks4hire - $$$
• Spam and phishing - $$$
• Storage and distribution of stolen or illegal data
• Ransomware - $$$
• Data mining - $$$
• Reporting results
• Erase the evidence, abandon the client
2007/12/5 7 Copyright 2007 - Trend Micro Inc.

8. Harms from Botnets
• Spam
– Botherder control Bot clients to email spam.
• DDoS – Distributed Denial of Service
– Flooding lots of anomaly traffic or launch lots of service request
to the DDoS target
• The service is blocked on victim cause of resource exhausted.
– bandwidth resource
– system resource
– DDoS is hard to prevent
• It is hard to classify normal or abnormal traffic.
– Anomaly TCP/UDP/ICMP flooding is easy to detect.
– Anomaly service access request is hard to detect.
• ISP uplink congestion will impact other customer
– Traffic scrubbing is helpless to uplink congestion.
2007/12/5 8 Copyright 2007 - Trend Micro Inc.

9. Harms from Botnets
• Botnets: the source of DDoS
– In a Botnet, zombie PCs would be used to generate the attack
traffic to the victims.
– If a Botnet have >100,000 zombie PCs, each PC generate
50kbps attack traffic to the victim; The total attack traffic could
reach more than 5Gbps!!!
• 5Gbps traffic could congest lots of links of enterprise and ISP.
– If a Botnet have >100,000 zombie PCs, each PC generate 1kpps
attack traffic to the victim; The total attack traffic could reach
more than 100Mpps!!!
• 100Mpps traffic could shutdown lots of equipments of enterprise
and ISP.
– Most ISPs use “black-hole” mechanism to drop the attack traffic,
but it will drop normal traffic flow to victim too
• ISPs help the cyber-criminal complete the attack.
2007/12/5 9 Copyright 2007 - Trend Micro Inc.

10. Harms from Botnets
• Scale of Botnet:
– Telenor takes down 'massive' botnet – more than 10,000 zombie
PC
• http://www.theregister.co.uk/2004/09/09/telenor_botnet_dismantled/
– Dutch Botnet suspects ran 1.5 million machines
• http://www.techweb.com/wire/security/172303160
– Of the 600 million computers currently on the internet, between
100 and 150 million were already part of these botnet…
– http://news.bbc.co.uk/1/hi/business/6298641.stm
• Strength of Botnet:
– Estonian government websites were shutdown cause serious
DDoS attack from Apr. 27, 2007
• At its peak on May 9, the attack shut down up to 58 sites at once.
• Computers from the United States, Canada, Brazil, Vietnam and
others have been used in the attacks.
2007/12/5 10 Copyright 2007 - Trend Micro Inc.

11. Harms from Botnets
• DDoS example
– ISPs Bot client
BOTNETS
attack
traffic
VICTIMS
link
congestion
2007/12/5 11 Copyright 2007 - Trend Micro Inc.

12. Harms from Botnets
– All of the packets forward to victim were dropped.
BOTNETS
attack
traffic
VICTIMS
2007/12/5 12 Copyright 2007 - Trend Micro Inc.

13. DDoS mitigation
• Scrub the traffic, accept and forward the normal packets
and drop the abnormal packets
– Build the traffic scrubbing system in your netowrk
• Congestion still would be happened on ISP border router.
VICTIMS
link
congestion
– Order scrubbing service from upstream ISP or scrubbing service
provider.
scrubbing service provider
VICTIMS
link
congestion
2007/12/5 13 Copyright 2007 - Trend Micro Inc.

14. Botnets detection and defense
• Internet projects to detect Bot/Botnets
– Darknet
• A subnet that no any machine host in.
• There should not be any normal traffic flow to this subnet
– Anomaly traffic flow sent by malware almost.
• It is possible to trace the compromised machine by analyzing those
anomaly traffic.
enable promiscuous mode
Bot client
Internet
.4
analyze exploit traffic and catch Bot client IP
.1
.3
R(config)#ip route 172.17.12.128 255.255.255.128 172.17.12.4 .2
172.17.12.0/24
2007/12/5 14 Copyright 2007 - Trend Micro Inc.

15. Botnets detection and defense
• Internet projects to detect Bot/Botnets
– Honeypots
• A machine that exploit by malware on purpose.
– Botnets life cycle:
» 2) Report to the botherder (via C&C channel).
» 5) Listen to the C&C channel and receive command.
» 6) Retrieve the payload module.
» 8) Report result to the C&C channel.
– To sniff and analyze the connections of Bot, we could catch:
» the IP address of C&C
» the IP address of victims
C&C
172.31.1.1
Internet
.4
catch the C&C IP: 172.31.1.1
.1
.3
port mirror
honeypot
.2
2007/12/5 15 Copyright 2007 - Trend Micro Inc.

16. Botnets detection and defense
– Honeypot (cont.)
• In theories, off-line the C&C would destroy the whole Botnet
– It is the vulnerability of centralized C&C.
C&C
Internet
.4
.1
.3
port mirror
honeypot
.2
R(config)#ip route 172.31.1.1 255.255.255.255 null0
• Use black-hole to block the C&C IP on the Internet
– But botherder would not structure their Botnet by only one C&C
» Use DNS to improvement C&C surviving.
2007/12/5 16 Copyright 2007 - Trend Micro Inc.

17. Botnets detection and defense
• BGP flow-spec
– A new BGP NLRI
• The reason to use BGP: re-use
– protocol algorithms.
– operational experience.
– administrative processes such as inter-provider peering agreements.
– Distribute traffic flow specifications and action.
• Flow-spec NLRI
– Type 1 – destination prefix
– Type 2 – source prefix
– Type 3 – IP protocol
– Type 4 – port
– Type 5 – destination port
– Type 6 – source port
– Type 7 – ICMP type
– Type 8 – ICMP core
2007/12/5 17 Copyright 2007 - Trend Micro Inc.

18. Botnets detection and defense
• Flow-spec NLRI (cont.)
– Type 9 –TCP flags
– Type 10 – packet length
– Type 11 – DSCP
– Type 12 – fragment
• Traffic filtering actions
– Traffic-rate
– Traffic-action
» Terminal action
» Sample
– Redirect
– Use BGP flow-spec in your network
Bot client D
Normal
client B
Normal
client C
Server A
2007/12/5 18 Copyright 2007 - Trend Micro Inc.

19. Botnets detection and defense
– Use BGP flow-spec in your network
• Update BGP flow-spec route to border router
– ‘SRC=D, DST=A, action=drop’
Bot client D
Normal
client B
Normal
client C
Server A
• Update BGP flow-spec route to peering partner
– ‘SRC=D, DST=A, action=drop’
Bot client D
Normal
client B
Normal
client C
Server A
2007/12/5 19 Copyright 2007 - Trend Micro Inc.

20. Reference
• “Botnets, THE KILLER WEB APP”
– by Craig A. Schiller etc.; Syngress Publishing Inc., 2007
• The Team Cymru Darknet Project
– http://www.cymru.com/Darknet/index.html
• The Honeynet Project
– http://www.honeynet.org/index.html
• “Dissemination of flow specification rules”
– draft-marques-idr-flow-spec-04.txt
• “Configuring a flow route”
– http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-
routing/id-10317421.html#id-10317421
• “Inferring Internet Denial-of-Service Activity”
– by David Moore etc.
• “The Zombie Roundup: Understanding, Detecting, and Disrupting
Botnets”
– by Evan Cooke etc.
• “How CNCERT/CC fighting to Botnets”
– by Mingqi Chen.; CNCERT/CC
2007/12/5 20 Copyright 2007 - Trend Micro Inc.

21. Thank You
Classification 2007/12/6
2007/12/5 21 Copyright 2007 - Trend Micro Inc.