REAL WORLD SCENARIO How can botnets be used : -• Distributed Denial of Ser vice Attacks (DDoS)• Spamming• Snif fing Traf fic & Key logging.• Identity Thef t• Attacking IRC Chat Networks• Hosting of Illegal Sof tware• Google AdSense Abuse & Adver tisement Addons• Manipulating online polls
DETECTION TECHNIQUES PassiveData gathered through observation. • Packet Inspection • Analysis of flow records • Analysis of SPAM Attacks ActiveDetection by being involved i.e. interacting with the botnet.(drawback)Can result in DDOS attack against the analyst,changing of ip’s, protocols etc. • Sink holding • Infiltration • Peer-to-peer botnet enumeration
PASSIVE DETECTION Packet InspectionInspect network data packets• Match various protocol fields.• Match payload against a predefined pattern of suspicious content.Drawbacks:-• Wouldn’t scale• Only known patterns are detected
PASSIVE DETECTION Analysis of flow recordsTracing network traf fic at an abstract level.Instead of inspecting individual packets communicationstreams are considered in aggregate form.We look into:- • Source, destination address • Related port no’s • Duration of session • Cumulative size and no of transmitted packets. • Protocol used inside packets.Advantage:- higher amount of traf fic can be monitored.Eg. ‘Net Flow’ protocol from cisco.
PASSIVE DETECTION Analysis of SPAM attacks• Spam mails are analyzed and similar templates are grouped.• These templates can then be matched to a corresponding botnet.For this special Honey pots called honey tokens are used .
PASSIVE DETECTION Honeypot:- It is a trap to detect, deflect or in some manner counter act an attempt at unauthorized use of Information system. Honey Token:- Spam traps consisting of email addresses with no productive function other than to receive unsolicited emails.
PASSIVE DETECTION Other Techniques:-• Analysis of log files.• Evaluation of anti-virus software feedback.• DNS based approaches.
ACTIVE TECHNIQUES Sink Holding• Technical countermeasure for cutting of f a malicious control source from rest of the botnet.• Eg. By changing the targeted malicious domain name so that it points to machine controlled by a trusted party.
ACTIVE DETECTION InfiltrationAims to take control of the botnet.• Hardware- if ip address is known all communications can be wiretapped with the help of hosting company.• Software- Imitating the communication mechanisms used by the botnet.
ACTIVE DETECTION Peer-to-peer botnet enumerationRepeatedly querying peers for their neighbor list.This includes reverse engineering.• Creating a implementation of the botnet to perform the enumeration task.
TECHNICAL COUNTERMEASURES Blacklisting• Block all traf fic from included addresses.• Search engine or browser can filter or mark such websites. Distribution of fake/traceable credentials.• Populate fake data into our records like credit card details.• Fake data lowers quality of stolen information• Generate mistrust among criminals.
TECHNICAL COUNTERMEASURES BGP Block holingNull routing malicious hosts to deny traf fic from or to theirnetwork.Null-Routing:- It is a process of silently dropping the packetsoriginated from or destined for such addresses. DNS based countermeasure• Malicious domains can be shut down.• Require court warrant.• Sometimes twitter and rss feeds are used to give commands, doesn’t work in that case.
TECHNICAL COUNTERMEASURES Port 25 BlockingSpam mails would not be sent. Peer to peer counter measurePollute the peer-to-peer listResults in• Loss of overall connectivity• Due to size limitations older original peers will get replaced by fake peers.
SOCIAL COUNTERMEASURES Dedicated laws. User awareness. Use of anti-virus software etc.