Botnet Detection & Countermeasures
About Me – Kiran Ratnaker
- IT Security Researcher
- Certified Ethical Hacker
- Certified Forensic Investigator
- Certified Security Analyst
- WatchGuard Certified Professional
- Contact: Twitter @kiranratnakar

Agenda
- What is a Botnet
- Botnet Detection
- Countermeasures
Close Encounter with a Botnet
- Network of 150 machines dead
- No Internet, no local server access
- MAC flooding, ARP poisoning, MITM, DDoS…
- Uses ports 16464, 16465, 16470, and/or 16471. The
Worst Things
- No bot detection by AV
- Websense failed
- Firewall proxy bottleneck
- IP in exploit blacklist
- Rootkit prevented detection; connecting the HDD to a fresh, clean machine detected the ZeroAccess botnet, i.e. the AV on the infected machine was compromised

How We Restored Network Operations
- Enabled security features on the LAN: ARP spoofing prevention, DoS attack prevention settings, broadcast/multicast/unicast traps
- Reduced network speed > checked for ports using high bandwidth > shut them down > formatted the machines

Challenges in the Dev & QA Environment
- Developers need admin access
- Innovation needs openness
- QA needs old versions
- Port-based applications are history; P2P apps are on top, and so are the attacks
What is a Botnet
- Botnet: Bot + Network
- Compromised machines install programs that perform autonomous tasks; these networked bots, controlled by a single botmaster through multiple command & control (C&C) centers, build a botnet
- Diagram labels: BotMaster, C&C, Bots
- Reference video: https://www.youtube.com/watch?v=s0sgiY93w9c

How Does a Botnet Spread Itself?
- Peer to Peer

Cyber Crimes
- Ransomware
- Fake ID
2016 Cyberattack: Denial-of-Service Attack on DYN (Distributed Network Services, Inc.)
- On 21 October 2016 Dyn's network was attacked with a DDoS load of 1.2 Terabits per second
- Twitter, Reddit, GitHub, Amazon.com, Netflix, Spotify, BBC, PayPal and CNN became unreachable
- The Mirai botnet was used to launch the DDoS attack
- The Mirai botnet consisted of more than 100,000 infected devices
- Internet of Things (IoT)-enabled devices included in the attack: surveillance cameras, printers, residential gateways
- Mirai-infected devices were spotted in 164 countries
- Mirai's C&C (command and control) code is written in Go, while its bots are written in C
- Ref: https://www.tripwire.com/state-of-security/latest-security-news/100000-bots-infected-mirai-malware-caused-dyn-ddos-attack/
- Mirai botnet: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Detection
- Symptoms
- Benchmark
- Machine log
- L3 switch log
- Firewall log
- OS, AV, Wireshark

Benchmark
- TCP/IP connections on machines & firewall: e.g. 100 machines x 50 connections = 5000 connections
- What is the total number of machines according to inventory & logs?
- ARP entries on the switch = number of machines
- ARP on L3 switch and firewall
- Machine IP + MAC address + VLAN
- Route + VLAN broadcast on L3 switch
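The benchmark on the slides above (inventory count versus ARP table, machines times per-machine connections) can be automated. The following Python script is an added example and not part of the presentation: it parses a constructed Cisco-style "show ip arp" dump (the layout and regex are assumptions; adjust them for other switches), reconciles it against a constructed MAC/IP/VLAN inventory, flags unknown MACs, inventory mismatches and one IP answered by two MACs (an ARP-poisoning symptom), and applies the 100 x 50 = 5000 connection benchmark to an observed total.

```python
"""Reconcile the asset inventory with the switch ARP table and apply the
machines-x-connections benchmark.  All data below is constructed for the
example; the ARP layout mimics a Cisco "show ip arp" dump (an assumption)."""
import re
from collections import Counter

# Constructed inventory: MAC -> (IP, VLAN) as recorded by the IT team.
INVENTORY = {
    "00:11:22:33:44:01": ("10.10.1.11", 10),
    "00:11:22:33:44:02": ("10.10.1.12", 10),
    "00:11:22:33:44:03": ("10.10.1.13", 10),
    "00:11:22:33:44:04": ("10.10.2.21", 20),
}

# Constructed ARP dump from the L3 switch (Cisco-like layout, assumed).
ARP_DUMP = """\
Internet  10.10.1.11   3   0011.2233.4401  ARPA  Vlan10
Internet  10.10.1.12   1   0011.2233.4402  ARPA  Vlan10
Internet  10.10.1.13   0   0011.2233.44aa  ARPA  Vlan10
Internet  10.10.2.22   5   0011.2233.4404  ARPA  Vlan20
Internet  10.10.2.99   0   0011.2233.44ff  ARPA  Vlan20
Internet  10.10.1.11   0   0011.2233.44ee  ARPA  Vlan10
"""

ARP_LINE = re.compile(
    r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+Vlan(\d+)",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac):
    """'0011.2233.4401' -> '00:11:22:33:44:01' so it matches the inventory."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(dump):
    """Return (ip, mac, vlan) tuples for every ARP line that matches."""
    entries = []
    for line in dump.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2)), int(m.group(3))))
    return entries


def reconcile(inventory, arp_entries):
    """Compare ARP entries with the inventory (the slide's 'ARP on switch =
    number of machines' check) and return counts plus anomalies."""
    unknown_mac = []   # MAC not in inventory: unknown or rogue host
    ip_mismatch = []   # known MAC but IP/VLAN differ from inventory
    for ip, mac, vlan in arp_entries:
        if mac not in inventory:
            unknown_mac.append((ip, mac, vlan))
        elif inventory[mac] != (ip, vlan):
            ip_mismatch.append((ip, mac, vlan, inventory[mac]))
    # One IP answered by two MACs is a classic ARP-poisoning symptom.
    ip_counts = Counter(ip for ip, _, _ in arp_entries)
    duplicate_ips = sorted(ip for ip, n in ip_counts.items() if n > 1)
    return {
        "inventory_count": len(inventory),
        "arp_count": len(arp_entries),
        "unknown_mac": unknown_mac,
        "ip_mismatch": ip_mismatch,
        "duplicate_ips": duplicate_ips,
    }


def connection_benchmark(machine_count, per_machine, observed_total):
    """Expected total connections = machines x per-machine baseline
    (the slide's 100 x 50 = 5000).  Returns (expected, observed/expected)
    so a ratio well above 1.0 can be alerted on."""
    expected = machine_count * per_machine
    return expected, observed_total / expected


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_arp(ARP_DUMP))
    print(f"inventory={report['inventory_count']} arp={report['arp_count']}")
    for key in ("unknown_mac", "ip_mismatch", "duplicate_ips"):
        for item in report[key]:
            print(f"{key}: {item}")
    expected, ratio = connection_benchmark(100, 50, 15000)
    print(f"expected={expected} ratio={ratio:.1f}")
```

On the constructed dump the ARP table holds six entries against four inventoried machines: three MACs are unknown, one known machine appears with the wrong IP, and 10.10.1.11 is answered by two MACs. A connection total three times the benchmark is the kind of deviation the slide's "100 x 50" rule is meant to surface.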
Process Explorer
Wireshark
Countermeasures
- Daily checks
- Enable AV, Firewall + IPS: IP blacklist, concurrent connections, botnet ports, deny packets, geolocation, DNS
- Update security patches
- Firmware updates: machines, network switches, printers, WAP, firewall
- Install only required applications
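The daily firewall checks listed above (botnet ports, IP blacklist, concurrent connections, denied packets) can be scripted against an exported firewall log. This Python example is added here and is not part of the deck: the key=value log format, the blacklist addresses (RFC 5737 documentation ranges, not real indicators) and the 50-connections-per-host threshold are constructed assumptions; the port list is the four ports named in the incident slide.

```python
"""Daily firewall-log triage per internal host: botnet ports, IP blacklist
hits, denied packets and connection counts above a baseline.  The log format,
blacklist and threshold are constructed for this example."""
import re
from collections import defaultdict

# Ports named in the incident slide for the ZeroAccess infection.
BOTNET_PORTS = {16464, 16465, 16470, 16471}
# Constructed blacklist using RFC 5737 documentation addresses, not real IoCs.
IP_BLACKLIST = {"203.0.113.7", "198.51.100.42"}
# Per-host baseline taken from the benchmark slide (50 connections/machine).
CONN_THRESHOLD = 50

# Constructed key=value firewall export (assumed format, not a real product's).
FW_LOG = """\
2017-03-01T09:00:01 action=allow proto=tcp src=10.10.1.11 dst=93.184.216.34 dport=443
2017-03-01T09:00:02 action=allow proto=udp src=10.10.1.13 dst=203.0.113.7 dport=16464
2017-03-01T09:00:02 action=allow proto=udp src=10.10.1.13 dst=192.0.2.77 dport=16471
2017-03-01T09:00:03 action=deny proto=tcp src=10.10.1.13 dst=198.51.100.42 dport=80
2017-03-01T09:00:03 action=allow proto=tcp src=10.10.1.12 dst=93.184.216.34 dport=80
"""
# One constructed host fanning out to 60 distinct destinations (above baseline).
FW_LOG += "".join(
    f"2017-03-01T09:01:{i:02d} action=allow proto=tcp src=10.10.2.99 "
    f"dst=192.0.2.{i} dport={1024 + i}\n"
    for i in range(60)
)

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse matching lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def triage(events, botnet_ports=BOTNET_PORTS, blacklist=IP_BLACKLIST,
           conn_threshold=CONN_THRESHOLD):
    """Return {internal_src: findings} for hosts with at least one finding."""
    per_host = defaultdict(lambda: {
        "botnet_ports": set(), "blacklist_hits": set(),
        "denied": 0, "connections": set(),
    })
    for e in events:
        host = per_host[e["src"]]
        # Distinct (dst, port, proto) tuples approximate the host's concurrent
        # connections within the exported window.
        host["connections"].add((e["dst"], e["dport"], e["proto"]))
        if e["dport"] in botnet_ports:
            host["botnet_ports"].add(e["dport"])
        if e["dst"] in blacklist:
            host["blacklist_hits"].add(e["dst"])
        if e["action"] == "deny":
            host["denied"] += 1

    findings = {}
    for src, host in per_host.items():
        f = {}
        if host["botnet_ports"]:
            f["botnet_ports"] = sorted(host["botnet_ports"])
        if host["blacklist_hits"]:
            f["blacklist_hits"] = sorted(host["blacklist_hits"])
        if host["denied"]:
            f["denied_packets"] = host["denied"]
        if len(host["connections"]) > conn_threshold:
            f["concurrent_connections"] = len(host["connections"])
        if f:
            findings[src] = f
    return findings


if __name__ == "__main__":
    for src, f in sorted(triage(parse_log(FW_LOG)).items()):
        print(src, f)
```

On the constructed log, 10.10.1.13 is flagged on all three indicator checks (two botnet ports, two blacklist hits, one denied packet) and 10.10.2.99 only on connection volume; the two remaining hosts produce no findings. The per-host grouping matters because a single deny or one odd port is noise, while several indicators on one source is the host to pull for the Process Explorer and Wireshark checks on the detection slides.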
Process Explorer

Microsoft Netmon

Questions?

Ashish Shanker
ashish.shanker@synerzip.com
@ShankerAshish
+1 214.507.2843