1 The Botherd is Coming! Part II: The Technical Response. Justin Azoff, University at Albany. EDUCAUSE Live! June 21st, 2006.


1 The Botherd is Coming! Part II: The Technical Response. Justin Azoff, University at Albany. EDUCAUSE Live! June 21st, 2006

2 Early or “Why is the Internet so slow?”
● Packetshaper dying every night, why?
● Dump flows every 10 minutes to find out
  – Handful of machines with 80,000 HTTP flows and one IRC flow
● What does this mean?
  – DDoS attacks using IRC Command and Control servers (C&C's)
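The pattern on this slide, a host with a flood of HTTP flows and a single IRC flow alongside them, is easy to pick out of a flow dump mechanically. The block below is an added example, not code from the talk: it parses a constructed ten-minute flow dump (the record layout `<time> <src> <dst> <dport> <class>` and the class names `HTTP`/`IRC` are assumptions standing in for whatever the PacketShaper or NetFlow export actually emits), aggregates per source host, and flags hosts that combine an HTTP flood with at least one IRC flow. The threshold is a parameter; the talk saw about 80,000 HTTP flows per host, so any sensible cutoff is far below that.

```python
"""Flag hosts whose flow mix looks like an IRC-controlled DDoS bot.

Added example, not code from the original talk. The flow dump is constructed;
real input would come from a PacketShaper or NetFlow export. Each record is
"<time> <src> <dst> <dport> <class>", where <class> is the traffic class the
flow was assigned to (an assumed field layout).
"""
from collections import defaultdict


def _constructed_dump():
    """Build a constructed 10-minute flow window with three kinds of host."""
    lines = []
    # 10.0.5.17: 2,500 HTTP flows to one victim plus one IRC flow (bot-like)
    for i in range(2500):
        lines.append(f"12:{i // 250:02d}:{i % 60:02d} 10.0.5.17 198.51.100.9 80 HTTP")
    lines.append("12:00:00 10.0.5.17 203.0.113.5 6667 IRC")
    # 10.0.5.40: an ordinary IRC user with a little web browsing
    for i in range(30):
        lines.append(f"12:0{i % 10}:00 10.0.5.40 198.51.100.{i % 7 + 1} 80 HTTP")
    lines.append("12:03:00 10.0.5.40 203.0.113.7 6667 IRC")
    # 10.0.5.99: a busy web client, many HTTP flows but no IRC at all
    for i in range(1200):
        lines.append(f"12:0{i % 10}:00 10.0.5.99 198.51.100.{i % 50 + 1} 80 HTTP")
    return lines


SAMPLE_LINES = _constructed_dump()


def parse_flows(lines):
    """Turn dump lines into (time, src, dst, dport, class) tuples, skipping blanks/comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, cls = line.split()
        flows.append((ts, src, dst, int(dport), cls))
    return flows


def per_host_summary(flows):
    """Count HTTP and IRC flows per source, and track distinct HTTP destinations."""
    summary = defaultdict(lambda: {"HTTP": 0, "IRC": 0, "other": 0, "http_dsts": set()})
    for _ts, src, dst, _dport, cls in flows:
        host = summary[src]
        if cls == "HTTP":
            host["HTTP"] += 1
            host["http_dsts"].add(dst)
        elif cls == "IRC":
            host["IRC"] += 1
        else:
            host["other"] += 1
    return summary


def suspect_hosts(flows, http_threshold=1000):
    """Hosts with at least http_threshold HTTP flows and at least one IRC flow.

    Returns sorted (src, http_flows, irc_flows, distinct_http_dsts) tuples.
    A low distinct-destination count with a huge flow count is the DDoS signature:
    the bot hammers one victim while holding one C&C connection open.
    """
    out = []
    for src, host in per_host_summary(flows).items():
        if host["HTTP"] >= http_threshold and host["IRC"] >= 1:
            out.append((src, host["HTTP"], host["IRC"], len(host["http_dsts"])))
    return sorted(out)


if __name__ == "__main__":
    for src, http, irc, dsts in suspect_hosts(parse_flows(SAMPLE_LINES)):
        print(f"{src}: {http} HTTP flows to {dsts} destination(s), {irc} IRC flow(s)")
```

The busy web client (10.0.5.99) is not flagged because it has no IRC flow, and the ordinary IRC user (10.0.5.40) is not flagged because 30 HTTP flows is nowhere near a flood; only the host that combines both is reported, together with the fact that its traffic goes to a single destination.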

3 Port 6667 or “How not to block IRC”
● Port 6667 is the usual IRC port.
● Compromised machines are...
  – Not your usual IRC client
  – Not going to use port 6667
● But the PacketShaper recognizes IRC on any port (like an IDS would)!
  – Change the policy on all IRC classes to never-admit
  – Copy the IRC class. Restrict this class to a host list of “OK” IRC servers.

4 StnyFtpd 0wns j0 or “How do you find infected machines?”
● Ask the PacketShaper for the list of IPs that have flows in the IRC classes.
● Do a full port scan on each and fetch all the banners.
● Compare the fetched banners to a list of “bad” ones:
  – “: USERID : UNIX : ”, “StnyFtpd”, “Bot Server”
  – Any machine with one of these banners gets disconnected from the network.
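The banner step of this procedure, as an added example rather than the presenter's own tooling: `grab_banner` connects to a port on a host already flagged by the IRC class, waits briefly for whatever the service says first, and `banner_verdict` compares it with the three bad strings from the slide. To keep the example runnable offline, `start_fake_service` is a constructed stand-in for an infected host that serves a banner on 127.0.0.1; in practice the hosts and ports would come from the PacketShaper list and a port scan.

```python
"""Banner check for hosts flagged by the IRC traffic class.

Added example, not code from the original talk. The local listener is a
constructed stand-in for an infected machine so the check runs offline.
"""
import socket
import threading

# Strings from the slide that identify a bot's rogue FTP/ident service.
BAD_BANNERS = [": USERID : UNIX : ", "StnyFtpd", "Bot Server"]


def grab_banner(host, port, timeout=2.0, max_bytes=256):
    """Return the first bytes a service sends (loosely decoded), or '' on silence/refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(max_bytes)
            except socket.timeout:
                return ""  # open port, but the service waits for the client to speak first
    except OSError:
        return ""  # connection refused, unreachable, or a filtered port
    return data.decode("latin-1", errors="replace")


def banner_verdict(banner):
    """Return the bad string the banner contains, or None if nothing matched."""
    for bad in BAD_BANNERS:
        if bad in banner:
            return bad
    return None


def check_host(host, ports, timeout=2.0):
    """Grab banners on the given ports; return {port: matched_bad_string} for hits only."""
    hits = {}
    for port in ports:
        bad = banner_verdict(grab_banner(host, port, timeout))
        if bad:
            hits[port] = bad
    return hits


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in: a one-shot listener that sends `banner` and closes.

    Returns the ephemeral port it bound to so the caller can point check_host at it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode("latin-1"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    bad_port = start_fake_service("220 StnyFtpd 0wns j0\r\n")
    ok_port = start_fake_service("220 ProFTPD Server ready.\r\n")
    print(check_host("127.0.0.1", [bad_port, ok_port]))
```

A banner grab that gets nothing back is recorded as an empty string rather than an error, which matters on the next slide: once the SP2 firewall closes every port, every host looks exactly like this and the method stops producing hits.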

5 Service Pack 2 or “Where did all the hacked machines go?”
● Built-in firewall in SP2 makes port scanning useless.
● Infected machines cannot be detected by scanning – no open ports
● Clean machines, on the other hand, are much safer than before
● This means no more worms, right? :-)

6 “LOL this looks JUST like you!!” or “Social engineering applied to Gen-Y”
● With SP2, machines can't be infected from the outside
● Everyone and their mother has an AOL® Instant Messenger® account
● AIM® provides a nice platform for attackers – injects malware directly into the PC.
  – Lack of virus/malware filters
    ● Any mail service these days does this
  – No accountability from AOL®
    ● see

7 Types of botnets or “2^32 or a lot more”
● IRC bots generally come in 2 flavors
  – IP based
  – DNS based
● IP based
  – Bots have one or more C&C IP addresses embedded in them.
● DNS based
  – Bots have one or more C&C host names embedded in them.

8 IP Based Botnets or “Why DNS was invented in the first place”
● An easy game of whack-a-mole
● Shut down or block access to the IP address and the botnet dies.
● Not as popular as DNS based botnets.
● Easy to detect
  – Snort
  – Netflow

9 DNS Based Botnets or “Highly available, load balanced, redundant botnets”
● Additional level of redirection
● Bots can be configured with multiple names, each resolving to a pool of C&C's
● Shutting down a domain is harder than shutting down an IP
  – hopping between registrars.

10 You.GotPwndBy.Us or “Why you should log DNS queries”
● When DNS based bots wake up, they have to resolve the C&C hostname to an IP address.
● They will likely use your DNS servers to do so.
● Even if the botnet is shut down or dormant, they will still resolve the name.

11 200,000 queries a day or “Please make it stop!”
● How do you log DNS queries?
● Have the DNS server do it?
  – requires reconfiguration, various issues
● Sniff the packets?
  – Works, but where to put the data?
● Privacy issues?
  – what to log, and for how long?

12 DNSDB or “it mostly works”
● Snort can do it, but its db has a lot of overhead – many, many tables.
● Create a custom db instead: time, src, dst, name
● Another table to store bad names – the name, why it's bad, and whether resolving it is sufficient for suspension.
● Have the logging program only log names that appear in the “bad” table – solves privacy issues.

13 Sandboxes and VMs or “Sources of bad names”
● Watching known-infected machines
● Analysis of queries – only possible if you log all queries
  – hosts repeatedly resolving the same name
  – hosts resolving names not ending in .com, .net, .org, .edu
● Malware analysis
  – VMware etc.
  – Norman Sandbox - sandbox.norman.no
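Slides 12 and 13 describe one database with two uses, so a single added example serves both (this is not the presenter's DNSDB, just a minimal version of what the slides describe, built on SQLite). The `queries` table carries the four columns from slide 12 and `bad_names` carries the name, the reason, and a suspend flag; `log_query` in its default mode stores only names that already appear in `bad_names`, which is the privacy trade-off on slide 12, while `log_all=True` keeps everything so that the two slide-13 analyses (`repeat_resolvers`, `odd_tld_resolvers`) have data to work on. The query records are constructed; the one bad name, squid.oxxname.com, is the host from the sandbox report on the next slide, and `c2.pool.test` is a made-up name under the reserved `.test` TLD.

```python
"""DNSDB: a minimal version of the custom DNS query log from the talk.

Added example, not the presenter's code. Tables follow slide 12:
queries(time, src, dst, name) and bad_names(name, reason, suspend).
Sample queries are constructed; squid.oxxname.com is from slide 14.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS queries (
    time INTEGER NOT NULL,      -- unix seconds the query was seen
    src  TEXT    NOT NULL,      -- client that asked
    dst  TEXT    NOT NULL,      -- resolver that was asked
    name TEXT    NOT NULL       -- queried name, lower-cased, no trailing dot
);
CREATE INDEX IF NOT EXISTS queries_name ON queries(name);
CREATE TABLE IF NOT EXISTS bad_names (
    name    TEXT PRIMARY KEY,   -- C&C host name
    reason  TEXT NOT NULL,      -- where it came from (sandbox, infected host, ...)
    suspend INTEGER NOT NULL    -- 1 if resolving it alone warrants suspension
);
"""


def _norm(name):
    return name.lower().rstrip(".")


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def add_bad_name(db, name, reason, suspend):
    db.execute("INSERT OR REPLACE INTO bad_names VALUES (?, ?, ?)",
               (_norm(name), reason, int(suspend)))
    db.commit()


def log_query(db, time, src, dst, name, log_all=False):
    """Record one query; returns True if it was stored.

    With log_all=False only names present in bad_names are kept (slide 12's
    privacy mode); with log_all=True everything is kept for slide 13's analyses.
    """
    name = _norm(name)
    if not log_all:
        if db.execute("SELECT 1 FROM bad_names WHERE name = ?", (name,)).fetchone() is None:
            return False
    db.execute("INSERT INTO queries VALUES (?, ?, ?, ?)", (time, src, dst, name))
    db.commit()
    return True


def hosts_to_suspend(db):
    """Sources that resolved a name flagged suspend=1, with the name and its reason."""
    return db.execute("""
        SELECT DISTINCT q.src, q.name, b.reason
        FROM queries q JOIN bad_names b ON q.name = b.name
        WHERE b.suspend = 1 ORDER BY q.src, q.name""").fetchall()


def repeat_resolvers(db, min_count):
    """Slide 13: hosts that resolved the same name at least min_count times."""
    return db.execute("""
        SELECT src, name, COUNT(*) AS n FROM queries
        GROUP BY src, name HAVING COUNT(*) >= ? ORDER BY n DESC, src, name""",
        (min_count,)).fetchall()


def odd_tld_resolvers(db, allowed=(".com", ".net", ".org", ".edu")):
    """Slide 13: hosts resolving names whose TLD is outside the usual set."""
    rows = db.execute("SELECT DISTINCT src, name FROM queries ORDER BY src, name").fetchall()
    return [(src, name) for src, name in rows if not name.endswith(allowed)]


# Constructed query stream: (time, src, dst, name)
SAMPLE_QUERIES = [
    (1150876800, "10.0.5.17", "10.0.0.53", "squid.oxxname.com"),
    (1150876860, "10.0.5.17", "10.0.0.53", "SQUID.oxxname.com."),  # case/dot variant
    (1150876920, "10.0.5.17", "10.0.0.53", "squid.oxxname.com"),
    (1150876800, "10.0.5.40", "10.0.0.53", "www.albany.edu"),
    (1150876810, "10.0.5.40", "10.0.0.53", "irc.example.net"),
    (1150876830, "10.0.5.62", "10.0.0.53", "c2.pool.test"),  # constructed odd-TLD name
]


def demo(log_all):
    """Load the constructed stream; return (db, number_of_rows_stored)."""
    db = open_db()
    add_bad_name(db, "squid.oxxname.com", "norman sandbox report", suspend=True)
    stored = sum(log_query(db, *q, log_all=log_all) for q in SAMPLE_QUERIES)
    return db, stored


if __name__ == "__main__":
    db, stored = demo(log_all=True)
    print(stored, "queries stored")
    print("suspend:", hosts_to_suspend(db))
    print("repeat:", repeat_resolvers(db, 3))
    print("odd TLD:", odd_tld_resolvers(db))
```

Names are normalised (lower-cased, trailing dot removed) before both the lookup and the insert, otherwise a bot resolving `SQUID.oxxname.com.` would slip past the bad-names match. Run with `log_all=False` the same stream stores only the three bad-name queries and still yields the suspension list; the repeat and odd-TLD analyses only become meaningful with `log_all=True`, which is the retention trade-off slide 11 raises.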

14 Norman Sandbox or “A great resource, but proprietary”
● Runs an executable in a controlled environment and gives you a report
● Report excerpt:
    [ Changes to filesystem ]
     * Creates file C:\WINDOWS\svchost.exe.
     * Deletes file c:\sample.exe.
    ...
    [ Network services ]
     * Opens URL:
     * Connects to "squid.oxxname.com" on port 4280 (TCP).
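Turning a report like this into rows for the bad-names table is a small parsing job, shown here as an added example (not Norman's code or the presenter's). The report layout is inferred from the excerpt on the slide: section headers in square brackets, one `* ` item per line. `REPORT` is constructed in that shape; the slide's own URL did not survive, so the `Opens URL:` line carries a placeholder under the reserved `.invalid` TLD, and the second `Connects to` line with an IP literal is added to show that such entries are kept as connections but not offered as DNS names.

```python
"""Parse a Norman Sandbox-style report into structured indicators.

Added example, not Norman's or the presenter's code. REPORT is constructed
to match the layout of the excerpt on the slide; the URL is a placeholder.
"""
import ipaddress
import re
from urllib.parse import urlparse

REPORT = """\
[ Changes to filesystem ]
 * Creates file C:\\WINDOWS\\svchost.exe.
 * Deletes file c:\\sample.exe.
[ Network services ]
 * Opens URL: http://placeholder.invalid/update.txt.
 * Connects to "squid.oxxname.com" on port 4280 (TCP).
 * Connects to "192.0.2.10" on port 80 (TCP).
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ITEM_RE = re.compile(r"^\*\s+(.*?)\.?$")          # strips the report's trailing period
FILE_RE = re.compile(r"^(Creates|Deletes) file (.+)$")
URL_RE = re.compile(r"^Opens URL: (\S+)$")
CONNECT_RE = re.compile(r'^Connects to "([^"]+)" on port (\d+) \((\w+)\)$')


def parse_report(text):
    """Return {section_title: [item, ...]} in report order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return sections


def extract_indicators(sections):
    """Pull out files touched, URLs opened and (host, port, proto) connections."""
    ind = {"files_created": [], "files_deleted": [], "urls": [], "connections": []}
    for item in sections.get("Changes to filesystem", []):
        m = FILE_RE.match(item)
        if m:
            key = "files_created" if m.group(1) == "Creates" else "files_deleted"
            ind[key].append(m.group(2))
    for item in sections.get("Network services", []):
        m = URL_RE.match(item)
        if m:
            ind["urls"].append(m.group(1))
            continue
        m = CONNECT_RE.match(item)
        if m:
            ind["connections"].append((m.group(1).lower(), int(m.group(2)), m.group(3)))
    return ind


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def candidate_bad_names(ind):
    """Host names the sample contacted, as (name, reason) rows for a bad-names table.

    IP literals are skipped: a bot that hard-codes an address never asks DNS for it,
    so that indicator belongs in a firewall or flow rule instead.
    """
    names = {host for host, _port, _proto in ind["connections"]}
    for url in ind["urls"]:
        host = urlparse(url).hostname
        if host:
            names.add(host.lower())
    return sorted((n, "sandbox: contacted by sample") for n in names if not _is_ip(n))


if __name__ == "__main__":
    indicators = extract_indicators(parse_report(REPORT))
    print(indicators)
    print(candidate_bad_names(indicators))
```

The dropped file path (`C:\WINDOWS\svchost.exe`, masquerading as a system binary) is kept alongside the network indicators because it is what a host-based check would look for once the SP2 firewall has made banner scanning useless.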

15 Questions? or “huh?”
● Slides online at