
Zombie or not to be: Through the meshes of Botnets - Guillaume Lovet, AVAR 2005, Tianjin, China.


1 Zombie or not to be: Through the meshes of Botnets - Guillaume Lovet, AVAR 2005, Tianjin, China

2 Agenda
– Presentation objectives
– Introduction: a quick overview of Botnets
– Attack scenarios
– Protecting from Botnets
– Q&A

3 Presentation objectives
– Identify the threats currently posed by Botnets to companies, and recognize what to expect in the near future
– Generate consistent and effective security policies to protect against Botnets, from inside and outside the corporate network

4 Introduction
A Botnet is a network of trojanized computers, reporting to and commanded via a master server.
– Botnets have existed for years
– Recent rise in their activity
– High deleterious potential and obvious financial value
– Botnets are the number one Internet security threat today

5 Threats posed by botnets
– Critical data compromise
– Proxying (attacks, spam, phishing)
– Hosting of illegal content
– Seeding new malware
– Distributed denial of service

6 Scenario 1: The worm in the fruit
Multiple infection vectors for bots to intrude into the corporate network:
– Typical: email, web pages, IM systems
– Bypassing gateways: CD (cf. W32/YsRailee.A-tr), laptops (cf. W32/Dumador.DH)
Once a bot is inside:
– Connect back to the master server
– Receive the order to spread inside the corporate network
– Exfiltrate critical data
Conclusion: strong firewall policies and AV/IPS systems at the edge of the network are not enough

7 Scenario 2: The cyberterrorist strike
– Botnets are a perfect base from which to launch Distributed Denial of Service attacks
– Effectively protecting against DDoS is not trivial
– Companies which offer online services lose massive amounts of money if DDoSed (e.g. eBay) => blackmail and racketeering
– Ransom is officially deemed "security consulting costs"
Conclusion: the Botnet problem must be coped with at its roots; it is a bit of everyone's responsibility

8 One possible future scenario: The double-strike seed
Factors to create a successful worldwide virus outbreak:
– Size of the seeding vector
– Length of the "opportunity window"
Botnet A seeds: the new malware is mass-mailed
Botnet B extends the opportunity window: DDoS the update servers of AV vendors
Conclusion: tight update policies are not enough

9 Protecting from Botnets
Some security policies eradicate or mitigate the impact of Botnets on the company's resources. Protection must be twofold:
From the "inside", to be immune to:
– Data exfiltration
– Being a vector of cyber-criminal activities (roots of the problem)
From the "outside", to be immune to:
– Intrusion
– DoS attacks

10 Protecting from bots inside the corporate network, Pt I: Security 101
Use appropriate and consistent firewall rules:
– Goal: cut communication to the master server
– Default rule for both inbound and outbound connections: deny
– Allow only needed services for outbound connections (e.g. HTTP, SMTP, SSH)
– Enforce the use of an HTTP proxy, so that port 80 is closed for users
– Will not always be sufficient, because of an expected diversification of bot/master protocols: e.g. W32/Dumador.DH is a "full HTTP" bot, so its traffic to the master server rides the very HTTP channel the rules leave open
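The following is an added example, not part of the original slides, that models the egress policy of slide 10 as a first-match ruleset and evaluates a few constructed flows against it. The address plan (10.1.0.0/16 for users, 10.2.0.10 as the proxy, 10.2.0.20 as the mail relay, 10.2.0.30 as the admin host), the port numbers and the bot/master IPs are all assumptions chosen for illustration. It shows why the policy cuts a classic IRC bot but not a "full HTTP" bot of the Dumador kind: that bot's beacon is two ordinary HTTP hops, workstation to proxy and proxy to Internet, both of which the ruleset must allow for browsing to work at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not from the slides)
USERS = "10.1.0.0/16"   # user workstations
PROXY = "10.2.0.10/32"  # the mandatory HTTP proxy
MAIL = "10.2.0.20/32"   # outbound mail relay
ADMIN = "10.2.0.30/32"  # admin host allowed to SSH out
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Egress ruleset in the spirit of slide 10: default deny, allow only the needed
# services, and force user web traffic through the proxy (no direct port 80).
RULES: List[Rule] = [
    Rule("allow", USERS, PROXY, 3128, "users reach the web only via the proxy"),
    Rule("allow", PROXY, ANY, 80, "proxy may talk HTTP to the Internet"),
    Rule("allow", PROXY, ANY, 443, "proxy may talk HTTPS to the Internet"),
    Rule("allow", MAIL, ANY, 25, "only the relay sends SMTP"),
    Rule("allow", ADMIN, ANY, 22, "only the admin host uses SSH"),
    # no other rule: everything else falls through to the default deny
]


def decide(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation of an outbound flow; unmatched flows get the default."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action, r.note
    return default, "default " + default


def irc_bot_reaches_master(rules: List[Rule], bot_ip: str, master_ip: str, port: int = 6667) -> bool:
    """Classic IRC bot: one direct TCP connection to the master on a non-web port."""
    return decide(rules, Flow(bot_ip, master_ip, port))[0] == "allow"


def http_bot_reaches_master(rules: List[Rule], bot_ip: str, master_ip: str,
                            proxy_ip: str = "10.2.0.10") -> bool:
    """'Full HTTP' bot (the W32/Dumador.DH case on the slide): it talks to the
    configured proxy like a browser does, and the proxy fetches the master's URL.
    Both hops must be allowed for the beacon to get through."""
    to_proxy = decide(rules, Flow(bot_ip, proxy_ip, 3128))[0] == "allow"
    proxy_out = decide(rules, Flow(proxy_ip, master_ip, 80))[0] == "allow"
    return to_proxy and proxy_out


if __name__ == "__main__":
    bot, master = "10.1.5.7", "203.0.113.10"  # constructed workstation and master
    print("IRC C&C blocked?", not irc_bot_reaches_master(RULES, bot, master))
    print("direct port 80 blocked?", decide(RULES, Flow(bot, master, 80))[0] == "deny")
    print("HTTP bot still reaches master via proxy?", http_bot_reaches_master(RULES, bot, master))
```

The lesson the model makes concrete is the slide's last bullet: port-based egress filtering removes the cheap channels (IRC, direct port 80), and anything that remains has to be caught on the proxy itself (URL/domain reputation, content inspection) or by the host-side measures on the next slides.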

11 Alternate master/slave communication channel
(Slides 11 to 13 are diagrams; no text was transcribed for them.)

14 Protecting from bots inside the corporate network, Pt II: Spot 'em
Is my network hosting bots?
– Sniff outbound traffic on the gateway for keywords used in bot/master communications: .login, .scan, .status, .sysinfo
– Set up a DNS redirection to an in-house honeypot (or sinkhole) for blacklisted bot master servers => unveils the infected hosts
– Bot masters RSL (Real-Time Sinkhole List): a public server project for DNS record updates
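Both detection techniques on slide 14 are demonstrated by the added example below, which is not part of the original presentation: a keyword scan of outbound payloads for the command tokens the slide lists, and a DNS sinkhole that answers blacklisted master names with an internal address so that whoever connects to that address is an infected host. The sample flows, the blacklisted domain c2.example.net, the sinkhole address 10.255.255.1 and the 10.0.0.0/8 internal range are constructed for illustration; a real deployment would feed the same functions from a gateway capture and from the DNS server's query log.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Command keywords from slide 14; classic IRC bots prefix master commands with '.'
BOT_KEYWORDS = (".login", ".scan", ".status", ".sysinfo")
# Whole-token match, so that e.g. ".scanner" in an ordinary mail body is not flagged
KEYWORD_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(k) for k in BOT_KEYWORDS) + r")(?!\w)")

SINKHOLE_IP = "10.255.255.1"  # constructed in-house sinkhole address (assumption)


@dataclass
class Flow:
    src: str      # client IP
    dst: str      # server IP
    dport: int
    payload: str  # application-layer data seen at the gateway, as text


def find_bot_chatter(flows: Iterable[Flow], internal_net: str = "10.0.0.0/8") -> Dict[str, Set[str]]:
    """Map each internal host to the bot commands seen in its outbound payloads."""
    net = ipaddress.ip_network(internal_net)
    hits: Dict[str, Set[str]] = {}
    for f in flows:
        if ipaddress.ip_address(f.src) not in net:
            continue  # only traffic leaving the corporate network is of interest
        found = set(KEYWORD_RE.findall(f.payload))
        if found:
            hits.setdefault(f.src, set()).update(found)
    return hits


def make_sinkhole_resolver(blacklist: Iterable[str], upstream: Dict[str, str]):
    """Return resolve(name): blacklisted master names (and their subdomains) get the
    sinkhole address; everything else is answered from the 'upstream' table."""
    black = {n.lower().rstrip(".") for n in blacklist}

    def resolve(name: str):
        n = name.lower().rstrip(".")
        if n in black or any(n.endswith("." + b) for b in black):
            return SINKHOLE_IP
        return upstream.get(n)

    return resolve


def infected_hosts(connections: Iterable[Tuple[str, str, int]]) -> List[str]:
    """Any internal host that connects to the sinkhole resolved a blacklisted master."""
    return sorted({src for src, dst, _ in connections if dst == SINKHOLE_IP})


# Constructed sample traffic (not captured data): two IRC bots, one browser, one mail,
# and one inbound line from the master that the outbound filter must ignore.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 6667, "PRIVMSG #bots :.login s3cret\r\n"),
    Flow("10.1.2.3", "203.0.113.10", 6667, "PRIVMSG #bots :.scan 10.1.0.0/16 445\r\n"),
    Flow("10.1.2.9", "203.0.113.10", 6667, "PRIVMSG #bots :.sysinfo\r\n"),
    Flow("10.1.2.4", "198.51.100.7", 80, "GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("10.1.2.5", "198.51.100.8", 25, "Subject: weekly .scanner report\r\n"),
    Flow("203.0.113.10", "10.1.2.3", 6667, ":master!x@y PRIVMSG #bots :.status\r\n"),
]
BLACKLIST = ["c2.example.net"]                   # constructed master domain
UPSTREAM = {"www.example.com": "198.51.100.7"}   # constructed normal DNS data

if __name__ == "__main__":
    print("keyword hits:", find_bot_chatter(SAMPLE_FLOWS))
    resolve = make_sinkhole_resolver(BLACKLIST, UPSTREAM)
    print("irc.c2.example.net ->", resolve("irc.c2.example.net"))
    # connections logged after the DNS redirection took effect
    conns = [("10.1.2.3", SINKHOLE_IP, 6667), ("10.1.2.9", SINKHOLE_IP, 6667),
             ("10.1.2.4", "198.51.100.7", 80)]
    print("infected:", infected_hosts(conns))
```

Two practical caveats follow from the code: the keyword scan only sees cleartext, so a bot that encrypts or obfuscates its channel escapes it, and the sinkhole only catches bots that resolve their master by name, so hard-coded IPs need a route-level blackhole instead of a DNS one.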

15 Protecting from bots outside the corporate network
Sums up to protecting against known types of attacks, bots being only a vector for them:
– DDoS: some products exist, but not much can be done against an attack performed by a large botnet. Note that reactive IPS technologies can backfire on their users
– Spam: antispam & RBL
– Phishing: AV integrated into email gateways
– Malware mass-mailing: "push update" AV technology (cf. MyTob's case) combined with a 0-hour detection solution

16 Questions? Contact: glovet@fortinet.com

