Botnet Mitigation, Monitoring and Management - Harshad Patil
nullcon Goa 2010, http://nullcon.net
Agenda
- Introduction
- Why are botnets used?
- Attack vectors: where are they used?
- Taxonomy of botnets and how they operate
- Detection and prevention of botnets
- Some recent botnets
- Current botnet mitigation efforts
- Botnet monitoring
Introduction
- What are bots, botnets, botmasters, zombies, IRC and P2P?
- Three characteristic attributes of a bot: a remote control facility, the implementation of several commands, and a spreading mechanism
What is DoS? (example flow record, source: ISC)
- Duration: about an hour and 15 minutes
- Misuse: Null TCP
- IP protocol: 6 (TCP)
- TCP flags: none set ("Null TCP")
- Source IPs: 0.0.0.0/0 - very well distributed or source-spoofed
- Source ports: 0-65535 - very well distributed
- Destination: xx.xx.X.X/32 - surprise, an Undernet IRC server
- Destination port: 6667 (IRC)
Every field that would identify a client is randomized; only the target host and port stay constant, which is what makes the pattern recognizable in flow data.
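The ISC record above is a textbook signature: null-flag TCP, sources spread over the whole address and port space, one fixed destination. The following is an added example (not from the talk or from ISC) of how that pattern is picked out of flow records. The record format, the address ranges and the thresholds are constructed for the example; the attack is aimed at a hypothetical IRC server 198.51.100.7:6667 and mixed with benign IRC and HTTPS sessions that must not be flagged.

```python
"""Flag a null-flag TCP flood against a single host:port in flow records.

Added example, not from the talk or ISC.  Each input line is a constructed,
simplified NetFlow-style record:
    <src_ip> <src_port> <dst_ip> <dst_port> <proto> <tcp_flags> <packets>
tcp_flags is a string of flag letters (S, A, P, F, ...) and "-" means no
flag bits set, i.e. the "Null TCP" misuse in the ISC record.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import random


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    flags: str
    packets: int


def parse_flow(line: str) -> Flow:
    f = line.split()
    return Flow(f[0], int(f[1]), f[2], int(f[3]), int(f[4]), f[5], int(f[6]))


def detect_null_tcp_floods(flows, min_sources=100, min_port_spread=0.5):
    """Return one finding per (dst_ip, dst_port) that receives null-flag TCP
    from at least min_sources distinct source IPs whose source ports are
    spread over nearly every flow (port_spread = distinct ports / flows).

    Real clients set at least one flag and reuse a few ephemeral ports; a
    flood with every client-side field randomized and only the target
    constant is what the ISC record shows.
    """
    by_target = defaultdict(list)
    for fl in flows:
        if fl.proto == 6 and fl.flags == "-":
            by_target[(fl.dst_ip, fl.dst_port)].append(fl)

    findings = []
    for target, group in by_target.items():
        sources = {fl.src_ip for fl in group}
        if len(sources) < min_sources:
            continue
        port_spread = len({fl.src_port for fl in group}) / len(group)
        if port_spread < min_port_spread:
            continue
        findings.append({
            "target": target,
            "sources": len(sources),
            "port_spread": round(port_spread, 2),
            "packets": sum(fl.packets for fl in group),
        })
    return findings


def constructed_flows(n_attack=500, seed=1):
    """Constructed sample: a spoofed null-flag flood at an IRC server plus
    benign IRC and HTTPS sessions that must not be flagged."""
    rng = random.Random(seed)
    spoofed = set()
    while len(spoofed) < n_attack:  # distinct random source addresses
        spoofed.add(str(ipaddress.IPv4Address(rng.getrandbits(32))))
    lines = [f"{ip} {rng.randint(0, 65535)} 198.51.100.7 6667 6 - {rng.randint(1, 3)}"
             for ip in sorted(spoofed)]
    # five real IRC users: flags set, one source port each, long sessions
    lines += [f"192.0.2.{10 + i} {50000 + i} 198.51.100.7 6667 6 SAP 1200" for i in range(5)]
    # ordinary HTTPS traffic to another server
    lines += [f"192.0.2.{20 + i} {40000 + i} 203.0.113.5 443 6 SAPF 40" for i in range(30)]
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    for finding in detect_null_tcp_floods(constructed_flows()):
        print(finding)
```

The two thresholds do different jobs: the source count separates a flood from a misconfigured single host, and the port spread separates spoofed or randomized senders from a popular service that legitimately has many clients. Lowering the attack to 50 sources falls under the default threshold and produces no finding.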
Why Botnets?
- Capability of a botnet
- Botnet economy
- Self-propagation
- Robustness
- Efficiency
- Effectiveness
- Use of different encryption systems
- Advantages of P2P botnets
Attack vectors
- Spamming
- Phishing
- Click fraud (e.g. Google AdSense)
- Sniffing traffic: corporate espionage, identity theft
- Keystroke logging
- Data mining
- Manipulating online MMOGs
How they operate
- How botmasters discover new bots
- Two architectures: centralized CnC and P2P
- Communication between the bot and the botmaster
- Botnet complexity
- How they evade IDS and honeypots
CnC Architecture (diagram: botmaster -> C&C server -> bots)
P2P Architecture (diagram: botmaster, C&C, bots; the C&C role is spread over the bots themselves instead of a single server)
Concerning factors
- Complexity of the Internet
- Shortest compromise time: a few seconds
- Extradition issues and differing laws across countries
- New cryptography makes analysis and takeover harder (Conficker adopted the then-new MD6 hash function to protect its update mechanism)
Concerning factors (charts; courtesy: McAfee)
Protection, Detection, Remediation
Detection
- Collecting bot samples: Nepenthes, HoneyBow
- Observe the behaviour of bots: network-based behaviour and host-based behaviour
- BotHunter: vertical correlation - correlates the sequence of behaviours of a single host
- BotSniffer: horizontal correlation - correlates similar behaviour across hosts; works on centralized C&C botnets
- BotMiner: extension of BotSniffer with no restriction on the C&C type
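The distinction between vertical and horizontal correlation above is easiest to see in code. The following is an added example (not BotSniffer's own code) of the horizontal idea: several internal hosts contacting the same external host:port within a short window with near-identical message sizes are treated as one crowd. The log format, addresses, window and thresholds are constructed assumptions for the example; the three traffic mixes (a C&C check-in, visits to a popular HTTPS site, and a same-minute software update) are made up to show what the check catches and what it leaves alone.

```python
"""BotSniffer-style horizontal correlation over a connection log.

Added example, not BotSniffer's code.  Input lines are constructed
connection summaries:
    <ts_seconds> <internal_src_ip> <dst_ip> <dst_port> <bytes_sent>
Bots in one botnet contact the same C&C host within a short window and send
near-identical messages; humans reaching a popular server do so at unrelated
times with unrelated request sizes.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_event(line):
    ts, src, dst, dport, size = line.split()
    return int(ts), src, dst, int(dport), int(size)


def horizontal_correlate(events, window=60, min_hosts=3, max_cv=0.15):
    """Flag (dst, dport) pairs contacted by >= min_hosts distinct internal
    hosts within `window` seconds whose byte counts have coefficient of
    variation (stdev / mean) <= max_cv.  Returns {target: set_of_hosts}."""
    by_target = defaultdict(list)
    for ts, src, dst, dport, size in events:
        by_target[(dst, dport)].append((ts, src, size))

    flagged = {}
    for target, evs in by_target.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # all events at this target inside the window opened by event i
            chunk = [e for e in evs[i:] if e[0] <= start + window]
            hosts = {src for _, src, _ in chunk}
            if len(hosts) < min_hosts:
                continue
            sizes = [size for _, _, size in chunk]
            m = mean(sizes)
            cv = pstdev(sizes) / m if m else 0.0
            if cv <= max_cv:
                flagged[target] = hosts
                break
    return flagged


def constructed_log():
    """Constructed sample: one C&C crowd, one popular site, one update burst."""
    lines = []
    # six bots check in to the C&C within five seconds with ~60-byte messages
    for i, (dt, size) in enumerate([(0, 61), (1, 60), (2, 62), (3, 61), (4, 60), (5, 63)]):
        lines.append(f"{1000 + dt} 10.0.0.{11 + i} 203.0.113.9 6667 {size}")
    # eight users hit a popular HTTPS site at unrelated times and sizes
    for i, (ts, size) in enumerate([(100, 840), (700, 12500), (1300, 310), (1900, 5200),
                                    (2500, 990), (3100, 22000), (3700, 450), (4300, 7600)]):
        lines.append(f"{ts} 10.0.0.{20 + i} 198.51.100.20 443 {size}")
    # four hosts fetch updates in the same minute but with very different sizes
    for i, (dt, size) in enumerate([(0, 1200), (10, 48000), (20, 2600), (30, 15000)]):
        lines.append(f"{5000 + dt} 10.0.0.{30 + i} 192.0.2.50 443 {size}")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for target, hosts in horizontal_correlate(constructed_log()).items():
        print(target, sorted(hosts))
```

Only the IRC destination is flagged: the HTTPS site never has three hosts inside one window, and the update server does, but with byte counts far too varied to be a crowd response. The same two conditions are what restrict this approach to centralized C&C, since a P2P botnet has no single destination for hosts to converge on; that is the gap BotMiner closes by clustering on communication and activity patterns instead of a shared server.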
Protection
- Honeynets
- IDS: Snort
- Tripwire
- OurMon
- CWSandbox
Current mitigation efforts
Botnet Monitoring System
Some current cases
- Torpig
- Conficker
- A current Flash 0-day attack
Torpig details
Conclusion
- Bots pose a threat to individuals and corporate environments
- Uses: DDoS attacks, spam, theft, espionage, further intrusions, ...
- Defence: Prevention - honeypots, IPS, network analysis tools
- Detection: IDS, analysis tools
- Management: understanding security failures is much like accepting that houses catch fire, and that smoke detectors save lives