BOTNETS
Sravanthi Vattikuti, Sri Harsha Devabhaktuni

What will we cover?
• What are botnets?
• What are they used for?
• How do they work?
• Attacks
• Detection
• Prevention Methods
• Future Challenges

Botnets
• "A botnet is a large collection of well-connected compromised machines that interact to take part in some distributed task."
• Bots (Zombies)
• Botmaster (Bot herder)
• Command and Control Server (C&C)

What are they used for?
• Communication
• Resource Sharing
• Curiosity
• Fun
• Financial Gain

How do they work?
(diagram slides: bots, botmaster and C&C server)

Botnet Attacks
• Distributed Denial of Service (DDoS)
  - Disable network services by consuming bandwidth
• Information Leakage
  - Retrieve sensitive information by key logging
• Click Fraud
  - Obtain a higher click-through rate (CTR)
• Identity Fraud
  - Phishing mail

Distributed Denial of Service (DDoS)
(diagram)

Click Fraud
(diagram)

Detection Methods
• Honeypot and Honeynet
  (diagram: Attackers → Attack Data → HoneyPot; Gateway roles: Prevent, Detect, Response, Monitor)

Detection Methods
• IRC-based Detection
  - Detection based on traffic analysis
  - Detection based on anomalous activity

Detection Methods
• DNS Tracking
  - Distinguish botnets based on a similarity value
• Monitor anti-virus and firewall logs
• Use an IDS to watch for:
  - IRC/P2P/Botnet activity
  - Attacks and DoS traffic coming FROM your network

You've detected it, now what?
• Begin incident response
  - Treat it like a virus infection
• First priority is removal of the malware
• If possible, determine how it got on
  - This will help prevent further infections
• Prevent it from happening again
  - Patch, user awareness, etc.
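The two IDS checks on the detection slides above (many internal hosts rendezvousing with one IRC-style C&C endpoint, and DoS traffic coming FROM your own network) can be run over ordinary connection logs. The script below is an added example written for this page, not code from the presentation or its references. It assumes a simplified flow-log format of "timestamp src dst dport" per line, treats 10.0.0.0/8 as the internal range, and uses constructed sample lines and thresholds; in a real deployment the log parser and thresholds would be tuned to the actual firewall or NetFlow export.

```python
"""Toy botnet-activity detector over connection logs (added example).

Implements two heuristics from the detection slides:
  1. several distinct internal hosts connecting to the same external
     host:port (the IRC-style command-and-control rendezvous pattern), and
  2. one internal host emitting a burst of connections to a single
     destination (DoS traffic coming FROM your network).
Log format, internal range, thresholds and sample lines are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
IRC_PORTS = {6667, 6697}              # classic IRC ports, extra signal only


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one 'ISO-timestamp src dst dport' record (constructed format)."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def parse_log(lines: List[str]) -> List[Flow]:
    """Parse all records, skipping blank and '#' comment lines."""
    return [parse_line(ln) for ln in lines if ln.strip() and not ln.startswith("#")]


def _outbound(f: Flow) -> bool:
    """True for flows leaving the internal range (the only ones we score)."""
    return ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL


def find_rendezvous(flows: List[Flow], min_hosts: int = 3) -> List[dict]:
    """External endpoints that at least min_hosts distinct internal hosts contact."""
    by_endpoint: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if _outbound(f):
            by_endpoint[(f.dst, f.dport)].add(f.src)
    hits = []
    for (dst, dport), srcs in by_endpoint.items():
        if len(srcs) >= min_hosts:
            hits.append({"endpoint": f"{dst}:{dport}", "hosts": sorted(srcs),
                         "irc_port": dport in IRC_PORTS})
    return sorted(hits, key=lambda h: h["endpoint"])


def find_outbound_bursts(flows: List[Flow], max_per_window: int = 50,
                         window_s: int = 60) -> List[dict]:
    """Internal hosts opening max_per_window+ connections to one target
    inside a sliding window of window_s seconds: an outbound DoS indicator."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for f in flows:
        if _outbound(f):
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= max_per_window:
                hits.append({"host": src, "target": dst, "count": hi - lo + 1})
                break  # one alert per (host, target) pair is enough
    return hits


# Constructed sample log: three hosts meet at one IRC endpoint, one host
# floods a web server, plus benign and internal-only noise.
SAMPLE_LOG = [
    "# constructed flow log: timestamp src dst dport",
    "2024-03-01T12:00:01 10.0.0.5 203.0.113.7 6667",
    "2024-03-01T12:00:07 10.0.0.12 203.0.113.7 6667",
    "2024-03-01T12:00:09 10.0.0.31 203.0.113.7 6667",
    "2024-03-01T12:00:15 10.0.0.5 93.184.216.34 443",
    "2024-03-01T12:01:00 10.0.0.12 10.0.0.1 53",  # internal-to-internal, ignored
] + [f"2024-03-01T12:05:{i:02d} 10.0.0.9 198.51.100.4 80" for i in range(60)]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for hit in find_rendezvous(flows):
        print("possible C&C rendezvous:", hit)
    for hit in find_outbound_bursts(flows):
        print("possible outbound DoS:", hit)
```

Both checks score only outbound flows, so internal-to-internal chatter does not inflate the counts. The rendezvous rule fires on the number of distinct internal hosts per external endpoint rather than on the port alone, which is why the IRC port is reported as a secondary flag instead of being required; a P2P-style botnet would still surface if enough hosts share a peer.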
Botnet Prevention
• Countermeasures for the Public
  - Firewall equipment
• Countermeasures for Home Users
  - Use anti-virus
  - Pay attention while downloading
  - Back up all systems
• Countermeasures for System Administrators
  - Monitor logs regularly
  - Use a network packet sniffer
  - Isolate the malicious subnet
  - Scan individual machines

The Future of Botnets
• Attackers are going to get better
• More complicated botnets will appear
• In-depth analysis at different levels
• Flash botnets
• Hard to distinguish malicious packets from regular traffic

References
• www.korelogic.com/Resources/Presentations/botnets_issa.pdf
• Nicholas Ianelli, Aaron Hackworth, "Botnets as a Vehicle for Online Crime," Carnegie Mellon University, 2005.
• Wikipedia, "Botnet," http://en.wikipedia.org/wiki/Botnet
• R. Puri, "Bots and botnets: an overview," Tech. Rep., SANS Institute, 2003.
• Google: bots, botnets, botmaster

Questions?