Botnet 101
Aung Thu Rha Hein (g5536871)
Agenda
What is a botnet?
History of botnets
What are they used for?
How do they work?
Infection procedure
Command topologies
Communication methods
Propagation methods
Defense
    Detection methods
    Defense strategy
Conclusion
What is a botnet?
A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks.
Wikipedia
A collection of compromised computers that is slowly built up then unleashed as a DDOS attack or used to send very large quantities of spam.
WolframAlpha
History of botnets
Bots were originally used to automate tasks: IRC, IM, MUDs, online games.
They evolved into a way to automate malicious activity: sending spam, controlling a PC, propagating to new hosts, etc.
Botnets started with DoS attacks against servers, using tools such as Stacheldraht and Trinoo; later families such as Kelihos followed.
What are they used for?
DoS attacks
Spam
Phishing
Identity theft
Click fraud
Others...
How do they work?
1. The botmaster infects victims with the bot.
2. The bot connects to the C&C server using HTTP, IRC or another protocol.
3. The botmaster sends commands through the C&C server to the zombie.
4. Repeating this process, the botmaster builds a bot army controlled from a single point.
(Diagrams on these slides show the botmaster, the victims/zombies and the C&C server.)
Infection Procedure
Command Topologies
Star: bots tied to a centralized C&C server
Multi-server: same as star, but with multiple C&C servers
Hierarchical: parent bots control child bots
Random: full P2P support
Communication Methods
HTTP: easy for the attacker to blend in with normal web traffic
IRC: harder to hide compared with HTTP
Custom: makes use of new application protocols
Propagation Methods
E-mail attachments; social engineering
Trojan horses
Drive-by downloads
Scanning
    Horizontal: a single port probed across many IP addresses
    Vertical: many ports probed on a single IP address
Defense
Three main issues:
How to detect them?
How to respond to them?
How to negate the threat?
Detection Methods
No single method is sufficient; apply the "defense in depth" principle.
Methods:
Network traffic analysis (NetFlow)
Packet analysis (IDS)
Analysis of application log files (antivirus, firewall)
Honeypots
Others...
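Two of the points above, scanning as a propagation method (horizontal: one port across many hosts; vertical: many ports on one host) and NetFlow-based traffic analysis as a detection method, can be demonstrated with the same flow records. The following is an added example, not code from the original slides: it parses a constructed set of NetFlow-style records (the hosts, timestamps and the CSV layout are assumptions for illustration; the external addresses are RFC 5737 documentation ranges) and applies two heuristics, a periodic-beacon check for bots polling a C&C server over HTTP, and a horizontal/vertical scan check. The thresholds (six flows, coefficient of variation at or below 0.2, twenty distinct hosts or ports) are assumed starting points, not values from the slides.

```python
"""NetFlow-style heuristics: C&C beacon detection and scan detection.

Added example (not from the original slides). Flow records are a constructed
CSV of "timestamp,src_ip,dst_ip,dst_port,proto"; real NetFlow exports carry
more fields, but these five are enough for both checks.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _build_sample_flows():
    """Constructed sample data (hypothetical hosts) covering four behaviours."""
    lines = ["# ts,src,dst,dport,proto"]
    # 1. A bot beaconing to its HTTP C&C roughly every 60 s (slight jitter).
    for ts in (1000, 1060, 1121, 1179, 1240, 1301, 1359, 1420):
        lines.append(f"{ts},10.0.0.5,203.0.113.10,80,tcp")
    # 2. A user browsing the same site at irregular times (should NOT be flagged).
    for ts in (1005, 1012, 1130, 1131, 1500, 1502, 1900):
        lines.append(f"{ts},10.0.0.7,198.51.100.20,443,tcp")
    # 3. Horizontal scan: one source, one port (445), forty different hosts.
    for i in range(1, 41):
        lines.append(f"{2000 + i},10.0.0.9,10.0.1.{i},445,tcp")
    # 4. Vertical scan: one source, one host, thirty different ports.
    for port in range(1, 31):
        lines.append(f"{3000 + port},10.0.0.11,10.0.2.5,{port},tcp")
    return "\n".join(lines)


SAMPLE_FLOWS = _build_sample_flows()


def parse_flows(text):
    """Parse the CSV layout assumed above into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def find_beacons(flows, min_flows=6, max_cv=0.2):
    """Flag (src, dst, dport) tuples whose inter-connection gaps are nearly constant.

    A bot polling its C&C on a timer produces evenly spaced flows, so the
    coefficient of variation (stddev / mean) of the gaps is small; human
    browsing to the same host is bursty and scores high.
    """
    stamps_by_key = defaultdict(list)
    for f in flows:
        stamps_by_key[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"flows": len(stamps), "interval": avg, "cv": cv}
    return beacons


def find_scans(flows, threshold=20):
    """Horizontal: one source hitting many hosts on one port.
    Vertical: one source hitting many ports on one host."""
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst, ...}
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dport, ...}
    for f in flows:
        hosts_per_port[(f["src"], f["dport"])].add(f["dst"])
        ports_per_host[(f["src"], f["dst"])].add(f["dport"])
    return {
        "horizontal": {k: len(v) for k, v in hosts_per_port.items() if len(v) >= threshold},
        "vertical": {k: len(v) for k, v in ports_per_host.items() if len(v) >= threshold},
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, info in find_beacons(flows).items():
        print(f"beacon {key}: {info['flows']} flows, ~{info['interval']:.0f}s apart, cv={info['cv']:.3f}")
    scans = find_scans(flows)
    for (src, port), n in scans["horizontal"].items():
        print(f"horizontal scan from {src}: port {port} on {n} hosts")
    for (src, dst), n in scans["vertical"].items():
        print(f"vertical scan from {src}: {n} ports on {dst}")
```

On the constructed data only the 10.0.0.5 host is reported as a beacon (about 60 s apart), while the browsing host is rejected by the variation check; the two scanners show up as one horizontal and one vertical scan. In production the same logic runs over exported NetFlow/IPFIX records, and the thresholds need tuning against the site's own baseline, since legitimate software updaters also poll on fixed timers.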
Defense Strategy
Defense against infection by bot (DAIBB): prevent the bot from entering the system; updates and patches, security levels
Defense against attacks by bot (DAABB): prevent becoming a victim of botnet attacks; IPS, TLS, SSL
Monitoring, detection and studying of bots (MDSBB): detection methods, monitoring log files
Defense Strategy (cont.)
Education of users (EOU): raise the security awareness of users
Legislative protection (LP): legislative and punishment policies
THANK YOU!