The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
Joan Calvet, Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, Anil Somayaji
ACSAC 2010
A Presentation at Advanced Defense Lab
Outline
Introduction
Related Work
Botnet Emulation
The WALEDAC Experiment
Experiment Results
Conclusion
Introduction
Presents "in the lab" experiments involving at-scale emulated botnets.
Experiments with "in-the-wild" botnets can be problematic:
(i) Researchers need to create entities which join the botnet.
(ii) There are legal and ethical issues involved in performing such botnet research.
(iii) It is difficult to get statistically significant results.
(iv) It is not repeatable.
At-scale emulation studies, where conditions are kept as close as possible to the real world, are the best alternative to in-the-wild studies.
Introduction
In emulation experiments, botnet entities that are either identical or slightly adapted versions of their real-world counterparts are executed in controlled environments.
Such experiments allow researchers the privilege of hiding their ammunition from botnet operators until the mitigation schemes are fully developed and optimised.
Recreating in the lab an isolated version of the Waledac botnet consisting of approximately 3,000 nodes.
Related Work
The idea of using laboratory experimentation facilities for botnet research is not new:
PlanetLab
Emulab
DETER
Botnet Emulation – Design Criteria
Highly secured: an emulation platform built on an isolated cluster within highly secured facilities (floor-to-ceiling walls, reinforced doors, etc.).
Scale: virtualisation allowed researchers to have upwards of 30 virtual bots per physical machine.
Realism: the malware binaries must be identical or close to identical in functionality to those found in the wild.
Flexibility: the desire to have an emulation platform that is capable of reproducing any botnet.
Sterilisability: re-installation of VMs.
Botnet Emulation – HW and Tools
Isolated cluster (小雲)
98 blades: 4-core, 8 GB RAM, dual 136 GB SCSI disks, and a network card with 4 separate gigabit Ethernet ports for each blade.
Botnet Emulation – HW and Tools
The blades are contained in two 42U racks, and interconnected with two separate sets of switches.
Virtualisation: VMware ESX product.
Configuration and management: Extreme Cloud Administration Toolkit (xCAT)
mkvm vm[001-098]
Botnet Emulation
Capture of botnet client code, through various methods.
Gather information on the botnet: passively monitoring the botnet by observing infected machines and/or joining the botnet.
Construction of a surrogate C&C infrastructure.
Construction of a realistic operating environment for the botnet in the lab.
Determination of metrics to be measured.
Implementation of methods for measuring these metrics.
The Waledac Experiment – binary overview
A prominent botnet! First appeared in November 2008.
Mode of operation (found by reverse engineering):
P2P network infrastructure for its C&C.
4-layered C&C architecture.
Hardcoded with a list consisting of 100 to 500 contact entries for repeaters: the RList.
The Waledac Experiment - RList
Constant sharing with other peers.
[Figure: two peers' RLists, each holding up to 500 entries (e.g. entries 1 to 500 on one side, entries B3, 77, ..., 44 and 7, 38, ..., 302 on the other). Each peer selects 100 entries randomly to share; select 1 entry randomly to share the RList with.]
The Waledac Experiment - Encryption
[Figure: from a referenced paper.]
The Waledac Experiment - Emulation
Create VM templates
Add the IP of 500 repeaters to the RLists
Add script to issue commands to the VMs
Deploy the VM templates
Setup C&C server
Constitute the botnet
Setup environment
The Waledac Experiment – Mitigation Scheme
Flush the bots' RList with ours by launching a sybil attack!
Waledac bots do not check the RList they receive carefully.
If the bot is a repeater: a race condition situation arises.
If the bot is a spammer: more effective.
Experiment Results
Spam output: measured over a fixed time period, before and after we launch the attack.
Connectivity of the botnet: measure the number of NOTIFY messages the C&C server receives over a fixed time period.
Percentage of sybils in the RList: each bot dumps its RList to a file each time it is modified, and sends these files to an FTP server via the control network.
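As an added example (not code from the paper or from the Advanced Defense Lab), a small Python simulation of the RList mechanics on the slides (an RList of 500 entries, 100 picked at random per share, entries accepted without checking), with sybil peers pushing their own RList, that reports the percentage of sybil entries over time, the metric the results slide measures, and shows the race between our lists and the genuine ones repeaters keep exchanging. The merge rule (received entries go to the front, duplicates dropped, list truncated to 500) and the uniform choice of which peer a bot hears from each round are assumptions, not documented Waledac behaviour.

```python
import random

RLIST_MAX = 500    # RList size used in the slides
SHARE_SIZE = 100   # entries a bot selects at random to share (from the slides)


def make_rlist(prefix, n=RLIST_MAX):
    """Constructed sample RList: entries are opaque repeater identifiers."""
    return [f"{prefix}{i}" for i in range(n)]


def share(rlist, rng):
    """Sender picks SHARE_SIZE entries of its RList at random (slide mechanic)."""
    return rng.sample(rlist, min(SHARE_SIZE, len(rlist)))


def merge(own, received):
    """ASSUMED merge rule: received entries are trusted unchecked and put at the
    front, duplicates dropped, list truncated to RLIST_MAX."""
    return list(dict.fromkeys(received + own))[:RLIST_MAX]


def sybil_fraction(rlist):
    """Share of RList entries that point at sybil (our) nodes."""
    return sum(e.startswith("sybil-") for e in rlist) / len(rlist)


def simulate(n_repeaters, n_sybils, rounds, seed=0):
    """Return the average sybil fraction across repeaters after each round.
    Each round every repeater receives one share: from a sybil with probability
    n_sybils/(n_sybils+n_repeaters) (assumption), otherwise from a random peer.
    Peer shares may already carry sybil entries, which is what makes the
    repeater case a race between our RLists and the genuine ones."""
    rng = random.Random(seed)
    bots = [make_rlist(f"r{b}-") for b in range(n_repeaters)]   # genuine lists
    sybil_rlist = make_rlist("sybil-")                           # entirely ours
    p_sybil = n_sybils / (n_sybils + n_repeaters)
    history = []
    for _ in range(rounds):
        for b in range(n_repeaters):
            if rng.random() < p_sybil:
                bots[b] = merge(bots[b], share(sybil_rlist, rng))
            else:
                peer = rng.choice([p for p in range(n_repeaters) if p != b])
                bots[b] = merge(bots[b], share(bots[peer], rng))
        history.append(sum(map(sybil_fraction, bots)) / n_repeaters)
    return history


if __name__ == "__main__":
    for n_sybils in (0, 5, 50):
        final = simulate(n_repeaters=20, n_sybils=n_sybils, rounds=10)[-1]
        print(f"{n_sybils:3d} sybils -> {100 * final:5.1f}% sybil entries")
```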
Experiment Results
[Two slides of result figures.]
Conclusion
Using isolated security testbeds based on virtualisation.
Measure performance metrics for both the botnet and attacks against it.

BOTNET DEMO…