Slide 1: Botnet Detection Based on ICMP Infiltrations Correlation Pattern
Navaneethan C. Arjuman, PhD Candidate and MyBrain Fellow, National Advanced IPv6 Centre
February 2012
Copyright Nava 2012

Slide 2: Agenda
- Objective
- What are Botnets?
- Botnet History
- Botnet Usage
- Botnet Command and Control (C&C) Mechanism
- Botnet Classification
- Botnet Detection Techniques
- Anomaly Detection
- Correlation Techniques
- Inbound Scanning
- Proposed new area on ICMP based scanning
- Mitigation Technique
- Research Outcome

Slide 3: What are Botnets?
- An Internet Relay Chat (IRC) based command and control network of compromised hosts (bots)
- A bot is a client program that runs in the background of a compromised host
  - It watches for certain strings on an IRC channel
  - These are encoded commands for the bot
- Purpose: DoS, ID theft, phishing, keylogging, spam
  - Fun AND profit

Slide 4: Botnet History
- The first existence of botnets dates to August 1988, when IRC was invented at the University of Oulu, Finland
- 1989: First bot, GM, which assisted users in managing their own IRC connections
- May 1999: Pretty Park
  - Reported in June 1999 in Central Europe
  - Internet worm, a password-stealing trojan
- 1999: SubSeven
  - Remote-controlled trojan

Slide 5: Botnet History
- 2000: GTbot (Global Threat)
  - New capabilities: port scanning, flooding and cloning
  - Supports UDP and TCP socket connections
  - Supports an IRC server to run malicious scripts
- 2002: SDbot
  - Written by a Russian programmer by the name SD
  - 40 KB of C++ code
  - First to publish the code for hackers via a website
  - Provided e-mail and chat for support
- 2002: Agobot
  - Modular update
  - Spread through Kazaa, Grokster, etc.

Slide 6: Botnet History
- 2003: Spybot (Milkit)
  - Derived from SDbot
  - Comes with spyware capabilities
  - Spread via file sharing applications and e-mail
- 2003: Rbot
  - Backdoor trojan on IRC
  - Compromised vulnerable Microsoft shares on ports 139 and 445
  - Based on the MSRT report by Microsoft in June 2006: 1.9 million PCs affected worldwide
- 2004: PolyBot
  - Polymorphism capabilities
  - Based on Agobot

Slide 7: Botnet History
- 2005: MyBot
  - New version of SpyBot
  - Hybrid coding
  - Spread via file sharing applications and e-mail
- 2006: P2P based bots
  - 1st generation: SpamThru, Nugache, based on Gnutella file sharing
  - 2nd generation: Peacomm, pure distributed P2P
- 2007: Storm botnet
  - Truly pure P2P
  - No single point of failure
  - Provides high resilience, scalability and difficulty in tracking
- The list continues...

Slide 8: What is the latest?
- 2010: Stuxnet
  - Spreads via Microsoft Windows and targets Siemens industrial software and equipment
  - Industrial malware that spies on and subverts industrial systems
  - The malware targeted five Iranian organizations: uranium enrichment infrastructure in Iran
- September 2011: Duqu
  - Duqu is a computer worm discovered on 1st September 2011
  - Operation Duqu is the process of only using Duqu for unknown goals
- New trend: new worm and new botnet

Slide 9: Botnet Usage
- DDoS
- Spam
- Sniffing traffic
- Keylogging
- Installing advertisement add-ons and Browser Helper Objects (BHOs)
- Manipulating online polls/games
- Mass ID theft

Slide 10: Botnet Command and Control (C&C) Mechanism
From the botmaster's point of view:
- Centralized
  - Pro: easy to set up, fast command dissemination
  - Cons: easy to detect, single point of failure
- Peer-to-Peer topology
  - Pro: decentralized, not easy to detect, no single point of failure
  - Cons: not easy to set up (more complex), message delivery not guaranteed and high latency

Slide 11: Botnet Command and Control (C&C) Mechanism (continued)
- Unstructured topology: extreme peer-to-peer topology, one-to-one communication
  - Pro: easy to set up, decentralized, not easy to detect, no single point of failure
  - Cons: message delivery not guaranteed and high latency

Slide 12: Botnet Classification
Command & Control (C&C):
- IRC based: C&C using an IRC server
- HTTP based: C&C using a web server
- P2P based: C&C over a peer-to-peer protocol
- DNS based: C&C using fast-flux networks

Slide 13: Botnet Detection
- Signature based: able to detect only known bots
- Anomaly based: detects bots based on traffic anomalies
- DNS based: detects based on DNS information
- Mining based: detects based on machine learning, classification and clustering

Slide 14: Anomaly Based Detection
- Detects based on traffic anomalies such as:
  - High network latency
  - High volumes of traffic
  - Traffic on unusual ports
  - Unusual system behaviour
- Major advantage: solves the unknown-bot problem

Slide 15: Correlation Techniques
- Inbound scanning
- Exploit usage
- Egg downloading
- Outbound bot coordination dialog
- Outbound attack propagation
- Malware P2P communication

Slide 16: Scanning for recruits (VASCAN 2005, Copyright Marchany 2005)
[Diagram: black = C&C, red = scan info]

Slide 17: Bot Attack Strategy
- Recruitment of the agent network
  - Finding vulnerable systems
  - Breaking into vulnerable systems: protocol attack, middleware attack, application or resource attack
- Controlling the agent network
  - Direct, indirect commands
  - Updating malware
  - Unwitting agents

Slide 18: Finding Vulnerable Systems
- Blended threat scanning
- Program(s) that provide command & control using IRC bots
- IRC commands tell a bot (e.g. Power) to do a netblock scan
- The bot builds a list of vulnerable hosts and informs the attacker via the botnet
- The attacker gets the file and adds it to a master list

Slide 19: Inbound Scanning
There are several inbound port scanning methods available. All port scanning methods work if the target host complies with RFC 793, Transmission Control Protocol (TCP).
- Internet Control Message Protocol (ICMP)
- Transmission Control Protocol (TCP)
  - SYN
  - ACK
  - Window
  - FIN
- User Datagram Protocol (UDP)

Slide 20: Inbound Scanning (continued)
Other types (uncommon):
- X-mas and Null
- Protocol
- Proxy
- Idle
- CatSCAN

Slide 21: Why use ICMP Scanning?
Understanding ICMP based attacks: attackers prefer to do inbound scanning based on ICMP because ICMP scanning provides high-level target scanning:
- Elimination of target networks (Type 3, Code 0: Destination network unreachable)

Slide 22: Why use ICMP Scanning? (continued)
- Elimination of target hosts (Type 3, Code 1: Destination host unreachable)
- Elimination of a particular protocol (Type 3, Code 2: Destination protocol unreachable)
- Elimination of a particular port (Type 3, Code 3: Destination port unreachable)

Slide 23: Why use ICMP Scanning? (continued)
- Smaller payload: unnoticeable in terms of volume increase for detection
- More reliable replies: returned as error messages, compared to TCP and UDP

Slide 24: Understanding ICMP
Currently there are two (2) types:
- ICMPv4
- ICMPv6

Slide 25: ICMPv4
- Core protocol of the Internet Protocol Suite
- Defined under RFC 792
- Mainly used to provide error messages
- ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes
- ICMP errors are always reported to the original source IP address of the originating datagram

Slide 26: ICMPv4 - IP Datagram
- Type: ICMP type as specified below
- Code: subtype of the given type
- Checksum: error-checking data, calculated from the ICMP header + data with this field set to 0; the checksum algorithm is specified in RFC 1071
- Rest of Header: four-byte field whose contents vary with the ICMP type and code

Bits   0-7    8-15   16-23   24-31
0      Type   Code   Checksum
32     Rest of Header

Slide 27: ICMPv4 - Type
Type range: types 0 to 255
- 0 to 41: already defined
- 42 to 255: reserved
Special attention is focused on the following types:
- Type 3
- Types 9 and 10
- Types 15 and 16
- Types 17 and 18
- Types 37 and 38

Slide 28: ICMPv4 - Type 3
Below are the special codes that require main attention.
Code range:
- 0: Destination network unreachable
- 1: Destination host unreachable
- 2: Destination protocol unreachable
- 3: Destination port unreachable
- 6: Destination network unknown
- 7: Destination host unknown

Slide 29: ICMPv4 - Type 3 (continued)
- 8: Source host isolated
- 9: Network administratively prohibited
- 10: Host administratively prohibited
- 11: Network unreachable for TOS
- 12: Host unreachable for TOS
- 13: Communication administratively prohibited

Slide 30: ICMPv4 - Other Types
- Type 9, Code 0: Router Advertisement
- Type 10, Code 0: Router discovery/selection/solicitation
- Type 15, Code 0: Information Request
- Type 16, Code 0: Information Reply
- Type 17, Code 0: Address Mask Request
- Type 18, Code 0: Address Mask Reply
- Type 37, Code 0: Domain Name Request
- Type 38, Code 0: Domain Name Reply

Slide 31: ICMPv4 - ICMP Fault Monitoring Features
[Sample capture: screenshot not included in the transcript]

Slide 32: ICMPv6
- Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6)
- Defined under RFC 4443
- Mainly used for error messages
- Several extensions have been published, defining new ICMPv6 message types as well as new options for existing ICMPv6 message types
- Neighbor Discovery Protocol (NDP) is a node discovery protocol in IPv6 which replaces and enhances the functions of ARP

Slide 33: ICMPv6 (continued)
- Secure Neighbor Discovery Protocol (SEND) is an extension of NDP with extra security
- Multicast Router Discovery (MRD) allows discovery of multicast routers
- ICMPv6 messages may be classified into two categories: error messages and information messages
- ICMPv6 messages are transported by IPv6 packets in which the IPv6 Next Header value for ICMPv6 is set to 58

Slide 34: ICMPv6 - IP Datagram
- Type: ICMP type as specified below
- Code: subtype of the given type
- Checksum: error-checking data, calculated from the ICMP header + data with this field set to 0

Bit Offset   0-7    8-15   16-31
0            Type   Code   Checksum
32           Message Body

Slide 35: ICMPv6 - Type
Special attention is focused on the following types:
- Type 1
- Types 128 and 137
- Types 139 and 153

Slide 36: ICMPv6 - Type 1
Below are the special codes that require attention when scanning takes place.
Code range:
- 0: no route to destination
- 1: communication with destination administratively prohibited
- 2: beyond scope of source address
- 3: address unreachable
- 4: port unreachable

Slide 37: ICMPv6 - Type 1 (continued)
- 7: source address failed ingress/egress policy
- 8: reject route to destination

Slide 38: ICMPv6 - Other Types
- Type 128, Code 0: Echo Request
- Type 129, Code 0: Echo Reply
- Type 130, Code 0: Multicast Listener Query
- Type 133, Code 0: Router Solicitation (NDP)
- Type 134, Code 0: Router Advertisement (NDP)
- Type 135, Code 0: Neighbor Solicitation (NDP)
- Type 136, Code 0: Neighbor Advertisement (NDP)

Slide 39: ICMPv6 - Other Types (continued)
- Type 139, Codes 0 to 2: ICMP Node Information Query
- Type 140, Codes 0 to 2: ICMP Node Information Response
- Type 141, Code 0: Inverse Neighbor Discovery Solicitation Message
- Type 142, Code 0: Inverse Neighbor Discovery Advertisement Message
- Type 144, Code 0: Home Agent Address Discovery Request Message

Slide 40: ICMPv6 - Other Types (continued)
- Type 145, Code 0: Home Agent Address Discovery Reply Message
- Type 146, Codes 0 to 2: Mobile Prefix Solicitation
- Type 147, Code 0: Mobile Prefix Advertisement
- Type 151: Multicast Router Advertisement (MRD)
- Type 152: Multicast Router Solicitation (MRD)
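The header layouts on slides 26 and 34 and the type/code tables on slides 27 to 30 and 35 to 40 are what a monitoring tool has to decode before it can profile anything. The following Python is an added example written for this transcript, not code from the presentation or from iNetmon; it parses the common 8-byte ICMP header, verifies the RFC 1071 checksum over header + data with the checksum field zeroed (as the slides describe), and names the types and codes the slides single out. For ICMPv6 it also prepends the IPv6 pseudo-header that RFC 4443 requires for the checksum, which the slides do not mention; the address values and the build_icmp helper used to construct sample messages are assumptions made for the example.

```python
import struct

# Names taken from the slides: ICMPv4 (RFC 792) and ICMPv6 (RFC 4443) types and codes.
ICMPV4_TYPES = {
    3: "Destination Unreachable", 9: "Router Advertisement", 10: "Router Solicitation",
    15: "Information Request", 16: "Information Reply", 17: "Address Mask Request",
    18: "Address Mask Reply", 37: "Domain Name Request", 38: "Domain Name Reply",
}
ICMPV4_TYPE3_CODES = {
    0: "Destination network unreachable", 1: "Destination host unreachable",
    2: "Destination protocol unreachable", 3: "Destination port unreachable",
    6: "Destination network unknown", 7: "Destination host unknown",
    8: "Source host isolated", 9: "Network administratively prohibited",
    10: "Host administratively prohibited", 11: "Network unreachable for TOS",
    12: "Host unreachable for TOS", 13: "Communication administratively prohibited",
}
ICMPV6_TYPES = {
    1: "Destination Unreachable", 128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query", 133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    139: "Node Information Query", 140: "Node Information Response",
}
ICMPV6_TYPE1_CODES = {
    0: "no route to destination", 1: "communication with destination administratively prohibited",
    2: "beyond scope of source address", 3: "address unreachable", 4: "port unreachable",
    7: "source address failed ingress/egress policy", 8: "reject route to destination",
}
ICMPV6_NEXT_HEADER = 58  # IPv6 Next Header value that carries ICMPv6 (slide 33)


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, carries folded back in, then complemented (RFC 1071).
    Odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _checksum_coverage(message: bytes, version: int, src6: bytes, dst6: bytes) -> bytes:
    """Bytes the checksum covers: header + data with the checksum field zeroed (slides 26/34).
    ICMPv6 additionally prepends an IPv6 pseudo-header (RFC 4443 section 2.3): source address,
    destination address, 32-bit ICMPv6 length, three zero bytes and the Next Header value 58."""
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    if version == 4:
        return zeroed
    if len(src6) != 16 or len(dst6) != 16:
        raise ValueError("ICMPv6 checksum needs 16-byte IPv6 source and destination addresses")
    pseudo = (src6 + dst6 + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    return pseudo + zeroed


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes = b"\x00" * 4, payload: bytes = b"",
               version: int = 4, src6: bytes = b"", dst6: bytes = b"") -> bytes:
    """Assemble a message with a correct checksum; used here only to construct sample input."""
    if len(rest_of_header) != 4:
        raise ValueError("the field after the checksum is four bytes wide")
    body = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header + payload
    cksum = rfc1071_checksum(_checksum_coverage(body, version, src6, dst6))
    return body[:2] + struct.pack("!H", cksum) + body[4:]


def parse_icmp(message: bytes, version: int = 4, src6: bytes = b"", dst6: bytes = b"") -> dict:
    """Decode type, code and checksum from the common 8-byte header and name the values the
    slides list. checksum_ok is False when the recomputed checksum does not match the one carried."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum header")
    icmp_type, code, received = struct.unpack("!BBH", message[:4])
    expected = rfc1071_checksum(_checksum_coverage(message, version, src6, dst6))
    if version == 4:
        types = ICMPV4_TYPES
        codes = ICMPV4_TYPE3_CODES if icmp_type == 3 else {}
    else:
        types = ICMPV6_TYPES
        codes = ICMPV6_TYPE1_CODES if icmp_type == 1 else {}
    return {
        "version": version,
        "type": icmp_type,
        "type_name": types.get(icmp_type, "other/not listed"),
        "code": code,
        "code_name": codes.get(code, "other/not listed"),
        "checksum_ok": received == expected,
        "rest_of_header": message[4:8],  # ICMPv4 "Rest of Header"; first bytes of the ICMPv6 "Message Body"
        "payload": message[8:],
    }


if __name__ == "__main__":
    # Constructed sample: a port-unreachable reply carrying three payload bytes (odd length).
    sample = build_icmp(3, 3, payload=b"abc")
    print(parse_icmp(sample))
    # Constructed IPv6 addresses from the documentation prefix 2001:db8::/32.
    src = bytes.fromhex("20010db8" + "0" * 24)
    dst = bytes.fromhex("20010db8" + "0" * 22 + "01")
    print(parse_icmp(build_icmp(1, 4, version=6, src6=src, dst6=dst), 6, src, dst))
```

A capture tool that checks checksum_ok before counting a message filters out corrupted frames, and for ICMPv6 the pseudo-header check ties each error to the IPv6 addresses it was actually sent between.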

Slide 41: Mitigating ICMP Based Scanning Attacks
- Capturing these ICMP error messages gives a high probability that an attack is taking place
- Proposed new profiling algorithm
- Proposed new ICMP based scanning profiling application
- Need to improve the existing iNetmon ICMP default monitoring features

Slide 42: Mitigating ICMP Based Scanning Attacks (continued)
Integration with the profiling system is required to correlate with the other correlation factors, such as:
- Exploit usage
- Egg downloading
- Outbound bot coordination dialog
- Outbound attack propagation
- Malware P2P communication
There are already systems available, such as BotHunter (a SNORT based correlation engine), that do correlation for the above-mentioned correlation features.
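Slides 41 and 42 propose profiling captured ICMP error messages and feeding the result into a correlation engine. The Python below is an added example for this transcript, not the presenter's algorithm and not iNetmon or BotHunter code; it shows one way such a profiler can work from the defender's side. Because ICMP errors are always reported to the original source of the offending datagram (slide 25), the Destination Unreachable messages from slides 28, 29, 36 and 37 are grouped by the address they are reported to, and an address that collects unreachables from many distinct responders inside a short window is flagged and emitted as "inbound scan" evidence for correlation. The record format, the constructed sample lines, the addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed record format for captured ICMP error messages (not iNetmon's own output):
# <UTC timestamp> v<4|6> src=<sender of the error> dst=<host the error is reported to> type=<n> code=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) v(?P<ver>[46]) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r" type=(?P<type>\d+) code=(?P<code>\d+)$"
)


@dataclass(frozen=True)
class IcmpError:
    ts: float        # seconds since the epoch
    version: int
    src: str         # host or router that generated the error
    dst: str         # original source of the offending datagram; ICMP errors go back to it (slide 25)
    icmp_type: int
    code: int


def parse_line(line: str):
    """Return an IcmpError for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return IcmpError(ts, int(m["ver"]), m["src"], m["dst"], int(m["type"]), int(m["code"]))


# Destination Unreachable codes from slides 28-29 (ICMPv4 Type 3) and 36-37 (ICMPv6 Type 1)
UNREACHABLE_V4 = {0, 1, 2, 3, 6, 7, 8, 9, 10, 11, 12, 13}
UNREACHABLE_V6 = {0, 1, 2, 3, 4, 7, 8}


def is_unreachable(e: IcmpError) -> bool:
    return ((e.version == 4 and e.icmp_type == 3 and e.code in UNREACHABLE_V4)
            or (e.version == 6 and e.icmp_type == 1 and e.code in UNREACHABLE_V6))


def peak_distinct_responders(events, window: float) -> int:
    """Largest number of distinct error senders seen inside any sliding window of `window` seconds."""
    events = sorted(events, key=lambda e: e.ts)
    counts = defaultdict(int)
    start = peak = 0
    for e in events:
        counts[e.src] += 1
        while e.ts - events[start].ts > window:  # drop events that fell out of the window
            old = events[start].src
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        peak = max(peak, len(counts))
    return peak


def profile_icmp_errors(events, window: float = 60.0, min_responders: int = 5) -> dict:
    """Profile per reported-to address. Many distinct responders within one window is the trace a
    network-wide probe leaves; a single misdirected connection yields one responder and is not flagged."""
    by_reported_to = defaultdict(list)
    for e in events:
        if is_unreachable(e):
            by_reported_to[e.dst].append(e)
    profiles = {}
    for addr, evs in by_reported_to.items():
        peak = peak_distinct_responders(evs, window)
        profiles[addr] = {
            "errors": len(evs),
            "responders": len({e.src for e in evs}),
            "peak_responders": peak,
            "codes": sorted({(e.version, e.icmp_type, e.code) for e in evs}),
            "suspicious": peak >= min_responders,
        }
    return profiles


def profile_log(lines, **kwargs) -> dict:
    events = [e for e in map(parse_line, lines) if e is not None]
    return profile_icmp_errors(events, **kwargs)


def scan_evidence(profiles: dict):
    """One 'inbound scan' observation per suspicious address, for a correlation engine to combine
    with the other factors on slide 42 before an infection is declared."""
    return [("inbound_scan", addr, p["peak_responders"])
            for addr, p in sorted(profiles.items()) if p["suspicious"]]


# Constructed sample: eight hosts and the gateway answer a probe from 203.0.113.9 within ten seconds,
# while 198.51.100.4 receives two isolated port-unreachable replies half an hour apart.
SAMPLE_LOG = [
    f"2012-02-01T10:00:0{i}Z v4 src=10.0.0.{i + 1} dst=203.0.113.9 type=3 code=3" for i in range(8)
] + [
    "2012-02-01T10:00:08Z v4 src=10.0.0.254 dst=203.0.113.9 type=3 code=1",
    "2012-02-01T10:00:09Z v4 src=10.0.0.254 dst=203.0.113.9 type=3 code=1",
    "2012-02-01T10:05:00Z v4 src=10.0.0.20 dst=198.51.100.4 type=3 code=3",
    "2012-02-01T10:30:00Z v4 src=10.0.0.20 dst=198.51.100.4 type=3 code=3",
    "2012-02-01T10:31:00Z v4 src=10.0.0.20 dst=198.51.100.4 type=0 code=0",
    "this line is not an ICMP record",
]

if __name__ == "__main__":
    profiles = profile_log(SAMPLE_LOG)
    for addr, p in profiles.items():
        print(addr, p)
    print(scan_evidence(profiles))
```

The window and responder threshold are the tuning knobs: a shorter window with the same threshold only catches fast sweeps, which is why the profile also keeps the total responder count and the set of codes for the correlation stage to weigh.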

Slide 43: Proposed Research Outcome
- Publish papers (focus on ISI standard) and journal articles based on these techniques
- Develop the ICMP based scanning profile algorithm
- Build an ICMP based scanning profile solution (can modify Nmap and add the ICMP profiling algorithm)


Slide 46: Thank You
