Botnet Detection Based on ICMP Infiltrations Correlation Pattern

1 Botnet Detection Based on ICMP Infiltrations Correlation Pattern
Navaneethan C. Arjuman, PhD Candidate and MyBrain Fellow, National Advanced IPv6 Centre, February 2012. Copyright Nava 2012

2 Agenda
- Objective
- What are Botnets?
- Botnet History
- Botnet Usage
- Botnet Command and Control (C&C) Mechanism
- Botnet Classification
- Botnet Detection Techniques
- Anomaly Detection
- Correlation Techniques
- Inbound Scanning
- Proposed new area: ICMP-based scanning
- Mitigation Technique
- Research Outcome

3 What are Botnets?
- A command-and-control network of compromised hosts (bots); the classic form, and the one this deck starts from, is built on Internet Relay Chat (IRC)
- A bot is a client program that runs in the background of a compromised host
- It watches for particular strings on an IRC channel; these are encoded commands for the bot
- Purpose: DoS, identity theft, phishing, keylogging, spam. Fun and profit

4 Botnet History
- The story starts in August 1988, when IRC was invented at the University of Oulu, Finland
- First bot: "GM", which helped users manage their own IRC connections
- May 1999: PrettyPark, reported in June 1999 in Central Europe; an Internet worm carrying a password-stealing trojan
- 1999: SubSeven, a remote-controlled trojan

5 Botnet History
- 2000: GTbot (Global Threat)
  New capabilities: port scanning, flooding and cloning; supports UDP and TCP socket connections; uses the IRC client's scripting to run malicious scripts
- 2002: SDbot
  Written by a Russian programmer known as 'SD'; about 40 KB of C++ code; the first to publish its source for other attackers via a website, with chat-based support
- 2002: Agobot
  Modular design with updates; spread through Kazaa, Grokster and similar file-sharing networks

6 Botnet History
- 2003: Spybot (also known as Milkit)
  Derived from SDbot; adds spyware capabilities; spread via file-sharing applications
- 2003: Rbot
  IRC backdoor trojan; compromises Windows hosts through weakly protected shares on ports 139 and 445. Microsoft's MSRT report of June 2006 put the number of affected PCs worldwide in the millions
- 2004: PolyBot
  Polymorphic variant based on Agobot

7 Botnet History
- 2005: MyBot
  New version of SpyBot with hybrid coding; spread via file-sharing applications
- 2006: P2P-based bots
  1st generation: "SpamThru", "Nugache", based on the Gnutella file-sharing protocol
  2nd generation: "Peacomm", purely distributed P2P
- 2007: "Storm Botnet"
  Pure P2P with no single point of failure, giving high resilience and scalability and making it hard to track
- The list goes on...

8 What is the latest?
New trend: new worm, new botnet
- 2010: Stuxnet
  Spreads via Microsoft Windows and targets Siemens industrial software and equipment; malware that spies on and subverts industrial control systems; targeted five Iranian organisations, aimed at Iran's uranium-enrichment infrastructure
- September 2011: Duqu
  A computer worm discovered on 1 September 2011. "Operation Duqu" refers to the campaign that used Duqu; its goals remain unknown

9 Botnet Usage
- DDoS
- Spam
- Sniffing traffic
- Keylogging
- Installing advertisement add-ons and Browser Helper Objects (BHOs)
- Manipulating online polls/games
- Mass identity theft

10 Botnet Command and Control (C&C) Mechanism
From the botmaster's point of view:
- Centralized
  Pro: easy to set up, fast command dissemination
  Cons: easy to detect, single point of failure
- Peer-to-peer topology
  Pro: decentralized, harder to detect, no single point of failure
  Cons: harder to set up (more complex), message delivery not guaranteed, high latency

11 Botnet Command and Control (C&C) Mechanism (continued)
- Unstructured topology: the extreme peer-to-peer case, one-to-one communication
  Pro: easy to set up, decentralized, hard to detect, no single point of failure
  Cons: message delivery not guaranteed, high latency

12 Botnet Classification
By command and control (C&C) channel:
- IRC based: C&C through an IRC server
- HTTP based: C&C through a web server
- P2P based: C&C over a peer-to-peer protocol
- DNS based: C&C through fast-flux networks

13 Botnet Detection
- Signature based: detects only known bots
- Anomaly based: detects bots from traffic anomalies
- DNS based: detects bots from DNS information
- Mining based: detects bots with machine learning, classification and clustering

14 Anomaly Based Detection
Detect from traffic anomalies such as:
- High network latency
- High volumes of traffic
- Traffic on unusual ports
- Unusual system behaviour
Major advantage: can catch previously unknown bots

15 Correlation Techniques
Dialog phases of an infection that can be correlated into a verdict:
- Inbound scanning
- Exploit usage
- Egg downloading
- Outbound bot coordination dialog
- Outbound attack propagation
- Malware P2P communication

16 Scanning for recruits
[Figure: scanning for recruits; black arrows show C&C traffic, red arrows show scan information. Source: VASCAN 2005, Copyright Marchany 2005]

17 Bot Attack Strategy
- Recruitment of the agent network
  Finding vulnerable systems
  Breaking into vulnerable systems: protocol attack, middleware attack, application or resource attack
- Controlling the agent network
  Direct and indirect commands
  Updating the malware
  Unwitting agents

18 Finding Vulnerable Systems
- Blended threat scanning
- Program(s) that provide command and control using IRC bots
- An IRC command tells the bot (e.g. "Power") to scan a netblock
- The bot builds a list of vulnerable hosts and reports it to the attacker over the botnet
- The attacker collects the file and adds it to a master list

19 Inbound Scanning
Several inbound port-scanning methods are available:
- Internet Control Message Protocol (ICMP)
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
- TCP flag variants: SYN, ACK, Window, FIN
The TCP variants only work as intended if the target's TCP stack follows RFC 793 (Transmission Control Protocol): FIN, Window and similar scans rely on the RFC 793 rule that a closed port answers with RST while an open port stays silent, and stacks that deviate (Windows, for example, answers a FIN probe with RST whatever the port state) give misleading results. ICMP and UDP scans do not depend on RFC 793 at all; their results are read from the ICMP error messages the target or an intermediate router sends back.

20 Inbound Scanning (continued)
Other, less common types:
- Xmas and Null
- Protocol (IP protocol scan)
- Proxy
- Idle
- CatSCAN

21 Why use ICMP Scanning? Understanding ICMP Based Attacks
Attackers prefer ICMP for inbound scanning because the error codes let them eliminate targets top-down, from whole networks to single ports:
- Eliminate a whole target network: Type 3, Code 0 (destination network unreachable)

22 Why use ICMP Scanning? (continued)
- Eliminate target hosts: Type 3, Code 1 (destination host unreachable)
- Eliminate a particular protocol: Type 3, Code 2 (destination protocol unreachable)
- Eliminate a particular port: Type 3, Code 3 (destination port unreachable)

23 Why use ICMP Scanning? (continued)
- Smaller payload: the scan adds so little traffic volume that volume-based detection does not notice it
- More reliable replies: the answer is an explicit error message, whereas TCP and UDP probes often get no answer at all
Caveat for the practitioner: hosts and routers rate-limit ICMP error generation (RFC 1812 recommends it, and Linux enforces it through net.ipv4.icmp_ratelimit), and many perimeter filters drop Type 3 outright, so the absence of an error proves nothing and the error rate is only a lower bound on the probe rate. The flip side is that these same error messages are exactly what a defender's sensor should be collecting.

24 Understanding ICMP
There are currently two versions: ICMPv4 and ICMPv6

25 ICMPv4
- Core protocol of the Internet protocol suite, defined in RFC 792
- Mainly used to carry error messages; ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes
- ICMP errors are always reported to the source IP address of the datagram that caused them, and they quote that datagram's IP header plus the first 8 bytes of its payload (enough to recover the transport ports)

26 ICMPv4 - Header
Type: ICMP type, as specified on the following slides
Code: subtype of the given type
Checksum: error-checking data, calculated over the ICMP header plus data with this field set to 0; the algorithm is specified in RFC 1071
Rest of header: four-byte field whose contents vary with the ICMP type and code

Bits    0-7     8-15    16-31
0       Type    Code    Checksum
32      Rest of header

27 ICMPv4 - Type
Type range: 0 to 255
- 0 to 41: assigned
- 42 to 252: unassigned (as of 2012); 253 and 254 are reserved for experiments (RFC 4727); 255 is reserved
Special attention is given to the following types:
- Type 3
- Types 9 and 10
- Types 15 and 16
- Types 17 and 18
- Types 37 and 38

28 ICMPv4 - Type 3
Codes that need the most attention:
- 0: destination network unreachable
- 1: destination host unreachable
- 2: destination protocol unreachable
- 3: destination port unreachable
- 6: destination network unknown
- 7: destination host unknown

29 ICMPv4 - Type 3 (continued)
- 8: source host isolated
- 9: network administratively prohibited
- 10: host administratively prohibited
- 11: network unreachable for TOS
- 12: host unreachable for TOS
- 13: communication administratively prohibited

30 ICMPv4 - Other Types
- Type 9, Code 0: Router Advertisement
- Type 10, Code 0: Router Solicitation (router discovery/selection)
- Type 15, Code 0: Information Request
- Type 16, Code 0: Information Reply
- Type 17, Code 0: Address Mask Request
- Type 18, Code 0: Address Mask Reply
- Type 37, Code 0: Domain Name Request
- Type 38, Code 0: Domain Name Reply
Types 15 to 18 and 37/38 are legacy messages that modern stacks should not answer; a host that does answer them is itself revealing something about its stack (RFC 6918 formally deprecated them in 2013).

31 ICMPv4 - ICMP Fault Monitoring Features
[Figure: sample capture illustrating ICMP fault monitoring features]

32 ICMPv6
- Internet Control Message Protocol for Internet Protocol version 6 (IPv6), defined in RFC 4443
- Mainly used for error messages
- Several extensions have been published, defining new ICMPv6 message types as well as new options for existing ones
- Neighbor Discovery Protocol (NDP) is the node discovery protocol of IPv6; it replaces and enhances the functions of ARP

33 ICMPv6 (continued)
- Secure Neighbor Discovery (SEND) is an extension of NDP with added security
- Multicast Router Discovery (MRD) allows discovery of multicast routers
- ICMPv6 messages fall into two categories: error messages and informational messages
- ICMPv6 messages are carried in IPv6 packets whose Next Header value is 58

34 ICMPv6 - Header
Type: ICMP type, as specified on the following slides
Code: subtype of the given type
Checksum: error-checking data. Unlike ICMPv4, it is calculated over an IPv6 pseudo-header (source address, destination address, upper-layer packet length, Next Header = 58) followed by the ICMPv6 header and body, with this field set to 0 (RFC 4443 section 2.3). A checksum computed ICMPv4-style over the message alone will not verify.

Bit offset  0-7     8-15    16-31
0           Type    Code    Checksum
32          Message body

35 ICMPv6 - Type
Special attention is given to the following types:
- Type 1
- Types 128 to 137
- Types 139 to 153

36 ICMPv6 - Type 1
Codes that need attention when scanning takes place (RFC 4443 section 3.1):
- 0: no route to destination
- 1: communication with destination administratively prohibited
- 2: beyond scope of source address
- 3: address unreachable
- 4: port unreachable

37 ICMPv6 - Type 1 (continued)
- 5: source address failed ingress/egress policy
- 6: reject route to destination
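The header layouts on slides 26 and 34 and the Destination Unreachable code tables on slides 28, 29, 36 and 37 are the raw material a sensor has to decode before any profiling can start. The following Python is an added example written for this transcript, not code from the presentation, from BotHunter or from NAv6's iNetmon: it parses ICMPv4 Type 3 and ICMPv6 Type 1 messages, verifies the RFC 1071 checksum (with the IPv6 pseudo-header for ICMPv6, the one place where the two versions differ), and pulls the scanner's address and the probed host and port out of the quoted header. The builder functions, the addresses and the ports are constructed sample data; the ICMPv6 parser assumes the quoted packet carries no extension headers before TCP/UDP.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address
from typing import Optional

# ICMPv4 Type 3 (Destination Unreachable) codes singled out on the ICMPv4 slides
ICMPV4_UNREACH = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 6: "destination network unknown",
    7: "destination host unknown", 8: "source host isolated",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    11: "network unreachable for TOS", 12: "host unreachable for TOS",
    13: "communication administratively prohibited",
}
# ICMPv6 Type 1 (Destination Unreachable) codes, RFC 4443 section 3.1
ICMPV6_UNREACH = {
    0: "no route to destination", 1: "communication administratively prohibited",
    2: "beyond scope of source address", 3: "address unreachable",
    4: "port unreachable", 5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}

def rfc1071_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words (RFC 1071).
    Over a message whose checksum field is already filled in, a valid message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv6_pseudo_header(src: str, dst: str, length: int) -> bytes:
    """RFC 2460 section 8.1 pseudo-header: src, dst, upper-layer length, 3 zero bytes, Next Header 58."""
    return IPv6Address(src).packed + IPv6Address(dst).packed + struct.pack("!I3xB", length, 58)

@dataclass(frozen=True)
class Unreachable:
    version: int                 # 4 or 6
    code: int
    meaning: str
    probe_src: str               # who sent the probe (the scanner), from the quoted header
    probe_dst: str               # what the probe was aimed at
    probe_proto: int             # quoted IP protocol / next header
    probe_dport: Optional[int]   # destination port when the quoted payload is TCP or UDP

def parse_icmpv4_unreachable(msg: bytes) -> Optional[Unreachable]:
    """Return a record for a valid ICMPv4 Type 3 message, else None."""
    if len(msg) < 8 + 20 + 8 or rfc1071_checksum(msg) != 0:
        return None                         # truncated or corrupted: never profile garbage
    typ, code = msg[0], msg[1]
    if typ != 3:
        return None
    inner = msg[8:]                         # quoted IPv4 header + 8 bytes of original payload
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return Unreachable(4, code, ICMPV4_UNREACH.get(code, "other"), src, dst, proto, dport)

def parse_icmpv6_unreachable(msg: bytes, ip_src: str, ip_dst: str) -> Optional[Unreachable]:
    """Return a record for a valid ICMPv6 Type 1 message; the outer IPv6 addresses feed the pseudo-header."""
    pseudo = ipv6_pseudo_header(ip_src, ip_dst, len(msg))
    if len(msg) < 8 + 40 + 8 or rfc1071_checksum(pseudo + msg) != 0:
        return None
    typ, code = msg[0], msg[1]
    if typ != 1:
        return None
    inner = msg[8:]                         # quoted IPv6 header + start of the original packet
    nh = inner[6]                           # assumption: TCP/UDP follows directly, no extension headers
    src, dst = str(IPv6Address(inner[8:24])), str(IPv6Address(inner[24:40]))
    dport = struct.unpack("!H", inner[42:44])[0] if nh in (6, 17) else None
    return Unreachable(6, code, ICMPV6_UNREACH.get(code, "other"), src, dst, nh, dport)

def build_icmpv4_unreachable(code, probe_src, probe_dst, proto, sport, dport) -> bytes:
    """Constructed sample: Type 3 error quoting a 20-byte IPv4 header and a UDP-shaped 8-byte payload."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                         IPv4Address(probe_src).packed, IPv4Address(probe_dst).packed)
    quoted += struct.pack("!HHHH", sport, dport, 8, 0)
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]

def build_icmpv6_unreachable(code, ip_src, ip_dst, probe_src, probe_dst, nh, sport, dport) -> bytes:
    """Constructed sample: Type 1 error; ip_src/ip_dst are the outer addresses of the error packet itself."""
    quoted = struct.pack("!IHBB16s16s", 0x60000000, 8, nh, 64,
                         IPv6Address(probe_src).packed, IPv6Address(probe_dst).packed)
    quoted += struct.pack("!HHHH", sport, dport, 8, 0)
    body = struct.pack("!BBHI", 1, code, 0, 0) + quoted
    chk = rfc1071_checksum(ipv6_pseudo_header(ip_src, ip_dst, len(body)) + body)
    return body[:2] + struct.pack("!H", chk) + body[4:]

if __name__ == "__main__":
    # a scanner at 203.0.113.5 probed udp/1434 on 192.0.2.10 and got "port unreachable" back
    print(parse_icmpv4_unreachable(build_icmpv4_unreachable(3, "203.0.113.5", "192.0.2.10", 17, 40000, 1434)))
```

Note that the recipient of the error is the scanner and the quoted source address is, again, the scanner; the probed host only appears inside the quoted header. That is why the parser has to reach past the 8-byte ICMP header: without the quoted fields there is nothing to profile.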

38 ICMPv6 - Other Types
- Type 128, Code 0: Echo Request
- Type 129, Code 0: Echo Reply
- Type 130, Code 0: Multicast Listener Query
- Type 133, Code 0: Router Solicitation (NDP)
- Type 134, Code 0: Router Advertisement (NDP)
- Type 135, Code 0: Neighbor Solicitation (NDP)
- Type 136, Code 0: Neighbor Advertisement (NDP)

39 ICMPv6 - Other Types (continued)
- Type 139, Codes 0 to 2: ICMP Node Information Query
- Type 140, Codes 0 to 2: ICMP Node Information Response
- Type 141, Code 0: Inverse Neighbor Discovery Solicitation
- Type 142, Code 0: Inverse Neighbor Discovery Advertisement
- Type 144, Code 0: Home Agent Address Discovery Request

40 ICMPv6 - Other Types (continued)
- Type 145, Code 0: Home Agent Address Discovery Reply
- Type 146, Code 0: Mobile Prefix Solicitation
- Type 147, Code 0: Mobile Prefix Advertisement
- Type 151: Multicast Router Advertisement (MRD)
- Type 152: Multicast Router Solicitation (MRD)

41 Mitigating ICMP Based Scanning Attacks
- Capturing these ICMP error messages gives a high-probability early indicator that an attack is under way
- Proposed: a new profiling algorithm
- Proposed: a new application for profiling ICMP-based scanning
- Need to improve the existing iNetmon ICMP default monitoring features

42 Mitigating ICMP Based Scanning Attacks (continued)
Integration with a profiling system is required so that the ICMP scan evidence can be correlated with the other correlation factors:
- Exploit usage
- Egg downloading
- Outbound bot coordination dialog
- Outbound attack propagation
- Malware P2P communication
Systems that already correlate these factors exist, for example BotHunter (a Snort-based correlation engine).
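The profiling algorithm and the correlation step of slides 41 and 42 are stated as proposals. The following Python is an added example written for this transcript, not the author's algorithm, BotHunter's engine or iNetmon code: it profiles a stream of already-decoded Destination Unreachable records per recipient (the recipient of the error is the sender of the probe) and then correlates the resulting scanner identities with the other dialog phases listed above, using a paraphrase of BotHunter's published infection rule (evidence of exploit plus one outward phase, or two outward phases). The thresholds (8 distinct hosts within 60 seconds), the record format and every address and event in the sample are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One ICMP Destination Unreachable seen by a sensor. `to` is where the error is delivered
# (the original sender of the probe); probed_host/probed_port come from the quoted header.
@dataclass(frozen=True)
class IcmpError:
    ts: float
    to: str
    code: int
    probed_host: str
    probed_port: int

@dataclass
class ScanProfile:
    scanner: str
    first_ts: float
    last_ts: float
    hosts: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    codes: Dict[int, int] = field(default_factory=dict)   # code -> how many errors carried it

def profile_icmp_errors(errors: List[IcmpError], window: float = 60.0, min_hosts: int = 8) -> List[ScanProfile]:
    """A recipient that draws unreachable errors about >= min_hosts distinct hosts within `window`
    seconds is profiled as a scanner. Sliding window per recipient; the densest window is kept."""
    by_recipient: Dict[str, List[IcmpError]] = defaultdict(list)
    for e in sorted(errors, key=lambda e: e.ts):
        by_recipient[e.to].append(e)
    profiles: List[ScanProfile] = []
    for scanner, evs in by_recipient.items():
        best: List[IcmpError] = []
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            batch = evs[start:end + 1]
            if len({b.probed_host for b in batch}) > len({b.probed_host for b in best}):
                best = batch
        hosts = {b.probed_host for b in best}
        if len(hosts) >= min_hosts:
            prof = ScanProfile(scanner, best[0].ts, best[-1].ts, hosts, {b.probed_port for b in best})
            for b in best:
                prof.codes[b.code] = prof.codes.get(b.code, 0) + 1
            profiles.append(prof)
    return profiles

# Dialog phases from the Correlation Techniques slide (BotHunter's E1..E5 numbering)
E1, E2, E3, E4, E5 = "inbound_scan", "exploit", "egg_download", "cnc_dialog", "outbound_propagation"

def correlate(profiles: List[ScanProfile], events: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """events are (phase, internal_host, remote_peer) from other sensors. The verdict per host
    paraphrases BotHunter: E2 plus one of E3..E5, or any two of E3..E5. The ICMP profile adds the
    link the error messages give us: the exploit came from an address already profiled as a scanner.
    A host that answered the probe (open port, no ICMP error) never appears in the profile's host
    set, so the join has to be on scanner identity, not on the probed host."""
    scanners = {p.scanner for p in profiles}
    evidence: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for p in profiles:
        for h in p.hosts:
            evidence[h][E1].add(p.scanner)
    for phase, host, peer in events:
        evidence[host][phase].add(peer)
    verdicts: Dict[str, dict] = {}
    for host, phases in evidence.items():
        outward = [p for p in (E3, E4, E5) if phases.get(p)]
        infected = (bool(phases.get(E2)) and len(outward) >= 1) or len(outward) >= 2
        verdicts[host] = {
            "infected": infected,
            "exploit_from_known_scanner": bool(phases.get(E2, set()) & scanners),
            "phases": sorted(phases),
        }
    return verdicts

# Constructed sample: 203.0.113.5 sweeps 192.0.2.0/24 on port 445 over 11 seconds. The gateway answers
# "host unreachable" (code 1) for nine absent hosts and a filter answers "communication administratively
# prohibited" (code 13) for two more. 192.0.2.50 is live and answers the probe itself, so it produces
# no ICMP error. One stray error delivered to another address is background noise.
SAMPLE_ERRORS = [IcmpError(100.0 + i, "203.0.113.5", 1 if i < 9 else 13, f"192.0.2.{i + 1}", 445)
                 for i in range(11)] + [IcmpError(140.0, "198.51.100.50", 3, "192.0.2.40", 53)]
SAMPLE_EVENTS = [
    (E2, "192.0.2.50", "203.0.113.5"),   # exploit attempt from the scanner against the live host
    (E3, "192.0.2.50", "198.51.100.7"),  # the live host then fetches a binary
    (E4, "192.0.2.50", "198.51.100.9"),  # and starts talking to a C&C server
    (E3, "192.0.2.20", "198.51.100.7"),  # one download on its own is not enough
]

if __name__ == "__main__":
    profiles = profile_icmp_errors(SAMPLE_ERRORS)
    for p in profiles:
        print(p.scanner, len(p.hosts), "hosts", p.ports, p.codes)
    for host, v in correlate(profiles, SAMPLE_EVENTS).items():
        print(host, v)
```

The code histogram in the profile is what distinguishes the cases slides 21 to 23 describe: a run of code 0 errors means the scanner is still eliminating whole networks, code 1 means it is walking hosts, and codes 3 and 13 mean it has reached individual ports and a filtering device respectively.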

43 Proposed Research Outcome
- Publish papers (ISI-indexed) and a journal article based on these techniques
- Develop the ICMP-based scanning profile algorithm
- Build an ICMP-based scanning profile solution (Nmap can be modified to add the ICMP profiling algorithm)


46 Thank You
