Threat infrastructure: proxies, botnets, fast-flux

Botnets
Concept: "network of infected systems controlled by an administrator called the Botmaster".
Centralized infrastructure comes in three shapes:
- Basic Botmaster: a single Command and Control (C&C) server.
- Multi-server Botmaster: one Botmaster behind many C&C servers. Example: the Asprox botnet.
- Hierarchical Botmaster: a layer of proxy servers sits between the bots and the C&C servers and hides the Botmaster's location. Example: the Waledac botnet.

Botnets (centralized): proxy servers. [Figure slide; the diagram is not reproduced in the transcript.]

Botnets: Command and Control communications
- Most bots do not listen on inbound ports: a listening port is easy to scan for, and administrators (and ordinary NAT and firewall rules) block unsolicited inbound connections.
- Instead the bot initiates the connection to the C&C server itself, as outbound client traffic that blends in with legitimate sessions.
- How bots locate the C&C server: a fixed IP list (weak: the list is in the binary, and one takedown or re-addressing breaks it) or a DNS lookup of a C&C domain (reliable: the Botmaster can repoint the name at any time).
- Defense beyond anti-virus: take down the domain(s), or block resolution of them at the resolver (sinkholing). Blocking DNS only helps against the DNS-based variant, and only for domains that are already known.
- The economics of botnets.
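The bullet about bots initiating the C&C connection themselves has a detection-side consequence: a bot that polls its server on a timer produces periodic "check-in" flows. The following added example (not part of the slides) scores connection pairs in a constructed flow log by the regularity of their inter-arrival times; host names, addresses and thresholds are assumptions for illustration.

```python
"""Added example (not from the slides): flag outbound connections that recur at a
near-constant interval, the beaconing pattern of a bot that initiates contact with
its C&C server instead of listening for it. Flow records are constructed."""
import statistics
from collections import defaultdict

# Constructed flow log: (timestamp_s, src_ip, dst_ip, dst_port)
FLOWS = (
    # 10.0.0.10 contacts 203.0.113.5:443 every ~300 s with a few seconds of jitter
    [(t + (i % 3), "10.0.0.10", "203.0.113.5", 443)
     for i, t in enumerate(range(0, 3600, 300))]
    # 10.0.0.11 browses a web server at irregular, bursty intervals
    + [(t, "10.0.0.11", "198.51.100.7", 443)
       for t in (5, 9, 60, 61, 400, 405, 1900, 3400)]
    # 10.0.0.12 talks to a server only twice: too few samples to judge
    + [(100, "10.0.0.12", "198.51.100.9", 80),
       (5000, "10.0.0.12", "198.51.100.9", 80)]
)


def beacon_candidates(flows, min_connections=6, max_cv=0.2):
    """Group flows by (src, dst, port); a low coefficient of variation
    (stdev/mean) of the inter-arrival gaps means a periodic check-in."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    results = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough evidence either way
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        results[key] = {"connections": len(stamps), "interval_s": round(mean, 1),
                        "cv": round(cv, 3), "beacon": cv <= max_cv}
    return results


if __name__ == "__main__":
    for key, info in beacon_candidates(FLOWS).items():
        print(key, info)
```

Treat the output as triage, not verdict: software updaters, NTP and monitoring agents beacon too, so known-good destinations need an allow list, and a bot that randomizes its sleep interval heavily will push the coefficient of variation above the threshold.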

Botnets: decentralized (P2P) architecture
No C&C server. Commands are passed over peer-to-peer communication between the bots themselves, so there is no single server to take down.

P2P botnet stages (source: Wang et al.)
- Recruiting: P2P malware such as Gnuman, WORM_PITUPI.K and Koobface.
- Forming the botnet:
  - parasite P2P botnet: all bots are already members of an existing P2P network, and that network is used for command and control;
  - leeching P2P botnet: bots join an existing P2P network and depend on it for C&C communication;
  - bot-only P2P botnet: builds its own network in which every member is a bot, e.g. the Storm botnet and Nugache.
- Standing by for instructions (using P2P protocols): P2P file-sharing networks keep a file index that peers use to locate content. The index may be centralized (e.g. Napster), distributed over part of the nodes (e.g. Gnutella), or distributed over all or a large fraction of the nodes (e.g. Overnet). Alternatively, a bot-only P2P botnet can design its own P2P communication protocol.
- Defenses: anti-virus, plus poisoning the index (publishing bogus entries under the keys the bots search for, so lookups return junk instead of commands).
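To make the "standing by for instructions" stage and the "poison the index" defense concrete, here is an added example (not part of the slides, and not Storm's real protocol): a toy bot-only botnet whose bots and botmaster meet at a search key derived from the date, and a defender who floods that key with bogus entries, the pollution approach that Holz et al. evaluated against Storm's Overnet-based rendezvous. The key schedule, the HMAC-tagged payload format, the in-memory index and the shared secret are all simplified constructions.

```python
"""Added example (not from the slides): a toy model of a bot-only P2P botnet that
rendezvouses through a shared content index (the way Storm used Overnet keys), and
of the 'poison the index' defense. The index, key schedule and payload format are
simplified constructions, not Storm's real protocol."""
import hashlib
import hmac
import random
from collections import defaultdict

# Hypothetical shared secret baked into the bot binary; a defender who reverses
# the bot learns it together with the key schedule.
SHARED_SECRET = b"constructed-botnet-secret"


def rendezvous_key(day: str, slot: int) -> str:
    """Bots and botmaster derive the same search key from the date and a slot
    number, so no C&C address is hard-coded (hypothetical derivation)."""
    return hashlib.sha256(f"{day}:{slot}".encode()).hexdigest()[:16]


class Index:
    """Simplified shared index: key -> published values. A real DHT spreads the
    entries over many nodes and returns a bounded result set per lookup."""

    def __init__(self):
        self.entries = defaultdict(list)

    def publish(self, key, value):
        self.entries[key].append(value)

    def search(self, key, limit, rng):
        hits = self.entries.get(key, [])
        return rng.sample(hits, min(limit, len(hits)))


def make_command(text: str) -> str:
    """Botmaster tags the command with an HMAC so bots can tell it from junk."""
    tag = hmac.new(SHARED_SECRET, text.encode(), "sha256").hexdigest()[:8]
    return f"{tag}:{text}"


def valid_command(value: str) -> bool:
    tag, _, text = value.partition(":")
    expected = hmac.new(SHARED_SECRET, text.encode(), "sha256").hexdigest()[:8]
    return hmac.compare_digest(tag, expected)


def bot_fetch(index, key, rng, limit=20):
    """A bot gets at most `limit` results and keeps the first that validates."""
    for value in index.search(key, limit, rng):
        if valid_command(value):
            return value
    return None


def poison(index, key, count, rng):
    """Defender floods the rendezvous key with bogus entries so a bot's bounded
    result set is unlikely to contain the real command."""
    for _ in range(count):
        index.publish(key, f"{rng.randrange(16 ** 8):08x}:bogus")


def success_rate(bots=200, poison_count=5000, limit=20, seed=1):
    """Fraction of bots that retrieve the real command before and after poisoning."""
    rng = random.Random(seed)
    index = Index()
    key = rendezvous_key("2015-03-01", 3)
    index.publish(key, make_command("spam:template7"))
    before = sum(bot_fetch(index, key, rng, limit) is not None
                 for _ in range(bots)) / bots
    poison(index, key, poison_count, rng)
    after = sum(bot_fetch(index, key, rng, limit) is not None
                for _ in range(bots)) / bots
    return before, after


if __name__ == "__main__":
    print("share of bots that found the command before/after poisoning:",
          success_rate())
```

Two things the model makes visible: poisoning works only because the defender can compute the same keys the bots will search (reverse engineering the bot comes first), and it relies on the bot reading a bounded result set, so a botmaster can answer by raising that bound, signing commands with a key the defender cannot forge, or moving to keys the defender has not predicted.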

Fast-flux
Concept: "The ability to quickly move the location of a web, email, DNS or generally any Internet or distributed service from one or more computers connected to the Internet to a different set of computers to delay or evade detection."
- What it does: uses DNS to continually update valid domain names with A and NS records that resolve to an ever-changing set of IP addresses of infected computers (a botnet).
- The motherships: command and control servers that issue commands to the bots and add and remove IP addresses from the DNS records. By cycling the IP addresses of infected computers in and out of the records, the mothership uses whichever bots are currently online to front its content and services.
- Action: blocking individual bot IPs is pointless while the records keep rotating; to stop it, the fast-flux domain itself has to be taken down, and only the domain's registrar (or the registry) can do that.

Fast-flux (single flux in action). [Figure slide; the diagram is not reproduced in the transcript.]

Fast-flux types
- Single-flux: only the A records rotate; the authoritative name servers are static, as seen in the previous image.
- Double-flux: the NS records rotate as well, so the name servers a resolver is sent to are themselves bots relaying DNS queries to the mothership's hidden DNS server. Hydra-flux (the term these slides use) goes further with multiple motherships managing the rotating IP numbers, services and content.
- Mothership protection: the infected computers (the botnet) form a protective barrier in front of the motherships. The only visible part of the infrastructure is the bots.
- Fast-flux domains: to be able to change DNS records, the motherships need domains controlled by the attackers. Only the domain's registrar can remove access to it, and the attackers can simply register a new domain with another registrar.
- Possible uses: phishing campaigns, bot-recruiting malware, e-mail spam campaigns, etc.

Fast-flux mechanics
- The mothership and DNS: to cycle bot IP addresses past resolver caches, fast-flux domains use short TTL (time to live) values on their DNS records (minutes or less), forcing clients to query the name server frequently and receive a fresh set of A records each time.
- The bots and content: the bots act as reverse proxies. A victim connects to a bot, the bot forwards the request to the mothership and relays the malicious content hosted there back to the victim, so the mothership's address never appears in the victim's traffic.
- Multiple motherships: a single DNS server and a single mothership give defenders one point to target. Double- or hydra-flux removes that "flaw" by spreading the operation over multiple name servers, domains and motherships.
References: Wikipedia; ICANN Advisory; Detection of Fast-flux; Recently discovered; Fast-flux Primer.
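The mechanics above (short TTLs, a large and changing pool of A records, and, for double-flux, changing NS records) are exactly what a passive-DNS detector looks at. The following added example (not part of the slides) builds three constructed answer histories, a single-flux domain, a double-flux domain and a CDN-style domain that also uses a low TTL, and classifies them with the linear "fluxiness" score from Holz et al., "Measuring and Detecting Fast-Flux Service Networks" (NDSS 2008). The domain names, IP pools and prefix-to-ASN table are constructed for illustration.

```python
"""Added example (not from the slides): scoring a domain's DNS answer history for
single-flux (A records rotate behind static name servers) and double-flux (the NS
records rotate too). The answer sets and the prefix->ASN table are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Answer:
    t: int          # time of the query, seconds
    ttl: int        # TTL of the A records returned
    a: List[str]    # A records in the answer
    ns: List[str]   # NS records for the zone at that time


# Constructed /24 -> ASN map standing in for a real IP-to-ASN lookup
PREFIX_ASN: Dict[str, int] = {f"100.64.{i}": 64510 + i for i in range(8)}
PREFIX_ASN.update({"203.0.113": 64500, "198.51.100": 64501})


def asn_of(ip: str) -> int:
    return PREFIX_ASN.get(ip.rsplit(".", 1)[0], -1)


def flux_features(history: List[Answer]) -> dict:
    """Distinct A records and ASNs over the whole history, the lowest TTL seen,
    and how often the NS set changed between consecutive answers."""
    a_set = {ip for ans in history for ip in ans.a}
    asns = {asn_of(ip) for ip in a_set}
    ns_changes = sum(1 for prev, cur in zip(history, history[1:])
                     if set(prev.ns) != set(cur.ns))
    return {"unique_a": len(a_set), "unique_asn": len(asns),
            "ttl_min": min(ans.ttl for ans in history), "ns_changes": ns_changes}


def flux_score(f: dict) -> float:
    # Linear fluxiness score of Holz et al. (NDSS 2008):
    # 1.32 * nA + 18.54 * nASN, classified as flux when above 142.38
    return 1.32 * f["unique_a"] + 18.54 * f["unique_asn"]


def classify(history: List[Answer], threshold: float = 142.38) -> str:
    f = flux_features(history)
    if flux_score(f) <= threshold:
        return "not flux"
    return "double-flux" if f["ns_changes"] > 0 else "single-flux"


def _flux_answers(double: bool) -> List[Answer]:
    """Constructed history: six queries five minutes apart, five bots per answer
    drawn from eight different /24s (eight ASNs), a different set every time."""
    hist = []
    for i in range(6):
        ips = [f"100.64.{(i + j) % 8}.{10 + i}" for j in range(5)]
        ns = ([f"ns{i}.flux-example.test", f"ns{i + 1}.flux-example.test"]
              if double else ["ns1.flux-example.test", "ns2.flux-example.test"])
        hist.append(Answer(t=300 * i, ttl=180, a=ips, ns=ns))
    return hist


SINGLE_FLUX = _flux_answers(double=False)
DOUBLE_FLUX = _flux_answers(double=True)
# A CDN-style domain: low TTL as well, but a small, stable pool in two ASNs
CDN = [Answer(t=300 * i, ttl=60,
              a=[f"203.0.113.{1 + i % 2}", f"198.51.100.{1 + i % 2}"],
              ns=["ns1.cdn-example.test", "ns2.cdn-example.test"])
       for i in range(6)]


if __name__ == "__main__":
    for name, hist in (("single", SINGLE_FLUX), ("double", DOUBLE_FLUX), ("cdn", CDN)):
        print(name, flux_features(hist), round(flux_score(flux_features(hist)), 2),
              classify(hist))
```

The CDN case is the caveat worth keeping in mind: a short TTL on its own says nothing, since content delivery networks use them too. What separates a flux network is the size and heterogeneity of the address pool, many addresses across many autonomous systems, typically in consumer and dynamic ranges. Multi-CDN and anycast deployments can still push the score up, so in practice the score is combined with further evidence (address reputation, reverse-proxy behaviour, registration age of the domain) rather than used alone.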