Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat infrastructure: proxies, botnets, fast-flux

Published byNoel Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Threat infrastructure: proxies, botnets, fast-flux"— Presentation transcript:

1 Threat infrastructure: proxies, botnets, fast-flux

2 Botnets Concept “network of infected systems controlled by an administrator called Botmaster” Centralized infrastructure Basic Botmaster (only one Command and Control server) Multi-server Botmaster (one Botmaster but many C&C servers) Asprox botnet an example. Hierachical Botmaster (use Proxy servers to hide Botmaster location) Waledac botnet an example.

3 Botnets (centralized)
Proxy servers

4 Botnets Command and Control communications
Most bots do not listen on ports, because administrators could block these ports. Bots will initiate communications with C&C server to appear legitimate. How bots locate C&C server: fixed IP list (weak) and DNS lookup of the C&C server (reliable). Defense beyond anti-virus: take down the domain (s) , block DNS access (?!?!). The economics of botnets.

5 Botnets Decentralized Botnet architecture (P2P)
No C&C server, rather uses peer-to-peer communications to send commands

6 Source: Wang et al P2P Botnet stages Recruiting: P2P malware such as Gnuman , WORM_PITUPI.K , and Koobface. Forming the botnet: parasite P2P botnet: all the bots are from an existing P2P network, and it uses this available P2P network for command and control. leeching P2P botnet: bot members join an existing P2P network and depend on this P2P network for C&C communication. bot-only P2P botnet: builds its own network, all members are bots, such as Storm botnet and Nugache. Standing by for instructions (using P2P Protocols): P2P file-sharing have a file index used by peers to locate the desired content, may be centralized (e.g., Napster), distributed over part of the file-sharing nodes (e.g., Gnutella), or distributed over all or a large fraction of the nodes (e.g., Overnet). Design a new P2P communication protocol to be used in a bot-only P2P botnet. Defenses: anti-virus + poison the index

7 Fast-flux Concept “The ability to quickly move the location of a web, , DNS or generally any Internet or distributed service from one or more computers connected to the Internet to a different set of computers to delay or evade detection.” What it does: utilizes DNS to continually update valid domain names with A and NS records that resolve to an ever-changing set of of IP addresses of infected computers (a botnet). The motherships: command and control servers that issue commands to bots and add and remove IP addresses from DNS records. By cycling IP addresses of infected computers in and out of DNS records, the mothership is able to use active bots to host content and services. Action: To stop the constantly rotating IP addresses in the DNS server we need to take down the Fast-Flux domain. A domain Registrar needs to do so.

8 Fast-flux (single flux in action)

9 Fast-flux types Single-flux: utilizes static name servers to update DNS records, as seen in previous image. Double-flux and hydra-flux: include two or multiple motherships managing the rotating IP numbers, services and content. Mothership protection: The infected computers (botnet) form a protective barrier in front of the motherships. The only visible part of the attack are the bots. Fast-Flux Domains: to be able to change DNS records the motherships need to be located in Domains owned by the attackers. Only their domain Registrar can remove access to the Domain, but the Domain could easily be created in another Registrar. Possible attacks: phishing campaigns, bot recruiting malware, spam campaigns, etc.

10 Fast-flux mechanics The mothership and DNS: To cycle bot IP addresses and bypass caching features, fast-flux domains use short TTL (Time to live (TTL) values in the DNS to force clients to frequently query the name server for a new set of A addresses. The bots and content: the bots act as reverse proxies by sending requests to the mothership and relaying the malicious content hosted by the mothership. Multiple motherships: use of a single DNS server and mothership provides a single point to focus to stop the malicious action. Double or hydra flux addresses this “flaw” by providing multiple DNS, Domains, etc. References : Wikipedia, ICANN Advisory, Detection of Fast-flux, Recently discovered, Fast-flux Primer,

Download ppt "Threat infrastructure: proxies, botnets, fast-flux"

Similar presentations

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Rheeve: A Plug-n-Play Peer- to-Peer Computing Platform Wang-kee Poon and Jiannong Cao Department of Computing, The Hong Kong Polytechnic University ICDCSW.

Rheeve: A Plug-n-Play Peer- to-Peer Computing Platform Wang-kee Poon and Jiannong Cao Department of Computing, The Hong Kong Polytechnic University ICDCSW.
Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.

Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.
Peer-to-Peer Technology and Security Issues By Raul Rodriguez, Arash Zarrinbakhsh, Cynthia Roger and Phillip Shires College of Business Administration.

Peer-to-Peer Technology and Security Issues By Raul Rodriguez, Arash Zarrinbakhsh, Cynthia Roger and Phillip Shires College of Business Administration.
FRIENDS: File Retrieval In a dEcentralized Network Distribution System Steven Huang, Kevin Li Computer Science and Engineering University of California,

FRIENDS: File Retrieval In a dEcentralized Network Distribution System Steven Huang, Kevin Li Computer Science and Engineering University of California,
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.

Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Similar presentations

Ads by Google