
Slide 1: Detecting Botnets With Anomalous DNS Traffic
Wenke Lee and David Dagon
Georgia Institute of Technology, College of Computing
{wenke, dagon}@cc.gatech.edu

Slide 2: Introduction
We summarize recent work on botnet detection and response:
– One aspect of a large sinkhole study
– The "KarstNet" project
Goal: stop botnets before they attack.
– Requires sensitive detection that identifies attack networks as they form.

Slide 3: Introduction
Significant, growing problem: botnets. Collectively, attackers are stronger:
– DDoS, spam-sending armies, distributed phishing
Botnets facilitate blended attacks, and conduct lightning mass-attacks of new exploits:
"The short vulnerability-to-exploitation window makes bots particularly dangerous" -- "Emerging Cybersecurity Issues Threaten Federal Information Systems", http://www.gao.gov/cgi-bin/getrpt?GAO-05-231

Slide 4: Introduction
Botnet design goals:
– Robustness: no simple point of failure
– Mobility: Command and Control (C&C) can migrate to other networks
– Stealth: difficult to detect
Key insight:
– C&C is essential to a botnet. Without C&C, bots are just discrete, unorganized infections.

Slide 5: "The Rallying Problem"
C&C is used to "rally" victims into a network.
– If we can detect C&C, we identify the botnet.
– Our goal: detect the botnet during its formation, before it attacks (e.g., via DDoS).
Let's reason like an attacker, to learn how to identify C&C traffic. We'll compare different attacker strategies against the attacker's three design goals:
– Robustness, Mobility, Stealth

Slide 6: Naïve First Virus
Suppose we write a virus.
– We borrow from public repositories of virus source code.
– 10 minutes later, we've compiled our first VB virus.
Payload: it spreads itself by email, and prints annoying messages to the screen.
– We email it with some enticing content or other social engineering ploy.
– What happens?
[Figure: VX sends the virus out via Usenet / Email. (VX means "virus")]

Slide 7: Naïve First Virus
The virus spreads to 10k victims (easily). Congratulations, you've just graduated to the 1980s virus scene.
Let's suppose we wanted to use the victim computers, instead of just harming them.
[Figure: the virus reaches victims V1 through V9 via Usenet / Email]

Slide 8: (Still) Naïve Rallying
How can we find the victims?
– Problem: random victim propagation.
– Simple (bad) idea: victims e-mail their IP addresses.
Problems:
– Virus has to include the author's address (no stealth)
– Single point of failure (not robust)
– Virus has a hardcoded address (not mobile, if the author's e-mail account is suspended)
[Figure: VX sends the virus via Usenet / Email to V1, V2, V3; each victim mails its IP back to VX]

Slide 9: Naïve Rallying II
Another idea: the victims could post to Usenet, and the VXer could read the posts anonymously.
– We've just reinvented the early/mid 1990s VX scene.
Problems:
– Somewhat robust: a few Usenet posts get dropped; delays in posting cause DHCP victims to change IPs.
– Not stealthy: AV companies and rival VXers obtain victim information; there's a fairly public listing of who is infected.
We want packets from the victims, not Usenet posts, since packets don't usually make a lasting record.

Slide 10: Naïve Rallying III
We use one victim as a web server, and all others contact this victim. The VXer just reads the httpd logs to identify victims.
Problems:
– Not robust: single point of failure
– Not very stealthy: hard-coded C&C IP
[Figure: V1 acts as the web server; V2 and V3 report their IPs to it; the VXer collects them through a backdoor]

Slide 11: Rallying IV
Use an IRC network for rallying, with private (keyed) channels. This is the late 1990s VX scene.
Benefits:
– Robust: the IRCd hub/leaf design has no single point of failure
Problems:
– Not very stealthy (careful binary RE can discover the channel key)
– Not very mobile: once all IRCd operators ban the channel, bots are not mobile
[Figure: victims V1, V2, V3 rally on an IRC network]

Slide 12: Rallying V
Attacker uses Dynamic DNS (DDNS).
– Chooses an IRC network for victims, and updates the resource record (RR) through DDNS.
– Other robust network rallying is possible (e.g., P2P).
DDNS is used by most (95%+) of the botnets.
– Even for those using non-IRCd rallying.
[Figure: victims ask DDNS "DNS for hacker.org?", receive the RR for hacker.org, and SYN to the chosen IRC network (IRC Network 1 or IRC Network 2); the attacker moves them between networks with a DDNS update]

Slide 13: KarstNet Overview
[Figure: malware author, Dynamic DNS, the rallying box 10.0.0.1 (www.hackers.com), the victim cloud V1 through V5, and the Georgia Tech sinkhole]
1: propagate; "www.hackers.com" is coded in the malware.
2: victim asks Dynamic DNS "www.hackers.com?"
3: Dynamic DNS answers 10.0.0.1.
4: victims connect to the rallying box.
3': DNStop alert. DynDNS updates the CNAME to point to the GT sinkhole.
4': victims' connections now go to the Georgia Tech sinkhole.

Slide 14: DDNS Rallying
Note general properties of a hardcoded rallying (string) address:
– Domain name purchases use traceable financial information. Multiple 3LDs can use the DDNS service with one package deal.
– Thus: financial and stealth motives for botnet authors to "reuse" an SLD with numerous 3LDs.
Example: SLD evilhacker.org with 3LDs botnet1.evilhacker.org, botnet2.evilhacker.org, botnet3.evilhacker.org, ...

Slide 15: DNS Rallying
Also note the DNS behavior of botnets:
– After boot, bots immediately resolve their C&C. Bot DNS requests arrive exponentially, because of time zones, 9 a.m./5 p.m. schedules, etc.
– Normal DNS behavior is not exponential. Humans don't immediately check the same server seconds after boot.

Slide 16: Detection Overview
Observation #1: Rates of 3LDs within an SLD are higher for botnets.
– Easily detected when 3LD rates are factored into SLD rates.
Observation #2: The rate of DNS requests for botnet domains is exponential.
– Easily distinguished from normal DNS rate densities.

Slide 17: 3LD/SLD Detection
We define the canonical DNS rate for SLD i as:
We obtained a 2-week DNS sample from a DDNS provider and hand-identified the dozens of botnets for ground truth.

Slide 18: 3LD/SLD Detection (figure)

Slide 19: 3LD/SLD Detection
Detection via a simple threshold and inequality:

Slide 20: 3LD/SLD Detection
Assumptions:
– DDNS providers tend to have few 3LDs per customer:
  Financial disincentives for web design (changes require DNS updates)
  Subdirectories are easier to create (HTML skills vs. DNS skills)
  Customers expect SLDs
Example: subdirectories somebusiness.com/products and somebusiness.com/orders, versus 3LDs products.somebusiness.com/ and orders.somebusiness.com/.
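The following is an added example, not code from the slides or the KarstNet project, showing how Observation #1 (slides 14 through 20) could be checked over a DDNS query log: group lookups by SLD, count the distinct 3LDs under each SLD, and weight the SLD's lookup rate by that count. The scoring rule, the 12-hour window, the threshold of 1.0 and the sample log are all assumptions for illustration; the slides' own canonical rate formula is not reproduced in this transcript.

```python
"""3LD/SLD detection over a DDNS query log (added illustration, not the paper's code).

The scoring rule (lookups per hour for an SLD, multiplied by the number of
distinct 3LDs seen under it) is a hypothetical stand-in for the slides'
canonical rate, which this transcript does not reproduce.
"""
from collections import defaultdict

# Constructed sample: (seconds since window start, queried name).
# evilhacker.example reuses one SLD with several 3LDs, as the slides describe;
# the other two SLDs look like ordinary DDNS customers with one name each.
SAMPLE_LOG = [
    (0, "botnet1.evilhacker.example"),
    (5, "botnet2.evilhacker.example"),
    (9, "botnet3.evilhacker.example"),
    (12, "botnet1.evilhacker.example"),
    (30, "botnet4.evilhacker.example"),
    (40, "botnet2.evilhacker.example"),
    (100, "www.somebusiness.example"),
    (3000, "www.somebusiness.example"),
    (7000, "home.otheruser.example"),
]
WINDOW_HOURS = 12.0  # assumed observation window


def split_name(qname):
    """Return (sld, 3ld) for a queried name; a bare SLD yields 3ld == ''."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {qname!r}")
    sld = ".".join(labels[-2:])
    third = labels[-3] if len(labels) >= 3 else ""
    return sld, third


def sld_stats(log):
    """Per SLD: (total lookups, set of distinct 3LDs queried under it)."""
    counts = defaultdict(int)
    thirds = defaultdict(set)
    for _ts, qname in log:
        sld, third = split_name(qname)
        counts[sld] += 1
        if third:
            thirds[sld].add(third)
    return {sld: (counts[sld], thirds[sld]) for sld in counts}


def adjusted_rate(lookups, distinct_3lds, window_hours=WINDOW_HOURS):
    """Hypothetical 3LD-adjusted rate: lookups per hour weighted by 3LD count."""
    return (lookups / window_hours) * max(1, distinct_3lds)


def flag_slds(log, threshold=1.0, window_hours=WINDOW_HOURS):
    """SLDs whose adjusted rate exceeds the (assumed) threshold, highest first.

    Each entry is (sld, adjusted_rate rounded to 3 places, distinct 3LD count).
    """
    scored = []
    for sld, (lookups, thirds) in sld_stats(log).items():
        score = adjusted_rate(lookups, len(thirds), window_hours)
        if score > threshold:
            scored.append((sld, round(score, 3), len(thirds)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for sld, score, n3 in flag_slds(SAMPLE_LOG):
        print(f"{sld:28s} adjusted_rate={score:<8} distinct_3LDs={n3}")
```

On the constructed log only evilhacker.example is flagged: six lookups spread over four 3LDs give an adjusted rate of 2.0, while the single-name customers stay well under the threshold even though one of them is looked up more than once. In a real deployment the threshold would be set from the provider's own ground truth, as slide 17 describes.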

Slide 21: Rate Detection
Most victim (home) computers are turned on/off periodically.
– (Note the strong diurnal pattern.)
A second detection layer:
– Take DNS rates for all hosts, and sort by lookups per time unit for a small (e.g., 12 hour) window.
– The botnet hosts have exponential "spikes" as victims rally.
– Normal traffic is smoother (Poisson arrival).
[Figure: activity (SYN rate) of a large 350K+ member botnet]

Slide 22: Rate Detection
Differentiate densities with various measures:
– Mahalanobis distance
– K-S distance
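As an added example for slides 21 and 22 (not code from the slides or the project), the block below ranks queried names over a 12-hour window by how far their lookup-time distribution sits from smooth traffic, using a one-sample Kolmogorov-Smirnov distance. The reference distribution (uniform in time over the window), the 0.5 flagging threshold and the two constructed lookup series are assumptions; the slides name K-S distance but give no parameters, and the Mahalanobis measure is not shown here.

```python
"""Rate-density detection over a 12-hour window (added illustration, not the paper's code).

Each name's lookup timestamps are compared against a smooth, uniform-in-time
reference with the one-sample K-S distance D = sup |F_n(t) - t/window|.
A rally burst packs lookups into a few minutes and sits far from uniform;
steady lookups sit close to it. The reference and threshold are assumptions.
"""

WINDOW_SECONDS = 12 * 3600

# Constructed lookups: seconds since window start, per queried name.
# "steady.example": one lookup every 10 minutes across the whole window.
# "rally.evilhacker.example": 72 lookups crammed into the first 20 minutes.
SAMPLE_LOOKUPS = {
    "steady.example": [i * 600 for i in range(72)],
    "rally.evilhacker.example": [int(i * 1200 / 72) for i in range(72)],
}


def ks_distance_from_uniform(times, window=WINDOW_SECONDS):
    """One-sample K-S statistic between the empirical CDF of lookup times and uniform."""
    if not times:
        raise ValueError("no lookups in window")
    xs = sorted(times)
    n = len(xs)
    d = 0.0
    for i, t in enumerate(xs):
        ref = min(max(t / window, 0.0), 1.0)
        # The empirical CDF jumps at each sample: check just before and at the jump.
        d = max(d, abs(i / n - ref), abs((i + 1) / n - ref))
    return d


def hourly_rates(times, window=WINDOW_SECONDS):
    """Lookups per one-hour bin across the window (the slides' lookups/time unit)."""
    bins = [0] * (window // 3600)
    for t in times:
        if 0 <= t < window:
            bins[t // 3600] += 1
    return bins


def rank_by_burstiness(lookups, window=WINDOW_SECONDS):
    """Sort names by K-S distance from uniform, most burst-like first."""
    ranked = [
        (name, round(ks_distance_from_uniform(ts, window), 3))
        for name, ts in lookups.items()
    ]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def flag_bursty(lookups, threshold=0.5, window=WINDOW_SECONDS):
    """Names whose distance from smooth traffic exceeds the assumed threshold."""
    return [name for name, d in rank_by_burstiness(lookups, window) if d > threshold]


if __name__ == "__main__":
    for name, d in rank_by_burstiness(SAMPLE_LOOKUPS):
        print(f"{name:28s} KS={d:<6} hourly={hourly_rates(SAMPLE_LOOKUPS[name])}")
    print("flagged:", flag_bursty(SAMPLE_LOOKUPS))
```

The steady name scores about 0.014 (one lookup every ten minutes is as close to uniform as 72 samples get), while the rally burst scores about 0.973 because nearly all of its mass sits in the first 2.7% of the window. A uniform reference is a crude stand-in for the Poisson, diurnal baseline the slides describe; a production version would compare against the provider's own measured normal density rather than a flat one.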

Slide 23: Assumptions
DNS rates for DDNS providers differ from other networks.
– These detection techniques are specific to DDNS providers.
– Currently, most (95%+) of studied botnets use DDNS.

Slide 24: Response
We've focused on detection, so we'll just note response options:
– Recording victim IPs (blacklist routing)
– Contacting upstream ISPs
– Sinkholing: the DDNS provider offers an RR of the sinkhole IP

Slide 25: (Other Work)
Time permits only brief mention of other benefits:
– Accurate propagation models based on actual data: a first!
– Rank ordering of malware importance, based on expected propagation rates.
– Design of next-generation proxypots and honeypots.

Slide 26: Conclusion
Botnets: a significant problem.
Goal: detect the victim cloud prior to botnet attacks (e.g., DDoS).
Insight: botnets must use C&C.
Detection:
– For DDNS, detection is possible with 3LD/SLD-adjusted rates and sorted rate densities.

