State of the art and challenges

Transcription

1 Advanced Monitoring in P2P Botnets State of the art and challenges Kami Memimpin We Lead Kami Memimpin We Lead

2 About Me Dr. Shankar Karuppayah Senior Lecturer (NAv6) Universiti Sains Malaysia (USM) Research Interests: Cybersecurity, Malware and IoT PhD in Cyber Security (TU Darmstadt, Germany) MSc. Software Systems Engineering (KMUTNB, Thailand) BSc. (HONS) Computer Science (USM, Malaysia) Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 2

3 BOTNETS Web Server Botmaster DDoS traffic peaked at 1.7TBps in 2018 [Memcached Amplification, 2018] ZeroAccess DDoS: Crooks can milk '$100k a day' from 1-million-zombie [The Register, Sept-2012] Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 3

4 WHY MONITOR? Botmaster Enumerate infected machines Infection cleanup Alert stakeholders, e.g., ISPs Identify control infrastructure(s) Arrest the botmaster Takedown servers Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 4

5 ARCHITECTURES C2 Server Botmaster Centralized Uses Command and Control (C2) servers Single point of failure / monitoring Distributed (P2P) No C2 servers / No centralized monitoring Bots (inter)connected via an overlay Hop-by-hop command dissemination Resilient to node failures and attacks Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 5

6 P2P BOTNETS Superpeers A B E D F J C No. Bot D 1 E 2 F 3 GI Router Neighbor Non-Superpeers Firewall *The size of an NL ranges between entries Non-superpeers rely on superpeers H G Membership Maintenance (MM) mechanism Ensures overlay remains connected Periodically maintains a Neighborlist (NL) Probes responsiveness of neighbors every MM-interval (256 sec up to 40 min) Update/Replace entries as needed Request additional neighbors Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 6 I

7 Common Monitoring Techniques P2P BOTNET MONITORING Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 7

8 REVERSE ENGINEERING Protocols Probe Probe-Reply Seed list NL-Req NL-Rep : : First and foremost, reverse engineer a malware: Obtain a binary, e.g, VirusTotal or an infected machine. Reverse engineer using tools like IDA Pro and OllyDbg Overcome code obfuscation and virtualization environment detection techniques Discover and understand: MM-mechanism and its communication protocol (sending requests/parsing replies) Seed list embedded in the binary Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 8

9 CRAWLING Protocols A B E Seed list D F J C Router G NL-Req B Non-Superpeers E H Crawlers mimic bots in need of neighbors to: Enumerate bots (mostly superpeers) Discover interconnectivity of bots I A C D F G Drawback: Non-superpeers not reachable (60-90% of bots) Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 9

10 SENSORS Superpeers Protocols A B S E Probe-Reply D F J C Router Non-Superpeers H G Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 10 I Sensors mimic reliable and stable superpeers to: Enumerate both superpeers and non-superpeers Reliably respond to MM probing messages Become popular among other bots Hide among bots Drawback: Sensors are stealthier than crawlers, No connectivity Andriesse information et al., 2015

11 Challenges in Monitoring P2P BOTNET MONITORING Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 11

12 Categories of Challenges Dynamic Nature of P2P Botnets Unknown Activities Anti-Monitoring Countermeasures Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 12

13 DYNAMIC NATURE Inherit properties of regular P2P networks. Dynamic IP address allocation pools, (e.g., ISPs, DHCP) High churn rate and diurnal effects Network/security devices, e.g., NAT, Firewall About > 90% Absence nodes are of unique identifiers NOT reachable Owh WOW! Okay Cool! via Only > 12,000 about crawling bots < ~1,400 in 7 days! bots Over/under estimating multiple nodes behind same IP We are under-estimating Sality V3 Crawling (7-days) 690 >= Total_bots <= 1,447 Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 13

14 Categories of Major Challenges Dynamic Nature of P2P Botnets Unknown Activities Anti-Monitoring Countermeasures Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 14

15 Geo-IP location of other researchers/parties crawling in Sality V3 on 1 st April 2015 Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 15

16 UNKNOWN ACTIVITIES Many third-parties snooping around P2P botnets Introduce a lot of noise from their activities Attacks (e.g., Neighbor list poisoning, sybil attacks) Spoofing of invalid addresses/ids Over-estimation prone to happen Aggressive monitoring Requests as high as 15 request/min (consistent and constant rate, 24x7) Generate random IDs on-the-fly Artificial nodes Low/high uptime Skew churn measurements Stress-test our crawlers and sensors Malformed packets / commands / contents: Require a LOT of bug-fixing! Testing our system s assumptions: Replay REAL commands Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 16

17 Categories of Major Challenges Dynamic Nature of P2P Botnets Unknown Activities Anti-Monitoring Countermeasures Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 17

18 ANTI-MONITORING COUNTERMEASURES Try to get into NL of D FULL D Is this bot If yes, contacting blacklist me too frequently? this bot NL is full and all neighbors are having positive F reputation E J Crawler Bot goes offline before crawling Challenges in crawling: Delay introduces noise in crawl data Botnet anti-crawling countermeasures: 1. Restricted NL-reply mechanisms Disclosing only a subset of neighbors 2. Automated blacklisting mechanisms Force crawlers to rate-limit their crawl frequency G I Challenges in deploying sensors: Local reputation mechanism E (Sality) Prefer existing neighbors than newly F discovered ones D G I Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 18

19 (Selected) Botnet Anti-Monitoring Mechanisms 1. Blacklisting (P2P Zeus) Crawlers contacting bots too aggressively (>6 request / min) 2. Local reputation mechanism (Sality) Older bots are preferred over newer bots (Could even be > 7 years old) 3. Restricted NL return size (P2P Zeus, Sality, ZeroAccess) Only a subset of neighbors returned for every request P2P Zeus = 10/50 (XOR-metric based selection mechanism) Sality = 1/1000 ZeroAccess = 16/ Restricted Subnet/Address (P2P Zeus, Sality, ZeroAccess) One entry for a /20 subnet Non-duplicate IP address Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 19

20 State of the art P2P BOTNET MONITORING Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 20

21 (Selected) State of the art Mechanisms Crawlers 1. P2P Zeus neighborlist return mechanism ZeusMilker: Retrieve entire neighborlist from a single bot with a max. of 2N requests 2. Noise in dataset due to high churn Strobocrawler: High speed crawler that takes successive snapshots of the topology in high frequency 3. BoobyTrap: Crawler detection techniques Sensors Previously, no clear mechanisms were available to distinguish them Now, 3 mechanisms exists: LCC: Local Clustering Coefficient SensorRanker: PageRank inspired algorithm to distinguish artificially-popular nodes SensorBuster: Uses Strongly Connected Components to distinguish them Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 21

22 Outlook Now (Simple) Anti-Monitoring Countermeasures Independent Monitoring Future Advanced Anti-Monitoring Countermeasures Collaborative Monitoring Review Existing Cyber Laws Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 22

23 Selected Publications Shankar Karuppayah, Mathias Fischer, Christian Rossow, and Max Mühlhäuser. On Advanced Monitoring in Resilient and Unstructured P2P Botnets. In IEEE International Conference on Communications (ICC), Shankar Karuppayah, Stefanie Roos, Christian Rossow, Max Mühlhäuser, and Mathias Fischer. ZeusMilker: Circumventing the P2P Zeus Neighbor List Restriction Mechanism. In IEEE International Conference on Distributed Computing Systems (ICDCS), Leon Böck, Shankar Karuppayah, Tim Grube, Max Mühlhäuser, and Mathias Fischer. Hide And Seek: Detecting Sensors In P2P Botnets. (Extended Abstract) In IEEE Conference on Communications and Network Security, Emmanouil Vasilomanolakis, Shankar Karuppayah, Max Mühlhäuser, and Mathias Fischer. Taxonomy and Survey of Collaborative Intrusion Detection. ACM Computing Surveys 47 (4)., Shankar Karuppayah, Emmanouil Vasilomanolakis, Steffen Haas, Max Mühlhäuser, and Mathias Fischer. BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets. In IEEE International Conference on Communications (ICC), Steffen Haas, Shankar Karuppayah, Selvakumar Manickam, Max Mühlhäuser, and Mathias Fischer. On the Resilience of P2P-Based Botnet Graphs., IEEE Conference on Communications and Network Security (CNS), Shankar Karuppayah, Leon Böck, Tim Grube, Selvakumar Manickam, Max Mühlhäuser, and Mathias Fischer. SensorBuster: On Identifying Sensor Nodes in P2P Botnets. International Conference on Availability, Reliability and Security (ARES), Advanced Monitoring in P2P Botnets Kami Memimpin We Lead 23

24 Kami Memimpin We Lead Thank You Dr. Shankar Karuppayah Advanced Monitoring in P2P Botnets 24