Botnet Detection Using Honeypots. Kalaitzidakis Vasileios

Similar documents
ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Chapter 9. Firewalls

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

LaBrea p. 74 Installation and Setup p. 75 Observations p. 81 Tiny Honeypot p. 81 Installation p. 82 Capture Logs p. 83 Session Logs p.

Firewall Identification: Banner Grabbing

Shedding Light on the Configuration of Dark Addresses

Network Analysis of Point of Sale System Compromises

Computer Network Vulnerabilities

COMPUTER NETWORK SECURITY

ARAKIS An Early Warning and Attack Identification System

UTM 5000 WannaCry Technote

Internet Security: Firewall

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

CE Advanced Network Security Honeypots

Activating Intrusion Prevention Service

Training UNIFIED SECURITY. Signature based packet analysis

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

IDS: Signature Detection

Network Security Issues and New Challenges

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

CSE 565 Computer Security Fall 2018

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

CIH

HTTP BASED BOT-NET DETECTION TECHNIQUE USING APRIORI ALGORITHM WITH ACTUAL TIME DURATION

exam. Number: Passing Score: 800 Time Limit: 120 min File Version: CHECKPOINT

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

BOTNET-GENERATED SPAM

Intelligent and Secure Network

Usage of Honeypot to Secure datacenter in Infrastructure as a Service data

Symantec Client Security. Integrated protection for network and remote clients.

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

A brief Incursion into Botnet Detection

CS System Security 2nd-Half Semester Review

Basic Concepts in Intrusion Detection

CounterACT Check Point Threat Prevention Module

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale

Network Defenses 21 JANUARY KAMI VANIEA 1

SYMANTEC SECURITY UPDATE JUNE 2005

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Cisco IOS Inline Intrusion Prevention System (IPS)

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

INDEX. browser-hijacking adware programs, 29 brute-force spam, business, impact of spam, business issues, C

Multi-phase IRC Botnet & Botnet Behavior Detection Model

Hands-On Ethical Hacking and Network Defense 3 rd Edition

Symantec Intelligence Quarterly: Best Practices and Methodologies October - December, 2009

Honeynet Weekly Report Canadian Institute for Cybersecurity (CIC)

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

2. INTRUDER DETECTION SYSTEMS

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 4.1.x

Intrusion Detection Systems and Network Security

Malware Research at SMU. Tom Chen SMU

Configuring attack detection and prevention 1

Ethical Hacking and Prevention

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

How to Make the Client IP Address Available to the Back-end Server

Managing SonicWall Gateway Anti Virus Service

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

McAfee Advanced Threat Defense

Phishing Activity Trends Report March, 2005

Dynamic Botnet Detection

PRACTICAL NETWORK DEFENSE VERSION 1

Network Intrusion Analysis (Hands on)

Networking Security SPRING 2018: GANG WANG

CE Advanced Network Security Botnets

APT Protection.

Honeynets and Darknets. What good are they?

Configuring BIG-IP ASM v12.1 Application Security Manager

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

Multi-Stream Fused Model: A Novel Real-Time Botnet Detecting Model

Experiences with Building, Deploying and Running a remotecontrolled

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Venusense UTM Introduction

What s New in Version 3.5 Table of Contents

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

Base64 The Security Killer

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Intrusion Detection - Snort

Guide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics

Securing Your Business Against the Diversifying Targeted Attacks Leonard Sim

Honeypot Hacker Tracking and Computer Forensics

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE

Automating Security Response based on Internet Reputation

Worm Detection, Early Warning and Response Based on Local Victim Information

Configuring attack detection and prevention 1

BIG-IP Application Security Manager : Implementations. Version 13.0

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Data Sheet. DPtech IPS2000 Series Intrusion Prevention System. Overview. Series IPS2000-MC-N. Features

Journal of Chemical and Pharmaceutical Research, 2014, 6(7): Research Article

Network Defenses KAMI VANIEA 1

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Gladiator Incident Alert

Detecting Malicious Hosts Using Traffic Flows

Transcription:

Botnet Detection Using Honeypots Kalaitzidakis Vasileios Athens, June 2009

What Is Botnet A Botnet is a large number of compromised computers, controlled by one or more Command-and-Control Servers, the Botmasters RoBot Network also called "zombie army The history of botnets began in 1999: The first IRC Bot, Pretty Park worm, appeared Botnets are used for: Distributed DoS Attacks Spam Identity Theft Click Fraud Virus propagation Rising Underground Economy June 2009 Kalaitzidakis Vasileios 2

How Do Botnets Work Installation of malicious software Exploitation Download infected files (P2P, malicious sites, email attachments) The infected machine contacts the BotMaster for a mission Botmaster sends back mission information Bot executes mission and returns results Bots can periodically be updated June 2009 Kalaitzidakis Vasileios 3

Botnet Architectures Centralized All computers are connected to a single C&C center The most widespread type Easier to deploy Single point of failure IRC, IM Decentralized P2P botnet Commands are transferred from bot to bot Botmaster needs access to at least one bot Hybrid / Random June 2009 Theoretical Kalaitzidakis Vasileios 4

Growing Internet Threat According to Symantec: 1,656,227 new signatures in 2008 165% up from last year ShadowServer: Botnets are growing Botnet size is also growing June 2009 Kalaitzidakis Vasileios 5

Detection Techniques Taxonomy (1) Host-based detection Antivirus Programs Log Files Investigation (Administrator should periodically examine Logs) Log Files Correlation (Log files size correlation between different hosts) Monitoring function calls (Keylogging activities, GetKeyboardState or GetAsyncKeyState, WriteFile, outgoing traffic) Network-based detection IP Headers inspection Monitoring DNS traffic to C&C domains Non-SMTP-server sending emails (spam) High rates of TCP or UDP connections (bots using P2P networks) June 2009 Kalaitzidakis Vasileios 6

Detection Techniques Taxonomy (2) Network-based detection Payload inspection C&C traffic (known commands) Propagation or attacks (exploit code) Signature-based detection (IDSs) Malicious flow patterns Anomaly-based detection Abnormal Behavior (Normal behavior knowledge, Response time, Synchronization) Detection Using Honeypots Robots cannot easily identify victims from honeypots Robots have to send noticeable traffic June 2009 Kalaitzidakis Vasileios 7

Honeypot Technology Honeypot: system used to capture attackers activities Low-Interaction emulate services and systems do not offer full access to the underlying system used in production environments Nepenthes, Honeyd, Honeytrap High-Interaction Real operating system full control over the honeypot used in a research role Honeywall CDROM Honeynet: network of two or more honeypots for attackers to interact with June 2009 Kalaitzidakis Vasileios 8

Used Tools Honeywall CDROM Honeynet Gateway Fedora Core 6 Two layer 2 network interfaces Walleye interface Remote administration and data analysis tool Third network interface Sebek Kernel level rootkit Client installed on honeypots Server on Honeywall Monitor system processes Honeysnap Basic data analysis tool IRC, HTTP, DNS traffic Test Bed Process Monitor Windows XP System Updated Monitor all system activities (file system, registry, processes, network connections) June 2009 Kalaitzidakis Vasileios 9

The Honeynet Deployment

The Honeypots Windows XP Professional SP1 Default Windows Services Port 135/tcp, Microsoft Remote Procedure Call Port 139/tcp, NETBIOS Session Port 445/tcp, Microsoft Directory Services Windows XP Professional SP3 Default Windows Services IIS web server v5.1 Microsoft SQL server 2005 Windows SMTP server Windows XP Professional Up To Date Default Windows Services Ubuntu Server 7.10 OpenSSH server VSFTPD server Username: user / Password: password June 2009 Kalaitzidakis Vasileios 11

Methodology Of Analysis Communication Traffic Data Windows XP SP1 & SP3 IRC HTTP DNS SMTP Outgoing Attacks Windows XP SP1 & SP3 Top Destination Ports IP Addresses Incoming Attacks Windows XP Up To Date & Ubuntu Server 7.10 Top Destination Ports IP Addresses June 2009 Kalaitzidakis Vasileios 12

IRC Ports 1030, 1099, 1828, 1061,1070 Over 30 IRC Channels ##russia## irc.priv8net.com HTTP File Downloads "GET http://72.10.169.26/ssvc.exe" "GET http://72.10.169.26/ub.exe" "GET http://rsfq.info/demo.exe XML communication DNS Data Analysis - Communication 192.168.1.1 & 194.219.227.2 Servers Queries include mail servers justforclickz.com mail.ru yahoo.com SMTP 220 hotmail.com Kerio MailServer 5.5.0 ESMTP ready 250 hotmail.com 250 2.1.0 Sender <xwfstegxnbo@loughgs.leics.sch.uk> ok 250 2.1.5 Recipient <<nrhy@hotmail.com> > ok (local) 354 Enter mail, end with CRLF.CRLF 250 2.0.0 6f37855f7fcd14d5da0385837a595cab Message accepted for delivery <?xml version="1.0" encoding="iso-8859-1"?> <Results> <ip>get:77.49.137.146, POST:77.49.137.146</ip> <count>0</count> <country>--</country> <executed>0</executed> <generator>jumbofeed v2.3</generator> </Results> June 2009 Kalaitzidakis Vasileios 13

Data Analysis Outgoing Attacks Top Destination Ports 135 for Windows XP SP1 445 for Windows XP SP3 Destination Networks ISP s Network Nat Attack Strategies Portsweep at 135,445 About 20 different processes observed June 2009 Kalaitzidakis Vasileios 14

Data Analysis Incoming Attacks Top Destination Ports 135, 445,139 for Windows 22 for Ubuntu Source IP addresses ISP s Network 445, 135, 139, 137, 23 Global 80, 22, 25 Attack Strategies Scan and run exploits e.g. 62.1.236.74 445, 135, 80 Brute force e.g. 61.243.232.120 139, 1419 packets e.g. 77.245.148.115 22, 5838 packets Attack rates 10-30 per hour for Windows 5-10 per day for Ubuntu 4500 4000 3500 3000 2500 2000 1500 1000 500 0 1600 1400 1200 1000 800 600 400 200 0 Flows Alerts Flows Alerts June 2009 Kalaitzidakis Vasileios 15

Snort Alerts Port 445 o o o NETBIOS SMB-DS IPC$ share access NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt Port 135 o o NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation little endian overflow attempt NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt Port 139 o o NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt NETBIOS SMB repeated logon failure June 2009 Kalaitzidakis Vasileios 16

Main Findings Botnets Many active old-fashioned botnets, easy to detect Most of bots are single users pcs Outgoing Attacks Most of attacks target ports 135 & 445 Main attack strategy is port sweep Destinations are ISP s & Nat networks Incoming Attacks Most of attacks target ports 135, 145,139, 22 Attacks at windows services mostly come from ISP s network 300 different IPs found within 5 days June 2009 Kalaitzidakis Vasileios 17

Conclusions We employed honeynet to study the current attacks employed by botnets Our methodology produced clear conclusions General A single detection technique is not able to detect all botnets Updating system is a good defense Using honeypot is easy to detect a large number of compromised machines within ISP s network June 2009 Kalaitzidakis Vasileios 18

Future Work Honeynet within ISP s network architecture System consists of a number of honeypots in order to: Capture traffic data Recognize attacks Discover IP addresses of compromised machines Alert users Inform other ISPs using a trust based model June 2009 Kalaitzidakis Vasileios 19

End Of Slides Thank you! June 2009 Kalaitzidakis Vasileios 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback