Bots and Botnets The Automation of Computer Network Attacks
1
Bots and Botnets: The Automation of Computer Network Attacks
Written and researched by David Dittrich
The Information School
University of Washington
Presented by Amelia Phillips
2
Overview
Where did “bots” come from?
How do they work?
How botnets are built
How are they used for attacking?
How do you defend against them?
Botnets in action!
3
Where did “bots” come from?
4
Internet Relay Chat
http://www.newircusers.com/network.html
5
IRC Commands
http://www.newircusers.com/ircmds.html
6
DCC Commands
http://www.newircusers.com/ircmds.html
7
mIRC IRC client
http://www.irchelp.org/irchelp/ircii/ircii.gif
8
IRC bots
http://www.irchelp.org/irchelp/misc/botfaq.html#1
9
Typical uses
Keep track of channel users
Transfer files automatically
Enforce kick/ban lists of “bad” users
Protect channels from takeover
10
How do bots work?
11
“Net split” attack (before)
Owner
12
“Net split” attack (after)
Owner
Attacker
DDoS Attack
13
“Net split” attack (defense)
Owner
Bot
Bot
Bot
Bot
14
Eggdrop config file
15
Eggdrop config file
16
Translated eggdrop config
17
Encrypted communications
18
My how these bots have grown…
19
Attack Sophistication vs. Intruder Technical Knowledge (Source: CERT/CC)
[Chart: x-axis 1980 to 2001, y-axis Low to High; curves labelled Intruder Knowledge and Attack Sophistication; legend: Tools, Attackers]
Techniques labelled on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption
Increasing Attack Sophistication
20
Bot features then (1994)
Channel controls
Simple file transfers
Password protected back door
21
Growth of botnets
22
Growth of botnets
23
Bot features now (2004)
http://www.lurhq.com/phatbot.html
24
Bot features now (2004)
http://www.lurhq.com/phatbot.html
25
Advances in C2 & security features
Encryption of communications
Use of Peer-to-Peer
“Swiss Army knife” feature set
Polymorphism and Anti-Anti-Virus
Anti-forensics/Anti-debugging
26
Waste network
http://waste.sourceforge.net/index.php?id=information
27
Combining Waste networks
http://waste.sourceforge.net/docs/docs.html
28
Relationship to DDoS
[Timeline, 1996 to 2005 (dates approximated): Single threaded DoS; Classic DDoS (Handler/Agent); DDoS Botnets; Bots, with an arrow labelled “Leads to”]
29
How are botnets built?
30
“It takes malware…”
31
Strategies in botnet creation
Learn about IRC commands and features
Choose a bot or “blended threat” kit
Get access to some computers
Trade for CCs, other hosts/accounts, or buy
Use a virus, trojan horse, or other “sploit”
“War drive” to find free wireless access
Herd your bots
Try to keep someone from finding/stealing them
32
Botnet used for recruitment
33
Bot propagation
“Trends in Denial of Service Attack Technology,” http://www.cert.org/archive/pdf/DoS_trends.pdf
34
Malicious use of bots and how to respond
35
The new spammers
36
Phases of botnet/DDoS attacks
Phase one: “own” a [bleep!]load of computers!
Phase two: use them to attack others
DDoS
More “owning”
Anonymity while doing crimes
37
The new gangsters
38
39
40
Phatbot DDoS attack methods
Two types of SYN floods, UDP & ICMP
“Targa” (random IP protocol, fragmentation, and frag offset)
“Wonk” (one SYN packet followed by 1023 ACK packets)
HTTP (single GET w/delay in hours, or recursive GET)
Many attacks support various spoofing (/16, /24 or all 32 bits)
41
Botnet used for DDoS attack
42
Assoc. of Remote Gambling Operators
$73M lost to extortion in 2004
$10k - $40k per attack (some multiple)
Each attack lasts hours to > 1 week
518,000 “computers” used in one attack
3 arrested in July 2004
By following the $$, not by traceback
Several gangs still active worldwide
“Gambling Sites, This Is A Holdup: Organized criminal hackers threaten to paralyze their networks if they don't pay up,” Business Week, http://www.businessweek.com/magazine/content/04_32/b3895106_mz063.htm
43
Strategies in botnet defense
Learn about IRC commands and features
Learn about bots, DDoS, other malware (http://staff.washington.edu/dittrich/misc/ddos, and book…)
Gain data collection and analysis skills
Host forensics
Network forensics
Reverse engineering, programming, scanning, etc.
Analyze traffic flows, patterns
Key goals: Identify structure and C2 methods
44
Weaknesses in botnets
Recruitment/Herding
Command/ Control
Scanning/ Attacking
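The defense slide above ends with "analyze traffic flows, patterns" to identify botnet structure and C2 methods, and the weaknesses slide names command/control and scanning as the points where a botnet exposes itself. This added example (not from the slides or from the presenter) works both weaknesses over constructed flow records: it picks out the IRC server that many internal hosts hold persistent sessions to (the C2 rendezvous point) and the internal host fanning out tiny probes on one port (propagation scanning). The flow tuple layout and the set of IRC ports are assumptions.

```python
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 7000}   # typical IRC server ports (assumption)

# Constructed flow records: (src_ip, dst_ip, dst_port, duration_s, bytes).
# Three internal hosts hold persistent sessions to one IRC server; one of
# them also fans out short probes on TCP/445, the scanning behaviour the
# "Bot propagation" slides show.
FLOWS = [
    ("10.0.0.11", "198.51.100.7", 6667, 7200, 3100),
    ("10.0.0.12", "198.51.100.7", 6667, 6900, 2800),
    ("10.0.0.13", "198.51.100.7", 6667, 7100, 2950),
    ("10.0.0.14", "198.51.100.7", 6667, 40, 500),      # brief, not persistent
    ("10.0.0.20", "192.0.2.5", 6667, 5400, 1200),       # lone user, real IRC
    ("10.0.0.11", "203.0.113.9", 443, 5, 22000),        # ordinary web traffic
] + [("10.0.0.11", f"10.0.1.{i}", 445, 1, 60) for i in range(1, 41)]


def find_c2_candidates(flows, min_clients=3, min_duration=600):
    """Group long-lived IRC-port flows by (server, port). A server that many
    internal hosts keep persistent sessions to is a C2 candidate; the hosts
    themselves are the probable bots. Returns {(server, port): [hosts]}."""
    clients = defaultdict(set)
    for src, dst, dport, duration, _ in flows:
        if dport in IRC_PORTS and duration >= min_duration:
            clients[(dst, dport)].add(src)
    return {server: sorted(hosts) for server, hosts in clients.items()
            if len(hosts) >= min_clients}


def find_scanners(flows, port=445, min_targets=20, max_bytes=200):
    """A source touching many distinct hosts on one port with near-empty flows
    is probing for new victims (recruitment). Returns {src: target_count}."""
    targets = defaultdict(set)
    for src, dst, dport, _, nbytes in flows:
        if dport == port and nbytes <= max_bytes:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print("C2 candidates:", find_c2_candidates(FLOWS))
    print("Scanning hosts:", find_scanners(FLOWS))
```

The thresholds are starting points to tune against a site's own baseline: a lone user on a legitimate IRC server (10.0.0.20 above) never reaches the client-count threshold, and a brief connection does not count as a persistent session.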
45
Botnets in action
46
Report of activity
47
Nmap scan
48
Services provided by bot
49
Feedback to attacker!
“My” IP address!
50
Other compromised hosts
51
Bot propagation
“Trends in Denial of Service Attack Technology,” http://www.cert.org/archive/pdf/DoS_trends.pdf
52
Scanning with Phatbot
53
The victims…
"Politehnica" University of Bucharest, Hungary
Aachen University of Technology, Aachen, Germany
Academic Medical Centre, Amsterdam, The Netherlands
Albert-Ludwigs-Universitaet Freiburg, Germany
Czech Technical University, Prague
Fachhochschule Albstadt-Sigmaringen, Germany
Fachhochschule Augsburg, Germany
Fachhochschule Esslingen, Germany
Fachhochschule Konstanz, Germany
Fachhochschule Worms, Germany
Hochschule fuer Technik, Ulm, Germany
Hogeschool Brabant, The Netherlands
Hogeschool Rotterdam & Omstreken, The Netherlands
Hogeschool van Amsterdam, The Netherlands
Hogeschool van Utrecht, The Netherlands
Humboldt-Universitaet zu Berlin, Germany
Johann Wolfgang Goethe-Universitaet Frankfurt, Germany
Philipps-Universitaet Marburg, Germany
Physikalisch-Technische Bundesanstalt, Germany
Rechenzentrum der Universitaet Jena, Germany
Technische Universitaet Berlin, Germany
Technische Universitaet Dresden, Germany
Universitaet Augsburg, Germany
Universitaet Bamberg, Germany
Universitaet Bremen, Germany
Universitaet Duisburg-Essen, Germany
Universitaet Karlsruhe, Germany
Universitaet Konstanz, Germany
Universitaet Muenster, Germany
Universitaet Oldenburg, Germany
Universitaet Stuttgart, Germany
Universitaet Wuerzburg, Germany
Universite de Fribourg, Switzerland
Universite de Liege, Belgium
Universite de Valenciennes, France
Universiteit van Amsterdam, The Netherlands
University College London, UK
University of Applied Sciences, Weingarten, Germany
University of Cooperative Education, Mannheim, Germany
University of Cooperative Education, Ravensburg, Germany
University of Cooperative Education, Stuttgart, Germany
University of Hamburg, Germany
University of Innsbruck, Austria
University of Liverpool, UK
University of London, UK
Westsaechsische Hochschule, Zwickau, Germany
54
Some more victims…
Amsterdam Airport Schiphol, The Netherlands
DESY Zeuthen, Germany
DeTeLine GmbH, Berlin, Germany
Dr. Ing. h.c. F. Porsche AG, Germany
Dutch Railways Network, Utrecht, The Netherlands
EDS International B.V., The Netherlands
Materna GmbH, Dortmund, Germany
Ministerie van Binnenlandse Zaken, The Hague
Ministerie van Sociale Zaken en Werkgelegenheid, The Hague
Saudi Online Network, Riyadh, Saudi Arabia
Shell Information Technology International, SA Telecom
Siemens AG, World Headquarter, Munich, Germany
Swisscom Fixnet, Berne, Switzerland
Swisscom IP-Plus, Berne, Switzerland
Unilever Research Laboratorium, The Netherlands
Unilever Research Vlaardingen, The Netherlands
55
Harvesting product keys
56
Uptime of bots
57
Uptimes
58
Proxying IRC traffic
59
Proxying IRC traffic (2)
60
Proxying IRC traffic (3)
61
Still a Threat
Security World says botnets are on the decline
Phishing is now the chosen method
Botnets are still a threat
Visit the Honeynet Project: www.honeynet.org
62
Thanks and questions
Contact: Dave Dittrich
Information Assurance Researcher
The Information School
dittrich(at)u.washington.edu
http://staff.washington.edu/dittrich/