Botnet Detection Based on ICMP Infiltrations Correlation Pattern

Navaneethan C. Arjuman
PhD Candidate and MyBrain Fellow
[email protected]
National Advanced IPv6 Centre
February 2012

Copyright Nava 2012
Agenda

• Objective
• What are Botnets?
  ◦ Botnet History
  ◦ Botnets Usage
  ◦ Botnet Command and Control (C&C) Mechanism
  ◦ Botnet Classification
• Botnet Detection Techniques
  ◦ Anomalies Detection
  ◦ Correlation Techniques
• Inbound Scanning
  ◦ Proposed new area on ICMP based scanning
  ◦ Mitigation Technique
  ◦ Research Outcome
What are Botnets?

• An Internet Relay Chat (IRC) based, command and control network of compromised hosts (bots)
• A bot is a client program that runs in the background of a compromised host
  ◦ Watches for certain strings on an IRC channel
  ◦ These are encoded commands for the bot
• Purpose
  ◦ DoS, ID theft, phishing, keylogging, spam
• Fun AND profit
Botnet History

• First existence of a botnet started in August 1988, when IRC was invented at the University of Oulu, Finland
• 1989 – First bot, "GM"
  ◦ Assisted users to manage their own IRC connections
• May 1999 – Pretty Park
  ◦ Reported in June 1999 in Central Europe
  ◦ Internet worm – a password stealing trojan
• 1999 – SubSeven
  ◦ Remote controlled trojan
Botnet History

• 2000 – GTbot (Global Threat)
  ◦ New capabilities – port scanning, flooding and cloning
  ◦ Supports UDP and TCP socket connections
  ◦ Supports an IRC server to run malicious scripts
• 2002 – SDbot
  ◦ Written by a Russian programmer by the name "SD"
  ◦ 40 KB – C++ code
  ◦ First to publish the code for hackers via a website
  ◦ Provided e-mail and chat for support
• 2002 – Agobot
  ◦ Modular update
  ◦ Spread through Kazaa, Grokster, etc.
Botnet History

• 2003 – Spybot or Milkit
  ◦ Derived from SDbot
  ◦ Comes with spyware capabilities
  ◦ Spread via file sharing applications and e-mail
• 2003 – Rbot
  ◦ Backdoor trojan on IRC
  ◦ Compromised vulnerable Microsoft share ports 139 and 445
  ◦ Based on the MSRT report in June 2006 by Microsoft – 1.9 million PCs affected worldwide
• 2004 – PolyBot
  ◦ Polymorphism capabilities
  ◦ Based on Agobot
Botnet History

• 2005 – MyBot
  ◦ New version of SpyBot
  ◦ Hybrid coding
  ◦ Spread via file sharing applications and e-mail
• 2006 – P2P based bot
  ◦ 1st generation – "SpamThru", "Nugache"; based on "Gnutella" file sharing
  ◦ 2nd generation – "Peacomm"; pure distributed P2P
• 2007 – "Storm Botnet"
  ◦ Truly pure P2P
  ◦ No single point of failure
  ◦ Provided high resilience, scalability and difficulty in tracking
• List continues…
What is the latest?

• 2010 – Stuxnet
  ◦ Spreads via Microsoft Windows, and targets Siemens industrial software and equipment
  ◦ Malware that spies on and subverts industrial systems
  ◦ Targeted five Iranian organizations – uranium enrichment infrastructure in Iran
• September 2011 – Duqu
  ◦ Duqu is a computer worm discovered on 1st September, 2011
  ◦ Operation Duqu is the process of only using Duqu for unknown goals
• New trend – new worm and new botnet
Botnet Usage

• DDoS
• Spam
• Sniffing traffic
• Keylogging
• Installing advertisement add-ons and Browser Helper Objects (BHOs)
• Manipulating online polls/games
• Mass ID theft
Botnet Command and Control (C&C) Mechanism

From the botmaster's point of view:
• Centralized
  ◦ Pro – easy to set up, fast command dissemination
  ◦ Cons – easy to detect, single point of failure
• Peer-to-Peer topology
  ◦ Pro – decentralized, not easy to detect, no single point of failure
  ◦ Cons – not easy to set up (more complex), message delivery not guaranteed and high latency
Botnet Command and Control (C&C) Mechanism…

• Unstructured topology – extreme peer-to-peer topology, one-to-one communication
  ◦ Pro – easy to set up, decentralized, not easy to detect, no single point of failure
  ◦ Cons – message delivery not guaranteed and high latency
Botnet Classification

Command & Control (C&C):
• IRC based – C&C using an IRC server
• HTTP based – C&C using a web server
• P2P based – C&C on a peer-to-peer protocol
• DNS based – C&C using fast-flux networks
Botnet Detection

• Signature based – able to detect only known bots
• Anomaly based – detects bots based on traffic anomalies
• DNS based – detects based on DNS information
• Mining based – detects based on machine learning, classification and clustering
Anomaly Based Detection

• Detects based on traffic anomalies such as
  ◦ High network latency
  ◦ High volumes of traffic
  ◦ Traffic on unusual ports
  ◦ Unusual system behaviour
• Major advantage: solves the unknown bots problem
Correlation Techniques

• Inbound scanning
• Exploit usage
• Egg downloading
• Outbound bots coordination dialog
• Outbound attack propagation
• Malware P2P communication
Scanning for recruits

[Figure: botnet recruitment scanning diagram, from VASCAN 2005, Copyright Marchany 2005. Legend: Black – C&C; Red – Scan info]
Bot Attack Strategy

• Recruitment of the agent network
  ◦ Finding vulnerable systems
  ◦ Breaking into vulnerable systems – protocol attack, middleware attack, application or resource attack
• Controlling the agent network
  ◦ Direct, indirect commands
  ◦ Updating malware
  ◦ Unwitting agents
Finding Vulnerable Systems

• Blended threat scanning
  ◦ Program(s) that provide command & control using IRC bots
• IRC commands tell the bot (e.g. Power) to do a netblock scan
• The bot builds a list of vulnerable hosts and informs the attacker via the botnet
• The attacker gets the file and adds it to the master list
Inbound Scanning

There are several inbound port scanning methods available. All port scanning methods work if the target host satisfies RFC 793 – Transmission Control Protocol (TCP).
• Internet Control Message Protocol (ICMP)
• Transmission Control Protocol (TCP)
  ◦ SYN
  ◦ ACK
  ◦ Window
  ◦ FIN
• User Datagram Protocol (UDP)
Inbound Scanning…

• Other types (uncommon)
  ◦ X-mas and Null
  ◦ Protocol
  ◦ Proxy
  ◦ Idle
  ◦ CatSCAN
Why use ICMP Scanning?

Understanding ICMP based attacks
• Attackers prefer to do inbound scanning based on ICMP because:
  ◦ ICMP scanning provides high-level target scanning
  ◦ Elimination of target networks – Type 3, Code 0 – Destination network unreachable
Why use ICMP Scanning?…

  ◦ Elimination of target hosts – Type 3, Code 1 – Destination host unreachable
  ◦ Elimination of a particular protocol – Type 3, Code 2 – Destination protocol unreachable
  ◦ Elimination of a particular port – Type 3, Code 3 – Destination port unreachable
Why use ICMP Scanning?…

  ◦ Smaller payload – unnoticeable in terms of volume increment for detection
  ◦ More reliable reply – returned as an error message, compared to TCP and UDP
Understanding ICMP

Currently there are two (2) types:
• ICMPv4
• ICMPv6
ICMPv4

• Core protocol of the Internet Protocol Suite
• Defined under RFC 792
• Mainly used to provide error messages
• ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes
• ICMP errors are always reported to the original source IP address of the originating datagram.
ICMPv4 – IP Datagram

Bits    0-7     8-15    16-23   24-31
0       TYPE    CODE    CHECKSUM
32      REST OF HEADER

• Type – ICMP type as specified below.
• Code – Subtype to the given type.
• Checksum – Error checking data. Calculated from the ICMP header + data, with value 0 for this field. The checksum algorithm is specified in RFC 1071.
• Rest of Header – Four-byte field. Will vary based on the ICMP type and code.
ICMPv4 – Type

• Type range: there are 0-255 types
  ◦ 0 till 41 – already defined
  ◦ 42 till 255 – reserved
• Special attention focused on the following types:
  ◦ Type 3
  ◦ Type 9 and 10
  ◦ Type 15 and 16
  ◦ Type 17 and 18
  ◦ Type 37 and 38
ICMPv4 – Type 3

Below are the special codes that require main attention.
Code range:
• 0 – Destination network unreachable
• 1 – Destination host unreachable
• 2 – Destination protocol unreachable
• 3 – Destination port unreachable
• 6 – Destination network unknown
• 7 – Destination host unknown
• 8 – Source host isolated
• 9 – Network administratively prohibited
• 10 – Host administratively prohibited
• 11 – Network unreachable for TOS
• 12 – Host unreachable for TOS
• 13 – Communication administratively prohibited
ICMPv4 – Other Types

• Type 9, Code 0 – Router Advertisement
• Type 10, Code 0 – Router Discovery/Selection/Solicitation
• Type 15, Code 0 – Information Request
• Type 16, Code 0 – Information Reply
• Type 17, Code 0 – Address Mask Request
• Type 18, Code 0 – Address Mask Reply
• Type 37, Code 0 – Domain Name Request
• Type 38, Code 0 – Domain Name Reply
ICMPv4 – ICMP Fault Monitoring Features Sample Capture

[Figure: sample capture of the ICMP fault monitoring features; the image is not included in the transcript]
ICMPv6

• Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6)
• Defined under RFC 4443
• Mainly used for error messages
• Several extensions have been published, defining new ICMPv6 message types as well as new options for existing ICMPv6 message types
• Neighbor Discovery Protocol (NDP) is a node discovery protocol in IPv6 which replaces and enhances functions of ARP
ICMPv6

• Secure Neighbor Discovery Protocol (SEND) is an extension of NDP with extra security.
• Multicast Router Discovery (MRD) allows discovery of multicast routers.
• ICMPv6 messages may be classified into two categories: error messages and information messages
• ICMPv6 messages are transported by IPv6 packets in which the IPv6 Next Header value for ICMPv6 is set to 58.
ICMPv6 – IP Datagram

Bit Offset   0-7    8-15   16-31
0            Type   Code   Checksum
32           Message Body

• Type – ICMP type as specified below.
• Code – Subtype to the given type.
• Checksum – Error checking data. Calculated from the ICMP header + data, with value 0 for this field.
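The two header layouts above are the same four-byte shape, and the checksum on both is the RFC 1071 ones' complement sum with the checksum field zeroed. One difference worth knowing when writing a monitor: per RFC 4443 the ICMPv6 checksum also covers an IPv6 pseudo-header (source, destination, payload length, next header 58), so an ICMPv6 message cannot be verified from its own bytes alone. The following is an added example written for this deck, not code from the slides, from iNetmon or from any other project; it assumes plain Python stdlib, ICMP bytes handed in without the outer IP header, and that the caller supplies the IPv6 addresses for ICMPv6. All function and table names are this example's own. It builds and verifies both ICMPv4 and ICMPv6 messages, names the Type 3 / Type 1 codes the deck singles out, and decodes the quoted original datagram that an ICMPv4 error carries, which is what lets a sensor tell who probed which host and port.

```python
"""ICMPv4/ICMPv6 header parsing and checksum verification (RFC 1071 ones' complement).

Added example for this deck, not code from the slides or from iNetmon. Assumptions:
plain stdlib, ICMP bytes handed in without the outer IP header, and for ICMPv6 the
caller supplies the IPv6 source/destination so the RFC 4443 pseudo-header can be
included in the checksum. All function and table names below are this example's own.
"""
import ipaddress
import struct

# Code names for the two message types the deck singles out for scan profiling.
ICMPV4_TYPE3_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 6: "net unknown", 7: "host unknown",
    8: "source host isolated", 9: "net admin prohibited",
    10: "host admin prohibited", 11: "net unreachable for TOS",
    12: "host unreachable for TOS", 13: "communication admin prohibited",
}
ICMPV6_TYPE1_CODES = {
    0: "no route", 1: "admin prohibited", 2: "beyond scope",
    3: "address unreachable", 4: "port unreachable",
    7: "failed ingress/egress policy", 8: "reject route",
}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit words with end-around carry; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmp_checksum(covered: bytes) -> int:
    """Checksum to place in the header: ones' complement of the sum (checksum field = 0)."""
    return (~ones_complement_sum(covered)) & 0xFFFF


def ipv6_pseudo_header(src: str, dst: str, icmp_len: int) -> bytes:
    """RFC 4443 pseudo-header: src, dst, upper-layer length, three zero bytes, next header 58."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", icmp_len, 58))


def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"", v6=None) -> bytes:
    """Assemble an ICMP message with a correct checksum; v6=(src, dst) selects ICMPv6."""
    msg = struct.pack("!BBH", msg_type, code, 0) + rest + payload
    covered = msg if v6 is None else ipv6_pseudo_header(v6[0], v6[1], len(msg)) + msg
    return msg[:2] + struct.pack("!H", icmp_checksum(covered)) + msg[4:]


def parse_icmp(data: bytes, v6=None) -> dict:
    """Decode type/code/checksum, verify the checksum, and name the code when the
    message is an ICMPv4 type 3 or ICMPv6 type 1 'unreachable' error."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    msg_type, code, csum = struct.unpack("!BBH", data[:4])
    covered = data if v6 is None else ipv6_pseudo_header(v6[0], v6[1], len(data)) + data
    # With the checksum field included, a correct message sums to 0xFFFF.
    valid = ones_complement_sum(covered) == 0xFFFF
    if v6 is None:
        name = ICMPV4_TYPE3_CODES.get(code) if msg_type == 3 else None
    else:
        name = ICMPV6_TYPE1_CODES.get(code) if msg_type == 1 else None
    return {"type": msg_type, "code": code, "checksum": csum,
            "rest": data[4:8], "valid": valid, "name": name}


def inner_datagram_v4(icmp: bytes):
    """For an ICMPv4 error, decode the quoted original IP header + 8 bytes (RFC 792)
    and return (protocol, original src, original dst, dst port or None)."""
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("error message does not quote a full IP header")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:  # TCP/UDP: dst port is bytes 2-3 of L4
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return proto, src, dst, dport


def sample_port_unreachable() -> bytes:
    """Constructed sample (not captured traffic): a router reports 'port unreachable'
    for a UDP probe from 198.51.100.7 to 192.0.2.9 port 161."""
    inner_ip = (bytes([0x45, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00])
                + ipaddress.IPv4Address("198.51.100.7").packed
                + ipaddress.IPv4Address("192.0.2.9").packed)
    inner_udp = struct.pack("!HHHH", 40000, 161, 8, 0)
    return build_icmp(3, 3, b"\x00" * 4, inner_ip + inner_udp)


if __name__ == "__main__":
    m = sample_port_unreachable()
    print(parse_icmp(m), inner_datagram_v4(m))
```

The checksum check is written as "does the whole covered region sum to 0xFFFF", which is the usual receiver-side form and avoids recomputing with the field zeroed. Passing an ICMPv6 message to parse_icmp without v6 makes the check fail, which is the practical reminder that a v6 monitor needs the outer addresses, not just the ICMP bytes.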
ICMPv6 – Type

• Special attention focused on the following types:
  ◦ Type 1
  ◦ Type 128 and 137
  ◦ Type 139 and 153
ICMPv6 – Type 1

Below are the special codes that require attention when scanning takes place.
Code range:
• 0 – No route to destination
• 1 – Communication with destination administratively prohibited
• 2 – Beyond scope of source address
• 3 – Address unreachable
• 4 – Port unreachable
• 7 – Source address failed ingress/egress policy
• 8 – Reject route to destination
ICMPv6 – Other Types

• Type 128, Code 0 – Echo Request
• Type 129, Code 0 – Echo Reply
• Type 130, Code 0 – Multicast Listener Query
• Type 133, Code 0 – Router Solicitation (NDP)
• Type 134, Code 0 – Router Advertisement (NDP)
• Type 135, Code 0 – Neighbor Solicitation (NDP)
• Type 136, Code 0 – Neighbor Advertisement (NDP)
ICMPv6 – Other Types

• Type 139, Code 0 till 2 – ICMP Node Information Query
• Type 140, Code 0 till 2 – ICMP Node Information Response
• Type 141, Code 0 – Inverse Neighbor Discovery Solicitation Message
• Type 142, Code 0 – Inverse Neighbor Discovery Advertisement Message
• Type 144, Code 0 – Home Agent Address Discovery Request Message
ICMPv6 – Other Types

• Type 145, Code 0 – Home Agent Address Discovery Reply Message
• Type 146, Code 0 till 2 – Mobile Prefix Solicitation
• Type 147, Code 0 – Mobile Prefix Advertisement
• Type 151 – Multicast Router Advertisement (MRD)
• Type 152 – Multicast Router Solicitation (MRD)
Mitigating ICMP Based Scanning Attacks

• Capturing these ICMP error messages can indicate, with high probability, that an attack is taking place
• Proposed new profiling algorithm
• Proposed new ICMP based scanning profiling applications
• Need to improve the existing iNetmon ICMP default monitoring features
Mitigating ICMP Based Scanning Attacks…

• Integration with a profiling system is required to correlate with the other correlation factors such as
  ◦ Exploit usage
  ◦ Egg downloading
  ◦ Outbound bots coordination dialog
  ◦ Outbound attack propagation
  ◦ Malware P2P communication
• There are already systems available, such as BotHunter (a SNORT based correlation engine), that do correlation for the above mentioned correlation features.
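The "Why use ICMP Scanning?" slides explain the attacker's side: Type 3 (ICMPv4) and Type 1 (ICMPv6) unreachable errors tell a prober which networks, hosts, protocols and ports do not exist. The mitigation slides propose turning the same messages into evidence by capturing and profiling them. The deck does not specify the profiling algorithm, so the following is an added example of one plausible defender-side heuristic, written for this deck and not taken from the slides, iNetmon or BotHunter. It assumes a sensor at the network edge that logs each outgoing ICMPv4 type 3 / ICMPv6 type 1 error together with the original datagram's source, destination and destination port quoted inside the error (the decoding an ICMPv4 monitor would do on the quoted IP header). A prober that accumulates unreachables for many distinct hosts, or many distinct ports on one host, inside a short window is reported as a probable scanner; the window, thresholds, field names and the sample trace are all this example's own choices, and the trace is constructed, not captured.

```python
"""Scan-profiling heuristic over ICMP 'unreachable' errors.

Added example, not the deck's proposed profiling algorithm (the slides do not
specify it) and not iNetmon or BotHunter code. Assumption: an edge sensor logs
each ICMPv4 type 3 / ICMPv6 type 1 error it sees, together with the original
datagram's source, destination and destination port quoted inside the error.
Thresholds, window and field names are this example's own choices.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IcmpError:
    ts: float               # sensor timestamp, seconds
    family: int             # 4 = ICMPv4, 6 = ICMPv6
    msg_type: int
    code: int
    probe_src: str          # source of the quoted original datagram (the prober)
    probe_dst: str          # destination of the quoted datagram (the probed host)
    probe_dport: Optional[int]


UNREACHABLE = {(4, 3), (6, 1)}                      # ICMPv4 type 3, ICMPv6 type 1
PORT_LEVEL_CODES = {(4, 3): {2, 3}, (6, 1): {4}}    # codes that expose a closed port/protocol


class ScanProfiler:
    def __init__(self, window: float = 60.0, host_threshold: int = 8, port_threshold: int = 8):
        self.window = window
        self.host_threshold = host_threshold
        self.port_threshold = port_threshold
        self._recent = defaultdict(deque)           # probe_src -> errors inside the window

    def observe(self, ev: IcmpError) -> Optional[dict]:
        """Feed one error in time order; return a verdict once probe_src crosses a threshold."""
        if (ev.family, ev.msg_type) not in UNREACHABLE:
            return None                             # echo replies, NDP, etc. are not scan evidence
        q = self._recent[ev.probe_src]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:
            q.popleft()                             # expire errors older than the window
        hosts = {e.probe_dst for e in q}
        ports = {(e.probe_dst, e.probe_dport) for e in q
                 if e.probe_dport is not None and e.code in PORT_LEVEL_CODES[(e.family, e.msg_type)]}
        if len(hosts) >= self.host_threshold or len(ports) >= self.port_threshold:
            return {"source": ev.probe_src, "distinct_hosts": len(hosts),
                    "distinct_ports": len(ports), "errors": len(q),
                    "codes": sorted({(e.family, e.msg_type, e.code) for e in q})}
        return None


def profile_trace(events) -> dict:
    """Replay a trace through the profiler; return {probe_src: latest verdict} for flagged sources."""
    profiler = ScanProfiler()
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        verdict = profiler.observe(ev)
        if verdict:
            flagged[verdict["source"]] = verdict
    return flagged


def constructed_trace():
    """Constructed sample, not real traffic: a host sweep, a port sweep, an ICMPv6
    sweep, and two benign one-off errors from the same source an hour apart."""
    trace = []
    for i in range(1, 13):                          # host sweep: 12 hosts unreachable in 6 s
        trace.append(IcmpError(i * 0.5, 4, 3, 1, "203.0.113.5", f"192.0.2.{i}", 445))
    for k, port in enumerate((53, 69, 111, 123, 161, 162, 500, 514, 1900)):
        trace.append(IcmpError(100 + k, 4, 3, 3, "203.0.113.9", "192.0.2.20", port))
    for i in range(1, 9):                           # ICMPv6 address-unreachable sweep
        trace.append(IcmpError(300 + i, 6, 1, 3, "2001:db8:1::bad", f"2001:db8::{i}", None))
    trace.append(IcmpError(200, 4, 3, 1, "198.51.100.2", "192.0.2.250", 22))
    trace.append(IcmpError(3800, 4, 3, 1, "198.51.100.2", "192.0.2.251", 22))
    return trace


if __name__ == "__main__":
    for src, verdict in profile_trace(constructed_trace()).items():
        print(src, verdict)
```

The verdict carries the set of (family, type, code) values seen, so the output can be handed to a correlation engine as one "inbound scanning" signal alongside the other factors the slide lists rather than raised as an alert on its own; a single host-unreachable from a mistyped address, like the benign source in the trace, never crosses the threshold.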
Proposed Research Outcome

• Publish papers (focus on ISI standard) and journal articles based on this technique
• Develop the ICMP based scanning profile algorithm
• Build an ICMP based scanning profile solution (can modify Nmap and add the ICMP profiling algorithm)
References

• www.sunbelt-software.com/ihs/alex/rmbotnets.ppt
• http://www.bothunter.net/doc/users_guide-WIN.html
• http://www.iana.org/assignments/icmpv6-parameters
• http://www.sans.org/security-resources/idfaq/icmp_misuse.php
• "Know your Enemy: Tracking Botnets", Lance Spitzner, http://www.honeynet.org/papers/bots
• http://en.wikipedia.org/wiki/ICMPv6
• http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
• http://en.wikipedia.org/wiki/Stuxnet
• http://en.wikipedia.org/wiki/Duqu
Thank You