capturing malicious bots using a beneficial bot and wiki
DESCRIPTION
ACM SIGUCCS 2012 @ Memphis, 18, Oct.TRANSCRIPT
Capturing Malicious Bots
Using a Beneficial Bot and WikiTakashi Yamanoue, Kentaro Oda,
Koichi ShimozonoKagoshima University
Contents
• Introduction• Implementation• Usage Example• Related Research• Concluding Remarks
Introduction
• A bot– runs automated tasks over the Internet. – usually a malicious application– controlled by a malicious herder
• Herder– the master of the bot
Introduction
• Many resent viruses• are used for recruiting a host into a
botnet– Botnet
• is a collection of malicious bots. – Malicious bots - in a campus LAN
• Leak private information of students, research secrets
• spam other people• attack other web sites via DDos.
Introduction
• A campus with malicious bots– may be considered to be
engaging in criminal activity.
Introduction
• The manager of the campus LAN – has to be careful about malicious bots
and remove the bot quickly when found
Introduction
• A fire-wall and a Network Address Translation (NAT) – enhance network security of a LAN.
Introduction
• NAT or fire-wall– defend the LAN against
intrusion of a malicious bot. – like a house protected
by a door with a key.– Only permitted IP packets may pass
through the fire-wall or the NAT – much like only people who have the key
may pass through the door of the house.
Introduction
Introduction
• When a host in the sub-LAN is compromized by a malicous bot– it is hard to identify the compromized
host from the outside of the LAN, much like it is hard to find a robber who is hidden in the house or the building.
– DHCP and IPv6 with privacy address extension (RFC 3041) also make it difficult
– the IP address is changed dynamically.
Introduction
Introduction
• A campus’s LAN– a central network infrastructure + sub-
LANs. • Some sub-LANs
– may be protected by a fire-wall or a NAT. The Internet Sub-
LAN
Sub-LAN
Sub-LANCentral Network Infrastructure
Introduction
• Network managers sometimes have to find out bots which are hidden in such protected sub-LANs.
Introduction
• One way to realize this is to prohibit use of a fire-wall or a NAT for a sub-LAN.
Introduction
• It is easy to define the rule, but unrealistic because broadband routers with fire-wall or NAT function are so common.
Laws are made to be broken
Introduction
• When malicious communication between a bot in a protected sub-LAN and another host on the outside is discovered by the manager of the central network infrastructure (or the central manager),
?
? ? ??
Introduction
• the central manager usually directs the manager of the sub-LAN to disconnect the sub-LAN from the central network infrastructure immediately.
? ??
Introduction
• The sub-manager inspects all PCs in the sub-LAN using anti-virus software.
? ?
?
Introduction
• Cannot always find the bot because – anti-virus software can not find 0-day
attacks, – the central manager can not observe
the malicious communication in the sub-LAN.
? ?
?
Introduction
• Sometimes, the central manager would like to monitor sub-LANs in order to find the compromized host. The compromized host should be found as quickly as possible.
Introduction
• The central manager can monitor the sub-LAN by re-configuring the LAN.
?
Introduction
• However such re-configuration without care may cause serious trouble. Ex. Loop – Such re-configuration usually takes a
long time.
Introduction
•The manager should have an easy and fast way to monitor and control sub-LANs.
Introduction
• We have made a network security controlling system which uses – a remote security device and – a web site with wiki software.
(PukiWiki)
Introduction
• The device can be deployed fast and easily because it is portable.
Introduction
• The central manager can monitor and control the sub-LAN behind a fire-wall or a NAT easily from a web site with common wiki software, using the remote security device.
Introduction
Introduction
• The remote security device is a kind of bot which is controlled by the central manager.
Introduction
• The device can do the following:– Monitor traffic between hosts in the
sub-LAN and outside hosts.
– Filter out malicious packets of the traffic.
Introduction
– Intercept DNS query packets from the suspicious host and return the IP address of the fake host which pretends the herder’s host.
– Pretend the herder’s host such like returning the fake syn-ack packet to the syn packet from the suspicious host.
Introduction
• The Internet
• Organization’sCentral Networ
k Infrastructure
• The Wiki Site• Porta
ble Remote Security Device
• Sub-LAN
• Auxiliary
Switch
• NAT or Router
• IDS• Fire-Wall
• Virus Infected Host• This Security Controlling System• Original
Connection
• Auxiliary Wi-fi AP
Implementation
Portable Remote Security Device
Implementation
• Filter/Controller– If the packet matches up to a “select
pattern”,• pass through the packet (from one DAQ to
another DAQ) and • send the information of the frame of the
packet to the wiki access engine with the status.
– If the packet matches up to a “drop pattern”,• do not pass through the packet and send
the information of the frame of the packet to the wiki access engin with the status.
– If the packet matches up to a “forward pattern”, • replace the destination IP address and
destination port with the IP address and port of a pseudo application of a pseudo host, and pass the replaced packet to another DAQ.
• Send the information of the frame of the original packet to the wiki access engine with the status.
– Sends a packet to one of the bridges from one of the DAQs. The sending packet is one of the following.• The pseudo syn-ack packet to a syn packet
of dropped packets.• The pseudo DNS answer packet to a DNS
query packet.
Implementation
Usage ExampleBooting and Setting
Usage ExampleBooting and Setting
Usage ExampleBooting and Setting
Usage ExampleBooting and Setting
Usage ExampleMonitoring and
ControllingClick here, and here
Usage ExampleMonitoring and
Controlling
Usage ExampleMonitoring and
Controlling
Usage ExampleCommands and
Results
• get ip=<IP address>• get startsWith <String constant>
– Ex. “PING”, “PONG”, “NIC” , “USER” for IRC.
• lan2wan drop ip=<IP address>• wan2lan drop ip=<IP address>
Usage ExampleCommands and
Results
• lan2wan return-syn-ack ip=<IP address>
• lan2wan forward ip=<IP address 1> to <IP address2>:<Port>
• lan2wan dns-intercept ip=<IP address 1> to <IP address 2>
Usage ExampleCommands and
Results
Usage Example Responding
Infection• The central manager identifies the
suspicious sub-LAN by using an IDS or a firewall or managed security monitoring service.
? ? ??
Usage Example Responding
Infection• The central manager asks the sub-
manager of the sub-LAN to disconnect the NAT or router of the sub-LAN from the central network infrastructure.
? ??
Usage Example Responding
Infection• The central manager writes
commands on the wiki page to capture and filter out the suspicious packets. The manager configures the remote security device to connect the device to the wiki page.
Usage Example Responding
Infection• The central manager sends the
portable sensor device to the sub-manager– after the sub-manager agrees with the
need for identifying the suspicious host. • The sub-manager connects the
remote security device to the sub-LAN and starts it.
?
Usage Example Responding
Infection• The remote security device reads
the commands on the wiki page periodically.
• When the device detects suspicious packets, the device drop the packets and writes information of the packets with the MAC address of the suspicious host in the sub-LAN on the wiki page.
?
Usage Example Responding
Infection• The central manager confirms the
information of the suspicious packets on the wiki page, and if the manager judges the packets to be malicious,
• the central manager asks the sub-manager to disconnect the host from that sub-LAN.
Usage Example Responding
Infection• If the central manager feels more
deep analysis on the traffic, the manager can prepare a telnet server and s/he can write commands for forwarding the packets from the suspicious host to the telnet server on the wiki page.
Usage Example Responding
Infection• When a suspicious packet is
forwarded to the telnet server, the central manager can see the contents of the packet and can response to the packet on the telnet server.
Usage Example Responding
Infection• When the sub-manager cannot
identify the suspicious host, the central manager writes the command, which transfers packets from the host to a notification web server, on the wiki page.
?
Usage Example Responding
Infection• The notification web server
– notifies the user of the suspicious host that the host is suspicious and asks the user of the host to call the sub-manager.
• The sub-manager – disconnects the suspicious host,
Usage Example Responding
Infection
Related research
• Security Monitoring System• Snort• Observing MAC address at the WAN
side• Unix device with two NICs• KASEYA and UNIFAS
Concluding Remarks
• Bot for Bot• An Easy way of incident response• Wiki• Not so stable now for real using
– Hope to have your support, assistant, ..– https://github.com/takashiyamanoue/
TrafficController• Should not turn into dark side.
• Masato Masuya, Takashi Yamanoue, Shinichiro Kubota"An Experience of Monitoring University Network Security Using a Commercial Service and DIY Monitoring" ,Proceedings of the 34nd annual ACM SIGUCCS conference on User services, pp.225-230, Edmonton, Alberta, Canada. 5-8 Nov. 2006.