excerpt: "Main defenses and countermeasures agains botnets"
4
+
excerpt: "Main defenses and countermeasures against botnets"
5
5
date: 2015-12-03 10:00:00
6
6
categories: countermeasures
7
7
---
@@ -13,15 +13,21 @@ Botnet Detection
13
13
14
14
**Botnet detection** deals with the identification of bots in the machine or network so that some sort of remedy can be done.
15
15
16
-
In recent years *botnet detection* has been a hot topic in the research community due to increase in the malicious activity. According to the majority of the common characteristic of a **bot malwareare related to network activities** since the bots require some sort of *interaction with the command and control servers*. Some of the *common activities* one could monitor to detect botnets are:
17
-
> -*opening of specific ports*
18
-
> -*establishing a number of unwanted network connections*
19
-
> -*downloading and executing files and programs*
20
-
> -*creating new processes with well-known names*
21
-
> -*disabling antivirus software*
16
+
In recent years *botnet detection* has been a hot topic in the research community due to increase in the malicious activity. According to the majority of the common characteristic of a **bot malwareare related to network activities** the bots require some sort of *interaction with the command and control servers*. Some of the *common activities* one could monitor to detect botnets are:
17
+
18
+
-*opening of specific ports*
19
+
20
+
-*establishing a number of unwanted network connections*
21
+
22
+
-*downloading and executing files and programs*
23
+
24
+
-*creating new processes with well-known names*
25
+
26
+
-*disabling antivirus software*
22
27
23
28
### Detection techniques
24
29
**Intrusion Detection System** (IDS) is an approach for *botnet detection* that can be either a **signature** or **anomaly-based** technique.
30
+
25
31
#### Signature-Based
26
32
A **signature-based***Botnet detection* technique uses the signatures of current *Botnets* for its detection. This method has several advantages, such as very low false alarm rate, immediate detection, easier to implement and there is better information about the type of detected attack. **Signature based** detection method can only able to detect well known botnets.
27
33
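Review bot: the rewritten list items lose the blockquote but still have no space after the `-` marker (`-*opening of specific ports*`), so Markdown renders each as a paragraph starting with a literal hyphen rather than as a bulleted list; write them as `- *opening of specific ports*` (and the blank `+` lines between items are then unnecessary). The edited sentence also regresses: dropping "since" leaves "According to the majority of the common characteristic of a **bot malwareare related to network activities** the bots require ..." with no main clause and the "malwareare" typo intact. Suggest "Since the majority of the common characteristics of bot malware are related to network activities (bots require some sort of interaction with the command-and-control servers), some of the common activities one could monitor to detect botnets are:". In the unchanged context of the same hunk, "can only able to detect well known botnets" should read "can only detect well-known botnets" and could be fixed in the same pass.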
@@ -36,38 +42,38 @@ The idea behind **anomaly-based** detection approach is to perform botnet detect
36
42
A **host-based technique** is a detection strategy which *monitors* and *analyzes* the internals of a computer system *instead of network traffics* on its external interfaces. In this approach the individual machine is monitored to find any suspicious behavior, including its *processing overhead*, and *access to suspicious files*. If suspicious activity is detected the *Host Intrusion Detection Systems* will alert the user or administrator. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate.
37
43
38
44
A **network-based technique** is a detection strategy which tries to detect Botnets by monitoring network traffics. Network-based techniques can be classified into two categories:
39
-
> -**Active monitoring** -- based on the ability to inject test packets into the network, servers or application for measuring the reactions of network. Hence, it can produce extra traffics on the network. The injected packets can determine whether a human or bot is managing that session. It works in a cause-effect correlation because for a large portion of Botnet command-and-control channels, a command-and-control interaction has a deterministic command response pattern. This technique shows effectiveness on real-world IRC-based Botnet detection.
40
45
41
-
> -**Passive monitoring** -- observe data traffic in the network and look for suspicious communications that may be provided by bots or command-and-control servers. It does not increase the traffics on the network for inspection.
46
+
-**Active monitoring** -- based on the ability to inject test packets into the network, servers or application for measuring the reactions of network. Hence, it can produce extra traffics on the network. The injected packets can determine whether a human or bot is managing that session. It works in a cause-effect correlation because for a large portion of Botnet command-and-control channels, a command-and-control interaction has a deterministic command response pattern. This technique shows effectiveness on real-world IRC-based Botnet detection.
42
47
43
-
To access the command-and-control server, bots perform DNS queries to locate the particular server that a DDNS (Dynamic DNS) provider typically hosts. It is thus possible to create a detection mechanism that monitors DNS traffic and searches for some DNS anomalies. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes.
48
+
-**Passive monitoring** -- observe data traffic in the network and look for suspicious communications that may be provided by bots or command-and-control servers. It does not increase the traffics on the network for inspection.
44
49
45
-
List of tool to detect botnets....
50
+
To access the command-and-control server, bots perform DNS queries to locate the particular server that a DDNS (Dynamic DNS) provider typically hosts. It is thus possible to create a detection mechanism that monitors DNS traffic and searches for some DNS anomalies. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes.
46
51
47
52
48
53
### Botnet countermeasures
49
54
50
-
Defense against Bots and Botnets is carried out by application of certain strategies. All the Internet users are responsible for defense, starting from home or business computer users, system administrators, developers, up to web administrators and ISPs. The defense must be considered as a permanent and comprehensive process in which all the activities must be proactive. This is the only way to achieve good results and to protect computers, i.e. Web services/applications against the activities with bad intentions.
55
+
Defense against botnets is carried out by application of certain strategies. All the Internet users are responsible for defense, starting from home or business computer users, system administrators, developers, up to web administrators and ISPs. The defense must be considered as a permanent and comprehensive process in which all the activities must be proactive. This is the only way to achieve good results and to protect computers, i.e. Web services/applications against the activities with bad intentions.
56
+
57
+
**Countermeasures** against *botnet* can be broadly classified into two approaches:
58
+
59
+
- Technical approaches
51
60
52
-
**Countermeasures** against *botnet treats* can be broadly classified into two approaches:
53
-
\item technical approaches
54
-
\item social and regulatory approaches
61
+
- Social and regulatory approaches
55
62
56
63
#### Technical Approach
57
64
58
-
Most of **Botnet countermeasures** focus on the commandand-control infrastructure of botnets by *filtering botnetrelated traffic*, *sinkholing domains* with the assistance of DNS registrars or *obtaining the shutdown of malicious servers* in data centers. The *technical botnet defense approach* includes __*Blacklisting, Packet Filtering, Reverse Engineering and Port Blocking*__.
65
+
Most of **botnet countermeasures** focus on the commandand-control infrastructure of botnets by *filtering botnet related traffic*, *sinkholing domains* with the assistance of DNS registrars or *obtaining the shutdown of malicious servers* in data centers. The *technical botnet defense approach* includes __*Blacklisting, Packet Filtering, Reverse Engineering and Port Blocking*__.
59
66
60
67
#### Blacklisting
61
68
A **blacklist** may provide single IP addresses of malicious hosts or whole subnets showing suspicious activities. A **blacklist** can be used to block all traffic from included addresses and also to filter websites with suspicious or proven malicious contents.
62
69
63
-
**For exemple**, the *Spamhaus Project* provides various real-time lists that assist in identifying and blocking attempts by malicious activities. **Spamhaus Block List** (SBL) and the **Domain Block List** (DBL) contain a collection of IP addresses and domain names respectively from which incoming e-mail should not be accepted.
70
+
**For example**, the *Spamhaus Project* provides various real-time lists that assist in identifying and blocking attempts by malicious activities. **Spamhaus Block List** (SBL) and the **Domain Block List** (DBL) contain a collection of IP addresses and domain names respectively from which incoming e-mail should not be accepted.
64
71
65
-
#####Packet Filtering
72
+
#### Packet Filtering
66
73
The **packet filtering** can be applied at a host, network and ISP level. A typical component that performs packet filtering at host level is a *desktop firewall*. Its purpose is to monitor the network activities of all active processes. As the amount of traffic at host level is usually manageable, deep-packet inspection is applicable. Often, user or administrator interaction is required to allow or deny network access for certain applications, if no suitable rules have been specified for them yet.
67
74
68
-
##### Reverse Engineering
69
-
Recovering the functionality of a program without the source code is known as **reverse engineering**. The
70
-
malware reverse engineering technique helps in extracting the details of the installation and spreading of malware. The process involves static analysis and dynamic analysis. In case of static analysis, the binary is not executed. This phase deals with the reconstruction of certain aspects of the functionality. The dynamic analysis deals with the execution of the sample. The behavior of the malware can be determined by monitoring the host.
75
+
#### Reverse Engineering
76
+
Recovering the functionality of a program without the source code is known as **reverse engineering**. The malware reverse engineering technique helps in extracting the details of the installation and spreading of malware. The process involves static analysis and dynamic analysis. In case of static analysis, the binary is not executed. This phase deals with the reconstruction of certain aspects of the functionality. The dynamic analysis deals with the execution of the sample. The behavior of the malware can be determined by monitoring the host.
71
77
72
-
#####Port Blocking
73
-
**Port blocking** is a preventive measure that can be applied by ISPs to reducing the amount of spam mails traversing their network. The use of unauthenticated services via port 25, like direct mail exchange or open relay mail servers is almost exclusively for spam distribution purposes. Hence, blocking port 25 at ISP level has been recommended as best practice.
78
+
#### Port Blocking
79
+
**Port blocking** is a preventive measure that can be applied by ISPs to reducing the amount of spam mails traversing their network. The use of unauthenticated services via port 25, like direct mail exchange or open relay mail servers is almost exclusively for spam distribution purposes. Hence, blocking port 25 at ISP level has been recommended as best practice.
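Review bot: the heading-level change goes the wrong way: Blacklisting, Packet Filtering, Reverse Engineering and Port Blocking are subsections of `#### Technical Approach`, so they should stay at `#####` (the original defect was only the missing space in `#####Packet Filtering` and `#####Port Blocking`); lowering them to `####` makes them siblings of Technical Approach. The same missing-space problem as in the earlier hunk applies to `-**Active monitoring** -- ...` and `-**Passive monitoring** -- ...`, which will not render as list items; use `- **Active monitoring** -- ...`. Replacing the stray LaTeX `\item` lines with a Markdown list for the two countermeasure approaches is correct. Typos carried through unchanged: "commandand-control" should be "command-and-control", "traffics" should be "traffic" (several places), and "to reducing the amount of spam mails" should be "to reduce the amount of spam mail". Deleting the "List of tool to detect botnets...." placeholder is fine, though a TODO marker would make it clear whether the tool list is still planned.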