Handling Botnets
CS 236
Advanced Computer Security
Peter Reiher
April 15, 2008
CS 236, Spring 2008
Lecture 3
Page 1
Groups for This Week
1. Golita Benoodi, Vishwa Goudar, Kuo-Yen Luo
2. Darrell Carbajal, Aaron Hall, Ioannis Pefkianakis
3. Andrew Castner, Jih Fan, Hootan Nikbakht
4. Chia-Wei Chang, Nikolay Laptev, Min-Hsieh Tsai
5. Chien-Chia Chen, Abishek Jain, Zhen Huang
6. Yu Yuan Chen, Chen-Kuei Lee, Peter Wu
7. Dae-Ki Cho, Chieh-Ning Lien, Faraz Zahabian
8. Michael Cohen, Jason Liu, Peter Peterson
Outline
• The botnet problem
• Detecting bots
• An approach to handling bots
The Botnet Problem
• A botnet is a collection of
compromised machines
• Under control of a single person
• Using distributed system techniques
• Used to perform various forms of
attacks
– Usually those requiring lots of power
What Are Botnets Used For?
• Spam
• Distributed denial of service attacks
• Hosting of pirated content
• Hosting of phishing sites
• Harvesting of valuable data
– From the infected machines
• Much of their time spent on spreading
Botnet Software
• Each bot runs some special software
– Often built from a toolkit
• Used to control that machine
• Generally allows downloading of new
attack code
– And upgrades of control software
• Incorporates some communication method
– To deliver commands to the bots
Botnet Communications
• Originally very unsophisticated
– All bots connected to an IRC channel
– Commands issued into the channel
• Starting to use peer technologies
– Similar to some file sharing systems
– Peers, superpeers, resiliency mechanisms
– Storm’s botnet uses peer techniques
• Stronger botnet security becoming common
– Passwords and encryption of traffic
Botnet Spreading
• Originally via worms and direct break-in attempts
• Increasingly through phishing and Trojan horses
– E.g., the Mega-D and Pandex botnets
• Regardless of details, almost always
automated
Characterizing Botnets
• Most commonly based on size
– Reliable reports of botnets of tens of
thousands of nodes
– Less reliable reports of botnets with
hundreds of thousands
• Controlling software also important
• Other characteristics less examined
Footprint vs. Effective Size
• Most botnets aren’t as powerful as their reported
sizes suggest
• Only part of the botnet is available at any time
– Some machines go offline
– Control servers reach capacity
– Some machines are cleaned up
• Footprint is total size
• Effective size is how many machines are on-line at
once
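To make the footprint/effective-size distinction concrete, here is an added example (not code from the lecture) that computes both from constructed bot sightings: the footprint counts distinct addresses ever seen, while the effective size is the peak number of addresses whose on-line intervals overlap, found with a sweep over interval endpoints.

```python
"""Added example (not from the lecture): footprint versus effective size.

Each constructed sighting records an address and the interval during which
that bot was observed on-line.  Footprint is the number of distinct
addresses; effective size is the largest number on-line at one moment.
"""

# Constructed sightings: (address, online_from, online_until), in seconds.
SIGHTINGS = [
    ("198.51.100.10", 0, 300),
    ("198.51.100.10", 600, 900),   # same bot, back on-line later
    ("198.51.100.23", 100, 400),
    ("203.0.113.5", 200, 250),
    ("203.0.113.9", 350, 700),
    ("203.0.113.77", 650, 800),
]


def footprint(sightings):
    """Total size: distinct addresses ever observed."""
    return len({addr for addr, _, _ in sightings})


def effective_size(sightings):
    """Peak number of bots on-line at once (sweep-line over interval endpoints).

    A bot going off-line at time t is processed before one coming on-line
    at t, so intervals that merely touch are not counted as overlapping.
    """
    events = []
    for _, start, end in sightings:
        events.append((start, 1))
        events.append((end, -1))
    events.sort(key=lambda e: (e[0], e[1]))  # -1 sorts before +1 at equal times
    online = peak = 0
    for _, delta in events:
        online += delta
        peak = max(peak, online)
    return peak


def availability(sightings, horizon):
    """Average fraction of the footprint that is on-line over [0, horizon)."""
    online_time = sum(min(end, horizon) - max(start, 0)
                      for _, start, end in sightings
                      if end > 0 and start < horizon)
    return online_time / (horizon * footprint(sightings))
```

With the constructed data, five distinct addresses are seen but at most three are on-line at the same time, and on average less than a third of the footprint is available, which is the gap between reported and usable size the slide describes.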
What Do You Do About Botnets?
• A very good question
• Without any good answers, so far
• Hot topic for research for some years
• Without commensurate good answers coming from the research community
Why Are Botnets Hard to Handle?
• Scale
• Anonymity
• Legal and international issues
• Fundamentally, if a node is known to be a bot, what then?
– How are we to handle huge numbers of infected nodes?
An Important Characteristic of Most Bots
• They belong to legitimate users
– Who typically are unaware of
infection
• Legitimate user still uses machines for
legitimate purposes
• Proportion of total traffic representing
the bot activities could be small
A Consequence of This Characteristic
• Nuking bots is not an attractive option
– Either disabling the machines
– Or dropping all their packets
• You throw out the baby with the bath
water
• Many sites would prefer to see traffic
from known bot sites
Possible Approaches to Handling Botnets
• Clean up the nodes
– Can’t force people to do it
• Interfere with botnet operations
– Difficult and possibly illegal
• Shun bot nodes
– But much of their activity is legitimate
– And no good techniques for doing so
Identifying Bots
• An important first step
• How can we determine which nodes
are bots?
• And which belong to which botnets?
• The most successful area of current
botnet research
– Other than building them . . .
Core of the Common Approach
• Use honeypots/honeynets
• Seek to “become infected”
• Watch behavior of your infected
machine
– Especially network communications
• Also, analyze bot code for hints
For Example,
• Bots often communicate via IRC
• For given botnet, which IRC channel?
– At which IRC server?
• Both can be determined by watching
“captured” bot’s communications
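What "watching the captured bot's communications" yields in practice is shown by the following added example (not code from the lecture). It assumes a capture format of one IRC message per line, written as `src:port > dst:port | message`, which is an assumption of this example rather than any standard tool's output, and the traffic itself is constructed with TEST-NET addresses to look like a freshly infected honeypot at 10.0.0.5 checking in. From it the code recovers the IRC server, the channel and its key, and the commands the bot received.

```python
"""Added example (not from the lecture): extracting IRC C&C details from a
captured bot's traffic.

Capture format (an assumption of this example): 'src:port > dst:port | msg'.
The lines are constructed; the bot's honeypot host is 10.0.0.5.
"""
import re

CAPTURE = """\
10.0.0.5:1045 > 203.0.113.7:6667 | NICK [USA|XP]84731
10.0.0.5:1045 > 203.0.113.7:6667 | USER abc 0 0 :abc
203.0.113.7:6667 > 10.0.0.5:1045 | :irc.example.net 001 [USA|XP]84731 :Welcome
10.0.0.5:1045 > 203.0.113.7:6667 | JOIN #cmd s3cret
203.0.113.7:6667 > 10.0.0.5:1045 | :[USA|XP]84731!abc@10.0.0.5 JOIN :#cmd
203.0.113.7:6667 > 10.0.0.5:1045 | :irc.example.net 332 [USA|XP]84731 #cmd :.scan.start dcom 100
203.0.113.7:6667 > 10.0.0.5:1045 | :herder!h@198.51.100.9 PRIVMSG #cmd :.ddos.syn 192.0.2.10 80 600
203.0.113.7:6667 > 10.0.0.5:1045 | :herder!h@198.51.100.9 PRIVMSG #cmd :.update http://198.51.100.9/bot.exe
203.0.113.7:6667 > 10.0.0.5:1045 | PING :irc.example.net
10.0.0.5:1045 > 203.0.113.7:6667 | PONG :irc.example.net
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) \| (?P<msg>.*)$")
# IRC message: optional ':prefix', a command or numeric, then parameters.
MSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc_params(params):
    """Split IRC parameters; a parameter beginning with ':' is the trailing one and may contain spaces."""
    if params is None:
        return []
    if params.startswith(":"):
        return [params[1:]]
    head, sep, trailing = params.partition(" :")
    out = head.split()
    if sep:
        out.append(trailing)
    return out


def extract_cnc(capture, honeypot):
    """Return server address/port/name, the bot's nick, channels (with keys) and received commands."""
    info = {"server_addr": None, "server_port": None, "server_name": None,
            "nick": None, "channels": {}, "commands": []}
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = MSG_RE.match(m["msg"])
        if not msg:
            continue
        cmd, params, prefix = msg["cmd"].upper(), parse_irc_params(msg["params"]), msg["prefix"]
        if m["src"] == honeypot:  # traffic sent by the bot
            if cmd == "NICK" and params:
                info["nick"] = params[0]
                info["server_addr"], info["server_port"] = m["dst"], int(m["dport"])
            elif cmd == "JOIN" and params:
                # 'JOIN #chan key': the key is the channel password the slides mention
                info["channels"][params[0]] = params[1] if len(params) > 1 else None
        else:  # traffic sent to the bot
            if cmd == "001" and prefix:
                info["server_name"] = prefix  # the server names itself in the welcome numeric
            elif cmd == "332" and len(params) >= 3:
                info["commands"].append(("topic", params[1], params[2]))  # standing command in the topic
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] in info["channels"]:
                sender = prefix.split("!", 1)[0] if prefix else None
                info["commands"].append((sender, params[0], params[1]))
    return info
```

The channel topic is recorded as a command as well as PRIVMSGs, because IRC bots commonly read their standing orders from the topic on join; a capture that only looked at PRIVMSG lines would miss the `.scan.start` instruction above.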
Bots and Crypto
• Some bots have started to encrypt
communications
• Captured bot might have the key stored
internally, though
• Similarly, might have password
required to contact other bots
Another Approach
• Predict which nodes will become bots
• By understanding how likely they are
to be recruited
• Based on how “uncleanly” a network
they live in
• Badly managed networks tend to have
compromised machines
How Well Does This Work?
• Generally very accurate at positive
identifications
– Usually not wrong when a bot is
identified
• Those doing the watching are typically
looking at small part of Internet
– So they might be missing stuff
• Also might be missing “stealth” bots
– Though no data to suggest that
So, What Do We Do About Bots?
• Nothing special, they aren’t really a
new threat
• Clean up as many machines as possible
• Get inside them and rot them from
within
• Attack back?
• Drop all their packets?
Another Solution
• Inspired by RFC 3514
• Which introduced what is commonly
called “the evil bit”
• Required (by standard) that attackers
set a particular bit in their attack
packets
• Allowing the network to identify them
• This RFC was released April 1, 2003 . . .
But Think About It
• Wouldn’t it be nice if bad packets did
have an evil bit set?
• It’s ridiculous to assume attackers will
set it
• But maybe someone else can?
• Perhaps by knowing which nodes send
evil packets?
Bot Identification and Packet Marking
• We’re good (relatively) at identifying
bots
• Why not use that knowledge to help us
identify dangerous packets?
• By having a router on the path mark
the bits
– Based on lists of known bots
Infamy
• A proposed system to do this
• Lives “somewhere in the network”
– Maybe at ingress point
– Maybe at egress point
– Maybe in the core
• Gets reliable list of bot addresses
• Marks all packets from those addresses
Infamy in Operation
[Diagram: packets from source addresses 1.2.3.4, 1.36.7.125 and 1.133.2.8 pass through an Infamy marking point, which marks those whose source address is on its bot list.]
And What Do We Do With That?
• Whatever we want
– Drop it
– Ignore the mark and accept it
– Examine it carefully
Advantages of Infamy
• Doesn’t mandate handling of packet
• Customizable for different situations
• More tolerant of false positives
• Can be located at many places in network
• Would allow those who care to be
protected from botnet nodes
Possible Infamy Network Locations
• Near ingress
– Mark packets as they leave your
network
• In core
– Mark packets in transit
• Near egress
– Mark packets as they enter your
network
What’s The Mark?
• At the simplest, one bit
• Chosen from a couple of reserved bits
• But it could be more complicated
• Could steal the IP identification field
– Like everyone else
– Giving 16 bits of info
Issues for Infamy
• Where do you get the botnet identities?
• Specifics of design for various
locations
– Especially in core routers
• How do you use multiple bits of mark?
• What interesting things can you do
with a marked packet?
Obtaining Botnet Identities
• One oracle?
– Where’s it get its knowledge?
• Distributed system
– How do you combine listings?
– Trust issues?
• Do you age the list?
– At oracle?
– At Infamy marking site?
• How do you handle mistakes?
Design Specifics
• Scaling and other table design issues
• Degree of aggregation
• Can you mark fast enough?
– If not, is inaccuracy OK?
– What kinds and how much?
Using Multiple Bits
• What for?
• Certainty?
• Age?
• Degree of evil?
• “Flavor” of evil
– Spam vs. DDoS vs. scanning vs. . . .
• Type of botnet?
What Do You Do With Marks?
• Nothing
• Drop marked packets
• Deliver to IDS system
– In series or parallel
• Use at application level?
– How?
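The slides "What's The Mark?", "Obtaining Botnet Identities" (aging the list), "Design Specifics" (aggregation) and "What Do You Do With Marks?" together describe one mechanism, shown end to end in the following added example. It is not code from the lecture or from any Infamy prototype: it builds raw IPv4 headers, looks the source address up in a bot list of prefixes with expiry times, writes the mark either as the reserved flag bit (the bit RFC 3514 called the evil bit) or as a 16-bit value in the identification field, recomputes the header checksum, and lets a receiver apply its own policy to the mark. All addresses, packets and list entries are constructed for illustration.

```python
"""Added example (not code from the lecture or from any Infamy prototype):
an Infamy-style marking point plus a receiver that acts on the mark.

Builds raw IPv4 headers, looks the source up in an aged, prefix-keyed bot
list, writes the mark as one bit (the reserved flag bit) or as a 16-bit
value in the IP identification field, and recomputes the checksum.  The
receiver drops, accepts or sets the packet aside for inspection according
to a per-site policy.  Addresses, packets and the list are constructed.
"""
import ipaddress
import struct

EVIL_BIT = 0x8000  # high-order (reserved) bit of the flags/fragment-offset word


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes = b"", ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 17, TTL 64) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                0, 64, 17, 0, ipaddress.ip_address(src).packed,
                                ipaddress.ip_address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


class BotList:
    """Bot prefixes with expiry times, so listings age out rather than living forever."""

    def __init__(self):
        self._entries = {}  # ip_network -> (expires_at, mark)

    def add(self, prefix: str, mark: int, expires_at: float) -> None:
        self._entries[ipaddress.ip_network(prefix)] = (expires_at, mark)

    def lookup(self, addr, now: float) -> int:
        """Mark of the longest unexpired prefix containing addr, or 0 if none."""
        ip = ipaddress.ip_address(addr)
        best_len, best_mark = -1, 0
        for net, (expires_at, mark) in self._entries.items():
            if now < expires_at and ip in net and net.prefixlen > best_len:
                best_len, best_mark = net.prefixlen, mark
        return best_mark


def mark_packet(packet: bytes, bots: BotList, now: float, mode: str = "bit") -> bytes:
    """Marking point: rewrite the header when the source address is listed."""
    ihl = (packet[0] & 0x0F) * 4
    mark = bots.lookup(packet[12:16], now)
    if mark == 0:
        return packet  # not a known bot: pass through untouched
    hdr = bytearray(packet[:ihl])
    if mode == "bit":
        flags = struct.unpack_from("!H", hdr, 6)[0]
        struct.pack_into("!H", hdr, 6, flags | EVIL_BIT)
    elif mode == "id":
        struct.pack_into("!H", hdr, 4, mark & 0xFFFF)  # steal the identification field
    else:
        raise ValueError("unknown mark mode: %s" % mode)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def read_mark(packet: bytes, mode: str = "bit") -> int:
    """Receiver side: recover the mark written by mark_packet (0 means unmarked)."""
    if mode == "bit":
        return 1 if struct.unpack_from("!H", packet, 6)[0] & EVIL_BIT else 0
    return struct.unpack_from("!H", packet, 4)[0]


# The mark mandates nothing; each receiving site picks its own policy.
def policy_ignore(mark: int) -> str:
    return "accept"


def policy_drop(mark: int) -> str:
    return "drop" if mark else "accept"


def policy_inspect(mark: int) -> str:
    return "inspect" if mark else "accept"  # e.g. divert to an IDS


def receive(packet: bytes, policy, mode: str = "bit") -> str:
    return policy(read_mark(packet, mode))
```

Two caveats a deployment would have to face: the identification field is also used for fragment reassembly and by other marking schemes ("like everyone else"), so a 16-bit mark there is only meaningful when the receiver knows the field has been overwritten, and a set reserved bit may be dropped or cleared by middleboxes on the path before it reaches anyone who cares about it.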