427 Botnet fm qxd

Introduction
Botnets can be difficult to detect in a network, but recently, Portland State
University’s Jim Binkley, a professor and network security engineer, modified
a tool called ourmon to detect the presence of botnets using network traffic
analysis.The basic idea is that ourmon detects network anomalies based on
hosts that are attacking other hosts via denial-of-service (DoS) attacks or by
network scanning. It can then correlate this information with IRC channels
and tell you if an entire IRC channel (set of communicating hosts) is suspi-
cious.Thus, it is possible to find an entire set of infected hosts at one time.
Ourmon is an open source tool. Originally, it was designed for network
monitoring but after a period of time it was discovered that it was also an
anomaly-based tool, meaning that once you knew what was normal, you
could begin to get suspicious about what was abnormal (anomalous).
Ourmon is a network-based tool and not a per-host tool like a garden-variety
virus detector. It typically is used to tell you the state of all the hosts in an
enterprise from one vantage point (the logical network center) and can be
viewed as a statistical network trend indicator.
In this chapter and subsequent chapters we are going to take a look at
various aspects of ourmon that pertain to low-level anomaly detection and
higher-level detection of botnets. We will do this by looking at ourmon and
how it works and also by looking at a few botnet-related case histories. Here
is our chapter plan for the chapters on ourmon.
■

Download 6,98 Mb.

Do'stlaringiz bilan baham: