Cyber Crime and Cyber Terrorism

partners (PPI business model) (

Download 5,67 Mb.

Pdf ko'rish

bet	244/283
Sana	19.05.2022
Hajmi	5,67 Mb.
	#604880

1 ... 240 241 242 243 244 245 246 247 ... 283

Bog'liq
Cyber crime and cyber terrorism investigators handbook by Babak

BOTNETS HOW DO THEY WORK. NETWORK TOPOLOGIES AND PROTOCOLS
Margin Margin Prima ry Activities Support Activities FIGURE 17.5

partners (PPI business model) (
Figure 17.5
).
BOTNETS HOW DO THEY WORK. NETWORK TOPOLOGIES AND
PROTOCOLS
As mentioned in the introduction a botnet is a network of infected computers (bots
or zombies) managed by attackers, through one or more Command & Control Server
and due to the inoculation of malware. The controller of a botnet, also known as
Botmaster, controls the activities of the entire structure (from specific orders to soft-
ware updates) through different communication channels.
The level of diffusion of the botnets depends on the capabilities of botmasters to
involve the largest number of machines trying to hide both the activities of the mali-
cious architecture and the location of the C&C servers.
We will not make reference to infection or dissemination practices of the payload
because already mentioned in the introduction (e.g., Blackhole) and because it is
intimately linked to the exploitation of the vulnerabilities of compromised systems
(out of scope).
Trying to categorize the concept of botnet is not an easy task. There are many
purposes for which these architectures are designed and created. They inevitably
influence factors such as the malware used to compromise victims, rather than the
technology involved (
Balapure, 2013
;
Paganini, P., 2013a, 2013b, 2013c
).
Firm Infrastructure
Human Resource Management
Technological Development
Procurement
Inbound Logistics
Opera
tions
Outbound Logistics
Mar
keting and Sales
Ser
vice
Margin
Margin
Prima
ry
Activities
Support Activities
FIGURE 17.5
The Porter's value chain.

241

Botnets how do they work. Network topologies and protocols
Botnets could be discriminated, for example, by their architecture. Some networks
are based on one or more C&C, every bot is directly connected with Command &
Control servers. The C&C manages a list of infected machines, monitors their status
and gives them operative instructions.
This type of architecture is quite simple to organize and manage, but has the
drawback of being very vulnerable, since turning-off the C&C server(s) would cause
the malfunction of the entire botnet. The server(s) in fact represent a single point of
failure since the operation of the whole botnet is functional to the capacity of its bots
to reach the control systems.
Initially C&C IP addresses were hardcoded into each bot, which made their iden-
tification easier and resulted in their eventual disruption by researchers, but the “at-
tackers” learn from their failures every time. For example a natural evolution could
be the use of a reverse proxy (in some environments called rendez-vous point) to ad-
dress a C&C server. In this way is easier to hide C&C IP addresses and the botmaster
identities (but we have just moved the single point of failure from the C&C to the
Reverse Proxy). This is the case of centralized architectures (
Figure 17.6
).
A more radical and increasingly popular way to increase botnet resilience is to
organize the botnet in decentralized architectures as a Peer-to-Peer (P2P) network.
In a P2P botnet, bots connect to other bots to exchange C&C traffic, eliminating the
need for centralized servers. As a result, P2P botnets cannot be disrupted using the
traditional approach of attacking centralized infrastructures.

Download 5,67 Mb.

Do'stlaringiz bilan baham:

1 ... 240 241 242 243 244 245 246 247 ... 283