250
CHAPTER 17
Responding to cyber
crime and cyber terrorism
Even behavioral analysis, however, is not easy to manage. A lot of work has already been done on the analysis of standard protocols (typically layers 4 and 5 of the TCP/IP stack) in order to distinguish legitimate traffic from botnet traffic. Unfortunately, the increasing use of strong encryption and of traffic customization/obfuscation techniques (as we shall see in the next section) will make this work ineffective in the medium to long term, not least because much of the work mentioned in this paragraph has proved effective only for specific botnet architectures.
First of all, from an operational standpoint, the necessary (though probably not sufficient!) condition for being ready to deal with an in-progress botnet attack, taking as examples the two paradigmatic cases of a spam campaign and a DDoS, is to verify that:
• the firewall facing the Internet has Intrusion Detection/Prevention System capabilities and a throughput greatly over-provisioned compared with normal working conditions and the available Internet bandwidth;
• the antispam system is configured as strictly as possible (e.g., only accept messages from MTAs whose DNS MX, PTR and A records are correctly configured);
• your Internet Service Provider is equipped with monitoring tools that promptly highlight surges of traffic towards your Internet services and, in the worst cases, can quickly disable entire portions of the Internet (e.g., all international routes) to temporarily reduce the firepower of the botnet.
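The antispam condition above (accept mail only from MTAs whose PTR, A and MX records are consistent) can be expressed as a small policy check. The following is an added example, not code from the chapter: it uses a constructed in-memory DNS table so that it runs offline, and the hostnames and addresses in it are hypothetical. A real deployment would replace the dictionary lookups with live DNS queries.

```python
"""Forward-confirmed reverse DNS plus MX consistency check for a connecting MTA.

Added example (not from the chapter). The DNS data below is constructed for
the example; a production version would resolve the records live.
"""
import ipaddress

# Constructed DNS table (hypothetical names and documentation-range addresses).
DNS = {
    "PTR": {
        "192.0.2.10": "mail.example.net",  # PTR -> A -> same IP, listed as MX: accept
        "192.0.2.20": "mail.example.org",  # PTR exists but A record points elsewhere
        # 192.0.2.30 has no PTR record at all
        "192.0.2.40": "mx1.example.com",   # consistent PTR/A, but not an MX of its domain
    },
    "A": {
        "mail.example.net": ["192.0.2.10"],
        "mail.example.org": ["192.0.2.99"],
        "mx1.example.com": ["192.0.2.40"],
    },
    "MX": {
        "example.net": ["mail.example.net"],
        "example.org": ["mail.example.org"],
        "example.com": ["mx2.example.com"],
    },
}


def _domain_of(hostname):
    """Naive registrable-domain guess (last two labels); a simplification for the example."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def evaluate_mta(ip, dns=DNS):
    """Return (accept, reason) for the IP address of a connecting MTA.

    Policy: the IP must have a PTR record, the PTR name must resolve back to
    the same IP (forward-confirmed reverse DNS), and the host must be listed
    as an MX for its own domain.
    """
    ip = str(ipaddress.ip_address(ip))  # normalises the textual form
    ptr = dns["PTR"].get(ip)
    if ptr is None:
        return False, "no PTR record"
    if ip not in dns["A"].get(ptr, []):
        return False, f"PTR {ptr} does not resolve back to {ip}"
    domain = _domain_of(ptr)
    if ptr not in dns["MX"].get(domain, []):
        return False, f"{ptr} is not an MX for {domain}"
    return True, f"{ptr} passes PTR/A/MX consistency"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(addr, evaluate_mta(addr))
```

The MX requirement is the strictest of the three tests: many legitimate senders relay outbound mail through hosts that are not their domain's MX, so in practice it is often enforced as a score rather than a hard reject, while the PTR/A round-trip check is the one most commonly applied as a firm rule.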
Regarding the goals to be achieved, we first need to distinguish two different approaches. Network and security administrators usually have an interest in detecting the presence of bots and C&C servers on their networks or in withstanding a botnet attack (mitigation), while researchers focus their attention on the direct identification of the botnet itself (payload, architecture, protocols, criminal capabilities, etc.), on its vulnerabilities and, consequently, on its disruption.
In regards to the methodology used, botnet hunting methods can be divided into two key categories:
• Passive: such capabilities are usually organized with network monitoring solutions within corporate LANs. These techniques are essentially based on statistical analysis of both TCP and UDP traffic, on the analysis of specific application protocols such as HTTP or DNS, as well as on the pattern recognition of specific keywords or IP addresses to be put on a blacklist.
• Active: these techniques are usually based on scanning, crawling or sinkholing of IP address ranges, probing for the presence of bots and/or C&C peers by analysing the answers to specific queries (usually via a honeynet). These practices also attempt to exploit any vulnerabilities in the protocols or C&C servers.
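The three passive techniques just listed (blacklist pattern matching, per-host DNS statistics and statistical analysis of TCP connection timing) can be illustrated on a handful of log lines. The block below is an added example, not the chapter's code: the log format, the blacklist entries, the hosts and the thresholds are all constructed for the example, and the beaconing test (near-constant intervals between connections to the same destination) is one common statistical heuristic rather than the only one.

```python
"""Passive botnet indicators over constructed DNS/flow log lines.

Added example (not from the chapter). Log format assumed for the example:
"<epoch> <src_ip> <proto> <dst_ip>:<port> <qname-or-dash>".
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log: one normal host, one beaconing host, one noisy DNS host.
SAMPLE_LOG = """\
1000 10.0.0.5 UDP 192.0.2.53:53 www.example.com
1002 10.0.0.5 UDP 192.0.2.53:53 mail.example.com
1300 10.0.0.7 UDP 192.0.2.53:53 c2.bad-domain.test
1600 10.0.0.7 TCP 198.51.100.9:6667 -
1900 10.0.0.7 TCP 198.51.100.9:6667 -
2200 10.0.0.7 TCP 198.51.100.9:6667 -
2500 10.0.0.7 TCP 198.51.100.9:6667 -
1010 10.0.0.9 UDP 192.0.2.53:53 a1b2c3.example.net
1011 10.0.0.9 UDP 192.0.2.53:53 d4e5f6.example.net
1012 10.0.0.9 UDP 192.0.2.53:53 g7h8i9.example.net
1013 10.0.0.9 UDP 192.0.2.53:53 j0k1l2.example.net
1014 10.0.0.9 UDP 192.0.2.53:53 m3n4o5.example.net
1015 10.0.0.9 UDP 192.0.2.53:53 p6q7r8.example.net
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (TCP|UDP) (\S+):(\d+) (\S+)$")
DOMAIN_BLACKLIST = {"c2.bad-domain.test"}  # constructed
IP_BLACKLIST = {"198.51.100.9"}            # constructed


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, proto, dst, port, qname = m.groups()
        events.append({"ts": int(ts), "src": src, "proto": proto, "dst": dst,
                       "port": int(port), "qname": None if qname == "-" else qname})
    return events


def blacklist_hits(events):
    """Pattern-matching technique: known-bad domains and IP addresses."""
    hits = set()
    for e in events:
        if e["qname"] in DOMAIN_BLACKLIST:
            hits.add((e["src"], "domain", e["qname"]))
        if e["dst"] in IP_BLACKLIST:
            hits.add((e["src"], "ip", e["dst"]))
    return sorted(hits)


def beaconing_hosts(events, min_conns=4, max_cv=0.1):
    """Statistical technique: flag (src, dst, port) tuples whose inter-connection
    intervals are nearly constant (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP":
            by_pair[(e["src"], e["dst"], e["port"])].append(e["ts"])
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append((pair, round(mean, 1)))
    return flagged


def noisy_dns_hosts(events, threshold=5):
    """Protocol-statistics technique: hosts issuing more than `threshold` DNS queries."""
    counts = defaultdict(int)
    for e in events:
        if e["qname"] is not None:
            counts[e["src"]] += 1
    return sorted(h for h, n in counts.items() if n > threshold)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("blacklist:", blacklist_hits(ev))
    print("beaconing:", beaconing_hosts(ev))
    print("noisy DNS:", noisy_dns_hosts(ev))
```

Each detector is independent so that a host can be scored on several weak signals at once; the thresholds (four connections, 10% timing variance, five queries) are placeholders that a real deployment would tune against its own baseline traffic.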
As previously mentioned, we can assume that botnets are different from other forms of malware in that they use C&C channels, which are the essential mechanism that allows a botmaster to direct the actions of bots in a botnet. As such, the C&C channel