Cyber crime and cyber terrorism investigators handbook by Babak

COUNTERMEASURES FOR FIGHTING BOTNETS OR MITIGATING BOTNET EFFECTS
Due to the high level of customization of malware, it is quite difficult to adopt an effective and efficient countermeasure through code analysis and fingerprint definition, which, of course, is what well-known antivirus systems practice. So we need methods that analyze malware behavior (regardless of the architectures and protocols used, bots need to contact their C&C: you can hide everything except the network traffic!).
250 CHAPTER 17 Responding to cyber crime and cyber terrorism
Even behavioral analysis, however, is not easy to manage. Typically, a lot of work has already been done in the analysis of standard protocols (typically levels 4 and 5 of the TCP/IP stack) in order to distinguish legitimate traffic from botnet traffic.
Unfortunately, the increasing use of strong encryption and of traffic customization/obfuscation techniques (as we shall see in the next section) will make this work ineffective in the medium to long term, especially because much of the work mentioned in this paragraph has shown good results only for specific botnet architectures.
First of all, from an operational standpoint, the necessary (though probably not sufficient!) condition for being ready to deal with an in-progress botnet attack, considering for example the two classic cases, a spam campaign and a DDoS, is to verify that:
• the Internet-facing firewall has Intrusion Detection/Prevention System capability and a throughput sized well above normal working conditions and the available Internet bandwidth;
• the antispam system is configured as strictly as possible (e.g., only accept messages from MTAs that have the usual DNS MX, PTR and A records correctly configured);
• your Internet Service Provider is equipped with monitoring tools that promptly highlight surges of traffic to your Internet services and, in the worst cases, can quickly disable entire portions of the Internet (e.g., all international routes) to temporarily reduce the firepower of the botnet.
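One way to implement the antispam check in the second item above, as an added example that is not code from the handbook: forward-confirmed reverse DNS (FCrDNS) on the connecting MTA plus an MX check on the sender domain. The resolver is injected so the check runs offline against a constructed DNS table (the host names and RFC 5737 addresses are hypothetical); for production use you would pass a real resolver exposing the same lookup(name, rrtype) interface.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and MX checks for a connecting MTA.

Added example, not code from the handbook. The resolver is injected so the
check runs offline against a constructed DNS table; for production use, pass a
real resolver exposing the same lookup(name, rrtype) -> list[str] interface.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed DNS table (hypothetical names, RFC 5737 documentation addresses).
# PTR lookups are keyed by the bare IP here for simplicity; a real resolver
# would query the in-addr.arpa name instead.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # A properly configured mail host: PTR and A agree, domain publishes MX
    ("203.0.113.10", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["203.0.113.10"],
    ("example.org.", "MX"): ["10 mail.example.org."],
    # A second legitimate MTA for another domain
    ("192.0.2.5", "PTR"): ["mx.example.com."],
    ("mx.example.com.", "A"): ["192.0.2.5"],
    ("example.com.", "MX"): ["10 mx.example.com."],
    # A bot on a dynamic line: generic PTR that does not resolve back
    ("198.51.100.77", "PTR"): ["dyn-77.isp.example.net."],
    ("dyn-77.isp.example.net.", "A"): ["198.51.100.1"],
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver, backed by the constructed table."""
    return FAKE_DNS.get((name, rrtype), [])


def fqdn(name: str) -> str:
    """Normalize to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


@dataclass
class Verdict:
    accept: bool
    reasons: List[str] = field(default_factory=list)


def check_mta(ip: str, sender_domain: str, resolve: Resolver,
              require_ip_is_mx: bool = False) -> Verdict:
    """Strict acceptance test for an inbound SMTP connection.

    1. The connecting IP must have a PTR record.
    2. FCrDNS: at least one PTR name must have an A record pointing back
       to the connecting IP.
    3. The MAIL FROM domain must publish MX records that resolve.
    4. Optionally, the connecting IP must itself be one of those MX hosts
       (very strict; many legitimate senders relay via other hosts).
    """
    reasons: List[str] = []
    ptrs = resolve(ip, "PTR")
    if not ptrs:
        return Verdict(False, ["no PTR record for connecting IP"])
    if not any(ip in resolve(fqdn(p), "A") for p in ptrs):
        reasons.append("PTR name does not resolve back to connecting IP (FCrDNS failed)")
    # MX records look like "<preference> <host>"; keep the host part
    mx_hosts = [rr.split()[-1] for rr in resolve(fqdn(sender_domain), "MX")]
    if not mx_hosts:
        reasons.append("sender domain publishes no MX record")
    else:
        mx_ips = {a for h in mx_hosts for a in resolve(fqdn(h), "A")}
        if not mx_ips:
            reasons.append("MX hosts of sender domain do not resolve")
        elif require_ip_is_mx and ip not in mx_ips:
            reasons.append("connecting IP is not an MX host of the sender domain")
    return Verdict(not reasons, reasons)


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "example.org"),
                    ("198.51.100.77", "example.org"),
                    ("192.0.2.5", "nomx.example")]:
        v = check_mta(ip, dom, fake_resolver)
        print(ip, dom, "ACCEPT" if v.accept else "REJECT", v.reasons)
```

The require_ip_is_mx knob is the policy decision the text leaves open: demanding that the connecting host be an MX of the sender domain rejects most bot traffic but also rejects legitimate outbound relays, so most deployments keep it off and rely on PTR, FCrDNS and a resolvable MX.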
Regarding the goals to be achieved, we first need to distinguish two different approaches. In fact, network and security administrators are usually interested in detecting the presence of bots and C&C servers on their networks or in withstanding a botnet attack (mitigation), while researchers focus their attention on the direct identification of the botnet itself (payload, architectures, protocols, capacity, criminals, etc.) in order to find its vulnerabilities and, consequently, disrupt it.
In regards to the methodology used, botnet hunting methods can be divided into two key categories:
• Passive: such capabilities are usually organized with network monitoring solutions within corporate LANs. These techniques are essentially based on statistical analysis of both TCP and UDP traffic, on analysis of specific application protocols such as HTTP or DNS, as well as on pattern recognition of specific keywords or IP addresses to be put in a blacklist.
• Active: these techniques are usually based on scanning, crawling or sinkholing of IP address ranges, probing for the presence of bots and/or C&C peers by analyzing the answers to specific queries (usually via honeynet). These practices also attempt to exploit any protocol or C&C server vulnerabilities.
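The passive category above, as an added example that is not from the handbook: three of the techniques it names run over a constructed flow log, namely IP blacklist matching, keyword matching on DNS query names, and a simple statistical test for beaconing (a host contacting the same destination at suspiciously regular intervals, which is what a bot polling its C&C on a timer looks like). Hosts, addresses (RFC 5737 ranges), blacklist entries and domain names are all hypothetical.

```python
"""Passive botnet indicators over a constructed flow log.

Added example, not code from the handbook. Demonstrates blacklist matching on
destination IPs, keyword matching on DNS query names, and a statistical
beaconing test based on the regularity of per-(src, dst, port) inter-arrival
times. All sample data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float        # seconds since capture start
    src: str         # internal host
    dst: str         # destination IP
    dport: int
    proto: str       # "tcp", "udp" or "dns"
    qname: str = ""  # DNS query name when proto == "dns"


# Constructed sample log (hypothetical hosts, RFC 5737 documentation addresses).
FLOWS: List[Flow] = (
    # 10.0.0.5 checks in with 203.0.113.50:443 roughly every five minutes
    [Flow(t, "10.0.0.5", "203.0.113.50", 443, "tcp")
     for t in (0, 301, 599, 901, 1199, 1502, 1800, 2098)]
    # 10.0.0.7 browses 198.51.100.20 at irregular, human-looking intervals
    + [Flow(t, "10.0.0.7", "198.51.100.20", 443, "tcp")
       for t in (5, 12, 140, 141, 600, 603, 1900)]
    # 10.0.0.9 resolves a blacklisted name, then contacts a blacklisted IP
    + [Flow(50, "10.0.0.9", "10.0.0.53", 53, "dns", "update.bad-c2.example"),
       Flow(52, "10.0.0.9", "192.0.2.99", 6667, "tcp")]
)

# Constructed blacklists (placeholders, not real indicators)
BAD_IPS = {"192.0.2.99"}
BAD_DOMAIN_KEYWORDS = ("bad-c2.example", "irc.")


def blacklist_hits(flows: List[Flow], bad_ips=BAD_IPS,
                   keywords=BAD_DOMAIN_KEYWORDS) -> List[Tuple[str, str]]:
    """Return (src, indicator) pairs for IP blacklist or DNS keyword matches."""
    hits: List[Tuple[str, str]] = []
    for f in flows:
        if f.dst in bad_ips:
            hits.append((f.src, f"dst_ip:{f.dst}"))
        if f.proto == "dns" and any(k in f.qname for k in keywords):
            hits.append((f.src, f"dns:{f.qname}"))
    return hits


def beacon_candidates(flows: List[Flow], min_count: int = 6,
                      max_cv: float = 0.1) -> Dict[Tuple[str, str, int], dict]:
    """Flag (src, dst, dport) tuples whose inter-arrival times are very regular.

    The criterion is the coefficient of variation (stdev / mean) of the gaps
    between successive flows: below max_cv over at least min_count flows is
    treated as beaconing. Human traffic is bursty; a timer-driven bot is not.
    """
    by_key: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for f in flows:
        if f.proto != "dns":
            by_key[(f.src, f.dst, f.dport)].append(f.ts)
    out: Dict[Tuple[str, str, int], dict] = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            out[key] = {"count": len(stamps), "period_s": round(m, 1), "cv": round(cv, 3)}
    return out


if __name__ == "__main__":
    for src, indicator in blacklist_hits(FLOWS):
        print(f"blacklist hit   {src} -> {indicator}")
    for key, stats in beacon_candidates(FLOWS).items():
        print(f"beacon candidate {key} {stats}")
```

The thresholds (min_count, max_cv) are tuning knobs: too low a min_count produces false positives from short sessions, and bots that add jitter to their check-in interval push the coefficient of variation up, which is exactly the obfuscation trend the text says will erode this class of detection over time.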
As previously mentioned, we can assume that botnets are different from other forms 
of malware in that they use C&C channels which are the essential mechanism that 
allows a botmaster to direct the actions of bots in a botnet. As such, the C&C channel 