Botnets - The killer web applications

www.syngress.com
306
Chapter 8 • IRC and Botnets
427_Botnet_08.qxd 1/8/07 4:10 PM Page 306


4. Bot servers might seem to be undergoing scans from remote hosts and thus could appear in the evil channel sort. Don't depend on this; it is a scalability problem with the bot server system, but it can happen.
One other curious side effect can be seen by looking at the daily summarization for three sample hosts from that day. Keep in mind that these are summarizations; the numbers were averaged across port reports for the entire day. The first sample is for a client using BitTorrent. The second is for our bot server. The third is for a busy campus Web server. What, if anything, might we learn? (Refer to Chapter 7 for summarization headings.) The interesting part is that the bot server seems to have a higher average for Layer 3 IP destination addresses per sample.

For example, the bot server has an average of 1183 L3D (unique IP destination addresses) versus 106 for the BitTorrent client and 802 for the Web server. This is not a strong result; we have seen BitTorrent clients with counts of over 1000 L3D in 30-second samples. However, it is possible that in general the bot server might tend to have more peers than most other hosts.

Packet counts don't work very well. The bot server sends and receives 3746 and 2516 packets per second. Because the host is used for control data, it might simply not send as many packets as a P2P host or a Web server. The BitTorrent client sends and receives 5296 and 3373 packets per sample period. Another way to look at it is that although the bot server has thousands of clients, it really isn't sending very many packets. Most of its packets are control packets (PING and PONG and the like) maintaining the client-server connection. Host 192.168.2.2 in the following example is using BitTorrent. Host 192.168.2.51 is, of course, our bot server. Host 192.168.2.3 is a busy Web server.
192.168.2.2 WOR Be ( 0: 3: 95:) 0: (106/95) (69:11:0) (5296:3373) :2796: Fri_Nov_25_00:00:37_PST_2005: Fri_Nov_25_23:20:33_PST_2005:
portuples[10]: [16881, 581369][10592, 116174][5107, 49129][6881, 44625][20000, 41391][32075, 40308][25977, 38775][15912, 37601][14587, 36534][14148, 35002]

192.168.2.51 EWORM IP ( 0: 34:100:) 20: (1183/777) (719:39:0) (3746:2516) :2779: Fri_Nov_25_00:00:37_PST_2005: Fri_Nov_25_23:20:33_PST_2005:
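To make the comparison the text draws concrete, here is a small parser for the two summary records quoted above that derives a packets-per-destination figure; it is an added example written for this edit, not code from the book or from the ourmon tool. The mapping of "(a/b)" to L3D and of the "(sent:recv)" field before ":NNNN:" to packet counts is an assumption inferred from the prose (1183 L3D, 3746/2516 packets), and the Web server record is not shown on the page, so only the two visible hosts are included.

```python
import re
from dataclasses import dataclass

# ASSUMED field layout, inferred from the records above and the prose:
#   "(L3D/L4D)"   -> unique layer-3 destination IPs / (assumed) layer-4 count
#   "(sent:recv)" immediately before ":NNNN:" -> packets sent : received
L3D_RE = re.compile(r"\((\d+)/(\d+)\)")
PKT_RE = re.compile(r"\((\d+):(\d+)\)\s*:\d+:")

@dataclass
class HostSummary:
    ip: str
    l3d: int        # unique L3 destination IPs per sample (daily average)
    pkts_sent: int  # packets sent per sample period
    pkts_recv: int  # packets received per sample period

    @property
    def pkts_per_dest(self) -> float:
        """Total packets divided by unique destinations. A low value is the
        'thousands of peers but mostly PING/PONG' profile the text describes."""
        return (self.pkts_sent + self.pkts_recv) / self.l3d

def parse_summary(line: str) -> HostSummary:
    """Extract IP, L3D and packet counts from one daily-summary line."""
    ip = line.split()[0]
    l3d = L3D_RE.search(line)
    pkts = PKT_RE.search(line)
    if not (l3d and pkts):
        raise ValueError(f"unrecognised summary line: {line[:40]!r}")
    return HostSummary(ip, int(l3d.group(1)), int(pkts.group(1)), int(pkts.group(2)))

# The two records quoted on the page (portuples list omitted), one per line.
SAMPLES = [
    "192.168.2.2 WOR Be ( 0: 3: 95:) 0: (106/95) (69:11:0) (5296:3373) :2796: "
    "Fri_Nov_25_00:00:37_PST_2005: Fri_Nov_25_23:20:33_PST_2005:",
    "192.168.2.51 EWORM IP ( 0: 34:100:) 20: (1183/777) (719:39:0) (3746:2516) :2779: "
    "Fri_Nov_25_00:00:37_PST_2005: Fri_Nov_25_23:20:33_PST_2005:",
]

def rank_by_pkts_per_dest(lines):
    """Lowest packets-per-destination first; many-peers, light-traffic hosts
    (the bot server here) sort to the front. A weak heuristic, as the text
    warns: busy BitTorrent clients can look similar in 30-second samples."""
    return sorted((parse_summary(l) for l in lines), key=lambda h: h.pkts_per_dest)

if __name__ == "__main__":
    for h in rank_by_pkts_per_dest(SAMPLES):
        print(f"{h.ip:14} L3D={h.l3d:5} pkts/dest={h.pkts_per_dest:6.2f}")
```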