containing and tracking botnets angelos d. keromytis columbia university

Containing and Tracking Botnets

Angelos D. Keromytis

Columbia University

Prevention and Attribution

• Consent-based networking (i.e., network capabilities)– Explore the expensive-but-expressive end of

the design spectrum– GRA: Mansoor Alicherry

• Identify ultimate source of C&C traffic (botmaster)– Adopt technique we developed in attacking

anonymity networks– GRA: Sambuddho Chakravarty

February 2010 Project Review Meeting 2

Expressive Capabilities

• Network capabilities proposed as a decentralized (management) and distributed (enforcement) containment mechanism

• Typical designs try to minimize space and processing overhead

• We are exploring opposite side of spectrum: expressive but expensive capabilities– What is the limit of capabilities?– Can they be managed?– Can we gain flexibility with minimal overhead?


Example environment: MANETs


Our Approach

• Policy enforcement framework– Capability: Access rules and bandwidth constraints

represented using capabilities– Deny-by-default: Every packet in the network needs to

have an associated capability– Distributed Enforcement: All the intermediate nodes

enforce the capability policy

• Unauthorized traffic dropped closer to the source– Protects end-host resources and network bandwidth


Network Capabilities

• Access control and bandwidth limitation represented using capability– Identity of the principal– Identity of the destination– Type of service and bandwidth– Expiration date– Issuer & Signature

• Policy tokens– Issued by the administrator

• Network capability– Issued by the receiving node– Contains policy authorizing it to issue


Policy Token Example

serial: 130745owner: unit01.nj.army.mil (public key)destination: *.nj.army.milservice: httpsbandwidth: 50kbpsexpiration: 2010-12-31 23:59:59issuer: captain.nj.army.milsignature: sig-rsa 23455656767543566678


Network Capability Example

serial: 1567owner: unit01.nj.army.mil (public key)destination: unit02.nj.army.milbandwidth: 150kbpsexpiration: 2009:10:21 13:05:35issuer: unit02.nj.army.milcomment: Policy allowing the receiverto issue this capability.signature: sig-rsa 238769789789898


Protocol• Capability associated with each communication

session– Transaction identifier and signature

• Capability Establishment– Source node informs the intermediate nodes about

transaction identifier, capability and key for signature• Smaller keys used for per packet signature|

• Sender– Adds transaction id, sequence number and signature to

the packet• Intermediate nodes and Receiver

– Verifies the packet (probabilistically) for signature and bandwidth


System Architecture


Evaluation Methodology

• Simulations using GloMoSim– Extend GloMoSim for new architecture– Add support for packet processing delays

• Input Parameters– Conducting experiments in stand alone settings (Pentium-4

3.20GHz CPU, 1GB RAM)

• Traffic– CBR, FTP

• From simple (line) to complex (grid, random) topology– With mobility


Parameters of Interest

• Latency of packets– Time taken for a packet to travel from a source

to destination– First packet latency, Average latency

• Throughput• Packet Delivery Ratio (PDR)


Latency of first packet

• Capability establishment, database lookup, signature verification, larger header (36B)

• Overhead (35.8 mS, 41.6 mS, 60.9 mS) – About 20.5%

• Line topology (node distance =

200 m)

• CBR 512 B


Future Directions

• Proceeding with implementation and performance evaluation on wireless testbed

• Evaluation of usability aspects– Token issuance– Revocation– Disconnected operation

• Explore multi-party consent– Capabilities can incorporate hierarchy,

thresholds, and other schemes authorizing 3rd parties to control aspects of the communication


Attribution

• Can we identify the node that originates commands?– botmaster may use proxies– botnet may be inherently decentralized (P2P)– we don’t have presence in all routers and links– C&C traffic may be encrypted

• Insight: remote sensing of a link’s available bandwidth, combined with induced oscillations of specific types of botnet traffic, can allow us to track where such traffic goes


Emulating a Global Eavesdropper

• Induce traffic fluctuations on botnet traffic that is ultimately intended for the botmaster– e.g., information harvesting– not all botnets may allow this– may require capture or emulation of bots– need large amounts of such traffic

• may be detected

• Trace the effects of those fluctuations by measuring available bandwidth on remote links– need a lot of bandwidth, and a network map


Bandwidth Estimation

• Send pair of “back-to-back” packets to destination

• Pair “spreads” in time; we call this dispersion

BW = (Packet Length * 8) / (dispersion) (measured in bps)

• Packet train method: send multiple back-to-back packets– fewer errors (equivalent to multiple

independent* trials)


LinkWidth

• Tool that emulates TCP Westwood sender to measure available bandwidth and throughput– TCP-Westwood uses bandwidth estimation

every RTT seconds to adjust the TCP slow start threshold whenever congestion is detected

• Generates TCP RST packets “sandwiched” between TCP SYN packets– TCP SYNs go to closed ports, eliciting TCP

RST+ACK responses• If TCP SYNs are filtered, we resort to ICMP


Remote Bandwidth Sensing

• Use LinkWidth against routers to measure the available bandwidth on the links from probe host to that router– need static topology map

• Induce severe traffic fluctuations on traffic whose ultimate destination we want to identify– traffic volume must be mostly preserved

• Trace back fluctuations on available bandwidth, one link at a time


Experimental Testbed


Preliminary Experimental Results

• Test for accuracy: 10Mbps link shared by up to 3 HTTP sessions (each at 500 Kbps)

• Test for convergence: increase traffic from 200Kbps to 1.4Mbps in less than 2 minutes


Probing Nodes in TOR


Future Directions

• Automate process; currently, requires human operator

• Improve sensitivity and reduce FPs• Considerably more evaluation

– currently working on DETER topologies– also experimenting on TOR


Outreach and Education

• Integrated material on bots into COMS W4180 course• 1 invited talk (beyond conference talks)

• Working with Symantec to determine modus operandi of rogue AV sites (and why users trust them)– Preliminary results published in the October 2009

Interim Symantec Threat Report (ISTR)

"Gone Rogue: An Analysis of Rogue Security Software Campaigns" Marc Cova, Corrado Leita, Olivier Thonnard, Marc Dacier, and Angelos D. Keromytis. In Proceedings (electronic) of the 5th European Conference on Computer Network Defense (EC2ND). November 2009, Milan, Italy. (Invited paper)

February 2010 24Project Review Meeting

Backup slides


Input Parameters

• Radio range = 377m, link bandwidth = 2 Mbps, 802.11 MAC

• Packet processing time = 0.01 mS (equavalent to 100Mbps for 128 B packets)

• Database: insertion = 0.01 mS, lookup = 0.005 mS

• 1024 bit RSA for capability– Signature 3.159 mS, verification 0.140 mS

• 256 bit for packet signature– Signature 0.168 mS, Verification 0.0275 mS


Average Latency

• Database lookup, signature verification, larger header (36B)• Overhead (0.6 mS, 1.2 mS, 1.6 mS) – About 8%

• Line topology

• CBR 512 B, 100 mS, 1000 pkts


Throughput (CBR)

• Throughput overhead: 2% lower for our scheme

• Line topology

• CBR 1400 B, 1 mS


Throughput (FTP)

• Throughput overhead: 5.3% lower for our scheme

• Line topology

• 10 FTP files


Route Change

• Original Drops: 108mS worth of traffic• Our scheme: 155mS

• Line topology

• CBR 512 B, 1000 pkts

• Path length: 3

• Route change at 0.5 S


Mobility on Grid

• PDR overhead: 1.6% (50mS), 9.14(25mS) lower for our scheme

• Random topology: 50 nodes,

1200x1200m grid

• CBR 256 B

• 5 pairs of traffic

• Random way point mobility


containing and tracking botnets angelos d. keromytis columbia university

Documents

project review meeting

network bandwidth

capability identity

associated capability

protocol capability

packet signature sender

expensive capabilities

network needs