Threat infrastructure: proxies, botnets, fast-flux - PowerPoint PPT Presentation

Provided by: AlBe45
Learn more at: http://home.ubalt.edu

Transcript and Presenter's Notes

1
Threat infrastructure: proxies, botnets, fast-flux
2
Botnets
  • Concept: a network of infected systems controlled
    by an administrator called the Botmaster.
  • Centralized infrastructure:
    • Basic Botmaster (only one Command and Control
      (C&C) server).
    • Multi-server Botmaster (one Botmaster but many
      C&C servers); the Asprox botnet is an example.
    • Hierarchical Botmaster (uses proxy servers to hide
      the Botmaster's location); the Waledac botnet is an example.

3
Botnets (centralized)
(Diagram slide; the only label that survives is "Proxy servers".)
4
Botnets
  • Command and Control (C&C) communications:
    • Most bots do not listen on ports, because
      administrators could block those ports.
    • Bots initiate communications with the C&C
      server so that the traffic appears legitimate.
  • How bots locate the C&C server:
    • fixed IP list (weak), and
    • DNS lookup of the C&C server (reliable).
  • Defense beyond anti-virus: take down the domain(s),
    block DNS access (?!?!).
  • The economics of botnets.

5
Botnets
  • Decentralized Botnet architecture (P2P)
  • No C&C server; rather, peer-to-peer
    communications are used to send commands.

6
P2P Botnet stages
Source: Wang et al.
  • Recruiting: P2P malware such as Gnuman,
    WORM_PITUPI.K, and Koobface.
  • Forming the botnet:
    • parasite P2P botnet: all the bots are from an
      existing P2P network, and it uses this available
      P2P network for command and control.
    • leeching P2P botnet: bot members join an
      existing P2P network and depend on this P2P
      network for C&C communication.
    • bot-only P2P botnet: builds its own network; all
      members are bots, such as the Storm botnet and
      Nugache.
  • Standing by for instructions (using P2P
    protocols):
    • P2P file-sharing networks have a file index used by
      peers to locate the desired content; it may be
      centralized (e.g., Napster), distributed over
      part of the file-sharing nodes (e.g., Gnutella),
      or distributed over all or a large fraction of
      the nodes (e.g., Overnet).
    • Design a new P2P communication protocol to be
      used in a bot-only P2P botnet.
  • Defenses: anti-virus; poison the index.

7
Fast-flux
  • Concept: the ability to quickly move the location
    of a web, email, DNS or generally any Internet or
    distributed service from one or more computers
    connected to the Internet to a different set of
    computers to delay or evade detection.
  • What it does: utilizes DNS to continually update
    valid domain names with A and NS records that
    resolve to an ever-changing set of IP
    addresses of infected computers (a botnet).
  • The motherships: command and control servers that
    issue commands to bots and add and remove IP
    addresses from DNS records. By cycling IP
    addresses of infected computers in and out of DNS
    records, the mothership is able to use active
    bots to host content and services.
  • Action: to stop the constantly rotating IP
    addresses in the DNS server we need to take down
    the Fast-Flux domain. A domain Registrar needs
    to do so.

8
Fast-flux (single flux in action)
9
Fast-flux types
  • Single-flux: utilizes static name servers to
    update DNS records, as seen in the previous image.
  • Double-flux and hydra-flux: include two or
    more motherships managing the rotating IP
    addresses, services and content.
  • Mothership protection: the infected computers
    (botnet) form a protective barrier in front of
    the motherships. The only visible part of the
    attack is the bots.
  • Fast-Flux Domains: to be able to change DNS
    records the motherships need to be located in
    domains owned by the attackers. Only their domain
    Registrar can remove access to the domain, but
    the domain could easily be created at another
    Registrar.
  • Possible attacks: phishing campaigns, bot
    recruiting malware, e-mail spam campaigns, etc.

10
Fast-flux mechanics
  • The mothership and DNS: to cycle bot IP addresses
    and bypass caching, fast-flux domains
    use short TTL (time-to-live) values in the
    DNS to force clients to frequently query the
    name server for a new set of A records.
  • The bots and content: the bots act as reverse
    proxies by forwarding requests to the mothership and
    relaying the malicious content hosted by the
    mothership.
  • Multiple motherships: use of a single DNS server
    and mothership provides a single point to focus
    on to stop the malicious action. Double or hydra
    flux addresses this flaw by providing multiple
    DNS servers, domains, etc.
  • References: Wikipedia, ICANN Advisory, Detection
    of Fast-flux, Recently discovered, Fast-flux
    Primer.
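As an added example (not from the slides or from Wang et al.), the following Python heuristic scores a domain's observed resolution history against the mechanics described in the last two slides: short TTLs, an A record set that rotates between consecutive queries, and many IPs scattered over unrelated networks rather than a few provider ranges. The observations are constructed; the thresholds and the use of /16 prefixes as a stand-in for "distinct networks" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsAnswer:
    """One observed DNS response for a domain: its A records and their TTL (seconds)."""
    rrset: tuple
    ttl: int


def flux_score(answers, ttl_threshold=300, ip_threshold=10, net_threshold=3):
    """Score a resolution history against the fast-flux mechanics: short TTLs,
    an ever-changing A rrset, and IPs spread over unrelated networks (infected
    home machines). Each satisfied heuristic adds one point; thresholds are
    illustrative assumptions, not values from the slides."""
    seen, prev, changes = set(), None, 0
    for a in answers:
        cur = frozenset(a.rrset)
        if prev is not None and cur != prev:
            changes += 1          # rrset rotated between two consecutive queries
        prev = cur
        seen |= cur
    # Approximate "distinct networks" by /16 prefix so this runs offline without ASN data.
    nets = {ip_network(f"{ip}/16", strict=False) for ip in seen}
    min_ttl = min(a.ttl for a in answers)
    score = sum([
        min_ttl <= ttl_threshold,
        len(seen) >= ip_threshold,
        len(nets) >= net_threshold,
        changes >= len(answers) // 2,
    ])
    return {"unique_ips": len(seen), "networks": len(nets),
            "min_ttl": min_ttl, "changes": changes, "score": score}


def is_fast_flux(answers):
    """Flag a domain when at least three of the four heuristics hold."""
    return flux_score(answers)["score"] >= 3


# Constructed observations (not real traffic): ten successive queries each.
# A round-robin web farm: short TTL, but the same three hosts in one /16 every time.
LEGIT = [DnsAnswer(("10.200.0.10", "10.200.0.11", "10.200.0.12"), 60)] * 10
# A single-flux domain: every query returns five never-before-seen bot IPs.
FLUX = [DnsAnswer(tuple(f"10.{5 * i + k}.{k}.1" for k in range(5)), 180)
        for i in range(10)]

if __name__ == "__main__":
    for name, obs in (("legit", LEGIT), ("flux", FLUX)):
        print(name, flux_score(obs), is_fast_flux(obs))
```

A short TTL alone is not evidence: the round-robin farm scores only on TTL, while the fluxing domain scores on TTL, IP count, network diversity and rotation.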