Botnets, detection and mitigation: DNS-based techniques
What is a botnet?
- An army of compromised hosts (bots)
- Under a common command and control (C&C): commonly IRC-based
- The purpose: DoS, ID theft, spam, for fun and profit

Typical command and control (C&C) functions
- Mostly centralized: one or more IRC servers
- DNS name(s) used for rendezvous
- Vanity web pages for malware updates

Nothing really new
- CERT's October 2001 "Trends in DoS" paper

What's wrong with this picture?
    Welcome to Your host is h4x0r.0wnz.j00
    There are 9556 users and 9542 invisible on 1 server
    5 :channels formed
    1 :operators online
    Channel Users Topic
    #help 1
    #oldb0ts 5 .download /r00t.exe
    End of /LIST

Botnet info is everywhere
- /papers/bots/
- http://cert.uni-stuttgart.de/files/tf/botnets.pdf
- /ir/library/pdf/SPC0568.pdf
- /presentations/jtsaltlake/Botnets-Moody.pdf
- /mtg-0410/kristoff.html

Some typical detection strategies
- Up-to-date anti-virus software
- IDS signatures for IRC/botnet traffic
- Traffic flow monitoring (for known C&Cs?)
- Email alerts, e.g. "To: security@ / Subject: Bot detected on your network"

Some typical mitigation strategies
- TCP port 6667 filtering
- C&C IP address (port?) filtering
- Intrusion prevention systems (IDS++)
- Secure systems and applications
- Careful and smart users

What about DNS traffic?
- Repetitive A queries may indicate a bot/controller
- MX queries may indicate a spam bot
- queries may indicate a server
- Usually 3-level names: hostname.subdomain.TLD
    [^(www|mx\d+|ns\d+)]\w+\.\w+\.\w+
- Names and subdomains that just look rogue
- Something .edus can't be blamed for! :-)

Note: synchronization problem
- If the name doesn't resolve, but the controller is up: connected bots are instructed to update DNS
- If the controller(s) is (are) gone, but the name resolves: DNS is changed to point to the new controller(s)
- Synchronizing the closure of both is difficult

Name-based sink holes with BIND
    zone { type master; file /etc/db.badname; };
    $TTL 30D
    @ IN SOA . root (
        2004101700 3H 15M 1W 1D )
      IN NS .
    I
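The "What about DNS traffic?" slide lists three resolver-side heuristics: repeated A queries for the same name from one client, bursts of MX queries from one client, and three-label names whose first label is not a conventional www/mxN/nsN host. The following script is an added example, not from the slide deck, that applies those heuristics to a handful of constructed query-log lines. The log lines are loosely modelled on a BIND query log and the addresses and names in them are fictitious; the thresholds are assumptions. The slide's pattern `[^(www|mx\d+|ns\d+)]\w+\.\w+\.\w+` is written as a character class, which would not exclude those prefixes; the regex below uses a negative lookahead to express what the slide appears to intend.

```python
import re
from collections import Counter

# Constructed sample query-log lines (fictitious clients and names),
# loosely modelled on BIND's "client ...: query: NAME IN TYPE" format.
SAMPLE_LOG = """\
client 10.1.2.3#40001: query: www.example.edu IN A
client 10.1.2.3#40002: query: irc.badname.example IN A
client 10.1.2.3#40003: query: irc.badname.example IN A
client 10.1.2.3#40004: query: irc.badname.example IN A
client 10.1.2.3#40005: query: irc.badname.example IN A
client 10.1.2.9#40101: query: mx1.example.edu IN A
client 10.1.2.9#40102: query: example.com IN MX
client 10.1.2.9#40103: query: example.org IN MX
client 10.1.2.9#40104: query: example.net IN MX
client 10.1.2.7#40201: query: ns1.example.edu IN A
"""

# One query-log line: client address, queried name, query type.
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

# Three-label names whose first label is not www, mxN or nsN.
# Assumed reading of the slide's pattern; a negative lookahead is used
# because a character class cannot exclude whole prefixes.
RENDEZVOUS_NAME_RE = re.compile(
    r"^(?!(?:www|mx\d+|ns\d+)\.)[\w-]+\.[\w-]+\.[\w-]+$"
)


def parse_log(text):
    """Yield (client, name, qtype) for every line that looks like a query."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("name"), m.group("qtype")


def analyze(text, a_repeat_threshold=3, mx_threshold=3):
    """Apply the slide's heuristics to a query log.

    Returns:
      repetitive_a  - (client, name) pairs with >= a_repeat_threshold A queries
      suspect_names - repeated names that also match the 3-label rendezvous pattern
      mx_heavy      - clients with >= mx_threshold MX queries (possible spam bot)
    Thresholds are assumptions chosen for this example.
    """
    a_counts = Counter()
    mx_counts = Counter()
    for client, name, qtype in parse_log(text):
        if qtype == "A":
            a_counts[(client, name)] += 1
        elif qtype == "MX":
            mx_counts[client] += 1

    repetitive_a = {k: n for k, n in a_counts.items() if n >= a_repeat_threshold}
    suspect_names = sorted(
        {name for (_, name) in repetitive_a if RENDEZVOUS_NAME_RE.match(name)}
    )
    mx_heavy = {c: n for c, n in mx_counts.items() if n >= mx_threshold}
    return {
        "repetitive_a": repetitive_a,
        "suspect_names": suspect_names,
        "mx_heavy": mx_heavy,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above, the client that asks for `irc.badname.example` four times is reported under `repetitive_a` and the name is listed in `suspect_names`; the client issuing three MX queries appears in `mx_heavy`; the www/mx1/ns1 lookups are ignored by the name pattern. On a real resolver the counts should be taken over a time window and the thresholds tuned against the site's normal traffic, since a legitimate mail relay also issues many MX queries.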