Summary: How big the botnet problem is, how it can affect your network and how traffic and log analysis can help slay the botnets in your network.
As a network administrator, you may have implemented security measures to stop DDoS attacks and upped the ante against malware. You may have your firewalls, ACLs, and Intrusion detection and prevention systems in place to protect your network from attacks originating from the Internet.
But have you thought about a scenario where your network is hosting a DDoS attack or sending out spam? Which means your network is contributing to an attack and not under attack.
That can happen if the computers in your network have been compromised and are part of a botnet. Other than possible legal issues and blacklisting of your public IP addresses, you may also incur huge bandwidth charges because bots in your network are sending countless spam or taking part in high traffic DDoS attacks. For example, there was this record-breaking DDoS attack that reached 400Gbps at its peak!
What is a Botnet?
A botnet is a network of compromised computers called bots which are controlled by a bot master through a Command and Control Center (C&C center). Bots can be remotely configured to forward transmissions that can perform DDoS attacks, email spamming, click fraud, and malware distribution. The number of hosts or bots in a botnet can range from a few thousands to even millions (Zeus, Conficker or Mariposa).
The C&C center is the interface through which the bot owner manages his bots, mostly from behind a Tor and the communication methods used include IRC channels, peer-to-peer, social media and now, even the cloud. Statistics show that each day, more than a 1000 DDoS attacks1 occur and between 40 and 80 billion spam emails2 are sent. Botnets are responsible for almost all DDoS attacks and more than 80% of the total spam sent worldwide3.
Detecting Botnets through Analytics:
To stop bots, you will first have to detect them. Bots can lie dormant for months together and become active when it has to take part in a DDoS attack. That doesn’t mean bots are undetectable. It is possible to detect bots by analyzing event logs and network traffic behavior. So, let’s take a look at some common bot behavior that can help with its detection.
IRC is one of the methods used by the C&C center to communicate with its botnet and the communication is kept as short as possible to prevent noticeable impact on the network. If you cannot block IRC in your network, analyze your network traffic and check for port-protocol combinations that matches with IRC traffic. And if you see multiple short sessions of IRC, make sure to scan for botnet presence in your network. You can also scan your system logs to find if any new programs have been installed or if there has been unexpected creation, modification or deletion of files and check for modification of registry entries. If any of it smells IRC, you know what you should look for next.
A C&C center is what controls the botnet. If the C&C center is taken down, the botnet itself is useless. For resilience, a C&C center has 2 options - one, known as Fast flux, involves constantly changing the IP address associated with the FQDN which hosts the C&C center. The other, which is Domain flux, creates multiple FQDNs each day and allocates it to the IP address of the C&C center. Due to this, the bots will have to do a number of DNS lookups to locate its C&C center. Analyze egress/outbound traffic from your network or logs related to DNS and if you find more DNS lookups than expected or DNS lookups for weird domain names, it could be a bot.
Like malware, bots too search for other vulnerable hosts to infect. To find open ports on a host, a burst of packets with the SYN flag set is send either to a single host on multiple ports or to multiple hosts on a single port. If the target port is open, the system responds with a SYN-ACK packet. So, if you see too many conversations from a host to other hosts with the SYN flag set or an increase in the packet count but no major increase in traffic volume, you are possibly looking at a port scan by the bots.
Remember the statistic about almost 90% of the total spam being sent by botnets? Something worse than receiving spam is being slammed with a huge bandwidth bill for spam emails sent by bots from your network and even possible blacklisting of your IP address along with other legal troubles. Because spam email has to be sent from your network to the outside, SMTP will have to be leveraged on. If you see an unexpectedly high volume of SMTP traffic originating from your network to the outside, especially from random endpoints, bad news - you are hosting a spam bot!
SYN flooding is one of the methods bots use to carry out a DDoS attack. Bots send SYN messages with a spoofed source IP address to its target so that the server’s ACK message never reaches the original source. The server keeps the connection open waiting for a reply while it receives more SYN messages all leading to a DoS. Watch your outbound traffic for conversations with only the SYN flag set but no return conversation with an ACK flag. And check for egress network traffic with the source having invalid IP addresses, such as an IANA reserved IP or a broadcast IP. Both these behaviors can be due to bots taking part in a DDoS attack.
While the patterns we discussed here can also be genuine IP traffic behavior, keeping an eye open for anything out of the ordinary and comparing that information with your baseline data or normal network behavior will help you minimize false positives.
There are a number of mature, easy to use options for network behavior analysis such as packet capture, flow analysis with technologies like NetFlow or with an SIEM tool. Options such as NetFlow and syslog exports are already built into your routers, switches and systems. You only have to turn it on and use reporting or SIEM tools such as a NetFlow analyzer or log analyzer. Such solutions are cost-effective and does not need complex configuration or set up. So start your traffic and log analysis to slay those botnets.
- Number of DDoS attacks per day as per the Arbor ATLAS report: http://atlas.arbor.net/summary/dos
- Guardian claims the peak was at 200 billion: http://www.guardian.co.uk/technology/2011/jan/10/email-spam-record-activity
- 88% of all spam emails are sent by botnets: http://www.techrepublic.com/blog/10-things/the-top-10-spam-botnets-new-and-improved/