Lecture 12 - botnetDetection

Baris Coskun Polytechnic Institute of NYU
- A network of remotely controlled software agents (roBOTs) distributed over a (large number of) hosts.
- Remote Controller => Bot Master
Non-Malicious: distribute computationally intense tasks over many home computers.
- Folding@home: compute part of protein folding simulations.
- SETI@home: analyze radio signals to search for signs of extraterrestrial intelligence.
- All distributed computing projects.
We are interested in Malicious Botnets. From now on: Botnet => Malicious Botnet
Have financial motives. Try to make money by means of:
- Spam
- Spy on users (steal sensitive information)
- Host a phishing site
- DDoS
- Click fraud
Ex: Storm, Nugache, Conficker, Waledac, ...
- Propagation: infect new hosts (recruit new bots)
- Command and Control (C&C): distribute commands, updates, patches, i.e. spam mail content, recipients, etc.
- Launch attack
Goal is to execute a piece of software on the victim host.
Exploit vulnerabilities at different levels:
- OS-level exploits
- Application-level exploits: browsers, Flash Player, etc.
Locating victims:
- Scan (can be prevented by a firewall)
  - Random
  - Hit-list
- Social engineering (why is a firewall useless here?)
- XSS and drive-by downloads
Centralized Botnets
- Get commands from a central source: IRC bots, HTTP bots, Twitter bots, etc.
- Single point of failure: cut the head of the botnet.
- Fast-flux and domain-flux are used to mitigate the SPF (single point of failure).
Fast Flux
- Bots find their controller via a domain name.
- Botmaster has many controllers but uses one at a time.
- Update DNS records frequently with very low TTL.
- The controller that the domain name points to continuously changes.
- If a control server is taken down, another will be available very soon.
- But still a single domain name. A single point
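The fast-flux behaviour above (one name, many controller addresses, very low TTL) is also what a defender can look for in DNS logs. The following is an added example, not part of the lecture: it summarizes constructed DNS answers per domain and flags names whose records churn the way a fast-flux C&C name does. The domain names, addresses and the two thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS answers: (seconds since start, queried name, A record, TTL).
# Not captured traffic; the values are made up to show the fast-flux pattern
# (a rotating controller behind one name) next to a stable, long-TTL name.
DNS_LOG = [
    (0,   "cc.example",   "198.51.100.10", 60),
    (60,  "cc.example",   "198.51.100.77", 60),
    (120, "cc.example",   "203.0.113.5",   60),
    (180, "cc.example",   "192.0.2.44",    60),
    (240, "cc.example",   "198.51.100.10", 60),
    (0,   "news.example", "192.0.2.1",     86400),
    (300, "news.example", "192.0.2.1",     86400),
]

@dataclass
class FluxStats:
    distinct_ips: int  # how many controllers the name has pointed at
    changes: int       # how often consecutive answers differed
    min_ttl: int       # lowest TTL seen; fast flux keeps this very low

def summarize(log):
    """Group answers by domain (in time order) and compute the flux features."""
    by_domain = defaultdict(list)
    for _ts, name, ip, ttl in sorted(log):
        by_domain[name].append((ip, ttl))
    stats = {}
    for name, answers in by_domain.items():
        ips = [ip for ip, _ in answers]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        stats[name] = FluxStats(len(set(ips)), changes, min(t for _, t in answers))
    return stats

def flag_fast_flux(log, max_ttl=300, min_ips=3):
    """Return domains whose records churn like a fast-flux C&C name.
    The thresholds are assumptions for this example, not values from the lecture.
    Legitimate CDNs also use low TTLs and many addresses, so treat a hit as a
    triage signal to investigate, not as a verdict."""
    return sorted(
        name for name, s in summarize(log).items()
        if s.min_ttl <= max_ttl and s.distinct_ips >= min_ips
    )

if __name__ == "__main__":
    for name, s in summarize(DNS_LOG).items():
        print(name, s)
    print("flagged:", flag_fast_flux(DNS_LOG))  # → flagged: ['cc.example']
```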

This note was uploaded on 11/02/2010 for the course CS 393 taught by Professor Staff during the Spring '08 term at NYU Poly.

