Having discussed which traffic patterns to check for in order to identify bot behavior, we will now look at how NetFlow / cFlowd data, analyzed with ManageEngine NetFlow Analyzer, makes that tracking much easier. In case you have not read PART 1 of this blog, which outlines the traffic patterns associated with bot behavior in a network, do catch up with it first.

It is not easy to track traffic behavior with SNMP-based or similar tools, because none of those technologies provides the per-conversation detail that NetFlow does. To use NetFlow or cFlowd for traffic analysis, all you need is a device capable of exporting NetFlow, sFlow or a similar flow format. The sweet part is that NetFlow or similar flow exports are supported on most devices from the major vendors, so no additional equipment or hardware purchase is needed. NetFlow Analyzer, installed on a server in your network, receives the exported flow packets and generates the bandwidth and traffic reports. Since no further configuration is needed to get the reports, setup and reporting happen in a matter of minutes.

Let's now delve into how the traffic patterns outlined in the last blog can be analyzed easily with NetFlow Analyzer using NetFlow data.

The first point we talked about was the need for bots to locate their C&C servers for updates, and how this is done through DNS requests. Thus, a large volume of DNS requests leaving the network is something to be concerned about.

NetFlow data reports the traffic in detail and shows you the applications passing through each interface. Monitoring the OUT traffic on the WAN link will show whether there are DNS requests going from the network to the Internet and how much of the total traffic these requests account for. You can also drill down on the application to find the hosts involved in that traffic. NetFlow Analyzer can also generate alerts if the DNS requests leaving the network exceed an expected percentage. This is done from 'Alert Profiles' under 'Admin Operations', where an alert on IN or OUT traffic with specific criteria can be defined and the alerts sent as an email or SNMP trap.

After locating the C&C server, the bots communicate with it over IRC to receive commands about attacks to be performed or updates to the bot itself. If you see your internal hosts communicating a lot over IRC, this should definitely be checked. To track this, look at the LAN or WAN interface and the applications being used on it. The 'Application' tab will show you whether IRC is in use and which hosts are involved in the IRC traffic. Here again you can use alerts to notify you, or, if you expect zero IRC traffic from the network, create an IP Group associated with the IRC application: this grouping shows even the smallest volume of IRC traffic in an easy-to-view category, removing the need for drill-downs and searches.

Another job of the bots is to spread further, and this is done by scanning the subnet for vulnerable hosts. The scanning is done by sending small bursts of packets across the subnet to check for host vulnerabilities. You can easily track per-interface traffic in terms of packets from the Traffic - Packets tab. This should show you readily if there is an increase in the number of packets on the LAN without a correspondingly large increase in traffic volume.

After locating the C&C server and receiving their updates, the bots take part in a DDoS attack. One method of DDoS attack is to send a high volume of outbound TCP SYN requests with an invalid (forged) source IP address. Our blog on tracking TCP/SYN attacks will help you spot an attack against your own server, and looking at the TCP/SYN requests exiting your WAN link will tell you whether DDoS attacks are originating from your network.

The last point we talked about was how bots involved in email spamming can be identified. Since such bots send millions of emails to all sorts of addresses, keep a watch on the SMTP traffic leaving the network and get alerted on an unusually large volume of SMTP traffic. Here too you can make use of the IP Group option to track the behavior of a specific application, and this blog should help you with application tracking using IP Groups.
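The five checks described above (DNS share of OUT traffic with an alert threshold, IRC and SMTP shares, drill-down to the hosts behind an application, a packet count that rises without a matching rise in bytes, and outbound SYN-only flows with a source address that is not ours) can all be expressed over plain flow records. The following is an added example written for this post; it is not NetFlow Analyzer's code and does not use its API. The flow records are constructed for illustration, applications are identified by destination port only (an assumption; a real collector also uses protocol, NBAR or similar), and "invalid source IP address" is taken to mean a source outside the organization's own address range, which is assumed to be 10.0.0.0/8.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (not real captures). Field order:
# (interface_side, src_ip, dst_ip, ip_proto, dst_port, tcp_flags, packets, bytes)
# interface_side: "OUT" = LAN -> WAN on the edge router, "LAN" = seen on the LAN interface.
# tcp_flags uses the NetFlow v5/v9 bit values: SYN = 0x02, ACK = 0x10 (0x18 = PSH|ACK).
INTERNAL = ip_network("10.0.0.0/8")          # assumed address space of the monitored LAN
APP_PORTS = {53: "DNS", 6667: "IRC", 25: "SMTP", 80: "HTTP", 443: "HTTPS"}  # assumed port map
SYN, ACK = 0x02, 0x10

FLOWS = [
    ("OUT", "10.0.0.5",   "203.0.113.9",   17,   53, 0x00,  600,  60000),  # DNS burst from one host
    ("OUT", "10.0.0.7",   "203.0.113.9",   17,   53, 0x00,   20,   2000),  # ordinary DNS use
    ("OUT", "10.0.0.5",   "198.51.100.20",  6, 6667, 0x18,  100,   8000),  # IRC session
    ("OUT", "10.0.0.8",   "198.51.100.25",  6,   25, 0x18, 2000, 400000),  # bulk SMTP
    ("OUT", "10.0.0.9",   "198.51.100.30",  6,  443, 0x18, 1500, 900000),  # HTTPS
    ("OUT", "10.0.0.7",   "198.51.100.31",  6,   80, 0x18, 1000, 429940),  # HTTP
    ("OUT", "10.0.0.9",   "198.51.100.30",  6,  443, 0x02,    1,     60),  # normal SYN, internal source
    ("OUT", "192.0.2.77", "198.51.100.40",  6,   80, 0x02, 5000, 200000),  # SYN-only, source not ours
    ("LAN", "10.0.0.9",   "10.0.0.2",       6,  445, 0x18,  500, 600000),  # normal file-share session
] + [
    # one host touching 40 neighbours with tiny SYN packets: small-packet burst scanning
    ("LAN", "10.0.0.5", f"10.0.0.{n}", 6, 445, 0x02, 2, 120) for n in range(100, 140)
]


def app_name(proto, port):
    """Map a TCP/UDP destination port to an application label (assumption: port == application)."""
    return APP_PORTS.get(port, "Other") if proto in (6, 17) else "Other"


def out_share_by_app(flows):
    """Percentage of WAN OUT bytes per application, like the Application tab on the WAN link."""
    per_app, total = defaultdict(int), 0
    for side, _src, _dst, proto, port, _flags, _pk, nbytes in flows:
        if side == "OUT":
            per_app[app_name(proto, port)] += nbytes
            total += nbytes
    return {app: round(100.0 * b / total, 1) for app, b in per_app.items()} if total else {}


def app_alerts(flows, max_pct):
    """Alert-profile style check: applications whose OUT share exceeds the expected percentage."""
    share = out_share_by_app(flows)
    return [(app, share.get(app, 0.0)) for app, limit in max_pct.items()
            if share.get(app, 0.0) > limit]


def hosts_for_app(flows, app):
    """Drill-down: internal hosts behind an application, by OUT bytes, highest first."""
    per_host = defaultdict(int)
    for side, src, _dst, proto, port, _flags, _pk, nbytes in flows:
        if side == "OUT" and app_name(proto, port) == app:
            per_host[src] += nbytes
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)


def scan_suspects(flows, min_packets=50, max_avg_bytes=100, min_targets=10):
    """Packets up, volume flat: a LAN source sending many small packets to many different hosts."""
    per_src = defaultdict(lambda: [0, 0, set()])
    for side, src, dst, _proto, _port, _flags, pk, nbytes in flows:
        if side == "LAN":
            stats = per_src[src]
            stats[0] += pk
            stats[1] += nbytes
            stats[2].add(dst)
    return sorted(src for src, (pk, nbytes, dsts) in per_src.items()
                  if pk >= min_packets and nbytes / pk <= max_avg_bytes and len(dsts) >= min_targets)


def spoofed_syn_flows(flows):
    """Outbound SYN-only flows whose source is not an address we own: forged-source SYN flooding."""
    return [(src, dst, pk) for side, src, dst, proto, _port, flags, pk, _b in flows
            if side == "OUT" and proto == 6 and flags & SYN and not flags & ACK
            and ip_address(src) not in INTERNAL]


if __name__ == "__main__":
    print("OUT share by app:", out_share_by_app(FLOWS))
    print("alerts:", app_alerts(FLOWS, {"DNS": 2.0, "IRC": 0.0, "SMTP": 10.0}))
    print("hosts behind DNS:", hosts_for_app(FLOWS, "DNS"))
    print("scanning suspects:", scan_suspects(FLOWS))
    print("forged-source SYN flows:", spoofed_syn_flows(FLOWS))
```

The thresholds passed to `app_alerts` play the role of the percentages you would put into an Alert Profile; an IRC limit of 0.0 is the "expect no IRC at all" case the post describes. `scan_suspects` uses the average bytes per packet together with the number of distinct destinations, which is the per-host form of the "more packets, not much more volume" observation; on a real collector you would compare each interface's packet rate against its own baseline as well.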

The features and capabilities of NetFlow Analyzer do not end here. You can use options such as the customizable dashboard to track the top applications in the network, IP Groups and alerts to keep you informed about traffic behavior, reports exported to PDF or CSV or emailed instantly, and much more. Try the ManageEngine NetFlow Analyzer 30-day trial with free technical support for hands-on experience of what more you can do with NetFlow Analyzer.



Regards,
Don Thomas Jacob

With Twitter being the latest big site brought down by a DDoS attack, botnets and DDoS are making news. So, what do DDoS attacks have to do with bots (botnets), or bots with DDoS? DDoS, or Distributed Denial of Service, attacks involve flooding a host with continuous communication requests from numerous distributed computers, which chokes the bandwidth of the hosted service and denies legitimate users access to it.

A botnet, meaning a network of computer robots or bots, is a set of compromised computers controlled by a bot herder or bot master (the one who manages the bots) through a Command and Control (C&C) server, and is used for malicious activities such as DDoS attacks, email spamming, click fraud, spreading malware, and so on.

With bots being used for malicious activities, no organization can allow its computers to become part of a botnet. It is therefore important to identify the bots and quickly remove them from the network or clean them, preventing further rot and attacks. One of the best methodologies for identifying botnets is to analyze network traffic for common botnet behavior patterns and find the infected hosts.

Figure: Botnet architecture and attack

We will outline some of the common traffic patterns to keep an eye on to identify botnets, and what these patterns mean in terms of botnet activity.

One of the main characteristics of a bot is its need to communicate with the C&C server; this is essential for the bot herder to maintain control of the botnet and update it. Most botnets today use the DNS service to find the location of the C&C server from which they receive updates.

To avoid detection and shutdown, the C&C servers use techniques such as IP flux and domain flux to change their DNS names or the IP addresses associated with an FQDN. Because of this, the bots cannot connect to a fixed C&C server as and when needed. Instead, they have to perform a large number of DNS lookups, scanning through many names and addresses to find the C&C server for the update. This turns out to be the best way to track the botnet: if you find far more DNS lookups in your network than you would ever expect, or DNS queries from hosts for improper DNS names, the chances that it is an infected host trying to find its C&C server are as high as they can be!
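The pattern described above, a host issuing many lookups for names that mostly do not exist, shows up in a DNS query log before it shows up in byte counts. The following is an added example for this post, not code from the original article or from ManageEngine; it profiles each client by number of distinct names queried, share of NXDOMAIN answers and the character entropy of the leftmost label. The query log is constructed (the 10.0.0.5 names are synthetic hex strings generated in the code, not real domains), and the thresholds are assumptions to be tuned against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log for illustration: (client_ip, queried_name, response_code).
# 10.0.0.7 behaves like an ordinary workstation; 10.0.0.5 queries many generated names
# under example.net that do not exist, the fingerprint of a bot cycling through flux names.
QUERIES = [
    ("10.0.0.7", "www.example.com", "NOERROR"),
    ("10.0.0.7", "mail.example.com", "NOERROR"),
    ("10.0.0.7", "www.example.com", "NOERROR"),
    ("10.0.0.7", "cdn.example.org", "NOERROR"),
] + [
    # 30 synthetic, random-looking hostnames (constructed with a multiplicative hash, not real)
    ("10.0.0.5", f"{(i * 2654435761) % 0xFFFFFFFF:08x}.example.net", "NXDOMAIN")
    for i in range(1, 31)
] + [
    ("10.0.0.5", "update.example.net", "NOERROR"),
]


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; generated names score higher."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_clients(queries):
    """Per-client summary: query count, distinct names, NXDOMAIN share, mean label entropy."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0, "entropy": []})
    for client, qname, rcode in queries:
        p = per[client]
        p["queries"] += 1
        p["names"].add(qname)
        if rcode == "NXDOMAIN":
            p["nxdomain"] += 1
        p["entropy"].append(label_entropy(qname.split(".")[0]))
    return {
        client: {
            "queries": p["queries"],
            "distinct_names": len(p["names"]),
            "nxdomain_pct": round(100.0 * p["nxdomain"] / p["queries"], 1),
            "mean_entropy": round(sum(p["entropy"]) / len(p["entropy"]), 2),
        }
        for client, p in per.items()
    }


def flux_suspects(queries, min_distinct=20, min_nxdomain_pct=50.0):
    """Clients that query unusually many distinct names, most of which do not resolve."""
    prof = profile_clients(queries)
    return sorted(client for client, p in prof.items()
                  if p["distinct_names"] >= min_distinct
                  and p["nxdomain_pct"] >= min_nxdomain_pct)


if __name__ == "__main__":
    for client, summary in profile_clients(QUERIES).items():
        print(client, summary)
    print("flux suspects:", flux_suspects(QUERIES))
```

The NXDOMAIN share is what separates a host looking for a moving C&C server from a busy but healthy one: a proxy or mail server also resolves many distinct names, but most of its answers succeed. Entropy is reported but not used for the verdict here, because legitimate CDN hostnames can score high on their own.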

What does the bot do after locating the C&C server? In most cases the C&C server is also an IRC server, and once it has been discovered, the bots receive instructions from the master about what action to perform. The action can be anything from sending spam emails to mounting a DDoS attack. Since most C&C servers are IRC servers, the communication takes place over IRC, so seeing unexpected IRC traffic to and from internal hosts where IRC is not allowed is definitely a cause for concern.

Bots also need to spread further and add more bots to their botnet, which increases the strength of the botnet and thus of the attacks it carries out. An infected bot scans other hosts in its network for vulnerabilities and, when it finds one, attacks it to compromise the host. When scanning the network for hosts to infect, bots generate a burst of small packets. So, if you see a sudden increase in the number of packets without a major increase in traffic volume, what you are possibly seeing is a bot scanning the subnet for other hosts to infect and add to the botnet.

Another common check is to track outbound TCP SYN packets that carry an invalid source IP address. A large number of such TCP SYN packets could mean that some internal hosts in your network are part of a botnet and are participating in a DDoS attack at that moment.

Besides DDoS attacks, another function botnets are used for is email spamming. Email spamming involves sending huge volumes of spam emails advertising fake products for financial gain. When hosts in a network are part of a botnet involved in spamming, they send a huge number of emails to the outside world, mostly through some external email server. So, unusual SMTP activity from your network to the outside is another significant network activity that needs to be tracked. Steps can also be taken to allow email only through the organization's own mail server and block the use of any external or public mail servers.

Now that you have an idea on what kind of information needs to be tracked, how does one do this easily?

The best technology for keeping track of such detailed network activity is NetFlow / cFlowd, with its capability for exporting in-depth flow information. With NetFlow Analyzer's ability to group and classify traffic and analyze the flow records in detail, the job is made even easier. In our next blog, we will discuss how NetFlow Analyzer can be used to track the traffic behaviors mentioned here within minutes of setup.
Regards,
Don Thomas Jacob