With Twitter being the new big site brought down through a DDoS attack, botnets and DDoS is making news. So, what does DDoS attacks have to to do with bots (botnet) or bots have to do with DDoS ? DDoS or Distributed Denial of Service attacks involve flooding of a host with continuous communication requests by numerous distributed computers which leads to a bandwidth choke for the hosted service, denying legitimate users the access to a service.
BotNet, which means a network of computer robots or bots, is a set of compromised computers controlled by a bot herder or bot master (the one who manages the bots) through a Command and Control (C&C) Server and is used for performing malicious activities like DDoS attacks, email spamming, click fraud, spreading malware and etc.
With bots being used for malicious activities, no organization can let their computers to be a part of a botnet. Due to this, it is important to identify the bots and quickly remove them from the network or clean them, thus preventing further rot and attacks. One of the best methodologies that can be adopted to identify botnets is to analyze network traffic for common botnet behavior patterns and find the infected hosts.
We will outline some of the common traffic patterns to keep an eye on to identify botnets and what these patterns mean in terms of botnet activity.
One of the main character of a bot is its need for communication with the C&C server and this is a must for maintaining control and update of the botnet by the bot herder. Most of the botnets today use DNS service to find the location of a C&C server from which it has to receive the updates.
To avoid detection and shut down, the C&C servers uses different methodologies like IP flux and Domain flux to change their DNS name or the IP Addresses associated with FQDN. Due to this, the botnets cannot connect to a specific C&C server as and when needed. Instead, it has to do a large number of DNS lookups, scanning a large volume of addresses to find the C&C server for receiving the update. This turns out to be the best way to track the botnet. If you find a lot more DNS lookup in your network than ever expected or DNS queries from hosts to improper DNS names, the chances that it is an infected host trying to find its C&C server is as high as probability can be !
What does the bot do after locating the C&C server ? In most cases the C&C server could also be an IRC server, and once it has been discovered, the bots receives updates from the master about what type of action has to be performed. The action can be anything from sending spam emails to mounting a DDoS attack. Since most C&C servers is an IRC server, the communication takes place via IRC and so seeing unexpected IRC traffic to and from your internal hosts where IRC traffic is not allowed is definitely a case of concern.
Bots also needs to spread further and add more bots into its botnet which finally helps increase the strength of a botnet and thus that of the attack carried out too. An infected bot will scan for other hosts in its network for vulnerabilities and when such a host is found, will attack it to compromise the host. When scanning the network for possible hosts to infect, bots generate a burst of small packets. So, if you see a sudden increase in the number of packets without a major increase in the traffic volume, what you are possibly seeing is a bot scanning the subnet for other hosts to infect and add to the botnet.
Another common option that can be used is to track outbound TCP SYN packets having an invalid source IP Address. The reason for these large number of TCP SYN packets could mean that some of the internal hosts in your network is part of a botnet and are participating in a DDoS attack at the moment.
One of the functions other than DDoS attack for which botnets are used is for email spamming. Email spamming involves sending huge volume of spam emails advertising fake products intended at financial gains. When the hosts in a network are part of a botnet involved with spamming, they send huge number of emails to the outside world and mostly using some external email server. So, unusual SMTP activity from your network to the outside is another significant network activity that needs to be tracked. Steps can also be taken to forward emails only through the organization’s mail server and prevent the use of any external or public mail servers.
Now that you have an idea on what kind of information needs to be tracked, how does one do this easily?
The best technology that lets you keep track of such detailed network activity is NetFlow / cFlowd with its capability for exporting in-depth information. With NetFlow Analyzer’s capability to group and classify traffic and analyze in detail the flow records, the job is made even easier. In our next blog, we will discuss on how we can use NetFlow Analyzer to track the mentioned traffic behavior within minutes of set up.
Download (30 day trial) | Interactive Demo | Product overview video
Regards,
Don Thomas Jacob
Article References:
Taxonomy of Botnet
Book Excerpt: Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz
Botnet Communication Topologies
Wikipedia