Tuesday 23 December 2014

Botnet Detection Tool: Ourmon

There are many common botnet families, such as Spybot, Agobot, RBot, Mytob and SDBot.
A botnet can be used for sniffing packets, launching DDoS attacks, spamming, phishing and stealing data. In this Tool Gyan column, we will learn about botnet detection through the popular network sniffing tool known as Ourmon.
Ourmon is a *NIX-based open source tool originally designed for network packet sniffing. It relies on the promiscuous mode of the Ethernet interface to capture packets, and on port mirroring through a Layer 2 (Ethernet) switch to see the traffic it monitors. It works best on the FreeBSD operating system.
Ourmon has two software parts:
  1. The probe, or front-end, which sniffs packets and summarizes them into various bits of statistical information.
  2. The back-end graphics engine, which processes the probe's output and produces Web graphics, ASCII reports and log entries. The graphics engine needs a web server such as Apache to be installed.
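To make the probe/back-end split concrete, here is an added example (not Ourmon's code) of the kind of per-host statistical summary a sniffing front-end produces and the ASCII report a back-end would print from it. The packet records are constructed, and the "work weight" ratio (SYN+FIN+RST over all packets a host sent) is this example's own assumption, loosely modelled on the TCP work weight Ourmon reports: a host that sends almost nothing but bare SYNs to many addresses looks like a scanner or an infected bot.

```python
"""Per-host TCP flag summary in the style of a sniffing probe's statistics.
Added example, not Ourmon's code; packets and thresholds are constructed."""
from collections import defaultdict

# Constructed capture: (src_ip, dst_ip, dst_port, tcp_flags) per packet.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 80, "S"),        # normal client: handshake, data, close
    ("10.0.0.9", "10.0.0.5", 51000, "SA"),
    ("10.0.0.5", "10.0.0.9", 80, "A"),
    ("10.0.0.5", "10.0.0.9", 80, "PA"),
    ("10.0.0.5", "10.0.0.9", 80, "FA"),
] + [
    # a host spraying bare SYNs at port 445 on 40 different addresses
    ("10.0.0.77", f"192.0.2.{i}", 445, "S") for i in range(1, 41)
]

def summarize(packets):
    """Fold packets into per-source counters the way a probe front-end would."""
    stats = defaultdict(lambda: {"syn": 0, "fin": 0, "rst": 0, "total": 0, "dsts": set()})
    for src, dst, _dport, flags in packets:
        s = stats[src]
        s["total"] += 1
        s["dsts"].add(dst)
        if "S" in flags and "A" not in flags:   # a bare SYN, i.e. a connection attempt
            s["syn"] += 1
        if "F" in flags:
            s["fin"] += 1
        if "R" in flags:
            s["rst"] += 1
    return stats

def work_weight(s):
    """Share of control packets (SYN, FIN, RST) in everything the host sent (assumed metric)."""
    return (s["syn"] + s["fin"] + s["rst"]) / s["total"]

def suspicious_hosts(stats, min_packets=20, min_weight=0.9):
    """Hosts that sent a meaningful volume and almost nothing but control packets."""
    return sorted(ip for ip, s in stats.items()
                  if s["total"] >= min_packets and work_weight(s) >= min_weight)

def report(packets):
    """One ASCII report line per host, in the spirit of the back-end's text reports."""
    stats = summarize(packets)
    lines = []
    for ip in sorted(stats):
        s = stats[ip]
        lines.append(f"{ip:<12} pkts={s['total']:<4} syn={s['syn']:<4} "
                     f"fin={s['fin']:<3} rst={s['rst']:<3} dsts={len(s['dsts']):<4} "
                     f"ww={work_weight(s):.2f}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PACKETS)))
    print("suspicious:", suspicious_hosts(summarize(SAMPLE_PACKETS)))
```

The thresholds are deliberately conservative: a host that completes handshakes and exchanges data keeps its work weight well below 1, so only the SYN-spraying host is flagged.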

Zeus Botnet

Zeus is a toolkit that provides a malware creator with all of the tools required to build and administer a botnet. The Zeus tools are primarily designed for stealing banking information, but they can easily be used for other types of data or identity theft. A Control Panel application is used to maintain and update the botnet, and to retrieve and organize the stolen information. A configurable Builder tool allows the operator to create the executables that will be used to infect victims' computers. These executables are usually detected as ZBot by anti-virus software.
There is no single Zeus botnet. The toolkit is a commercial product that is sold to many different users, and distributed freely to many more. Each of them can create one or more botnets of their own, so the number of Zeus botnets is likely quite large. The latest version of the toolkit typically sells for about $700 USD to trusted buyers, with the bot source code possibly available for a much larger sum. After a few months the new toolkit version is released as a free "public" version, which is probably meant to serve as a promotion for the commercial version. The public version may not include all of the latest functions, and the documentation is minimal. Modified versions of the public toolkit have also been offered for sale at lower prices by third-party developers, sometimes known as "modders".

Why DDoS Is Hard to Defend

There are many factors that make DDoS attacks cumbersome to defend against. The first is that they are simple to initiate: there is a variety of tools for generating DDoS traffic, which only need to be downloaded and installed. To make a DDoS attack harder to distinguish from legitimate traffic, well-formed traffic can be generated against a specific application or protocol; it looks legitimate but consists of fake packets that consume the bandwidth of the network. IP spoofing is a major hurdle for defensive mechanisms, and botnets make defence even harder. An attack can be initiated for a short time span to avoid detection, yet still have a heavy impact on the victim machine.

Monday 22 December 2014

Launching DDOS Attacks on Software Defined Networks

Software Defined Networking is a better approach to network management. Its architecture provides greater control over network assets: the control and forwarding functions are separated into a control plane and a data plane. Previously both functions were an integral part of a single piece of hardware, controlled by proprietary software from the vendor. Now the administrator takes over the control plane and devises fine-grained policies for the various forwarding actions; the policies may also be dynamic. The switch from any vendor then just performs the forwarding task and does not process the incoming traffic itself.

The switches look for a match against the incoming traffic in their forwarding tables; if no match is found, the traffic is sent to the control plane for processing, and the controller decides whether it should be forwarded or dropped. The control plane is thus an obvious advantage of SDN, but it can be a single point of failure as well. This happens if the control plane is made unreachable by a DDoS attack: compromising the path between the switch and the control plane can cause a DDoS. If the source addresses of the incoming traffic are spoofed, every packet misses the forwarding table and the switch forwards it to the control plane for processing. A large number of such packets can consume the resources of the controller and exhaust it.
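The table-miss path described above, and one defence against its abuse, as an added example (not code from any SDN controller or switch): a toy switch forwards on a flow-table hit and hands misses to a toy controller, which counts packet-in events per ingress port in a sliding window and installs a port-wide drop rule when the rate is far above normal. The switch, controller, traffic records and thresholds are all constructed and simplified (no OpenFlow, no rule timeouts).

```python
"""Packet-in flood against an SDN controller and a per-port rate limit.
Added example, not any controller's code; everything here is constructed."""
from collections import defaultdict, deque

class Switch:
    """Data plane: forward on a flow-table hit, otherwise ask the controller."""
    def __init__(self, controller):
        self.flow_table = {}          # (src, dst) -> action, or ("port", n) -> action
        self.controller = controller

    def receive(self, pkt):
        port_rule = self.flow_table.get(("port", pkt["in_port"]))
        if port_rule:                  # a port-wide rule installed by the controller
            return port_rule
        key = (pkt["src"], pkt["dst"])
        if key in self.flow_table:
            return self.flow_table[key]
        return self.controller.packet_in(self, pkt)   # table miss

class Controller:
    """Control plane: decides on misses and watches how often each port misses."""
    def __init__(self, window=1.0, max_misses_per_window=50):
        self.window = window
        self.max_misses = max_misses_per_window
        self.miss_times = defaultdict(deque)   # in_port -> recent miss timestamps
        self.packet_ins = 0
        self.blocked_ports = set()

    def packet_in(self, switch, pkt):
        self.packet_ins += 1
        port, ts = pkt["in_port"], pkt["ts"]
        q = self.miss_times[port]
        q.append(ts)
        while q and q[0] < ts - self.window:    # keep only misses inside the window
            q.popleft()
        if len(q) > self.max_misses:
            # Too many fresh flows from one port: the source addresses keep changing,
            # so a per-flow rule would never be hit again.  Shed the whole port instead.
            self.blocked_ports.add(port)
            switch.flow_table[("port", port)] = "drop"
            return "drop"
        switch.flow_table[(pkt["src"], pkt["dst"])] = "forward"   # normal path
        return "forward"

def simulate():
    ctrl = Controller()
    sw = Switch(ctrl)
    # Constructed traffic: one legitimate flow on port 1, and 200 packets with
    # 200 different (spoofed) source addresses on port 2 inside 0.2 seconds.
    legit = [{"ts": float(t), "in_port": 1, "src": "10.0.0.2", "dst": "10.0.0.3"}
             for t in range(5)]
    spoofed = [{"ts": 3.0 + i * 0.001, "in_port": 2, "src": f"203.0.113.{i}", "dst": "10.0.0.3"}
               for i in range(200)]
    counts = {"forwarded": 0, "dropped": 0}
    for pkt in sorted(legit + spoofed, key=lambda p: p["ts"]):
        counts["forwarded" if sw.receive(pkt) == "forward" else "dropped"] += 1
    counts["packet_ins"] = ctrl.packet_ins
    counts["blocked_ports"] = sorted(ctrl.blocked_ports)
    return counts

if __name__ == "__main__":
    print(simulate())
```

The legitimate flow costs the controller exactly one packet-in, after which its rule is hit on the switch; the spoofed stream costs one packet-in per packet until the port limit trips, which is the resource drain the paragraph describes and the reason the mitigation has to act on something other than the source address.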
 

DNS Amplification Attacks

In addition to the DNS reflection attack discussed previously, a further variant of an amplification attack uses packets directed at a legitimate DNS server as the intermediary system. Attackers gain amplification by exploiting the behavior of the DNS protocol to convert a small request into a much larger response. This contrasts with the original amplifier attacks, which use responses from multiple systems to a single request to gain amplification.

As shown in the picture above, a group of hackers generates 50 Mbps of queries to DNS servers located in different cities. These DNS servers are compromised and amplify the requests to 2 Gbps on each server, with spoofed source IP addresses. Each IP packet is 64 bytes, and a large number of request packets are sent to the compromised servers. The responses to these packets can choke the bandwidth of the target network because of the heavy packet stream.

Application-Based Bandwidth attacks


A good strategy for executing a denial-of-service attack is to induce the target to run resource-consuming operations; for example, a Web site may engage in expensive operations such as searches in response to a single request. Application-based bandwidth attacks attempt to take advantage of this disproportionately large resource consumption at the server.

Voice over IP (VoIP) is widely deployed over the Internet. The standard protocol used for call setup in VoIP is the Session Initiation Protocol (SIP). It has the same syntax as HTTP. The protocol uses two types of messages: requests and responses. The figure gives a simple illustration of the SIP INVITE message, used to establish a media session between user agents. In this case, Alice's user agent runs on a computer, and Bob's user agent runs on a cell phone. Alice's user agent is configured to communicate with a proxy server (the outbound server) in its domain and begins by sending an INVITE SIP request to the proxy server that indicates its desire to invite Bob's user agent into a session. The proxy server uses a DNS server to get the address of Bob's proxy server, and then forwards the INVITE request to that server.
 
A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption. The attacker can flood a SIP proxy with numerous INVITE requests carrying spoofed IP addresses. The attack loads the SIP proxy server and consumes network capacity.
An HTTP flood is also an application-based DDoS attack, in which the attacker bombards a web server with HTTP requests. Typically it is a distributed attack in which the HTTP requests come from different botnets. The purpose of the attack is to consume considerable resources. For example, an HTTP request to download a large file from the target causes the Web server to read the file from disk, store it in memory, convert it into a packet stream and then transmit the packets. This process consumes memory, processing and transmission resources.
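A detector for the two application-layer floods just described (SIP INVITE floods and HTTP request floods), as an added example that is not part of the original post or of any proxy or web server. It parses constructed log lines, charges each request a rough server-side cost (the cost weights are this example's assumption: one unit per INVITE, one unit plus one per megabyte served for HTTP) and keeps sliding-window totals both per source and per service. The second view is the important one for the spoofed INVITE case: when every request carries a different forged address, no single source ever looks busy, and only the aggregate rate toward the proxy reveals the flood.

```python
"""Sliding-window detector for SIP INVITE and HTTP request floods.
Added example; the log format, sample lines and cost weights are constructed."""
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch> <client-ip> <SIP|HTTP> <method> <target> <response-bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<proto>SIP|HTTP) "
    r"(?P<method>\S+) (?P<target>\S+) (?P<bytes>\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                     # unparseable lines are skipped, not trusted
    r = m.groupdict()
    r["ts"], r["bytes"] = float(r["ts"]), int(r["bytes"])
    return r

def cost(rec):
    """Rough server-side cost of one request (assumed weights): an INVITE costs a
    unit of proxy work, an HTTP request costs a unit plus one per megabyte served."""
    if rec["proto"] == "SIP":
        return 1.0 if rec["method"] == "INVITE" else 0.2
    return 1.0 + rec["bytes"] / 1_000_000

def detect(lines, window=10.0, per_source_limit=20.0, aggregate_limit=100.0):
    """Return alerts: ("source", ip) when one client spends too much server cost
    inside the window, ("aggregate", proto) when the service as a whole does."""
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    windows = defaultdict(deque)        # key -> deque of (ts, cost) inside the window
    sums = defaultdict(float)
    alerts = set()

    def add(key, ts, c, limit, kind):
        q = windows[key]
        q.append((ts, c))
        sums[key] += c
        while q and q[0][0] < ts - window:
            sums[key] -= q.popleft()[1]
        if sums[key] > limit:
            alerts.add((kind, key[1]))

    for r in recs:
        c = cost(r)
        add(("src", r["src"]), r["ts"], c, per_source_limit, "source")
        add(("proto", r["proto"]), r["ts"], c, aggregate_limit, "aggregate")
    return alerts

# Constructed sample log: normal calls and browsing, one client pulling a 700 MB
# file twice, and an INVITE flood from 150 different spoofed source addresses.
SAMPLE_LOG = (
    [f"{100 + 5 * i} 10.0.0.8 SIP INVITE sip:bob@example.org 0" for i in range(3)]
    + ["120 10.0.0.12 HTTP GET /index.html 5120"]
    + [f"{200 + i} 203.0.113.9 HTTP GET /downloads/big.iso 734003200" for i in range(2)]
    + [f"{300 + i * 0.01:.2f} 198.51.100.{i} SIP INVITE sip:bob@example.org 0"
       for i in range(1, 151)]
)

if __name__ == "__main__":
    for alert in sorted(detect(SAMPLE_LOG)):
        print(alert)
```

The large-download client trips both the per-source and the aggregate HTTP limit; the INVITE flood trips only the aggregate SIP limit, because each spoofed address appears once.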

Sunday 21 December 2014

Reflector and Amplification Attacks

In contrast to DDoS attacks, reflector and amplification attacks use network systems that are functioning normally. The attacker sends a network packet with a spoofed source address to a service running on some network server. The server responds to this packet, sending the response to the spoofed source address, which belongs to the actual attack target. If the attacker sends a number of requests to a number of servers, all with the same spoofed source address, the resulting flood of responses can overwhelm the target's network link. There are two basic variants of this type of attack: reflection attacks and amplification attacks.
A reflection attack is the direct implementation of this idea. The attacker sends packets to a known server with the spoofed source address of the actual target system. When the server responds, the response is sent to the target. This reflects the attack off the server, which acts as a reflector; that is why the attack is called a reflector attack.
 
 
Amplification attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to machines that act as reflectors. They differ in generating multiple response packets, or much larger ones, for each original packet sent. In DNS amplification, the attacker crafts a small DNS message, usually 60-80 bytes, with the victim's spoofed IP address and sends it to an open DNS resolver to trigger a DNS response back to the victim's address. The response is usually 2000-3000 bytes, an amplification factor of approximately 60 times the original size. This amplification can significantly increase the volume of traffic that the victim receives.
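An added example covering both the DNS amplification figures given above and in the "DNS Amplification Attacks" post, seen from the side of a resolver operator (this is not the page's code nor that of any DNS server software; the log records, byte sizes and thresholds are constructed). It computes the amplification factor of a query/response pair, flags a "client" address that keeps receiving far more response bytes than it sent in queries, which under spoofing is the victim rather than the sender, and applies response rate limiting: beyond a few answers per second to one address, the resolver replies truncated (TC=1), so only a genuine client, which can retry over TCP, ever gets the full-size response.

```python
"""DNS amplification from the resolver's side: factor, victim detection, RRL.
Added example; records, sizes and thresholds are constructed."""
from collections import defaultdict, deque

def amplification_factor(request_bytes, response_bytes):
    """Bytes sent toward the (possibly spoofed) source per byte the sender spent."""
    return response_bytes / request_bytes

# Constructed resolver log: (ts, client_ip, qtype, qname, request_bytes, response_bytes)
SAMPLE_RECORDS = (
    [(1.0, "10.0.0.4", "A", "www.example.org", 45, 120),
     (2.0, "10.0.0.4", "AAAA", "www.example.org", 45, 132),
     (3.0, "10.0.0.6", "MX", "example.org", 41, 98)]
    # 30 ANY queries in 0.3 s, all claiming to come from one address
    + [(5.0 + i * 0.01, "198.51.100.7", "ANY", "example.org", 64, 2800) for i in range(30)]
)

def amplified_clients(records, min_ratio=20.0, min_response_bytes=20_000):
    """Addresses that received far more response bytes than they sent in queries."""
    totals = defaultdict(lambda: {"req": 0, "resp": 0})
    for _ts, client, _qtype, _qname, req, resp in records:
        totals[client]["req"] += req
        totals[client]["resp"] += resp
    return {client: round(t["resp"] / t["req"], 2) for client, t in totals.items()
            if t["resp"] >= min_response_bytes and t["resp"] / t["req"] >= min_ratio}

def rrl_decisions(records, per_window=5, window=1.0):
    """Response rate limiting: past `per_window` answers to one client within
    `window` seconds, reply truncated instead of sending the full response."""
    recent = defaultdict(deque)
    decisions = []
    for ts, client, *_ in sorted(records):
        q = recent[client]
        while q and q[0] <= ts - window:
            q.popleft()
        q.append(ts)
        decisions.append((client, "answer" if len(q) <= per_window else "truncate"))
    return decisions

if __name__ == "__main__":
    print("factor, 64-byte ANY query with a 2800-byte answer:", amplification_factor(64, 2800))
    print("amplified clients:", amplified_clients(SAMPLE_RECORDS))
    d = rrl_decisions(SAMPLE_RECORDS)
    print("truncated:", sum(1 for _, v in d if v == "truncate"), "of", len(d))
```

The ratio check is deliberately per-destination rather than per-query: a single large answer is normal, a sustained stream of them toward one address that never asks anything else is what the spoofed-victim pattern looks like in a resolver's own logs.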

Legal and Illegal Botnets

The term botnet is also used when several IRC bots are connected together; they may set channel modes on other bots while keeping IRC channels away from unwanted users. Such bots are used for legal purposes; one example of this kind of botnet is Eggdrop.
Illegal botnets consist of computers whose security defences have been breached and that are controlled by a third party. Such a compromised device is known as a "bot"; it is created when a computer is infected by malware. The controller of the botnet is able to direct the activities of these infected computers through communication channels.

SYN Spoofing

Along with the basic flooding attack, the other common classic DoS attack is the SYN spoofing attack. This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections. This means future connection requests from legitimate users fail, denying them access to the server. It is thus an attack on system resources, specifically the network handling code in the operating system. To understand the operation of these attacks, we need to review the three-way handshake that TCP uses to establish a connection. This is illustrated in the following figure. The client system initiates the request for a TCP connection by sending a SYN packet to the server. This identifies the client’s address and port number and supplies an initial sequence number. It may also include a request for other TCP options.

The server records all the details about this request in a table of known TCP connections. It then responds to the client with a SYN-ACK packet. This includes a sequence number for the server and increments the client's sequence number to confirm receipt of the SYN packet. Once the client receives this, it sends an ACK packet to the server with an incremented server sequence number and marks the connection as established. Likewise, when the server receives this ACK packet, it also marks the connection as established. Either party may then proceed with data transfer. In practice, this ideal exchange sometimes fails. These packets are transported using IP, which is an unreliable, though best-effort, network protocol. Any of the packets might be lost in transit, as a result of congestion, for example. Hence both the client and server keep track of which packets they have sent and, if no response is received in a reasonable time, will resend those packets. As a result, TCP is a reliable transport protocol, and any applications using it need not concern themselves with problems of lost or reordered packets. This does, however, impose an overhead on the systems in managing this reliable transfer of packets.
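The table-overflow mechanism described above, modelled as an added example (not the page's code, nor any operating system's TCP implementation): a toy server keeps the half-open connection table from the handshake, with a backlog limit and a timeout, and the same scenario is run with and without SYN cookies, the standard mitigation in which the server keeps no state for a SYN and instead encodes a verifiable value in its initial sequence number. The clients, timings and cookie construction (a truncated HMAC over the client address; real kernels also fold in a timestamp and MSS) are constructed and simplified.

```python
"""Half-open TCP table under spoofed SYNs, with and without SYN cookies.
Added example; the handshake model, clients and timings are constructed."""
import hashlib
import hmac
import itertools

class Server:
    def __init__(self, backlog=8, half_open_timeout=60.0, syn_cookies=False,
                 secret=b"constructed-example-secret"):
        self.backlog = backlog                  # max half-open entries kept in the table
        self.half_open_timeout = half_open_timeout
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}                     # (ip, port) -> (server_isn, ts)
        self.established = set()
        self.rejected = 0
        self._isn = itertools.count(1000)

    def _cookie(self, client):
        """Stateless ISN the server can recompute when the ACK arrives (simplified)."""
        mac = hmac.new(self.secret, f"{client[0]}:{client[1]}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def _expire(self, now):
        for client, (_isn, ts) in list(self.half_open.items()):
            if now - ts > self.half_open_timeout:
                del self.half_open[client]

    def on_syn(self, client, now):
        """Return the SYN-ACK's sequence number, or None if the SYN was dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(client)         # nothing is stored for this client
        if len(self.half_open) >= self.backlog:
            self.rejected += 1                  # table full: the request is lost
            return None
        isn = next(self._isn)
        self.half_open[client] = (isn, now)
        return isn

    def on_ack(self, client, ack_num, now):
        """Third handshake step; True if the connection becomes established."""
        if self.syn_cookies:
            ok = ack_num == (self._cookie(client) + 1) & 0xFFFFFFFF
        else:
            entry = self.half_open.pop(client, None)
            ok = entry is not None and ack_num == entry[0] + 1
        if ok:
            self.established.add(client)
        return ok

def run_scenario(syn_cookies):
    """20 spoofed SYNs that are never acknowledged, then a real client that
    tries once during the attack and, if that fails, once after the timeout."""
    srv = Server(syn_cookies=syn_cookies)
    for i in range(20):                         # constructed spoofed sources
        srv.on_syn((f"203.0.113.{i}", 50000 + i), now=i * 0.01)

    def legit_attempt(now):
        client = ("10.0.0.5", 40001)
        isn = srv.on_syn(client, now)
        return isn is not None and srv.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 0.05)

    first = legit_attempt(1.0)
    eventually = first or legit_attempt(61.1)   # half-open entries have expired by then
    return {"first_attempt_ok": first, "eventually_ok": eventually,
            "rejected_syns": srv.rejected, "half_open_now": len(srv.half_open)}

if __name__ == "__main__":
    print("without SYN cookies:", run_scenario(False))
    print("with SYN cookies:   ", run_scenario(True))
```

Without cookies, eight spoofed entries fill the table, the remaining spoofed SYNs and the real client's first SYN are all dropped, and the client only connects after the timeout clears the table; with cookies nothing is stored per SYN, so the table never fills and the real client connects at once.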

Saturday 20 December 2014

Classic Denial of Service Attacks

The simplest classical DoS attack is a flooding attack on an organization. The aim of this attack is to overwhelm the capacity of the network connection to the target organization. If the attacker has access to a system with a higher-capacity network connection, then this system can likely generate a higher volume of traffic than the lower-capacity target connection can handle. As shown in the figure, the attacker might use the large company's Web server to target the medium-sized company with a lower-capacity network connection. The attack might be as simple as using a flooding ping command directed at the Web server in the target company. This traffic can be handled by the higher-capacity links on the path between them, until the final router in the Internet cloud is reached. At this point some packets must be discarded, with the remainder consuming most of the capacity on the link to the medium-sized company. Other valid traffic will have little chance of surviving discard as the router responds to the resulting congestion on this link.