Hacking BotNets
BotNet Overview
- How to Know if You’re Infected
- Key Commands for Testing
- Infection
Lifecycle:
- Initial information - find a vulnerability and exploit
- Inject scripts to infect the victim
- Establish connection to Command & Control Channel (C&C)
- BotNet request commands from C&C to the begin attack
- Firewalls
- Firewall Architecture
- Packet Filtering
Firewall:
- Packet filters are scalable and not application dependent.
- Packet filters are high performance firewalls since they do not carry out extensive processing on each package.
- Good to use as a first line of defense
- A BotNet will most likely get through this type of firewall.
- Stateful Firewall:
- Maintains a state table that tracks everything within the session
- Has a better performance matrix then an application proxy Firewalls with a higher degree of security
- Is Scalable
- Application Proxy
Firewall:
- They have extensive logging capabilities.
- They can authenticate users directly which is unlike other firewalls that only use system authentication
- Not great in high-bandwidth, real-time applications
- Performance issues since it looks at each packet.
- Dynamic Packet-Filtering Firewall:
- It operates at the Network, and Transport layers (Layers 3 and 4) of the OSI model
- A Dynamic Firewall evaluates the context of network traffic. It looks at source, destination addresses, application usages, origin, and relationship between current/previous packets.
- Kernel Proxy Firewall:
- Known as a fifth-generation firewall
- Can create dynamic, customizable virtual network stacks
- It can scrutinize every layer of the packet.
- It can also act as a NAT by changing the source address
- Next-Generation Firewalls:
- Build-in signature-based IPS engines that can learn traffic patterns
- Understand behavior patterns across networks
- Spot specific indicator patterns using advanced AI algorithms
- Have the ability to connect to Active Directories, White-Lists, Black-List and other policy servers linked across cloud networks
- Firewall Architecture Types:
- Screened Host
- Multi/Dual-Homed
- Screened Subnet
- Additional Methods to Combat BotNets
11 Ways to Combat Botnets:
1) Install a Windows Firewall: Also, properly configure it.
2) Disable AutoRun: Do not let systems automatically install software.
3) Break Password Trusts: Take control of admin accounts and don't let systems automatically connect to each other.
4) Consider Network Compartmentalization: Set up VLANS, or access control lists (ACLS) between subnetworks and limit the capability for computers to communicate with each other.
5) Provide Least Privilege: Give users what they need to do their jobs and nothing more.
6) Install Host-Based Intrusion Prevention: Don't let Botnets get root access.
7) Enhance Monitoring: The more you know the better so log it, log it, LOG IT!
8) Filter Data Leaving the Network: Botnets like to communication with the command and control center so egress filtering is key.
9) Use a Proxy Server: Forcing outbound traffic through a proxy gives you a point of monitoring.
10) Install Reputation-based Filtering: Block emails from, request to. Know your potential malware websites and filter.
11) Monitor DNS Queries: If a computer is responding to a DNS query could be a sign of a botnet infection.
- BotNet Command & Control
- Comparison Chart of BotNet Categories
- Fast Flux Networks
- Intrusion Detection Systems
- Host-Based
- Network-Based
- Hybrid of the two
- Mobile Systems
Analysis of some of the ways to combat the growing problem of BotNets on the Web
Hacking_Botnets.pdf
Adobe Acrobat document [1.2 MB]
Print