The term botnet is defined as a set of software bots which operate separately and automatically. Together they form a network that is controlled by attackers. Botnets are a rising threat, with thousands of computers infected. Attackers control 40% of the infected bot computers connected to the Internet. Understanding, detecting, tracking, and defending against botnets are important topics because botnets are widespread. Mostly home-based computers suffer from this.
How are Botnets Created?
Botnet creation starts when a software program known as a "bot", such as an IRC bot, is downloaded by a user who clicks an infected e-mail attachment or downloads an infected file from a peer-to-peer network or a malicious Web site. Once the bot is installed, the infected system connects to a public server set up by the botmaster to issue commands to the botnet. Many techniques are used for this; public Internet Relay Chat (IRC) servers are very common.
The botmaster occasionally pushes new code to the bots through the control plane. The main job of the botmaster is to bring more machines into the network: all infected machines are instructed to scan for other vulnerable hosts, and every newly infected system joins the network and then scans for further recruits, so the botnet can grow very large. This paper is organized into three parts: understanding botnets, detection of botnets, and protection or defense against botnets.
UNDERSTANDING BOT
To understand botnets we first have to understand the different types of bot, their functions, and how they attack other computers. Some of them are discussed below:
A. IRC BOT
An IRC bot is set up as a separate program which connects to IRC and performs tasks automatically. A group of such computers that are connected to each other is called a botnet. There are many reasons that bots are connected into botnets: they share common user lists and channel settings, report what is happening in the IRC channel, give information on demand, and provide a method to control several bots simultaneously.
B. HTTP BOT
A botnet consists of three key components: the botmaster, who designs and controls the botnet; the bots; and the command & control (C&C) domain. Let's take as an example the process used to send spam. First, the bot instructs the controller to destroy and remove local processes/files. After receiving that command, the controller refers system data to the bot. The bot requests SMTP (Simple Mail Transfer Protocol) domains and receives failure responses from the SMTP servers; then the bot receives the spam e-mail, and e-mail addresses become targets of the bots.
C. P2P BOT
A Peer-to-Peer (P2P) botnet is used to protect the servers or domains that would otherwise be targeted, by building a different kind of network. In a P2P botnet the bots connect and communicate with each other, which eliminates the need for a centralized server; the botmaster commands the bots by using digital signing. Digital signing uses asymmetric encryption: two keys are required, one public and one private (reserved). If one key is used to encrypt a message, the other key decrypts it. The botmaster keeps one key as the secret (reserved) key and embeds the other as the public key; the botmaster uses the private key to encrypt commands and the bots use the public key to decrypt them, so commands cannot be encrypted by anyone without the botmaster's private key.
D. Fast-Flux Networks
Fast-flux servers are used as botnet Command & Control servers. Some websites are valuable to the attackers, so they want to hide their IP addresses from other users. To do this, they first let the user connect to a compromised PC. This computer acts as a proxy: it forwards the user's request, and the user receives the reply from the real server. Fast-flux networks are used for this purpose: for a given DNS Resource Record (RR), the network combines round-robin IP addresses with a short Time-To-Live (TTL) to spread a user's requests over a great number of compromised computers. The fast-flux motherships control the fast-flux service systems. Fast-flux provides more features than a plain C&C system, but both are similarly found in conventional botnets.
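As an added example (not from the paper), the following Python heuristic flags fast-flux candidates from repeated DNS answers using the indicators named above: short TTLs and a large, rotating set of A records spread across unrelated networks. The sample answers and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (domain, TTL in seconds, A records returned in one DNS answer).
SAMPLE_ANSWERS = [
    ("static.example", 86400, ["198.51.100.7"]),
    ("static.example", 86400, ["198.51.100.7"]),
    ("flux.example", 300, ["203.0.113.10", "203.0.113.25", "192.0.2.4"]),
    ("flux.example", 300, ["192.0.2.77", "203.0.113.91", "198.51.100.3"]),
    ("flux.example", 180, ["192.0.2.130", "203.0.113.200", "198.51.100.250"]),
]

# Thresholds are assumptions for this example, not values from the paper.
MAX_TTL = 600           # fast-flux records use short TTLs so the IPs can rotate
MIN_DISTINCT_IPS = 5    # many different compromised hosts behind one name
MIN_DISTINCT_NETS = 3   # rotating IPs come from many unrelated networks

def summarize(answers):
    """Per domain: lowest TTL seen, set of distinct IPs, set of distinct /24 networks."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for domain, ttl, ips in answers:
        s = stats[domain]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["ips"].update(ips)
        # crude /24 grouping: drop the last octet of the dotted quad
        s["nets"].update(ip.rsplit(".", 1)[0] for ip in ips)
    return stats

def is_fast_flux(s):
    """A domain is suspicious only when all three flux indicators are present."""
    return (s["min_ttl"] is not None and s["min_ttl"] <= MAX_TTL
            and len(s["ips"]) >= MIN_DISTINCT_IPS
            and len(s["nets"]) >= MIN_DISTINCT_NETS)

def flagged_domains(answers):
    """Return the sorted list of domains whose answers look like fast-flux."""
    return sorted(d for d, s in summarize(answers).items() if is_fast_flux(s))

if __name__ == "__main__":
    print(flagged_domains(SAMPLE_ANSWERS))
```

In a real deployment the /24 grouping would be replaced by an ASN lookup, and the answers would come from passive DNS logs collected over hours rather than a handful of queries.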
DETECTION OF BOTNET
There are many approaches and techniques to detect Botnets, some of which are discussed below:
A. IRC Snort Intrusion Detection
Snort can be configured in three modes:
· Sniffer mode: network packets are read and captured by the libpcap library and displayed on the screen.
· Packet logger mode: the system keeps a record of network packets on disk, storing them as ASCII in a log file or in a MySQL database.
· Network intrusion detection system mode: the system examines network protocols, and rules are set to detect different kinds of attacks. The packet decode module, pre-processor module, detection engine module, and output module make up Snort's structure and processing pipeline. With this technique, the administrator can detect bot hosts on a local area network.
This system also contains a packet-filtering module; on Linux, iptables is used for filtering packets. It performs many tasks: it blocks malicious intrusions from outside connections, protects secret information, and also stops attacks by hackers.
C. Signature-Based Detection
Botnets can be detected easily and immediately if their signatures are already known, but this is limited to well-known botnets. Rishi is a well-known example of this approach.
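To illustrate the Snort NIDS mode and the signature-based detection described above, here is an added Python example (not code from the paper or from Snort) that applies Snort-style content signatures to constructed IRC client lines; the nickname pattern follows the Rishi idea of scoring bot-like nicknames. The traffic, signatures and port ranges are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed IRC client lines as a sensor would see them: (source host, dst port, payload).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 6667, "NICK alice"),
    ("10.0.0.5", 6667, "JOIN #linux"),
    ("10.0.0.5", 6667, "PRIVMSG #linux :anyone tried the new kernel?"),
    ("10.0.0.23", 6667, "NICK USA|038112"),
    ("10.0.0.23", 6667, "JOIN #c0ntr0l"),
    ("10.0.0.23", 6667, "PRIVMSG #c0ntr0l :.scan 100 5"),
    ("10.0.0.40", 81, "NICK bob"),
    ("10.0.0.40", 81, "JOIN #chat"),
]

IRC_PORTS = range(6660, 6670)                       # assumed "normal" IRC port range
IRC_VERB = re.compile(r"^(?:NICK|USER|JOIN|PRIVMSG)\b")

# Constructed content signatures in the spirit of Snort NIDS rules (assumed, not Snort's own).
SIGNATURES = [
    ("bot-style nickname: country code + digits",
     re.compile(r"^NICK\s+[A-Z]{2,3}[|_-]\d{4,}\s*$")),
    ("bot command posted to a channel",
     re.compile(r"^PRIVMSG\s+#\S+\s+:[.!](?:scan|ddos|update|download)\b", re.I)),
]

def inspect(traffic):
    """Map each source host to the set of indicator names its traffic triggered."""
    hits = defaultdict(set)
    for host, port, payload in traffic:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                hits[host].add(name)
        # IRC verbs on a port outside the usual range are a weak, separate indicator
        if IRC_VERB.match(payload) and port not in IRC_PORTS:
            hits[host].add("IRC protocol on non-standard port")
    return hits

def suspicious_hosts(traffic, min_hits=2):
    """Flag only hosts with at least min_hits distinct indicators to limit false positives."""
    return sorted(h for h, names in inspect(traffic).items() if len(names) >= min_hits)

if __name__ == "__main__":
    for host, names in sorted(inspect(SAMPLE_TRAFFIC).items()):
        print(host, sorted(names))
    print("suspicious:", suspicious_hosts(SAMPLE_TRAFFIC))
```

The threshold on distinct indicators matters: with the constructed traffic, the host using IRC on port 81 trips one weak indicator and is not flagged, while the host with both a bot-style nickname and a channel command is.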
D. Anomaly-Based Detection
This technique looks for several network traffic anomalies that indicate the presence of malicious bots in the network. It can also detect unknown bots.
E. DNS-Based Detection
This approach is used when a botnet generates particular DNS information. It is similar to anomaly-based detection, as the same algorithms are used.
F. Honeypot-Based Detection
This detection approach is very effective because it collects information about botnets: the holes through which bots enter the network, the many tools and methods that attackers use, and the attackers' motivation. The technique can be applied in many ways, such as Nepenthes, Freiling, etc.
G. Mining-Based Detection
Command and control traffic is difficult to detect because it does not create high latency and the botnet uses normal protocols for it. In this case, mining-based techniques, including machine learning and classification, are used to detect botnet C&C.
H. Network-Based Technique
By monitoring network traffic we can detect botnets; this is the network-based technique. It has two types: active and passive monitoring. In active monitoring, extra packets are produced, since the monitor is able to inject test packets. In passive monitoring, devices observe traffic as it passes by; no traffic is added, but it takes a long time.
I. Host-Based Detection
This detection strategy is used for P2P bots, where monitoring and analysis are done on the internals of the computer, such as system logs, registry records, API call sequences, etc.
DEFENSE AGAINST BOT
If computers are infected, the system slows down, crashes, or frequently stops responding. The effective way to stop the infection is to shut down the botmaster once we detect it. Some approaches are discussed below.
A. Spam
A spam system is used to prevent spam messages generated by bots. Previous detection results are not used by the system to block spam e-mails created by botnets. The basic idea of the system is: a host may be a spam bot sending a large number of e-mails if the source IP address is dynamically allocated (a simple IP address) and, on checking the recipient's address book, the sender's e-mail address is not present there and is not one of the previous recipients or senders; that makes it clear that the e-mail is spam. The use of this system has not yet been evaluated, but it is in the process of being implemented.
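An added example (not the paper's system) implementing the spam-bot heuristic just described in Python: a source IP is flagged when it is dynamically allocated and sends a burst of mail from senders that are in neither the address book nor the list of past correspondents. The dynamic ranges, address book, sample messages and burst threshold are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed knowledge the mail system would hold (assumed values).
DYNAMIC_RANGES = [ip_network("203.0.113.0/24")]      # e.g. residential DHCP pool
ADDRESS_BOOK = {"carol@example.org", "dave@example.net"}
PAST_CONTACTS = {"erin@example.com"}                  # prior recipients or senders
BURST_THRESHOLD = 5   # assumed: this many unknown-sender mails from one dynamic IP

# Constructed inbound messages: (source IP, envelope sender address).
SAMPLE_MESSAGES = (
    [("203.0.113.45", f"user{i}@example.biz") for i in range(8)]    # burst, dynamic IP
    + [("203.0.113.9", "erin@example.com")]                          # dynamic IP, known contact
    + [("198.51.100.20", f"promo{i}@example.biz") for i in range(8)] # burst, but static IP
)

def from_dynamic_ip(ip):
    """True when the source address lies in a dynamically allocated range."""
    addr = ip_address(ip)
    return any(addr in net for net in DYNAMIC_RANGES)

def unknown_sender(sender):
    """True when the sender is in neither the address book nor past correspondence."""
    return sender not in ADDRESS_BOOK and sender not in PAST_CONTACTS

def suspect_ips(messages, threshold=BURST_THRESHOLD):
    """IPs that are dynamic AND sent at least `threshold` mails from unknown senders."""
    counts = Counter(ip for ip, sender in messages
                     if from_dynamic_ip(ip) and unknown_sender(sender))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def classify_message(ip, sender, suspects):
    """Reject a message only when it comes from a flagged IP and an unknown sender."""
    return "spam" if ip in suspects and unknown_sender(sender) else "accept"

if __name__ == "__main__":
    flagged = suspect_ips(SAMPLE_MESSAGES)
    print("suspect IPs:", flagged)
    for ip, sender in SAMPLE_MESSAGES[:1] + SAMPLE_MESSAGES[8:10]:
        print(ip, sender, "->", classify_message(ip, sender, flagged))
```

Note that mail from a flagged IP is still accepted when the sender is a known contact, which is what keeps a shared dynamic address from blocking legitimate correspondents.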
B. Secure Web Gateways
The purpose of secure web gateways is to clean Web traffic and block malicious content; this might not be as effective for URL-dependent devices when it comes to blocking kits.
C. Antivirus Software
Nowadays much antivirus software is available on the market. Installing such software automatically defends against viruses and protects the computer from them.
D. Web Application Firewall
To protect web networks at the application layer, plug-ins, applications, and filters are designed to block code injections such as cross-site scripting, malicious links, and malicious files.
CONCLUSION
This paper has covered a basic introduction to and understanding of botnets, along with a brief history of botnets. It also discussed how botnets are created and spread among computers, and the techniques and approaches required for detection, such as honeypots and IRC Snort intrusion detection. For safety against botnets it suggests simply shutting down the system after detection of a bot network.