Botnets: An Analysis of Attack Techniques, Detection and Mitigation Methods using Open Source Software
Contents
Introduction and Background
Aims
Objectives
Resources
Hardware
Software
Library
Other
Deliverables
Academic Challenges
Ethics
Professionalism
Literature Review
Methodology
Project Plan
Introduction and Background
A Bot is a piece of software used to perform repetitive commands or tasks very quickly. A Botnet, or network of robots, is a collection of these systems with the purpose of carrying out a series of distributed commands or tasks. The first Bots were not malicious: they were developed in the late 1980s and early 1990s to work within and alongside Internet Relay Chat (IRC).
Over the last two decades the design, complexity and purpose of Bots have evolved. Botnets are now recognised as one of the favourite tools of cybercriminals and hackers.
Spitz and Hunter (2005) explain that these original Bots were developed to provide services to users, and highlight Napster, the peer-to-peer file-sharing system developed in 1999, as one of the biggest successes for Botnets. However, Hoque, Bhattacharyya and Kalita (2015) show that malicious Botnet techniques such as Distributed Denial of Service (DDoS), malware distribution and spam give criminals the ability to exploit systems, gain access to personal data or deny access to systems altogether.
Wainwright and Kettani (2019) note that detecting and mitigating these attacks is an ongoing and growing problem as systems migrate to a more mobile and expansive range of Internet-connected (IoT) devices.
Aims
To analyse Botnet attack behaviours, evaluate detection methods and propose a framework of mitigation techniques to protect networks and systems using Open Source Software.
Objectives
Investigate the design and behaviours of Botnets
Investigate existing Botnet detection mechanisms
Examine current mitigation techniques
Investigate relevant Open Source Software
Design a controlled environment for test purposes
Design a test framework
Document the processes
Document the environment
Design a schedule of testing
Analyse results
Design a recommended mitigation framework
Resources
Hardware
2 x Desktop Computers
2 x Monitors
2 x Keyboards
2 x Mice
2 x Network Interface Cards
Performance (Per System)
Quad-core processor, min 2.7 GHz
16–32 GB RAM
Large / fast hard drives (SSD / SATA)
External USB hard drives
Router / Switch for connectivity between systems
Wired and Wi-Fi Connectivity
Internet Connectivity
Software
Operating System software for the host systems (Windows / Linux)
Web Browsers
Word Processor
Spreadsheet
Email Client
Presentation software
Recording software
Open Source Virtualisation software
Open Source applications
Intrusion Detection software
Intrusion Detection and Prevention software
Botnet malware
Firewall solution
DNS
Webserver
IRC software
Penetration Testing tools
Multiple network utilities
Library
Journals
IEEE Xplore Digital Library
ACM Library
Books
Various reference guides as listed in the reference section
Other
Website Resources
Oracle Virtual Box
Ubuntu.com
Microsoft.com
Github.com
SANS Institute
NIST
Deliverables
Write a literature review to include
Botnet design and behaviours and how they can be controlled through Command and Control servers
Detection mechanisms including, how they are implemented and how they detect Botnet attacks
Mitigation techniques and how they have developed and the processes required to remove detected Botnet Bots
Research, categorise and obtain the various open source software required for the project
Create a controlled, virtualised sandbox environment that protects the physical host systems while allowing Botnet detection software to be deployed and Botnet malware to be distributed only within that environment
Produce a series of tests to be generated in the controlled environment
Produce a detailed report on the structure of the controlled environment and the processes used in the testing phase
Create a detailed schedule, to be included in the overall project plan, for the build of the controlled environment, the installation and configuration of the various systems and software, and the testing phase
Produce a detailed report highlighting the results of the various tests.
Create a recommended mitigation framework based on the information gathered in the literature reviews and the detailed results of the testing phase.
Academic Challenges
The area being researched is broad, with a combination of attack, detection and mitigation techniques at its core. This requires a strong understanding of each of these areas both individually and collectively, and extensive research will be needed to build an in-depth understanding of each. That understanding is needed to ensure that the tests created simulate a real-world environment closely enough for the results to be analysed realistically. From the attack perspective, the coding and design of a specific type of Bot is the area in which the researcher has the least exposure. This learning will be both important and beneficial within the project, assisting with the design of tests and creating a better awareness of what the detection methods require and how the mitigation techniques are implemented.
Ethics
As outlined in this proposal, the research will combine literature review with practical work, followed by comparative analysis and proposals. There are no participants other than the researcher. It is therefore important from an ethical perspective that all tests and experiments, including any Botnet malware, are confined to the controlled virtualised environment and are not used in a wider scope.
Professionalism
From a professional perspective, and to comply with the standards of ethical and professional conduct, all research will be conducted in a proper academic manner with reference to the BCS Code of Conduct, which includes employing a professional approach, taking the necessary care, and passing information on to others to enhance the field of IT.
Literature Review
Malware, or malicious software, comes in many forms and serves many different purposes. One form of distribution and control of malware is the Botnet. A malicious Botnet can be characterised as an initial single Bot whose purpose is to grow by replicating to multiple systems, with the intent of using the replicated malware to perform large-scale attacks.
Kumar, Kumar Sehgal and Chamotra (2016) categorise such attacks as DDoS, phishing, spam and P2P attacks. This is supported by Symantec's annual Internet Security Threat Report, which recorded a single Bot distributing over 67,000 malicious emails in the latter half of 2017 (Symantec, 2018).
Wainwright and Kettani (2019) explain that a Bot is not in itself malware, has many legitimate purposes and has existed on the Internet since the development of Internet Relay Chat. Shanthi and Seenivasan (2015) take this a step further by separately defining a malicious Botnet as a collection of systems infected with the same Bot carrying one or more malware payloads.
These systems, acting as zombies, differ from a traditional malware infection because they remain under the control of a remote Bot Master operating from one or more Command and Control (C&C) servers, which can send commands to all zombies so that tasks are carried out quickly and simultaneously.
Czosseck, Klein and Leder (2011) argue that, as most modern Botnets are deployed for malicious purposes, it is not feasible for antivirus (AV) companies to keep pace with every new threat, so other countermeasures must be developed.
While the payloads carried by Bots may be designed to steal personal information, send spam or deny services, it is the behaviour of the Botnet itself that makes detection difficult. The C&C servers are the critical component of a successful Botnet attack. Traditionally C&C has been centralised, but in many cases it has been replaced by decentralised peer-to-peer (P2P) C&C structures with no single server to target.
Wang and Yu (2009) proposed a technique based on packet sizes and timings that targets a centralised C&C server, whereas Venkatesh et al. (2015) proposed a detection technique aimed at P2P or decentralised C&C, which is inherently more difficult to take down.
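The aggregation idea attributed above to Wang and Yu (2009) can be illustrated with a small detector: flows from several internal hosts to the same destination are grouped, and a group is scored on how uniform its payload sizes are and how regular each host's contact interval is. The code below is an added example written for this proposal, not code from the cited paper or from any tool listed in the resources; the flow records, IP addresses and thresholds are constructed assumptions for the illustration.

```python
"""Toy traffic-aggregation detector for a centralised C&C channel (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes).
# Constructed sample: three internal hosts beacon to 203.0.113.7:6667 every 60 s
# with near-identical sizes; two of them also browse 198.51.100.20:443 with
# varied sizes and irregular timing; one makes two DNS queries.
SAMPLE_FLOWS = []
for i, src in enumerate(("10.0.0.11", "10.0.0.12", "10.0.0.13")):
    for k in range(6):
        SAMPLE_FLOWS.append((k * 60 + i, src, "203.0.113.7", 6667, 96 + (k % 2)))
SAMPLE_FLOWS += [
    (5, "10.0.0.11", "198.51.100.20", 443, 1200),
    (17, "10.0.0.11", "198.51.100.20", 443, 340),
    (70, "10.0.0.11", "198.51.100.20", 443, 5600),
    (71, "10.0.0.11", "198.51.100.20", 443, 880),
    (140, "10.0.0.11", "198.51.100.20", 443, 2100),
    (9, "10.0.0.12", "198.51.100.20", 443, 450),
    (33, "10.0.0.12", "198.51.100.20", 443, 7300),
    (150, "10.0.0.12", "198.51.100.20", 443, 1500),
    (12, "10.0.0.13", "192.0.2.53", 53, 71),
    (300, "10.0.0.13", "192.0.2.53", 53, 73),
]


def _cv(values):
    """Coefficient of variation (stdev / mean); None when it is undefined."""
    if len(values) < 2:
        return None
    m = mean(values)
    if m == 0:
        return None
    return pstdev(values) / m


def score_destinations(flows, min_sources=2, max_size_cv=0.1, max_interval_cv=0.1):
    """Group flows per (dst_ip, dst_port) and score each group.

    A group is flagged when at least min_sources hosts talk to it, payload
    sizes are nearly uniform (size CV <= max_size_cv) and each host contacts it
    at regular intervals (mean per-source inter-arrival CV <= max_interval_cv).
    The thresholds are assumptions for this example, not values from the paper.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, size in flows:
        groups[(dst, dport)].append((ts, src, size))

    report = {}
    for key, recs in groups.items():
        per_source = defaultdict(list)
        for ts, src, _ in recs:
            per_source[src].append(ts)
        size_cv = _cv([size for _, _, size in recs])

        # Regularity needs at least three flows (two gaps) from a source;
        # sources with fewer flows contribute nothing rather than a guess.
        interval_cvs = []
        for stamps in per_source.values():
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            cv = _cv(gaps)
            if cv is not None:
                interval_cvs.append(cv)
        interval_cv = mean(interval_cvs) if interval_cvs else None

        suspicious = (
            len(per_source) >= min_sources
            and size_cv is not None and size_cv <= max_size_cv
            and interval_cv is not None and interval_cv <= max_interval_cv
        )
        report[key] = {
            "sources": len(per_source),
            "flows": len(recs),
            "size_cv": size_cv,
            "interval_cv": interval_cv,
            "suspicious": suspicious,
        }
    return report


def suspicious_destinations(flows, **thresholds):
    """Return the (dst_ip, dst_port) pairs that score_destinations flags."""
    report = score_destinations(flows, **thresholds)
    return sorted(k for k, v in report.items() if v["suspicious"])


if __name__ == "__main__":
    for key, info in score_destinations(SAMPLE_FLOWS).items():
        print(key, info)
```

The single-source DNS destination is never flagged, however regular it is: a lone host polling one server is ordinary, and it is the agreement across several hosts that makes the aggregate look like C&C. In the test environment the thresholds would be set from the baseline traffic captured before any Bot is introduced.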
Kumar, Kumar Sehgal and Chamotra (2016) suggest that C&C techniques can be categorised as IRC, HTTP, DNS and P2P, with the ultimate intention of activating the malware for phishing, spamming or DDoS attacks.
To detect and protect against these Botnet attacks successfully, various techniques have been and continue to be developed on an ongoing basis.
Zeng, Hu and Shin (2010) recommend a multi-layer approach that includes an infrastructure layer, such as detection at routers and firewalls, as well as a host-based software layer using tools such as Intrusion Detection Systems (IDS) and Intrusion Detection and Prevention Systems (IDPS).
Due to the variety of techniques used to distribute Bots and the complexity of P2P C&C, no single solution to detect and mitigate these malicious attacks has been fully successful. A framework of mitigation techniques is therefore likely to be required to provide a more encompassing solution to protect vulnerable systems and data.
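To make the IRC category concrete, and to show what the zombie-and-Bot-Master exchange described earlier looks like on the wire, here is an added example (written for this proposal, not taken from the cited papers or from the IRC software in the resource list) that parses reassembled IRC lines and picks out controller commands sent over a channel. The session lines, nicks, addresses and the command vocabulary are constructed assumptions; a real signature set would be built from the samples observed in the test environment.

```python
"""Parse IRC lines and flag command-style PRIVMSGs (added example)."""
import re
from collections import Counter

# Constructed sample of a reassembled IRC session (not real captured traffic).
SAMPLE_IRC_LINES = [
    ":irc.example.test 001 zb-7f3a :Welcome to the network",
    ":zb-7f3a!zb@10.0.0.11 JOIN #ops",
    ":zb-91c0!zb@10.0.0.12 JOIN #ops",
    ":alice!alice@10.0.0.50 PRIVMSG #ops :anyone seen the build fail?",
    ":master!m@203.0.113.7 PRIVMSG #ops :.scan 10.0.0.0/24 445",
    ":master!m@203.0.113.7 PRIVMSG #ops :.ddos 198.51.100.20 80 120",
    ":zb-7f3a!zb@10.0.0.11 PRIVMSG #ops :[scan] 10.0.0.0/24 done",
    ":master!m@203.0.113.7 PRIVMSG zb-91c0 :.update http://203.0.113.7/b.bin",
    "PING :irc.example.test",
]

# Assumed command vocabulary for the illustration: a "." or "!" prefix followed
# by a verb the sensor knows about. Anything else in the channel is ignored.
BOT_COMMAND = re.compile(r"^[.!](?P<verb>[A-Za-z]+)(?:\s+(?P<args>\S.*?))?\s*$")
COMMAND_VERBS = {"scan", "ddos", "update", "spam", "stop"}


def parse_irc_line(line):
    """Split one IRC line into nick/host, command, params and trailing text.

    Uses the RFC 1459 layout: [":" prefix SP] command {SP param} [SP ":" trailing].
    Returns None for an empty line.
    """
    prefix, rest = None, line.strip()
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    head, sep, trailing = rest.partition(" :")
    parts = head.split()
    if not parts:
        return None
    nick = host = None
    if prefix:
        nick, _, userhost = prefix.partition("!")
        host = userhost.partition("@")[2] or None  # server prefixes have no host
    return {
        "nick": nick,
        "host": host,
        "command": parts[0].upper(),
        "params": parts[1:],
        "trailing": trailing if sep else None,
    }


def extract_bot_commands(lines, verbs=COMMAND_VERBS):
    """Return the PRIVMSGs whose text looks like a controller command."""
    events = []
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["command"] != "PRIVMSG" or msg["trailing"] is None:
            continue
        m = BOT_COMMAND.match(msg["trailing"])
        if not m or m.group("verb").lower() not in verbs:
            continue
        events.append({
            "controller": msg["nick"],
            "controller_host": msg["host"],
            "target": msg["params"][0] if msg["params"] else None,  # channel or nick
            "verb": m.group("verb").lower(),
            "args": (m.group("args") or "").split(),
        })
    return events


def rank_controllers(events):
    """Count command events per (nick, host); the top entry is the likely Bot Master."""
    return Counter((e["controller"], e["controller_host"]) for e in events).most_common()


if __name__ == "__main__":
    found = extract_bot_commands(SAMPLE_IRC_LINES)
    for e in found:
        print(e)
    print(rank_controllers(found))
```

Note that the bot's own status report ("[scan] ... done") and the ordinary chat line are not matched, and that a command addressed to a single nick rather than the channel is still captured, which is how a Bot Master would single out one zombie.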
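The multi-layer approach above, and the concern about false positives raised in the methodology, can be tied together in a small correlation step: a network-layer alert on a host is only confirmed when the host-layer sensor independently reports something suspicious on the same machine within a short window. This is an added example written for this proposal, not the method of Zeng, Hu and Shin (2010) or the output of any IDS listed in the resources; the alert streams, host addresses, event text and the five-minute window are constructed assumptions.

```python
"""Correlate network-layer and host-layer alerts per host (added example)."""
from datetime import datetime, timedelta

# Constructed network-layer alerts: (host, ISO time, reason).
NETWORK_ALERTS = [
    ("10.0.0.11", "2019-11-04T10:00:00", "periodic beacon to 203.0.113.7:6667"),
    ("10.0.0.12", "2019-11-04T10:00:30", "periodic beacon to 203.0.113.7:6667"),
    ("10.0.0.50", "2019-11-04T10:02:00", "periodic beacon to 198.51.100.9:443"),
]
# Constructed host-layer events: (host, ISO time, description, sensor verdict).
# The endpoint sensor decides its own verdict (e.g. unsigned or newly persisted binary).
HOST_EVENTS = [
    ("10.0.0.11", "2019-11-04T09:58:10", "new autorun entry for unsigned binary", True),
    ("10.0.0.12", "2019-11-04T10:03:40", "outbound connection from unsigned binary", True),
    ("10.0.0.50", "2019-11-04T10:01:55", "outbound connection from signed updater", False),
    ("10.0.0.13", "2019-11-04T11:30:00", "new autorun entry for unsigned binary", True),
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def correlate(network_alerts, host_events, window_minutes=5):
    """Sort hosts into confirmed, network-only and host-only findings.

    confirmed:    a network alert with a suspicious host event on the same host
                  within +/- window_minutes.
    network_only: network alert with no supporting host evidence (e.g. a benign
                  updater that also beacons regularly).
    host_only:    suspicious host event that no network alert explains.
    """
    window = timedelta(minutes=window_minutes)
    suspicious = [(h, _t(ts), what) for h, ts, what, bad in host_events if bad]
    confirmed, network_only, host_only = {}, {}, {}
    matched = set()

    for host, ts, reason in network_alerts:
        t = _t(ts)
        hits = [(h, ht, what) for h, ht, what in suspicious
                if h == host and abs(ht - t) <= window]
        if hits:
            confirmed.setdefault(host, []).append((reason, [w for _, _, w in hits]))
            matched.update((h, ht) for h, ht, _ in hits)
        else:
            network_only.setdefault(host, []).append(reason)

    for h, ht, what in suspicious:
        if (h, ht) not in matched:
            host_only.setdefault(h, []).append(what)

    return {"confirmed": confirmed, "network_only": network_only, "host_only": host_only}


if __name__ == "__main__":
    for bucket, hosts in correlate(NETWORK_ALERTS, HOST_EVENTS).items():
        print(bucket, hosts)
```

The network-only bucket is where a single-layer detector would have raised a false positive (the signed updater), and the host-only bucket is the reminder that correlation trades sensitivity for precision: an infected host that has not yet beaconed is still only a host-layer finding.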
Methodology
“A positivist, deductive perspective using a quantitative mono method, cross-sectional single-case experiment design approach will be used” (Dudovskiy, J. 2018)
Primary data will be collected by first establishing baselines on the test systems and then running a series of tests or experiments against them. The purpose of these tests is to see how well the various software detects and mitigates specific types of Botnet attack. The results will be documented, categorised by level of success or failure, and used in the analysis stage as the basis for the proposed mitigation framework.
As in any experiment in a controlled environment, care will be needed to recognise and account for false positives and false negatives, and for the limits of the small test environment, whose results may not generalise directly to a production network.
Project Plan
A separate project plan is attached detailing the schedule and stages that will be performed throughout the project duration.
References
BCS, The British Computer Society. ‘Code of Conduct’. Available at: https://www.bcs.org/membership/become-a-member/bcs-code-of-conduct/
Czosseck, C., Klein, G. and Leder, F. (2011) ‘On the Arms Race around Botnets – Setting Up and Taking Down Botnets’, 3rd International Conference on Cyber Conflict.
Dudovskiy, J. (2018) The Ultimate Guide to Writing a Dissertation in Business Studies: A Step-by-Step Assistance. Available at: https://research-methodology.net/about-us/ebook/
Hoque, N., Bhattacharyya, D.K. and Kalita, J.K. (2015) ‘Botnet in DDoS Attacks: Trends and Challenges’, IEEE Communications Surveys & Tutorials, 17(4). doi: 10.1109/COMST.2015.2457491
Spitz, D. and Hunter, S.D. (2005) ‘Contested codes: The social construction of Napster’, The Information Society. doi: 10.1080/01972240490951890
Symantec (2018) Internet Security Threat Report, Volume 23, March 2018. Available at: https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf
Venkatesh, B., Hazra Choudhury, S., Nagaraja, S. and Balakrishnan, N. (2015) ‘BotSpot: fast graph based identification of structured P2P bots’, Journal of Computer Virology and Hacking Techniques, 11(4), pp. 247–261. doi: 10.1007/s11416-015-0250-2
Wainwright, P. and Kettani, H. (2019) ‘An Analysis of Botnet Models’, International Conference on Compute and Data Analysis (ICCDA). doi: 10.1145/3314545.3314562
Wang, T. and Yu, S. (2009) ‘Centralized Botnet Detection by Traffic Aggregation’, International Symposium on Parallel and Distributed Processing with Applications. doi: 10.1109/ISPA.2009.74
Shaid, S.Z.M. and Maarof, M.A. (2015) ‘Malware Behavior Image for Malware Variant Identification’, International Symposium on Biometric and Security Technologies (ISBAST). doi: 10.1109/ISBAST.2014.7013128
Zeng, Y., Hu, X. and Shin, K. (2010) ‘Detection of botnets using combined host and network level information’, International Conference on Dependable Systems and Networks (DSN), Chicago, IL. doi: 10.1109/DSN.2010.5544306
Resource Books
Caswell, B. Beale, J. and Baker, A. (2007) Snort IDS and IPS Toolkit Available at: http://www.amazon.co.uk
Elisan, C. (2012) Malware, Rootkits & Botnets A Beginner’s Guide Available at: http://www.amazon.co.uk
ICT School (2019) Hacking with Kali Linux Available at: http://www.amazon.co.uk
Provos, N. (2007) Virtual Honeypots: From Botnet Tracking to Intrusion Detection Available at: http://www.amazon.co.uk
Schiller, C. et al, (2012) Botnets: The Killer Web Applications Available at: http://www.amazon.co.uk
Welsh, J. (2017) Hacking with Python Available at: http://www.amazon.co.uk