Can IPS alleviate the botnet problem?
Botnets are back in the news. Leading experts have recently gone on record stating we are losing the war on botnets. Then yesterday, McAfee released a whitepaper showing startling success in Central America against botnets. This has ignited a debate in both the IPS and botnet sub-cultures of the Information Security World.
Botnets are problematic for a number of reasons:
1) We have no idea how many botnets are out there. Most of our results come from honeynets (http://www.honeynet.org/papers/honeynet/), which are globally distributed. However, honeynets are binary: they are either infected by a particular botnet or they are not. It is quite possible for a huge botnet army to exist in the wild and miss the honeynet traps entirely.
2) We have no idea how big the active botnets are. Botnet armies have been reported which are smaller than 1,000 and others larger than a million. Bot herders exaggerate their numbers until they get caught, at which point they understate them in the hope of a lighter sentence.
3) Size is not correlated directly to lethality. A small botnet which infects a computer in a sensitive network can do untold damage. The botnet may download keyloggers and password sniffers leading to confidential data leakage. The compromised bot may even be used as a launchpad for attacking other machines in the internal network.
4) Many botnets are programmable. When a 0-day exploit becomes available, a bot herder can push the code to the bots and get them to attack other machines, attempting to recruit them.
5) Bots create a lot of ‘network noise’ as they scan and attack other hosts. This extra traffic can disrupt the internal networks of enterprises, leading to slower application response and causing servers to crash.
Botnets have a complex life cycle. The life cycle below, however, is typical:
Figure 1: Anatomy of a typical botnet attack
Step 1: The bot herder loads remote exploit code on an ‘attack machine’, which may be dedicated for this purpose or an already compromised bot. Many bots use file-sharing and RPC ports to spread. Initial infection vectors ensure victim machines have sufficient configuration information to contact the bot controller once compromised.
Step 2: Attack machines scan for unpatched targets and launch attacks. An unpatched machine falls victim to the exploit.
Steps 3 & 4: The victim machine is ordered to download binaries from another server (frequently a compromised web or FTP server).
Step 5: These binaries are run on the victim machine and convert it to a bot. The victim connects to the bot controller and ‘reports for duty’.
Step 6: The bot controller issues commands to the victim. These instructions may include commands to download new modules, steal account details, install spyware, attack other machines and relay spam.
Step 7: The bot herder controls all bots by issuing commands via the bot controller(s).
Just as in the Biological Sciences, by interrupting a pest’s life cycle we can stop them. Almost all quality IPS devices can stop Step 2 (see figure 1). There are many IPS devices deployed globally, but often there is a detection-only mindset held by some who call themselves information security professionals. This indifference allows botnets to spread deep inside networks.
Steps 5 & 6 can be stopped by Next-Generation IPS devices (those with up-to-date and comprehensive signatures that can truly decode the protocols). These are not common, and their successful deployment forms the basis of the McAfee case study (http://www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf). Those with legacy IPS devices can slow the growth of botnets only at step 2, and should be encouraged to do so. Destroying established botnets requires Next-Generation IPS devices.
Next-Generation IPS devices bring a number of extra benefits and solve many of the botnet problems. When deployed at the network edge, IPS devices can see all traffic entering and exiting the network. This brings a number of advantages; we can:
i) see how many bots are on our network,
ii) see where their bot controllers are,
iii) estimate the size of each botnet army,
iv) see which botnet variant the infected machines are using,
v) see deeply into the command and control structures, including the commands being sent to individual bots,
vi) capture traffic from the small but lethal botnets and gain visibility into their mission,
vii) capture traffic which may be used to secure bot herder convictions.
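To make the life cycle in figure 1 and the visibility list above concrete, here is an added example (my own, not code from the post or from any IPS vendor) that runs simple edge-flow analysis over constructed flow records: it picks out step 2 scanning on the file-sharing/RPC ports the post names, then groups internal hosts by the external rendezvous point they report to, which gives the controller address (ii) and a lower bound on each army's size (iii). The internal range 10.0.0.0/8, the port thresholds and every address are assumptions.

```python
from collections import defaultdict

# Constructed flow records as an edge IPS might log them: (src, dst, dst_port, bytes).
# Internal address space is assumed to be 10.0.0.0/8; external addresses are RFC 5737 test ranges.
FLOWS = [
    ("10.0.0.5", "10.0.1.7", 445, 120), ("10.0.0.5", "10.0.1.8", 445, 120),
    ("10.0.0.5", "10.0.1.9", 135, 120), ("10.0.0.5", "10.0.1.10", 139, 120),
    ("10.0.0.5", "198.51.100.20", 6667, 900),   # the scanner reports to controller A
    ("10.0.0.9", "198.51.100.20", 6667, 850),   # two more bots on controller A
    ("10.0.0.12", "198.51.100.20", 6667, 870),
    ("10.0.0.7", "10.0.3.1", 445, 120), ("10.0.0.7", "10.0.3.2", 445, 120),
    ("10.0.0.7", "10.0.3.3", 445, 120), ("10.0.0.7", "10.0.3.4", 445, 120),
    ("10.0.0.7", "203.0.113.44", 8080, 400),    # lone bot of a small botnet, controller B
    ("10.0.0.3", "192.0.2.10", 443, 5000),      # ordinary outbound web traffic
]
SPREAD_PORTS = {135, 139, 445}  # file-sharing / RPC ports the post names as spread vectors
SCAN_THRESHOLD = 4              # distinct internal targets before a source counts as scanning

def is_internal(ip):
    return ip.startswith("10.")

def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Step 2: internal hosts probing many other internal hosts on spread ports."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst) and port in SPREAD_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def suspected_controllers(flows):
    """Steps 5/6: external rendezvous points. Flag one when several internal hosts
    use it (a visible army), or when its only client is itself a scanner (the
    figure's attack machine reporting for duty). Returns {(ip, port): [bots]}."""
    scanners = find_scanners(flows)
    clients = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            clients[(dst, port)].add(src)
    return {ctl: sorted(c) for ctl, c in clients.items()
            if len(c) >= 2 or any(s in scanners for s in c)}

def army_sizes(flows):
    """Point iii above: a lower bound on each army's size as seen from this edge."""
    return {ctl: len(bots) for ctl, bots in suspected_controllers(flows).items()}

if __name__ == "__main__":
    print("scanners:", find_scanners(FLOWS))
    for ctl, bots in suspected_controllers(FLOWS).items():
        print(f"controller {ctl[0]}:{ctl[1]} -> {len(bots)} bot(s): {bots}")
```

The single-client rule is what catches the small but lethal botnet (point vi): controller B is flagged only because its lone client is also scanning, while the ordinary web flow is left alone.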
Is the botnet war over then?
Next-Generation IPS devices have proven themselves to be very helpful in the war on botnets. Bot herders and their botnets will however evolve, and seek to evade them. The cat and mouse game played so often in the past with virus writers will now come to the botnet world.
Nonetheless, IPS devices can pinpoint botnets, indicate their size, show where their controllers are and enable us to see their command and control traffic. With the active assistance of law enforcement, we are much closer to putting bot herders behind bars. Perhaps that is the message bot herders should take away.
Posted: October 26th, 2006 under Network Security, Security.