Intrusion Detection for Botnets

Botnets have existed for a considerable time. In a recent attack on Estonia, hundreds of systems were hit by distributed denial-of-service (DDoS) traffic; critical government functions were disabled, including IP-based communications, and even the computer systems of the Ministry of Finance were incapacitated. Russian actors were alleged to be responsible for these attacks (FireEye, 2008). Botnets are particularly harmful because, beyond flooding, they can be used to steal sensitive data about corporate resources and organizational assets.

Botnets are a form of cybercrime, and the FBI ranks cybercrime among its top priorities alongside combating terrorism and espionage. Statistics from an FBI survey indicate that businesses have lost an estimated total of $14.2 billion to cybercrime, counting the cost of recovering compromised systems and the productivity lost during the attack (FireEye, 2008). Botnets first appeared in 1999 in the form of an IRC-based backdoor; they were used to install malware on computers and to commit identity theft.

The attacker typically used the Internet Relay Chat (IRC) protocol to command the infected clients. There is an increasing need to study botnets in detail so that appropriate strategies can be developed to inhibit their proliferation.

Background Information

The Concept of Botnets

A botnet is a group of computers that have been compromised and brought under a single controller; each member is a bot. Botnets are used for DDoS attacks, phishing, spam and other abuse of network resources, and they are a serious threat to organizations of every size.

They undermine today's security defenses: by spreading through worms and social engineering, they multiply and come to dominate a network (FireEye, 2008). A botnet is also referred to as a zombie army. Botnets are used to create and distribute malware across an entire network in order to crash systems or block access to computing resources within an organization. They commonly operate by joining an Internet Relay Chat (IRC) channel over which the parties controlling the botnet issue their instructions.

IRC is an Internet protocol for exchanging text messages among users in real time. Botnets may also use peer-to-peer communications or the HTTP protocol. Experts estimate that as many as a quarter of all personal computers have been infected by bots (FireEye, 2008). Botnets are designed to grow in a controlled manner across an entire network, and they evade intrusion detection systems and honeypots by staying hidden in locations where they are difficult to discover. The word botnet itself is a contraction of robot network.

Infected systems are referred to as bots or zombies. Botnet owners may use the botnet themselves or rent it out to others for nefarious purposes.

Methods of Attack

Typical attacks include overwhelming the network infrastructure, phishing, spam, address harvesting and brute-force attacks. Traditional methods of combating botnets have proven ineffective over time: bot developers know how conventional security products work and design their bots to circumvent them, so bots often go undetected by antivirus software and other security technologies.

Botnets can attack networks through any of the following methods:

1. Distributed denial-of-service attacks: the victim's bandwidth and system resources are exhausted so that legitimate users lose service and connectivity. Examples include UDP flood and TCP SYN flood attacks (Bacher, Holz, Kotter, & Wicherski, 2008).

2. Spamming: some bots can open a SOCKS v4/v5 proxy, a general-purpose proxy protocol supported by most Internet applications. Once the proxy is enabled, the machine can be used to send spam; bots are also used to send mass mail and to harvest email addresses for spam and phishing campaigns (Bacher et al., 2008).

3. Sniffing and keylogging: bots can sniff traffic on the infected network to capture usernames and passwords, and can retrieve other sensitive information through keylogging (Bacher et al., 2008).

4. Spreading new malware: because the bots already have a foothold on many machines, a botnet can be used to distribute further malware.

5. Click fraud: an attacker can use a botnet to inflate the number of clicks recorded on a page carrying the Google AdSense program.

6. Manipulating online polls and games, and mass identity theft carried out from within the compromised network (Bacher et al., 2008).

Relevance of the Study

According to a survey conducted by FireEye, bots make up about 25% of the computers connected to the Internet, and mitigating the proliferation of botnets is a top priority for most organizations and governments (FireEye, 2008), because botnets cause network congestion and significantly hinder business operations.

Current network security technologies have not been able to keep botnets out of the network. A typical botnet ranges from 1,000 to 150,000 infected systems.

Intrusion Detection for Botnets

Botnet distribution is global in scale, and botnets attack a distributed collection of critical infrastructure and victims. Automated countermeasures such as Intrusion Detection Systems (IDS), which continually evolve to accommodate new threats, can be employed against them. Botnets have begun shifting from IRC to protocols such as HTTP and custom protocols (Bacher et al., 2008), so detection cannot rely on watching IRC alone.

An IDS monitors traffic as it moves from one point to another within a network and can decode packets carried over many different protocols. It is especially capable of recognizing DDoS attacks and can notify the administrator so that effective steps can be taken to eliminate the threat (ISS, 2001); note that an IDS detects and alerts but does not by itself block the offending traffic. There are many types of intrusion detection system on the market today. A Network Intrusion Detection System (NIDS) acts as a packet sniffer, capturing traffic and decoding the TCP/IP protocol headers.

A NIDS holds a database of known attack patterns, called signatures, and compares incoming traffic against it to identify harmful content. A Host-based Intrusion Detection System (HIDS) works in much the same way on a single host, detecting potential bot activity through forensic data, statistical analysis and audit management tools. Intrusion detection systems use protocol analysis, anomaly detection and the frequency of particular events to protect the systems they watch.
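To make the two detection strategies concrete, here is an added example (my own Python code, not code from the page's sources or from any IDS product) of a toy network intrusion detector. It applies signature rules for the IRC command-and-control exchange described earlier (a bot joining a channel and receiving a PRIVMSG carrying an attack order) and a frequency rule for the TCP SYN flood listed under Methods of Attack. The packet records, IRC payloads, IP addresses, port numbers and regex signatures are all constructed for the example, and the thresholds are illustrative rather than tuned for any real network.

```python
"""Toy network intrusion detector for botnet traffic (added example).

Two detection strategies:
  1. Signature matching: regexes for IRC command-and-control patterns,
     e.g. a bot joining a channel and the herder sending a PRIVMSG whose
     text starts with a bot command such as ".ddos".
  2. Frequency-based anomaly detection: a source that emits a burst of
     TCP SYNs and almost nothing else within a one-second window is
     reported as a SYN-flood participant.

All packet records, IRC payloads and signature patterns below are
constructed for this example; they are not rules from a real IDS.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    src: str           # source IP
    dst: str           # destination IP
    svc_port: int      # server-side port of the flow (6667 for IRC, 80 for HTTP)
    flags: str         # TCP flags, e.g. "S" (SYN), "A" (ACK), "PA" (PSH+ACK)
    payload: str = ""  # decoded application data; empty for bare SYNs


# Signature rules as (name, regex over the IRC payload). Illustrative only.
IRC_SIGNATURES = [
    ("irc-bot-join", re.compile(r"^JOIN #\S+", re.M)),
    ("irc-bot-command",
     re.compile(r"^:\S+ PRIVMSG #\S+ :[.!](ddos|syn|udp|scan|download|keylog)\b", re.M)),
]


def match_signatures(pkt):
    """Return the names of IRC C&C signatures that match this packet."""
    if pkt.svc_port not in (6667, 6697) or not pkt.payload:
        return []
    return [name for name, rx in IRC_SIGNATURES if rx.search(pkt.payload)]


def syn_flood_sources(packets, window=1.0, syn_threshold=100, syn_fraction=0.9):
    """Group packets by (source, time window) and report sources whose SYN
    count in a window reaches syn_threshold and whose traffic in that window
    is at least syn_fraction SYNs. A busy but legitimate client sends far
    more ACK/data packets than SYNs, so it stays below the fraction."""
    syns = defaultdict(int)
    total = defaultdict(int)
    for p in packets:
        bucket = (p.src, int(p.ts // window))
        total[bucket] += 1
        if p.flags == "S":
            syns[bucket] += 1
    flagged = set()
    for bucket, n in syns.items():
        if n >= syn_threshold and n / total[bucket] >= syn_fraction:
            flagged.add(bucket[0])
    return sorted(flagged)


def analyze(packets):
    """Run both detectors and return their alerts."""
    signature_alerts = [(p.ts, p.src, name)
                        for p in packets for name in match_signatures(p)]
    return {"signatures": signature_alerts,
            "syn_flood_sources": syn_flood_sources(packets)}


def build_sample_traffic():
    """Constructed capture: a bot joins the C&C channel, receives an attack
    order and then floods a web server, while a normal client browses."""
    bot, herder, victim, client = "10.0.0.5", "198.51.100.7", "203.0.113.9", "10.0.0.8"
    pkts = []
    # Bot registers with the IRC server and joins the channel.
    pkts.append(Packet(0.0, bot, herder, 6667, "PA",
                       "NICK [USA|XP]12345\r\nUSER bot 0 * :bot\r\nJOIN #c2chan\r\n"))
    # Herder relays the order through the channel.
    pkts.append(Packet(0.4, herder, bot, 6667, "PA",
                       ":herder!h@198.51.100.7 PRIVMSG #c2chan :.ddos.syn 203.0.113.9 80 60\r\n"))
    # Bot executes it: 200 bare SYNs at the victim within one second.
    for i in range(200):
        pkts.append(Packet(1.0 + i * 0.004, bot, victim, 80, "S"))
    # Normal client: one handshake, an HTTP request, then a few ACKs.
    pkts.append(Packet(1.1, client, victim, 80, "S"))
    pkts.append(Packet(1.12, client, victim, 80, "A"))
    pkts.append(Packet(1.13, client, victim, 80, "PA",
                       "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    for i in range(10):
        pkts.append(Packet(1.2 + i * 0.05, client, victim, 80, "A"))
    return pkts


if __name__ == "__main__":
    result = analyze(build_sample_traffic())
    for ts, src, name in result["signatures"]:
        print(f"[{ts:6.3f}] {src} matched signature {name}")
    print("SYN flood sources:", result["syn_flood_sources"])
```

Run as written, the detector reports the two IRC signatures against the bot and herder and lists 10.0.0.5 as a SYN-flood source while the normal client is left alone. The signature rule only fires on the IRC service ports, which is exactly the weakness the text points out when botnets move to HTTP or custom protocols; the frequency rule does not depend on the protocol and still catches the flood.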

Over time, IDS technology has proven very capable of monitoring network traffic and isolating harmful traffic. Event correlation is being incorporated into IDS products, and vendors are applying predictive artificial intelligence to analyze traffic more effectively. The mathematical and SI concepts needed for future IDS systems are also being developed and tested (ISS, 2001).

Conclusion

The battle against botnets can only be won if governments and organizations work together to sustain the security of private networks.

Firewalls and the regular installation of software patches are also effective in limiting the harm done by botnets.

References

Bacher, P., Holz, T., Kotter, M., & Wicherski, G. (2008, October 8). Know your Enemy: Tracking Botnets. Retrieved March 28, 2009, from The Honeynet Project: http://www.honeynet.org/papers/bots/

FireEye. (2008). Working to Stop Botnets: Enterprises & FireEye. Retrieved March 28, 2009, from FireEye: www.fireeye.com

Internet Security Systems (ISS). (2001). The Evolution of Intrusion Detection Technology. An ISS Technical White Paper (p. 7). Atlanta: ISS.