I, botnet

While teaching a class on intrusion detection techniques, I asked my students to make usage graphs of their networks. A few days later, a student called me at 2 a.m. because he had found 3,000-plus machines on his network that were broadcasting IRC traffic. It was a botnet -- a nasty one.

Botnets are highly evolved versions of DoS tools and remote-control Trojans that hackers developed in the late '90s. Instead of controlling a few hundred machines, today's botnets can control up to 25,000 zombies. Hackers are using them not just to crash target networks, but to send spam and generate click-throughs to ad-laden porn sites.

Once on a compromised network, bots log onto private IRC channels and wait for orders. Using the bot to download more attack tools and wreak more mayhem, the hacker can comfortably eat into a network even if it's behind a firewall, since most firewalls allow inside-outside connections. Bots mostly use IRC for communication, but they could use any other service that your firewall allows: SSL, HTTP, DNS, ICMP, etc. They effectively render your firewall transparent to the bad guys.

Here's a couple of ways to detect and block bots:

• Monitoring. Most IDSes can identify IRC traffic carrying bot communications. You may wish to monitor for spikes in ICMP or UDP traffic through your firewall, which may indicate your network is being used for a DDoS attack. Fundamentally, detecting illicit traffic means having a clear definition of permitted traffic and looking for policy violations.

• Hardening. Bots exploit open ports and unnecessary services allowed by permissively configured firewalls. This is a bread-and-butter concept that security graybeards have been advocating ad infinitum. Close unused ports, disallow unnecessary or risky services, install tamper detection on crucial internal systems, strip e-mail attachments at gateways and compartmentalize the network. When in doubt, default deny. .

• Auditing. Since most botnets rely on IRC, auditing IRC traffic is likely to detect early signs of penetration. If you understand the usage and purpose of your network, it's a lot harder for an intruder to hijack it. If you've got a large population of IRC users, you may need to set up your own relay and audit or block traffic that attempts to bypass it.

• Awareness training. It's the same as with e-mail-borne viruses: Don't double-click the attachment or hit strange URLs. Users are commonly "botted" through booby-trapped file shares, malicious e-mail attachments or URLs transmitted via IRC or instant messages. The hackers simply tell naive users "run this," and they do. Tell users: When in doubt, delete.

It's tempting to be heavy-handed and block IRC, but even that approach isn't foolproof. Fundamentally, botnets are a symptom of a deeper problem: Most enterprises are oblivious to how their networks are being used, and security policies consistently take second place to connectivity requirements.

Enterprises need to understand that, sooner or later, they'll have to deal with a remote-controlled compromise. They need to plan accordingly and be prepared to audit, backtrack and repair dozens or hundreds of compromised hosts.

By treating botnets as a disaster preparedness problem, enterprises will be on the right track.

About the author
Marcus J. Ranum is a senior scientist at TruSecure Corp. and the author of The Myth of Homeland Security (Wiley, 2003).

Note: This column originally appeared in the August issue of Information Security magazine.
Subscribe to Information Security magazine.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Guest Commentary,   Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Information Security Threats,   Emerging Information Security Threats,   Malware, Viruses, Trojans and Spyware,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Guest Commentary Google hacking exposes a world of security flaws Eliminating the threat of spam email attacks Outsourcing IT services: Is it worth the security risk? How permanent is your storage solution? Honeypots can strengthen reconnaissance and lower intrusion noise Freedom of speech or lack of professional responsibility? This year compliance, next year control Senior security member explains his position on Abagnale Computer Security Institute's leader responds to Abagnale flap Spokesman or poster child? Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research Emerging Information Security Threats RSA security conference 2010: news, interviews and updates Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.