Lifecycle: Preventing, detecting and removing bots

Learn how to use security devices to monitor networks for signs of botnet infection, and get advice for hardening systems, blocking bot activity and preserving evidence.

The most effective means of guarding against botnets are preventing attackers from planting bots on your network and removing them once they're detected. Enterprises need to harden systems against botnet infiltration and restore compromised machines to trusted states to prevent further compromises.

Prevention
Harden end hosts. Make sure your servers, desktops and mobile machines have up-to-date patches; harden your TCP/IP stack (e.g., using syncookies and maximizing TCP queue handling capacity); eliminate unnecessary services; partition required services as much as possible; and make use of back door networks for things like file services and DNS to limit externally exposed points of attack.

Overprovision hosts and networks. Make sure your servers have more than enough RAM and the fastest hard drives, drive interfaces and interface cards (possibly using multiple interfaces to segregate front-end network services from back-end file services, and DNS from internal hosts); and tune/monitor system performance on a regular basis.

Leverage IPSes/IDSes and firewalls. Restrict all externally exposed access to only those services that are absolutely necessary (e.g., only allow TCP ports 80 and 443 on Web servers, TCP/UDP ports 53 on DNS servers, etc.). Use your IDS/IPS to monitor access attempts on any open ports, and tune it to look for specific OS-version and patch-level vulnerabilities. Also, monitor what services are running--there's no need to check for Windows/x86-based IIS attacks aimed at a DNS server running BIND on Solaris/SPARC.

Detection
Monitor and respond to incidents. Security managers should dedicate human and automated resources to check their IDS/IPS and other network monitoring devices for anomalous activity, such as spikes in traffic, unusual protocols, unauthorized connection attempts and large volumes of e-mail. Security managers should monitor ports and protocols commonly used by bots, such as TCP port 6667.

Watch network traffic. Flow-level monitoring and logging, even for short periods -- a few days or weeks -- is critical for addressing multifaceted network attacks. Botnets are great at concealing the source of attacks, making host-based logging ineffective for diagnosis. In DDoS attacks, having a full picture of traffic to and from the victim host can often lead you closer to the attackers by noticing when they check to see if their attacks are succeeding.

Reaction/Remediation
Filter the flood. In many cases, filters can drop incoming traffic from some or all of the attacking hosts in a DDoS attack. Attackers can, and usually do, vary their attack methods, so change your filters frequently. Bots can be blocked with enough precise information about command and control traffic patterns, ports, protocols, peers and servers. (Note: It's risky to do this with routers, as you may disrupt legitimate traffic. It's even riskier to use firewalls, since a failure will open your entire network to attack.)

Remediate and recover. If you aren't already using integrity-checking software that fingerprints files and file system metadata, it can be extremely difficult to clean up bot-infested hosts. Effective cleanup requires detailed knowledge of the specific bots, how they're used and how their variants are altered or configured. Some antivirus/antispyware applications may be able to remove bots, but nastier variants require manual removal of both the software and registry keys. The most resilient bots and rootkits require wiping the hard drive and reinstalling the OS.

Preserve the evidence. This is tricky; doing the "right thing" by preserving evidence is costly, while "wipe-and-reinstall" is cheap. Victims may soon not have a choice, since downstream liability cases and law enforcement efforts are compelling enterprises to preserve any and all evidence. Victims should attempt to get a hard drive image of at least one bot-compromised system to assist investigations.


MORE INFORMATION:

About the author
David Dittrich is an Information Assurance researcher at the University of Washington Information School, and has over 20 years of programming, system administration and information security-related experience. Dittrich is also a founding member of the Honeynet Project and co-author of "Internet Denial of Service: Attack and Defense Mechanisms."

Note: This article originally appeared on Information Security magazine.

This was first published in March 2005

Dig deeper on Monitoring Network Traffic and Network Forensics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close