Information Security

Defending the digital infrastructure


Problem solve Get help with specific problems with your technologies, process and projects.

Be prepared: How to prevent and detect botnets

Sooner or later, enterprises have to deal with a remote-controlled compromise. By treating botnets as a disaster preparedness problem, they'll be on the right track.

While teaching a class on intrusion detection techniques, I asked my students to make usage graphs of their networks....

A few days later, a student called me at 2 a.m. because he had found 3,000-plus machines on his network that were broadcasting IRC traffic. It was a botnet -- a nasty one.

Botnets are highly evolved versions of DoS tools and remote-control Trojans that hackers developed in the late '90s. Instead of controlling a few hundred machines, today's botnets can control up to 25,000 zombies. Hackers are using them not just to crash target networks, but to send spam and generate click-throughs to ad-laden porn sites.

Once on a compromised network, bots log onto private IRC channels and wait for orders. Using the bot to download more attack tools and wreak more mayhem, the hacker can comfortably eat into a network even if it's behind a firewall, since most firewalls allow inside-outside connections. Bots mostly use IRC for communication, but they could use any other service that your firewall allows: SSL, HTTP, DNS, ICMP, etc. They effectively render your firewall transparent to the bad guys.

Here's a couple of ways to detect and block bots:

  • Monitoring. Most IDSes can identify IRC traffic carrying bot communications. You may wish to monitor for spikes in ICMP or UDP traffic through your firewall, which may indicate your network is being used for a DDoS attack. Fundamentally, detecting illicit traffic means having a clear definition of permitted traffic and looking for policy violations.

  • Hardening. Bots exploit open ports and unnecessary services allowed by permissively configured firewalls. This is a bread-and-butter concept that security graybeards have been advocating ad infinitum. Close unused ports, disallow unnecessary or risky services, install tamper detection on crucial internal systems, strip e-mail attachments at gateways and compartmentalize the network. When in doubt, default deny. .

  • Auditing. Since most botnets rely on IRC, auditing IRC traffic is likely to detect early signs of penetration. If you understand the usage and purpose of your network, it's a lot harder for an intruder to hijack it. If you've got a large population of IRC users, you may need to set up your own relay and audit or block traffic that attempts to bypass it.

  • Awareness training. It's the same as with e-mail-borne viruses: Don't double-click the attachment or hit strange URLs. Users are commonly "botted" through booby-trapped file shares, malicious e-mail attachments or URLs transmitted via IRC or instant messages. The hackers simply tell naive users "run this," and they do. Tell users: When in doubt, delete.

It's tempting to be heavy-handed and block IRC, but even that approach isn't foolproof. Fundamentally, botnets are a symptom of a deeper problem: Most enterprises are oblivious to how their networks are being used, and security policies consistently take second place to connectivity requirements.

Enterprises need to understand that, sooner or later, they'll have to deal with a remote-controlled compromise. They need to plan accordingly and be prepared to audit, backtrack and repair dozens or hundreds of compromised hosts.

By treating botnets as a disaster preparedness problem, enterprises will be on the right track.

About the author
Marcus J. Ranum is a senior scientist at TruSecure Corp. and the author of The Myth of Homeland Security (Wiley, 2003).

Note: This column originally appeared in the August issue of Information Security magazine.
Subscribe to Information Security magazine.

Article 6 of 9
This was last published in August 2004

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Botnet research suggests progress in cybercrime war The recent arrests of those suspected of being connected to the Mariposa botnet and the legal action by Microsoft to take down the command and control of the Waledac botnet may be a sign that those defending the Internet are gaining ground against botnets and the cybercriminals behind them. But a complex web of legal and jurisdictional issues remain, said botnet expert Joe Stewart, director of malware research at SecureWorks Inc. In a wide ranging interview at the 2010 RSA Conference, Stewart explained whether the tools and the resources are available to win the botnet war. He said more work needs to be done before victory can be declared. As soon as a botnet is taken down, cybercriminals have shown they can quickly rebound, deploying new bots to spread malware and harvest data, Stewart said.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All