Be prepared: How to prevent and detect botnets

Sooner or later, enterprises have to deal with a remote-controlled compromise. By treating botnets as a disaster preparedness problem, they'll be on the right track.

While teaching a class on intrusion detection techniques, I asked my students to make usage graphs of their networks....

A few days later, a student called me at 2 a.m. because he had found 3,000-plus machines on his network that were broadcasting IRC traffic. It was a botnet -- a nasty one.

Botnets are highly evolved versions of DoS tools and remote-control Trojans that hackers developed in the late '90s. Instead of controlling a few hundred machines, today's botnets can control up to 25,000 zombies. Hackers are using them not just to crash target networks, but to send spam and generate click-throughs to ad-laden porn sites.

Once on a compromised network, bots log onto private IRC channels and wait for orders. Using the bot to download more attack tools and wreak more mayhem, the hacker can comfortably eat into a network even if it's behind a firewall, since most firewalls allow inside-outside connections. Bots mostly use IRC for communication, but they could use any other service that your firewall allows: SSL, HTTP, DNS, ICMP, etc. They effectively render your firewall transparent to the bad guys.

Here's a couple of ways to detect and block bots:

  • Monitoring. Most IDSes can identify IRC traffic carrying bot communications. You may wish to monitor for spikes in ICMP or UDP traffic through your firewall, which may indicate your network is being used for a DDoS attack. Fundamentally, detecting illicit traffic means having a clear definition of permitted traffic and looking for policy violations.

  • Hardening. Bots exploit open ports and unnecessary services allowed by permissively configured firewalls. This is a bread-and-butter concept that security graybeards have been advocating ad infinitum. Close unused ports, disallow unnecessary or risky services, install tamper detection on crucial internal systems, strip e-mail attachments at gateways and compartmentalize the network. When in doubt, default deny. .

  • Auditing. Since most botnets rely on IRC, auditing IRC traffic is likely to detect early signs of penetration. If you understand the usage and purpose of your network, it's a lot harder for an intruder to hijack it. If you've got a large population of IRC users, you may need to set up your own relay and audit or block traffic that attempts to bypass it.

  • Awareness training. It's the same as with e-mail-borne viruses: Don't double-click the attachment or hit strange URLs. Users are commonly "botted" through booby-trapped file shares, malicious e-mail attachments or URLs transmitted via IRC or instant messages. The hackers simply tell naive users "run this," and they do. Tell users: When in doubt, delete.

It's tempting to be heavy-handed and block IRC, but even that approach isn't foolproof. Fundamentally, botnets are a symptom of a deeper problem: Most enterprises are oblivious to how their networks are being used, and security policies consistently take second place to connectivity requirements.

Enterprises need to understand that, sooner or later, they'll have to deal with a remote-controlled compromise. They need to plan accordingly and be prepared to audit, backtrack and repair dozens or hundreds of compromised hosts.

By treating botnets as a disaster preparedness problem, enterprises will be on the right track.

About the author
Marcus J. Ranum is a senior scientist at TruSecure Corp. and the author of The Myth of Homeland Security (Wiley, 2003).

Note: This column originally appeared in the August issue of Information Security magazine.
Subscribe to Information Security magazine.

This was last published in August 2004

Dig Deeper on Malware, virus, Trojan and spyware protection and removal