Botnet & DDoS Deep Dive – Part I
COMP90073 Security Analytics
Dr. , CIS Semester 2, 2021
COMP90073 Security Analytics © University of Melbourne 2021
Outline
• Botnet Deep Dive
• DDoS Deep Dive
Botnet Deep Dive
• How Big is the Botnet Problem
• Terminologies
• Botnet Architectures
• Botnet Lifecycle
• Botnet Propagation
How Big is the Botnet Problem
https://www.spamhaustech.com/threat-map/
How Big is the Botnet Problem
Gameover Zeus botnet infection map on July 25, 2014
Terminologies
• Botnet
A network of compromised computers controlled by attackers from remote
location via C&C (Command and Control) channels
• Zombies / Drones / Bots
Compromised computers
• Botmaster
Attacker who is controlling the botnet
Botnet Architecture
• Topology: Centralized model
• Communication protocol: IRC (Internet Relay Chat) / HTTP
• Pros: Speed of control
• Cons: Single point of failure
Botnet Architecture
• Topology: Decentralized model
• Communication protocol: P2P (Peer to Peer)
• Pros: No single point of failure
• Cons: Complicated network and inefficient control
Botnet Architecture
• Topology: Hybrid model
• Communication protocol: P2P (Peer to Peer)
• Pros: High resilience
• Cons: Command latency
Botnet Lifecycle
• Recruitment
Infecting vulnerable computers via compromised websites, email attachments,
removable media, etc.
• Interaction
Membership registering & maintenance operations such as code update
• Marketing
Advertising for profit or other reasons
• Attack execution
Launching attacks such as DDoS, spam, etc.
Botnet Propagation
• Push-based
Employ network scanning techniques to find vulnerable hosts and infect
them, turning them into bots
e.g., Conficker and Simda botnets
• Pull-based
Botmasters compromise Web servers, upload the malicious code, and lure
users into downloading it
e.g., MegaD and Srizbi botnets
DDoS Deep Dive
• An early example: Morris worm
• How Big is the DDoS Problem
• Who is Behind the Attacks
• Common Types of DDoS Attacks
• Low-rate DoS attacks
• Trends
Morris worm
• An early example: Morris worm
– November, 1988
– , graduate student @Cornell
http://www.flickr.com/photos/ intelfreepress/10477292993/
– Multiple copies roll a die to decide which one to kill, but 1/7 of the time the program would not terminate itself
How Big is the DDoS Problem
https://horizon.netscout.com/
Who is Behind the Attacks
• Cyber-criminal
– Motivation: financial gain
• Hacktivist
– Motivation: political or ideologically driven
• Thrill & status seekers
– Motivation: having done something disruptive
• Angry and disgruntled users
– Motivation: seeking revenge
What DDoS Looks Like
Zombie: Internet connected compromised computers
Structure of a typical DDoS attack (Source: [2])
Common Types of DDoS Attacks
• Volumetric Floods
– Goal: to saturate the bandwidth of the targeted site
– Measurement: bits per second (bps)
• Network Protocol Attacks
– Goal: to consume actual server resources, or those of intermediate network
devices such as firewalls and load balancers
– Measurement: packets per second (pps)
• Application Layer Attacks
– Goal: to crash the targeted web server
– Measurement: requests per second (rps)
Volumetric Floods – Examples
• Ping (ICMP) flood – an attacker takes down a victim’s computer by overwhelming it with ICMP echo requests
Source: www.cloudflare.com
Volumetric Floods – Examples
• UDP flood – an attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams
Source: www.cloudflare.com
Volumetric Floods – Examples
• Distributed reflector attacks: aim to obscure the sources of attack traffic by using third parties to relay attack traffic to the victim. These innocent third parties are also called reflectors
– Stage 1: compromise vulnerable systems that are available on the Internet and install attack tools on them, i.e., turning the computers into “zombies”
– Stage 2: the attacker instructs the “zombies” to send the third parties spoofed traffic with the victim’s IP address as the source IP address
– Stage 3: the third parties then send their reply traffic to the victim, which constitutes a DDoS attack
Volumetric Floods – Examples
Structure of a distributed reflector attack (Source: [2])
Volumetric Floods – Examples
• DNS amplification attack – a reflection-based attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target with an amplified amount of traffic
Steps of a DNS amplification attack (Source: [2])
Volumetric Floods – Examples
[Figure: attack volume in Mbps]
An example of DNS amplification attack (source: www.cloudflare.com)
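The victim's side of Stages 2 and 3 of a reflector attack, and of the DNS amplification variant, shows up as DNS responses arriving from resolvers the inside hosts never queried. The following is an added example, not code from the lecture; the flow-record format, the addresses and the byte counts are constructed for illustration.

```python
"""Spotting reflected DNS responses (and the amplification they carry) in flow records.

Added example, not from the lecture slides. Flow records are constructed:
(src_ip, src_port, dst_ip, dst_port, bytes). All addresses are made up.
"""
from collections import defaultdict

FLOWS = [
    # legitimate lookup: query out, answer back on the same ports
    ("192.0.2.10", 40001, "198.51.100.1", 53, 60),
    ("198.51.100.1", 53, "192.0.2.10", 40001, 140),
    # reflected answers reaching the victim from resolvers it never queried
    ("198.51.100.1", 53, "192.0.2.20", 80, 3100),
    ("198.51.100.2", 53, "192.0.2.20", 80, 3000),
    ("198.51.100.3", 53, "192.0.2.20", 80, 3200),
]


def dns_reflection_report(flows):
    """Per inside host: number of distinct resolvers and bytes of DNS responses
    that no outbound query from that host explains."""
    # (host, host_port, resolver) for every query the inside host actually sent
    queries = {(s, sp, d) for s, sp, d, dp, _ in flows if dp == 53}
    unsolicited = defaultdict(lambda: {"resolvers": set(), "bytes": 0})
    for s, sp, d, dp, size in flows:
        if sp != 53:
            continue                      # only DNS responses are of interest
        if (d, dp, s) in queries:
            continue                      # solicited answer to a real query
        unsolicited[d]["resolvers"].add(s)
        unsolicited[d]["bytes"] += size
    return {h: (len(v["resolvers"]), v["bytes"]) for h, v in unsolicited.items()}


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the zombie had to send (the
    resolver, not the spoofed source, pays for the difference)."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    print(dns_reflection_report(FLOWS))
    print(amplification_factor(60, 3000))
```

A resolver that answers 3000-byte responses to 60-byte queries gives a 50x factor, which is why a small spoofed query stream from zombies becomes a volumetric flood at the victim.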
Network Protocol Attacks – Examples
• SYN flood – an attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive
Progression of a SYN flood (Source: www.imperva.com)
Network Protocol Attacks – Examples
• SYN flood DoS attack example – client 10.131.87.112 is continuously sending SYN packets to server 10.131.87.111 on port 80
Wireshark screenshot (Source: vlab.amrita.edu)
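Half-open connection tracking is the usual way to detect the pattern in that capture: many SYNs to a server, almost no completed handshakes. The block below is an added example, not code from the lecture; the trace is constructed to mirror the capture (10.131.87.112 flooding 10.131.87.111:80) plus a made-up legitimate client 10.131.87.50, and the record format and thresholds are assumptions.

```python
"""Detecting a SYN flood from half-open handshakes in a packet trace.

Added example, not from the lecture slides. Constructed trace records are
(src_ip, dst_ip, tcp_flags); the flags values "S", "SA" and "A" stand for
SYN, SYN-ACK and a pure ACK.
"""
from collections import defaultdict

TRACE = []
for _ in range(3):  # legitimate client: SYN, SYN-ACK, ACK each time
    TRACE += [("10.131.87.50", "10.131.87.111", "S"),
              ("10.131.87.111", "10.131.87.50", "SA"),
              ("10.131.87.50", "10.131.87.111", "A")]
for _ in range(20):  # flooder: SYN, server answers SYN-ACK, final ACK never arrives
    TRACE += [("10.131.87.112", "10.131.87.111", "S"),
              ("10.131.87.111", "10.131.87.112", "SA")]


def handshake_stats(trace):
    """Return {(client, server): (syns_sent, handshakes_completed)}."""
    syns, done = defaultdict(int), defaultdict(int)
    awaiting_ack = set()  # (client, server) pairs the server has SYN-ACKed
    for src, dst, flags in trace:
        if flags == "S":
            syns[(src, dst)] += 1
        elif flags == "SA":
            awaiting_ack.add((dst, src))
        elif flags == "A" and (src, dst) in awaiting_ack:  # handshake closed
            done[(src, dst)] += 1
            awaiting_ack.discard((src, dst))
    return {pair: (syns[pair], done[pair]) for pair in syns}


def flag_syn_flood(trace, min_syns=10, max_completion=0.2):
    """Flag (client, server) pairs with many SYNs and few completed handshakes.

    With spoofed, randomised sources no single client crosses min_syns, so the
    per-server totals are checked too and reported with client=None."""
    per_server, suspects = defaultdict(lambda: [0, 0]), []
    for (client, server), (s, c) in handshake_stats(trace).items():
        per_server[server][0] += s
        per_server[server][1] += c
        if s >= min_syns and c / s <= max_completion:
            suspects.append((client, server, s, c))
    for server, (s, c) in per_server.items():
        if s >= min_syns and c / s <= max_completion \
                and not any(x[1] == server for x in suspects):
            suspects.append((None, server, s, c))
    return suspects


if __name__ == "__main__":
    print(flag_syn_flood(TRACE))
```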
Network Protocol Attacks – Examples
• Ping of death attack – an attack that attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command
Source: www.cloudflare.com
Application Layer Attacks – Examples
• HTTP flood attack – an attacker takes down a victim’s web server by overwhelming it with HTTP requests
Source: www.cloudflare.com
Application Layer Attacks – Examples
• HTTP flood example – a massive DDoS attack coming from IoT cameras in 2016
Source: www.cloudflare.com
Application Layer Attacks – Examples
• DNS query flood – a symmetrical DDoS attack that attempts to exhaust server-side assets with a flood of UDP requests, generated by scripts running on several compromised botnet machines
Source: www.imperva.com
Application Layer Attacks – Examples
• DHCP-based DoS
– DHCP starvation: the attacker floods the DHCP server with a large number of DHCP requests and uses up all of the IP addresses that the DHCP server can issue
– Rogue DHCP server attack: the attacker sets up a rogue DHCP server to offer IP addresses. The rogue server can intercept and disrupt network access for all its clients, causing DoS.
https://info-savvy.com/rogue-dhcp-server-attack/
Low-rate DoS Attack
• Low-rate DoS attack
– TCP congestion control mechanism
• Slow start
• Congestion avoidance (AIMD)
• Fast retransmit
• Time out
• …
[Figure: congestion window over time, with phases labelled SS (slow start) and CA (congestion avoidance) and an interval marked T]
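To see why the congestion-window figure matters for a low-rate DoS attack, the following added model (not code from the lecture) steps one TCP sender through the four mechanisms listed on the slide, one RTT per round, and returns the segments delivered. The round-based model, the initial ssthresh and the timeout length in rounds are simplifying assumptions.

```python
"""Round-by-round model of TCP congestion control: slow start, AIMD,
fast retransmit and timeout. Added example, not from the lecture slides.
One round is one RTT; a timeout idles the sender for rto_rounds rounds.
"""


def simulate_cwnd(rounds, timeouts=(), fast_retransmits=(), ssthresh=32, rto_rounds=3):
    """Return (segments_delivered, per-round cwnd trace) for a single flow.

    timeouts / fast_retransmits: round numbers at which a loss is detected that
    way. Values are in segments; an idle round contributes 0 to the trace."""
    cwnd, delivered, stalled, trace = 1, 0, 0, []
    for r in range(rounds):
        if stalled:                        # waiting out the retransmission timer
            stalled -= 1
            trace.append(0)
            continue
        delivered += cwnd
        trace.append(cwnd)
        if r in timeouts:                  # timeout: ssthresh = cwnd/2, cwnd = 1, back to slow start
            ssthresh, cwnd, stalled = max(cwnd // 2, 2), 1, rto_rounds
        elif r in fast_retransmits:        # fast retransmit/recovery: multiplicative decrease only
            ssthresh = cwnd = max(cwnd // 2, 2)
        elif cwnd < ssthresh:              # slow start: double per RTT up to ssthresh
            cwnd = min(cwnd * 2, ssthresh)
        else:                              # congestion avoidance: additive increase of 1 segment per RTT
            cwnd += 1
    return delivered, trace


if __name__ == "__main__":
    clean, _ = simulate_cwnd(20)
    halved, _ = simulate_cwnd(20, fast_retransmits=set(range(4, 20, 5)))
    reset, trace = simulate_cwnd(20, timeouts=set(range(4, 20, 5)))
    print(clean, halved, reset)   # same loss frequency, very different goodput
    print(trace)
```

A loss every five rounds costs a few segments when recovered by fast retransmit, but the same loss rate hitting as timeouts keeps the window at one or two segments, which is the sensitivity a low-rate DoS attack relies on and the reason timeout-synchronised loss patterns, rather than raw volume, are what to look for.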
Trends of DDoS Attack
• New trends of DDoS attack
– Increase in quantity and severity
– Application-layer attack
– Internet-of-Things
– 5G
Trend in maximum DDoS attack rate [Source: Arbor 12th Annual World Infrastructure Security Report, 2017]
https://commons.wikimedia.org/wiki/File:Osi-model-jb.svg
https://commons.wikimedia.org/wiki/File:Chain_of_home_devices_(including_IoT)_with_passwords_or_pin.png
https://commons.wikimedia.org/wiki/File:5G_Architecture.png
Summary
• Botnet Deep Dive
– Botnet Architectures
• Describe three different botnet topologies and their pros and cons
– Botnet Lifecycle
• Explain the phases of the botnet lifecycle
– Botnet Propagation
• Compare the difference between push- and pull-based methods
• DDoS Deep Dive
– Common Types of DDoS Attacks
• Compare three types of DDoS attacks
• Explain how the following DDoS attacks work, and how to detect them
– Ping flood, UDP flood, Distributed reflector attacks, DNS amplification attack
– SYN flood
– HTTP flood, DNS query flood, DHCP-based
– Low-rate DoS Attacks
Summary
• & , 2018, Machine Learning and Security, Chapter 1, O’
Summary
• , et al., 2017, CCNA Cyber Ops SECFND #210-250 Official Cert Guide (Certification Guide), Chapter 13, Cisco Press
– Reconnaissance Attacks
– Social Engineering
– Privilege Escalation Attacks
– Backdoors
– Code Execution
– Man-in-the-Middle Attacks
– Denial-of-Service Attacks
– Data Exfiltration
– ARP Cache Poisoning
– Spoofing Attacks
– Route Manipulation Attacks
– Password Attacks
– Wireless Attacks
Summary
• Jiang, W., Tian, Z., Cui, X. DMAT: A New Network and Computer Attack Classification. Journal of Engineering Science and Technology Review, 6, 101-106, 2013
Summary
• Simmons, C. B., Ellis, C., Shiva, S., Dasgupta, D., Wu, Q. AVOIDIT: A Cyber Attack Taxonomy. CTIT technical reports series, 2009.
Reference
• [1] and Rich Groves, 2016, Distributed Denial of Service, O’ , Inc.
• [2] , , and , Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surveys