This week, Georgia Tech unveiled BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for command and control channels. Apparently the BotSniffer detector has been built as an independent plug-in for the popular open source intrusion detection system Snort. With a host system that's as widely used as Snort, there is a good possibility of such a system eventually making it into the real world. The paper released by Georgia Tech's School of Computer Science says, "We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate."
The paper suggests that botnets' command and control mechanism may be their Achilles heel. These command and control channels are used by botmasters to relay instructions to the infected hosts. Instructions are either delivered 'live' via IRC channels or via HTTP, where the bot will connect at pre-specified intervals and collect instructions from a Web server. If these channels of communication are detected and cut off, then the botmaster no longer has control of his zombies: "If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network."
There are normally multiple bots on a network so thorough analysis of traffic or host activity can pick out behavioural traits and detect bot-like activity: "We observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command — obtain system information, scan the network — and report to the command and control server with the progress/result of the task."
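To make the two detection ideas above concrete (the periodic HTTP polling described in the previous paragraph, and the spatial-temporal correlation quoted here), the following is an added illustration written for this post; it is not BotSniffer's code, and the flow-log format, the IP addresses, the byte counts and the thresholds are all constructed assumptions. It reads a handful of connection records, flags any server that several internal hosts contact within a few seconds while sending near-identical amounts of data (bots answering the same command), and separately flags host-to-server pairs whose contacts recur at a fixed interval (a bot polling its server on a schedule).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not from any real capture), one per line:
# "<epoch_seconds> <src_ip> <dst_ip>:<dst_port> <bytes_sent_by_src>"
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9:6667 220
1001 10.0.0.6 203.0.113.9:6667 224
1002 10.0.0.7 203.0.113.9:6667 218
1050 10.0.0.5 198.51.100.20:443 1530
1200 10.0.0.9 203.0.113.10:80 310
1400 10.0.0.8 198.51.100.20:443 8800
1500 10.0.0.9 203.0.113.10:80 298
1600 10.0.0.5 203.0.113.9:6667 305
1602 10.0.0.6 203.0.113.9:6667 301
1603 10.0.0.7 203.0.113.9:6667 299
1700 10.0.0.5 198.51.100.20:443 640
1800 10.0.0.9 203.0.113.10:80 322
2100 10.0.0.9 203.0.113.10:80 305
2150 10.0.0.5 198.51.100.20:443 12040
2300 10.0.0.5 198.51.100.20:443 700
2400 10.0.0.9 203.0.113.10:80 311
"""


def parse_flows(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows.append((int(ts), src, dst, int(size)))
    return flows


def similar_sizes(sizes, tolerance):
    """True when the coefficient of variation of the byte counts is small:
    bots replying to the same command send near-identical payloads."""
    m = mean(sizes)
    return m > 0 and pstdev(sizes) / m <= tolerance


def spatial_temporal_groups(flows, window=10, min_hosts=3, tolerance=0.05):
    """Flag destinations that at least `min_hosts` distinct internal hosts
    contact within `window` seconds while sending similar byte counts.
    Returns {destination: set_of_hosts}."""
    by_dst = defaultdict(list)
    for ts, src, dst, size in flows:
        by_dst[dst].append((ts, src, size))
    suspicious = {}
    for dst, events in by_dst.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Sliding window anchored on each event in turn.
            burst = [e for e in events[i:] if e[0] - start <= window]
            hosts = {src for _, src, _ in burst}
            if len(hosts) >= min_hosts and similar_sizes(
                [s for _, _, s in burst], tolerance
            ):
                suspicious.setdefault(dst, set()).update(hosts)
    return suspicious


def periodic_pollers(flows, min_events=4, max_jitter=0.05):
    """Flag (src, dst) pairs whose contacts recur at a near-constant
    interval. Returns a list of (src, dst, mean_interval_seconds)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            found.append((src, dst, m))
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for dst, hosts in spatial_temporal_groups(flows).items():
        print(f"correlated group talking to {dst}: {sorted(hosts)}")
    for src, dst, period in periodic_pollers(flows):
        print(f"{src} polls {dst} every {period:.0f}s")
```

On the constructed data the three hosts talking to the IRC-style server are grouped together from two separate bursts, the regular 300-second poller is picked out, and the host that contacts the HTTPS server at irregular times with widely varying sizes is not flagged. In a real deployment the byte-count tolerance and window would need tuning against the monitored network's baseline, and legitimate synchronized traffic (patch downloads, NTP, scheduled backups) is the obvious source of false positives to whitelist.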
BotSniffer is certainly not the only attempt to stamp out what has quickly become one of the Internet's biggest problems. Desktop antivirus and security packages from all of the big brand security vendors are incorporating features aimed at locking out botnets by detecting and removing the malicious software that turns so many desktop computers into evil zombies! I think this highlights an important point: if botnets are to be beaten, the problem has to be attacked from several different angles. ISPs trying to detect command and control channels will most likely never have complete success. Once ISPs or network admins start to detect and isolate infected hosts, bots will undoubtedly find ways to avoid detection, in just the same way that viruses do. They can encrypt communications, randomize behaviour, and so on. The analysis will get smarter, but it becomes a game of catch-up. If botnets are also losing hosts to improved desktop protection, then they come under pressure on several fronts and will find it hard to grow.
Spam blocking is a good example of how various types of filtering can work together to block unsolicited junk e-mail. Around 85 percent of all incoming e-mail is blocked by my Barracuda Spam Firewall. This is achieved by combining techniques such as virus scanning, user policies, rate control, Bayesian analysis, rule-based scoring, and IP reputation analysis. Alone, none of these forms of detection would be adequate; combined, however, they form a sturdy defence, blocking 90-95 percent of the unwanted junk mail thrown at our servers daily.
Network-based detection of botnets seems like a very good idea, and with programs like BotSniffer able to plug into existing intrusion detection systems, we could well see the tables turn on botmasters. I could see this type of traffic analysis being very effective at the ISP level: ISPs already analyse traffic for illegal downloads, so I can't see that listening for bots would be much of an additional burden.
Do you currently take any measures to detect or block unwanted and potentially dangerous network traffic? Bots, or even P2P and other rogue applications, can have a massive impact on network security and performance. If you do, I'd be interested to know what techniques you use: leave a comment and share your experience.