2. OUTLINE
Introduction to Cyber Security
Botnet
Watering Hole Attack
Spear Phishing Attack
Distributed Denial of Service (DDoS)
Conclusion
3. BOTNET
A botnet is a network of compromised computers under the control of a remote attacker.
The controller of a botnet is able to direct the activities of these compromised computers.
Botnet Terminology
Bot Herder (Bot Master): the attacker who controls the botnet
Bot: the malware that turns a machine into a member of the botnet
Bot Client: the compromised machine running the bot
IRC Server: the traditional rendezvous point the bots connect to
Command and Control Channel (C&C): the channel over which the bot herder issues orders to the bots
5. BOTNET IN NETWORK SECURITY
Internet users are getting infected by bots
Corporate and end users are often caught up in botnet attacks
By some estimates, 16-25% of the computers connected to the internet are members of a botnet
The bots in such a network are spread across many locations, which makes the illegal activity hard to trace back to its operator
This makes botnets an attractive tool for intruders and increases the threat to network security
6. HOW ARE BOTNETS USED?
Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing
Adware
Spyware
Click fraud
7. BOTNET DETECTION
Two approaches to botnet detection:
Setting up honeynets
Passive traffic monitoring, which can be
• Signature based
• Anomaly based
• DNS based
8. BOTNET DETECTION: SETTING UP HONEYNETS
A honeynet (for example a Windows honeypot placed behind a honeywall) lets a bot infect a machine that is under full observation.
Watching the honeypot's first connections, and analysing the captured bot binary, yields what is needed to join the botnet's C&C channel:
DNS name / IP address of the IRC server and its port number
(optional) password required to connect to the IRC server
Nickname the bot uses
Channel to join and (optional) channel password
9. BOTNET DETECTION: SETTING UP HONEYNETS
[Diagram: Bot sends (1) malicious traffic to the Sensor; the Sensor (2) informs the bot's IP; (3) authorize; Bot Master]
10. BOTNET DETECTION: TRAFFIC MONITORING
Signature based: detection of known botnets from their known traffic patterns; a new or modified bot is missed
Anomaly based: detect botnets from the following anomalies
High network latency
High volume of traffic
Traffic on unusual ports
Unusual system behaviour
DNS based: analysis of the DNS traffic generated by botnets (for example the lookups bots make to find their C&C server)
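The anomaly-based and DNS-based checks above, run over sample records. This is an added example and not code from the original slides: the NetFlow-style flow records and the resolver log are constructed, and every threshold (expected ports, byte volume, NXDOMAIN count, label entropy) is an assumption tuned to that sample rather than a published value.

```python
"""Toy anomaly-based and DNS-based botnet detection over log records."""
import math
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 443, 12_000),
    ("10.0.0.5", "198.51.100.9", 80, 9_000),
    ("10.0.0.5", "198.51.100.7", 443, 30_000),
    ("10.0.0.8", "203.0.113.4", 6667, 400),        # IRC-style C&C check-in
    ("10.0.0.8", "203.0.113.4", 6667, 380),
    ("10.0.0.8", "192.0.2.10", 80, 2_500_000),     # outbound flood toward a victim
    ("10.0.0.8", "192.0.2.10", 80, 2_500_000),
    ("10.0.0.12", "198.51.100.20", 22, 15_000),
]

# Constructed resolver log: (src_ip, queried_name, rcode)
DNS_QUERIES = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.org", "NOERROR"),
    ("10.0.0.8", "xk3jd9qzl1pw.com", "NXDOMAIN"),  # DGA-style rendezvous names
    ("10.0.0.8", "q8vz2ml0tr4h.net", "NXDOMAIN"),
    ("10.0.0.8", "p0lw7sk3ndq9.org", "NXDOMAIN"),
    ("10.0.0.8", "b5tqz1xmk8ve.com", "NOERROR"),   # the one that resolved: live C&C
    ("10.0.0.12", "updates.example.net", "NOERROR"),
]

# Assumed policy for this sample network (not published thresholds)
EXPECTED_PORTS = {22, 25, 53, 80, 443, 993}
VOLUME_THRESHOLD = 1_000_000   # bytes per host in the observation window
NXDOMAIN_THRESHOLD = 3         # failed lookups per host before we care
ENTROPY_THRESHOLD = 3.2        # bits per character of the second-level label


def shannon_entropy(text):
    """Bits per character; random-looking DGA labels score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """'www.example.com' -> 'example'; a single-label name is returned as-is."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def detect_traffic_anomalies(flows):
    """Anomaly-based: flag hosts by outbound volume and by unusual destination ports."""
    bytes_per_host = defaultdict(int)
    reasons = defaultdict(set)
    for src, _dst, port, nbytes in flows:
        bytes_per_host[src] += nbytes
        if port not in EXPECTED_PORTS:
            reasons[src].add(f"unusual port {port}")
    for host, total in bytes_per_host.items():
        if total > VOLUME_THRESHOLD:
            reasons[host].add(f"high volume ({total} bytes)")
    return reasons


def detect_dns_anomalies(queries):
    """DNS-based: flag hosts with many NXDOMAINs or random-looking query names."""
    nxdomain_per_host = defaultdict(int)
    reasons = defaultdict(set)
    for src, name, rcode in queries:
        if rcode == "NXDOMAIN":
            nxdomain_per_host[src] += 1
        label = second_level_label(name)
        if len(label) >= 10 and shannon_entropy(label) > ENTROPY_THRESHOLD:
            reasons[src].add(f"DGA-like name {name}")
    for host, count in nxdomain_per_host.items():
        if count >= NXDOMAIN_THRESHOLD:
            reasons[host].add(f"{count} NXDOMAIN responses")
    return reasons


def suspicious_hosts(flows, queries):
    """Merge both detectors: host -> sorted list of the reasons it was flagged."""
    merged = defaultdict(set)
    for detector, records in ((detect_traffic_anomalies, flows),
                              (detect_dns_anomalies, queries)):
        for host, why in detector(records).items():
            merged[host] |= why
    return {host: sorted(why) for host, why in merged.items()}


if __name__ == "__main__":
    for host, why in suspicious_hosts(FLOWS, DNS_QUERIES).items():
        print(host, "->", "; ".join(why))
```

On this sample only 10.0.0.8 is flagged, and it is flagged by both detectors independently, which is the point of combining them: the volume check alone would also fire on a legitimate backup job, and the NXDOMAIN check alone on a misconfigured client, but a host that trips both is worth a look.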
11. BOTNET DETECTION
Determining the source of a botnet-based attack is challenging:
Traditional approach: treat every zombie host as the attacker, which points at the victims of the infection rather than at the bot master
Botnets can sit in a benign (dormant) state for an arbitrary amount of time before they are used for a specific attack, so the C&C traffic has to be found before any attack traffic exists
New trend: P2P networks for C&C, which remove the single IRC server that the detection methods above look for
12. PREVENTING BOTNET INFECTIONS
Use a firewall
Use antivirus (AV) software
Deploy an Intrusion Prevention System (IPS)
Define a security policy and share it with your users systematically
13. WATERING HOLE ATTACK
• Watering Hole is a computer attack strategy identified in 2012 by RSA Security, in which the victim is a particular group (organization, industry, or region). The attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
• How does it work?
Determine the target group
Identify vulnerabilities on the websites that group visits
Inject the threat into a website
Sit in the tall grass and wait for targets to come to you
• Why is it effective?
The targets visit a site they already trust, so no lure email or link is needed; the group's own browsing habits bring them to the malware.
15. SPEAR PHISHING ATTACK
• Spear phishing is an email that appears to come from an individual or business you know, but does not. It comes from criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC. Unlike mass phishing, the message is tailored to its recipient.
Business impact
• Theft of sensitive information
• Secondary use of compromised machines
• Incident response and recovery costs
16. HOW TO DEFEND AGAINST SPEAR PHISHING ATTACKS
• Security awareness training
• Boundary defence
• Continuous vulnerability assessment and remediation
17. DDoS ATTACK
• Distributed Denial-of-Service attack
– DDoS is a type of DoS attack in which multiple compromised systems, often infected with a Trojan, are used to target a single system, causing a denial of service.
• DoS vs DDoS
– DoS: a single host attacks
– DDoS: multiple hosts attack simultaneously
18. How does a DDoS attack work?
• build a network of computers
• discover vulnerable sites or hosts on the network
• exploit them to gain access to these hosts
• install new programs (known as attack tools) on the compromised hosts
• hosts that are running these attack tools are known as zombies
• many zombies together form what we call an army
• building an army is automated and not a difficult process nowadays
19. How to find vulnerable machines?
• Random scanning: probe addresses chosen uniformly at random from the whole address space
• Hit-list scanning: probe a list of vulnerable hosts collected before the attack, so the early phase is not wasted on empty addresses
• Topological scanning: use information found on the compromised host (address books, peer lists, web links) to choose the next targets
• Local subnet scanning: probe the compromised host's own subnet first, where one compromise behind a firewall reaches many more victims
• Permutation scanning: all infected hosts scan the address space in one shared pseudo-random permutation, each starting at a different point, so they do not re-probe each other's territory
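A small model of why the scanning strategy matters for how fast an army is built, as an added example that is not part of the original slides. The address space, the number of vulnerable hosts, the probe rate and the strategy parameters are assumptions chosen to keep a run short; the output is a toy model of recruitment speed, not a measurement of any real worm or botnet.

```python
"""Model of how the scanning strategy changes the speed of zombie recruitment."""
import random

SPACE = 1 << 16        # 65,536 addresses modelled as integers; high 8 bits = the /24
VULNERABLE = 256       # hosts running the exploitable service (assumption)
PROBES_PER_TICK = 64   # probes each zombie sends per time step (assumption)
MAX_TICKS = 10_000     # give up after this many steps


def make_population(seed):
    """Place the vulnerable hosts in 8 subnets so local scanning has clusters to find."""
    rng = random.Random(seed)
    subnets = rng.sample(range(SPACE >> 8), 8)
    vulnerable = set()
    while len(vulnerable) < VULNERABLE:
        vulnerable.add((rng.choice(subnets) << 8) | rng.randrange(256))
    return vulnerable, rng


def next_target(strategy, zombie, rng, hit_list):
    """Pick one address to probe according to the named strategy."""
    if strategy == "random":
        return rng.randrange(SPACE)
    if strategy == "local":
        # three quarters of the probes stay inside the zombie's own /24
        if rng.random() < 0.75:
            return (zombie & 0xFF00) | rng.randrange(256)
        return rng.randrange(SPACE)
    if strategy == "hitlist":
        # work through the pre-scanned list first, then fall back to random scanning
        return hit_list.pop() if hit_list else rng.randrange(SPACE)
    raise ValueError(f"unknown strategy {strategy!r}")


def simulate(strategy, seed=1):
    """Ticks until every vulnerable host is a zombie, or None if MAX_TICKS is reached."""
    vulnerable, rng = make_population(seed)
    zombies = {min(vulnerable)}           # the attacker's first foothold
    hit_list = sorted(vulnerable)         # the list an attacker built before the attack
    rng.shuffle(hit_list)
    for tick in range(1, MAX_TICKS + 1):
        newly_infected = set()
        for zombie in zombies:
            for _ in range(PROBES_PER_TICK):
                target = next_target(strategy, zombie, rng, hit_list)
                if target in vulnerable and target not in zombies:
                    newly_infected.add(target)
        zombies |= newly_infected
        if zombies == vulnerable:
            return tick
    return None


def compare(seed=1):
    """Ticks to full recruitment for each strategy, same population and seed."""
    return {s: simulate(s, seed) for s in ("random", "local", "hitlist")}


if __name__ == "__main__":
    for strategy, ticks in compare().items():
        print(f"{strategy:8s} {ticks} ticks")
```

With a hit list the first zombie infects roughly one host per probe, so the whole population falls in two ticks; random scanning spends most of its probes on empty addresses and only accelerates once many zombies are scanning in parallel. That gap is why a pre-built hit list is the part of the recruitment phase that defenders most want to detect (mass reconnaissance scans before any attack).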
20. How to propagate malicious code?
• Central source propagation
Once a host is compromised, the attack toolkit is fetched from a central server; this mechanism commonly uses HTTP, FTP and remote-procedure call (RPC) protocols
21. • Back-chaining propagation
The toolkit is copied from the attacking host to the newly compromised host; the copy can be served by simple port listeners or by full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP)
• Autonomous propagation
The attacking host injects the attack tools into the new victim at the moment of exploitation, with no separate file-retrieval step
22. DDoS Attack Taxonomy
– There are mainly two kinds of DDoS attacks
• Typical DDoS attacks, and
• Distributed Reflector DoS (DRDoS) attacks
– Typical DDoS attacks: the attacker's handlers (master zombies) instruct the agents (slave zombies) to send the flood straight at the victim, so the attack traffic comes directly from the compromised machines
23. – DRDoS attacks:
• slave zombies send a stream of request packets with the victim's IP address as the source address to other, uninfected machines (known as reflectors)
• the reflectors then reply to the victim with a larger volume of traffic (amplification), because they believe the victim was the host that asked for it
• the attack is thus mounted by non-compromised machines that are unaware of their role, and the victim sees only the reflectors' addresses, not the zombies'
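The two places where a DRDoS attack can be recognised, as an added example that is not part of the original slides: at the victim, responses arrive that answer no request it ever sent; at the zombies' network edge, requests leave with a source address that does not belong to that network, which is what BCP 38 ingress filtering drops. Addresses, transaction IDs and packet sizes are constructed; the matching rule used here (a DNS response is legitimate only if it answers an outstanding query to the same server with the same transaction ID) is an assumption standing in for a stateful firewall's rule.

```python
"""Two views of a DRDoS attack: reflected traffic at the victim, spoofed requests at the edge."""
import ipaddress
from collections import defaultdict

VICTIM = "192.0.2.10"

# Constructed packets at the victim's border: one legitimate query/response
# pair, then responses the victim never asked for, sent by reflectors that
# received a request carrying the victim's address as its source.
VICTIM_SIDE = [
    dict(src=VICTIM, dst="198.51.100.53", kind="query", txid=0x1A2B, size=60),
    dict(src="198.51.100.53", dst=VICTIM, kind="response", txid=0x1A2B, size=180),
    dict(src="203.0.113.5", dst=VICTIM, kind="response", txid=0x7F01, size=3000),
    dict(src="203.0.113.6", dst=VICTIM, kind="response", txid=0x7F02, size=3000),
    dict(src="203.0.113.7", dst=VICTIM, kind="response", txid=0x7F03, size=3000),
    dict(src="203.0.113.5", dst=VICTIM, kind="response", txid=0x7F04, size=3000),
]

# Constructed packets leaving the zombies' network (10.0.0.0/8). The slave
# zombie 10.0.0.8 writes the victim's address into the source field of the
# requests it sends to the reflectors; the other two packets are honest.
ZOMBIE_SIDE = [
    dict(src="10.0.0.8", dst="203.0.113.5", kind="query", txid=0x7F00, size=60),
    dict(src=VICTIM, dst="203.0.113.5", kind="query", txid=0x7F01, size=60),
    dict(src=VICTIM, dst="203.0.113.6", kind="query", txid=0x7F02, size=60),
    dict(src="10.0.0.9", dst="198.51.100.53", kind="query", txid=0x0042, size=60),
]


def unsolicited_responses(packets, victim):
    """Victim side: responses that answer no query the victim actually sent.

    Returns (bytes per reflector, total unsolicited bytes). Many distinct,
    otherwise innocent servers all answering questions the victim never
    asked is the DRDoS signature: the reflectors are real, the requests forged.
    """
    outstanding = set()
    per_reflector = defaultdict(int)
    for p in packets:
        if p["src"] == victim and p["kind"] == "query":
            outstanding.add((p["dst"], p["txid"]))
        elif p["dst"] == victim and p["kind"] == "response":
            key = (p["src"], p["txid"])
            if key in outstanding:
                outstanding.discard(key)          # legitimate answer
            else:
                per_reflector[p["src"]] += p["size"]
    return dict(per_reflector), sum(per_reflector.values())


def amplification_factor(request_size, response_size):
    """Bytes the victim receives per byte the zombie had to send."""
    return response_size / request_size


def ingress_filter(packets, local_prefixes):
    """Zombie-side edge router (BCP 38): forward only packets whose source
    address belongs to this network; anything else carries a spoofed source.

    Returns (forwarded, dropped)."""
    nets = [ipaddress.ip_network(n) for n in local_prefixes]
    forwarded, dropped = [], []
    for p in packets:
        src = ipaddress.ip_address(p["src"])
        (forwarded if any(src in n for n in nets) else dropped).append(p)
    return forwarded, dropped


if __name__ == "__main__":
    per_reflector, total = unsolicited_responses(VICTIM_SIDE, VICTIM)
    print(f"{len(per_reflector)} reflectors, {total} unsolicited bytes")
    print(f"amplification for a 60-byte request: {amplification_factor(60, 3000):.0f}x")
    _, dropped = ingress_filter(ZOMBIE_SIDE, ["10.0.0.0/8"])
    print(f"edge router dropped {len(dropped)} spoofed packets")
```

The victim can only absorb or rate-limit what the reflectors send; the attack is actually stopped at the other end, where the spoofed requests originate, which is why ingress filtering at every network edge matters even though the network doing the filtering is not the one being attacked.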