Botnets: An Analysis of Attack Techniques, Detection and Mitigation Methods using Open Source Software
A Bot is a piece of software used to perform repetitive commands or tasks very quickly. A Botnet, or network of robots, is a collection of systems running such software for the purpose of carrying out a series of distributed commands or tasks. The first Bots were not malicious: they were developed in the late 1980s and early 1990s to work within and alongside Internet Relay Chat (IRC).
Over the last two decades the design, complexity and purpose of Bots have evolved considerably, and Botnets are now recognised as one of the favoured tools of cybercriminals and hackers.
Spitz and Hunter (2005) explain that these original Bots were developed to provide services to users, and highlight Napster, the peer-to-peer file sharing system launched in 1999, as one of the biggest successes for Botnets. However, Hoque, Bhattacharyya and Kalita (2015) show that malicious Botnet techniques such as Distributed Denial of Service (DDoS), malware distribution and spam give criminals the ability to exploit systems, gain access to personal data or deny access to systems altogether.
Wainwright and Kettani (2019) note that detecting and mitigating these attacks is an ongoing and growing problem as systems migrate to a more mobile and expansive range of Internet of Things (IoT) connected devices.
To analyse Botnet attack behaviours, evaluate detection methods and propose a framework of mitigation techniques to protect networks and systems using Open Source Software.
- Investigate the design and behaviours of Botnets
- Investigate existing Botnet detection mechanisms
- Examine current mitigation techniques
- Investigate relevant Open Source Software
- Design a controlled environment for test purposes
- Design a test framework
- Document the processes
- Document the environment
- Design a schedule of testing
- Analyse results
- Design a recommended mitigation framework
- 2 x Desktop Computers
- 2 x Monitors
- 2 x Keyboards
- 2 x Mice
- 2 x Network Interface Cards
Performance (Per System)
- Quad Core Processors, min 2.7GHz
- 16 – 32 GB RAM
- Large / Fast hard drives (SSD / SATA)
- External USB hard drives
- Router / Switch for connectivity between systems
- Wired and Wi-Fi Connectivity
- Internet Connectivity
- Operating System software for the host systems (Windows / Linux)
- Web Browsers
- Word Processor
- Email Client
- Presentation software
- Recording software
- Open Source Virtualisation software
Open Source applications
- Intrusion Detection software
- Intrusion Detection and Prevention software
- Botnet malware
- Firewall solution
- IRC software
- Penetration Testing tools
- Multiple network utilities
- IEEE Xplore Digital Library
- ACM Library
- Various reference guides as listed in the reference section
- Oracle VirtualBox
- SANS Institute
Write a literature review to include:
- Botnet design and behaviours and how they can be controlled through Command and Control servers
- Detection mechanisms including, how they are implemented and how they detect Botnet attacks
- Mitigation techniques, how they have developed, and the processes required to remove detected Bots from infected systems
- Research, categorise and obtain the various open source software required for the project
- Create a controlled, virtualised sandbox environment to protect the physical systems while allowing for the deployment of Botnet detection software and the distribution of Botnet malware within the environment
- Produce a series of tests to be generated in the controlled environment
- Produce a detailed report on the structure of the controlled environment and the processes used in the testing phase
- Create a detailed schedule, to be included in the overall project plan, for the build of the controlled environment, the installation and configuration of the various systems and software, and the testing phase
- Produce a detailed report highlighting the results of the various tests.
- Create a recommended mitigation framework based on the information gathered in the literature reviews and the detailed results of the testing phase.
The area being researched is broad, with a combination of attack, detection and mitigation techniques at its core. This will require a strong understanding of each of these areas both individually and collectively, and extensive research to build an in-depth understanding of each. That understanding is needed to ensure the tests created simulate a real-world environment closely enough to produce results that can be analysed realistically. From the attack perspective, the coding and construction of a specific type of Bot is the area in which the researcher has the least prior exposure. This learning will be both important and beneficial within the project, assisting with the design of the tests and creating a better awareness of the requirements of the detection methods and the implementation of mitigation techniques.
As this proposal has outlined, the research will be a combination of literature review and practical work, followed by comparative analysis and proposals. There will be no participants other than the researcher. From an ethical perspective it is therefore important that all tests and experiments, including any Botnet malware used, are confined to the controlled environment and not used in a wider scope.
From a professional perspective, and to comply with the standards of ethical and professional conduct, all research will be conducted in a proper academic manner with reference to the BCS Code of Conduct, which requires a professional approach, due care, and the sharing of information with others to advance the field of IT.
Malware, or malicious software, comes in many forms and serves many different purposes. One means of distributing and controlling malware is through Botnets. A malicious Botnet can be characterised as an initial single Bot whose purpose is to grow by replicating itself to multiple systems, with the intent of using the replicated copies to perform large-scale attacks.
Kumar, Kumar Sehgal and Chamotra (2016) categorise such attacks as DDoS, phishing, spam and P2P attacks. This is supported by Symantec's annual Internet Security Threat Report, which recorded a single Bot distributing over 67,000 malicious emails in the latter half of 2017 (Symantec, 2018).
Wainwright and Kettani (2019) explain that a Bot is not in itself malware, has many legitimate purposes and has existed on the internet since the development of Internet Relay Chat (IRC). Shanthi and Seenivasan (2015) take this a step further by separately defining malicious Botnets as a collection of systems infected with the same Bot carrying one or more malware payloads.
These infected systems, acting as zombies, differ from systems with a traditional malware infection in that they are under the control of a remote Bot Master operating through one or more Command and Control (C&C) servers, which can send commands to all the zombies so that tasks are carried out very quickly and simultaneously.
Czosseck, Klein and Leder (2011) argue that, as most modern Botnets are deployed for malicious purposes, it is not feasible for antivirus (AV) companies to keep up to date with every new threat, so other countermeasures must be developed.
While the payloads carried by Bots may be designed to steal personal information, send spam or deny services, it is the behaviour of the Botnet as a whole that makes detection difficult. The Command and Control servers are the critical systems in a successful Botnet attack. Traditionally these C&C servers have been centralised, but over time they have in many cases been replaced by decentralised peer-to-peer (P2P) C&C structures.
Wang and Yu (2009) proposed a technique based on packet sizes and timings that targets centralised C&C servers, while Venkatesh et al. (2015), through further research, proposed a detection technique aimed at P2P or decentralised C&C structures, which are harder to take down.
Kumar, Kumar Sehgal and Chamotra (2016) categorise C&C techniques as IRC, HTTP, DNS or P2P based, with the ultimate intention of activating the malware for phishing, spamming or DDoS attacks.
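The traffic-aggregation idea behind centralised C&C detection can be shown in a few lines. The following is an added example written for this review; it is not code from the proposal or from any of the cited papers. The flow records, IP addresses, port-to-channel hints and thresholds (six connections, a coefficient of variation of 0.1, two hosts) are all constructed or assumed for illustration. The key point it demonstrates is aggregation: a single host reconnecting on a fixed schedule is ordinary (mail polling, NTP), whereas several internal hosts reconnecting to the same endpoint on the same fixed schedule is the Botnet signal.

```python
"""Added example: centralised C&C detection by traffic aggregation.

Not code from the proposal or the cited papers. Flow records, thresholds
and IP addresses are constructed/assumed for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIX = "192.168.1."  # assumed monitored address range

# Heuristic mapping from destination port to the C&C channel it usually
# implies; a hint only, since real C&C can use any port.
CC_CHANNEL_HINT = {6667: "IRC", 80: "HTTP", 443: "HTTPS", 53: "DNS"}


def beacon_score(timestamps):
    """Return (connection_count, cv) for one source->destination pair.

    cv is the coefficient of variation (stdev / mean) of the inter-arrival
    times: near 0 means the host reconnects on a fixed schedule (a beacon).
    cv is None when it cannot be computed (fewer than two connections, or
    all connections at the same instant).
    """
    ts = sorted(timestamps)
    if len(ts) < 2:
        return len(ts), None
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return len(ts), None
    return len(ts), pstdev(gaps) / avg


def detect_cc(flows, min_conns=6, max_cv=0.1, min_hosts=2):
    """Aggregate flows per (dst_ip, dst_port) across internal hosts.

    flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port).
    A destination is reported only when at least min_hosts internal hosts
    each beacon to it regularly. Returns
    {(dst_ip, dst_port): {"hosts": [src, ...], "hint": channel_hint}}.
    """
    per_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in flows:
        if src.startswith(INTERNAL_PREFIX):
            per_dst[(dst, port)][src].append(ts)

    suspects = {}
    for key, by_src in per_dst.items():
        beaconers = []
        for src, stamps in by_src.items():
            count, cv = beacon_score(stamps)
            if count >= min_conns and cv is not None and cv <= max_cv:
                beaconers.append(src)
        if len(beaconers) >= min_hosts:
            suspects[key] = {"hosts": sorted(beaconers),
                             "hint": CC_CHANNEL_HINT.get(key[1], "unknown")}
    return suspects


def baseline_flows():
    """Constructed benign traffic: irregular browsing from one host and a
    mail client on another host polling the same server every 300 s."""
    flows = []
    browse_times = [0, 4, 90, 97, 300, 301, 640, 1200, 1203, 1500, 1504, 1900]
    for i, t in enumerate(browse_times):
        flows.append((t, "192.168.1.20", "198.51.100.%d" % (1 + i % 3), 443))
    for i in range(8):
        flows.append((i * 300, "192.168.1.30", "198.51.100.9", 993))
    return flows


def bot_flows():
    """Constructed bot traffic: three hosts check in with an IRC-style C&C
    every 60 s with up to 2 s of jitter, starting at different offsets."""
    flows = []
    for host, offset in (("192.168.1.10", 0), ("192.168.1.11", 7),
                         ("192.168.1.12", 13)):
        for i in range(12):
            jitter = (i * 7) % 3  # deterministic 0..2 s jitter
            flows.append((offset + i * 60 + jitter, host, "203.0.113.5", 6667))
    return flows


BASELINE_FLOWS = baseline_flows()          # the "baseline" run: no bots
TEST_FLOWS = BASELINE_FLOWS + bot_flows()  # the "attack" run

if __name__ == "__main__":
    print("baseline:", detect_cc(BASELINE_FLOWS))
    print("with bots:", detect_cc(TEST_FLOWS))
```

On the baseline flows the detector reports nothing, even though the mail client on 192.168.1.30 beacons perfectly regularly; on the attack flows it reports 203.0.113.5:6667 with the three infected hosts. Lowering `min_hosts` to 1 makes the mail client a false positive, which is exactly the kind of threshold effect the baseline runs in the testing phase are there to expose.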
To detect and protect against these Botnet attacks, various techniques have been and are being developed on an ongoing basis.
Zeng, Hu and Shin (2010) recommend a multi-layer approach that includes an infrastructure layer, such as detection at routers and firewalls, as well as a host-based software layer using tools such as Intrusion Detection Systems (IDS) and Intrusion Detection and Prevention Systems (IDPS).
Due to the variety of techniques used to distribute Bots and the complexity of P2P C&C, no single solution has succeeded in detecting and mitigating these attacks. A framework of mitigation techniques is therefore likely to be required to provide a more complete solution for protecting vulnerable systems and data.
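What the multi-layer approach buys in practice is corroboration: a network-layer alert on its own cannot distinguish a bot check-in from a legitimate poller, and a host-layer event on its own (a new autorun entry, say) is often just a software install. The following is an added example of correlating the two layers, written for this review; it is not code from the proposal or from Zeng, Hu and Shin (2010). The alert format, host event names and decision rules are assumptions for illustration, and the input records are constructed.

```python
"""Added example: correlating network-layer and host-layer indicators.

Not code from the proposal or from Zeng, Hu and Shin (2010); the alert
format, event names and scoring rules are assumptions for illustration.
"""
from collections import defaultdict

# Constructed network-layer alerts, e.g. from an IDS or a traffic
# aggregation step: each names an internal host and what was observed.
NETWORK_ALERTS = [
    {"host": "192.168.1.10", "sig": "periodic_beacon", "dst": "203.0.113.5:6667"},
    {"host": "192.168.1.11", "sig": "periodic_beacon", "dst": "203.0.113.5:6667"},
    {"host": "192.168.1.30", "sig": "periodic_beacon", "dst": "198.51.100.9:993"},
    {"host": "192.168.1.40", "sig": "irc_command_on_nonstandard_port",
     "dst": "203.0.113.7:8080"},
]

# Constructed host-layer telemetry from an endpoint agent: per host, the
# behaviours seen in the same window. 192.168.1.40 has no agent, so it is
# absent here rather than listed with an empty record.
HOST_EVENTS = {
    "192.168.1.10": ["autorun_added", "outbound_from_unsigned_binary"],
    "192.168.1.11": ["outbound_from_unsigned_binary"],
    "192.168.1.20": [],
    "192.168.1.30": [],                 # legitimate mail client polling
    "192.168.1.50": ["autorun_added"],  # a software install, nothing else
}

# Host-level behaviours treated as indicators; anything else is ignored.
HOST_INDICATORS = {"autorun_added", "outbound_from_unsigned_binary",
                   "new_listening_port", "av_service_stopped"}


def correlate(network_alerts, host_events, host_only_threshold=2):
    """Return {host: (verdict, reasons)} with verdict in
    'infected' | 'review' | 'clean'.

    Rules (assumed for this example):
      * evidence on both layers             -> infected
      * network evidence, host layer silent -> review (may be a benign poller)
      * network evidence, no host telemetry -> review (cannot corroborate)
      * host evidence only                  -> review only when at least
                                               host_only_threshold indicators
      * otherwise                           -> clean
    """
    net = defaultdict(list)
    for alert in network_alerts:
        net[alert["host"]].append("%s -> %s" % (alert["sig"], alert["dst"]))

    verdicts = {}
    for host in sorted(set(net) | set(host_events)):
        net_reasons = net.get(host, [])
        if host in host_events:
            host_reasons = [e for e in host_events[host] if e in HOST_INDICATORS]
            has_telemetry = True
        else:
            host_reasons, has_telemetry = [], False
        reasons = net_reasons + host_reasons

        if net_reasons and host_reasons:
            verdict = "infected"
        elif net_reasons:
            verdict = "review"
            if not has_telemetry:
                reasons.append("no host telemetry")
        elif len(host_reasons) >= host_only_threshold:
            verdict = "review"
        else:
            verdict = "clean"
        verdicts[host] = (verdict, reasons)
    return verdicts


if __name__ == "__main__":
    for host, (verdict, reasons) in correlate(NETWORK_ALERTS, HOST_EVENTS).items():
        print(host, verdict, reasons)
```

On the constructed input the two hosts with both a beacon and a host indicator are marked infected, the mail poller on 192.168.1.30 drops to review rather than being called infected, the host with no agent is flagged for review because nothing can corroborate the network alert, and the lone autorun entry on 192.168.1.50 stays clean. Which layer is allowed to escalate on its own, and at what threshold, is precisely what the baseline and attack runs in the testing phase should be used to tune.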
“A positivist, deductive perspective using a quantitative mono method, cross-sectional single-case experiment design approach will be used” (Dudovskiy, J. 2018)
The primary data will be collected by first establishing a series of baselines on the test systems and then running a series of tests or experiments against them. The purpose of these tests is to see how well various software performs against specific types of Botnet attack. The results will be documented and categorised by level of success or failure and will form the basis, in the analysis stage, for the proposed mitigation framework.
As in any experiment in a controlled environment, care will need to be taken to recognise and account for false positives and for the limitations of the small environment used for the tests.
A separate project plan is attached detailing the schedule and stages that will be performed throughout the project duration.
- BCS, The British Computer Society. 'Code of Conduct'. Available at: https://www.bcs.org/membership/become-a-member/bcs-code-of-conduct/
- Czosseck, C., Klein, G. and Leder, F. (2011) 'On the Arms Race around Botnets – Setting Up and Taking Down Botnets'. 3rd International Conference on Cyber Conflict.
- Dudovskiy, J. (2018) The Ultimate Guide to Writing a Dissertation in Business Studies: A Step-by-Step Assistance. Available at: https://research-methodology.net/about-us/ebook/
- Hoque, N., Bhattacharyya, D.K. and Kalita, J.K. (2015) 'Botnet in DDoS Attacks: Trends and Challenges'. IEEE Communications Surveys & Tutorials, 17(4). doi: 10.1109/COMST.2015.2457491
- Shaid, S.Z.M. and Maarof, M.A. (2015) 'Malware Behavior Image for Malware Variant Identification'. International Symposium on Biometric and Security Technologies (ISBAST). doi: 10.1109/ISBAST.2014.7013128
- Spitz, D. and Hunter, S.D. (2005) 'Contested codes: The social construction of Napster'. The Information Society. doi: 10.1080/01972240490951890
- Symantec (2018) Internet Security Threat Report, Volume 23, March 2018. Available at: https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf
- Venkatesh, B., Hazra Choudhury, S., Nagaraja, S. and Balakrishnan, N. (2015) 'BotSpot: fast graph based identification of structured P2P bots'. Journal of Computer Virology and Hacking Techniques, 11(4), pp. 247–261. doi: 10.1007/s11416-015-0250-2
- Wainwright, P. and Kettani, H. (2019) 'An Analysis of Botnet Models'. International Conference on Compute and Data Analysis (ICCDA). doi: 10.1145/3314545.3314562
- Wang, T. and Yu, S. (2009) 'Centralized Botnet Detection by Traffic Aggregation'. IEEE International Symposium on Parallel and Distributed Processing with Applications (ISPA). doi: 10.1109/ISPA.2009.74
- Zeng, Y., Hu, X. and Shin, K. (2010) 'Detection of botnets using combined host and network level information'. IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Chicago, IL. doi: 10.1109/DSN.2010.5544306
- Caswell, B., Beale, J. and Baker, A. (2007) Snort IDS and IPS Toolkit. Available at: http://www.amazon.co.uk
- Elisan, C. (2012) Malware, Rootkits & Botnets: A Beginner's Guide. Available at: http://www.amazon.co.uk
- ICT School (2019) Hacking with Kali Linux. Available at: http://www.amazon.co.uk
- Provos, N. and Holz, T. (2007) Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Available at: http://www.amazon.co.uk
- Schiller, C. et al. (2012) Botnets: The Killer Web Applications. Available at: http://www.amazon.co.uk
- Welsh, J. (2017) Hacking with Python. Available at: http://www.amazon.co.uk