Botnets II: Emerging Threats, Tactics, and Defenses
- Botnet Detection in the Core
- BITSI (Biologically Inspired Tactical Security Infrastructure)
- Defenses Against Botnet-Aided Spam over VoIP
- Botnet Activity Detection Based Upon an Analogy to the RNAi Immune System
- Intel's DDI (Distributed Detection and Inference) Research Program
When Bill Mills of Truth or Consequences, NM put up a website for his ranch, he posted his phone number so people could call about his donkeys for sale. However, his new callers “mostly wanted to give me something for free,” he says. “Then they always said they needed the first four numbers on one of my credit card” to prove his identity. These numbers identify the type of credit card. “Then they asked for more numbers. I kinda went along with one of them, then told him to eat **** and bark at the moon. I don’t know what’s wrong with these people.”
What's wrong is that phone spammers are taking advantage of Voice over Internet Protocol (VoIP) to make international calls at almost no cost, even when connecting with users of traditional public switched telephone networks.
It's going to get worse. According to a recent article in the IEEE Communications magazine, “Spam over IP telephony (SPIT) is expected to become a serious problem in the near future.... Taking into account...botnets, spamming in parallel from huge numbers of these machines, the cost of IP-based SPIT can decrease even more...”
Another new use of botnets appeared on September 6, 2008, when the price of United Airlines stock fell by 75 percent in just minutes. The culprit turned out to be a botnet attack that targeted an undated story about the airline's 2002 bankruptcy filing archived on the Florida Sun Sentinel website, making it appear that thousands of people were clicking on it. This storm of clicks automatically triggered a link on Google News. Lacking a date stamp, Google automatically gave it the current date. In turn, Bloomberg, a news service that caters to investors, grabbed the seemingly breaking news and panic ensued.
Clearly, botnet attacks are growing more ingenious and destructive. Consequently, researchers are seeking ways to combat them without having to rely on outmoded techniques such as signatures or any other a priori knowledge of attack technologies. They seek to detect infected devices, determine the objectives of each botnet attack, illuminate their C&C (command and control) structures and, ideally, trace back to the owner. And—they seek to do all this without accidentally shutting down legitimate network traffic or disabling essential devices such as laptops belonging to top managers.
Examples of these research projects follow.
Botnet Detection in the Core
In the previous examples, the entire schemes took place outside the victim's systems. It is hopeless to expect the owners of devices infected by this sort of botnet to solve the problem. The reason is that they do no obvious harm to infected devices, yet detecting and removing them is expensive. Why should sysadmins go to all that effort to solve someone else's problem?
Hence the botnet problem is a classic tragedy of the commons. A commons is a resource shared by everyone—for example, a meadow where anyone is free to turn out stock to graze and nobody has the power to prevent overexploitation.
A possible solution to this commons problem is that the Internet has a bottleneck: the high-volume backbones that comprise the “core.” Examples of backbone providers include BT Group PLC, Deutsche Telekom AG, MCI Inc., and NTT Communications Corp. These providers already are cooperating against botnets.
Unfortunately, detecting botnet activity in the core is nontrivial. At the November 2005 meeting of the Adaptive and Resilient Computing Security (ARCS) workshop in Santa Fe, NM, Dr. Chenxi Wang (with the Forrester Institute) laid out the challenges of detecting the activities of botnets and other malware within the core.
She noted that operating sensors on edge routers (which manage traffic between autonomous systems and the backbones would be easier from the technical standpoint. However, she argued that if the technical challenges can be overcome, core sensors should, on average, detect attacks faster. Additionally, this tactic would require fewer sensors, and thus might cost less.
A core sensor, she said, should be able to measure:
- Rates of growth by IP address
- Port statistics
- Sources to destinations
- Back scatter traffic (e.g., bad email addresses and TCP resets)
However, Wang noted that attack detection in the core poses technical challenges:
- The throughput in the core is too high for today’s intrusion detection sensors.
- Signal-to-noise ratio is poor.
- Efficient classification of types of traffic (P2P, web, etc.)