Detecting Botnets

A simple solution combining Darknet and IDS.
Traffic Monitoring

One of the many tools for sniffing traffic and gathering statistics is ntop. You can download it from www.ntop.org or install it with your system's package manager; prebuilt packages already exist for popular Linux distributions, such as Red Hat, Debian/Ubuntu and SUSE. Before using it, you have to set an admin password by running the following:

sudo ntop --set-admin-password

And start it with:

sudo /etc/init.d/ntop start

Now you can point a browser at the ntop web interface on your IP address (http://127.0.0.1:300) and look at some statistics. This is a very powerful tool that provides a lot of information. You can sort by packets, ports, hosts and so on. Network usage graphs are also helpful in determining the amount of traffic getting into your system.

Remember, no packets should be legitimate in Darknet, so this tool provides great statistical data as to what hosts/networks are responsible for illegal traffic.
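The statistical view ntop gives you can be reproduced from a raw capture taken on the darknet sensor. The following is an added example, not code from the article or from ntop: it parses tcpdump-style lines and ranks source hosts and source /24 networks by how many packets they sent into the darknet range, along with the destination ports they touched. The darknet prefix 10.99.0.0/24 and every address, port and timestamp in the sample are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Assumed darknet range: an internal prefix with no legitimate hosts in it.
DARKNET = ipaddress.ip_network("10.99.0.0/24")

# Constructed sample in tcpdump's default text output format. The last line is
# ordinary traffic to a live host and must be ignored by the summary.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 10.1.2.3.44532 > 10.99.0.7.445: Flags [S], seq 1, win 65535, length 0
12:00:01.000902 IP 10.1.2.3.44533 > 10.99.0.8.445: Flags [S], seq 2, win 65535, length 0
12:00:01.001704 IP 10.1.2.3.44534 > 10.99.0.9.445: Flags [S], seq 3, win 65535, length 0
12:00:02.500000 IP 10.1.2.3.44535 > 10.99.0.10.139: Flags [S], seq 4, win 65535, length 0
12:00:03.000000 IP 10.1.7.200.51000 > 10.99.0.7.22: Flags [S], seq 5, win 29200, length 0
12:00:04.000000 IP 192.168.5.5.61000 > 10.99.0.200.3389: Flags [S], seq 6, win 8192, length 0
12:00:05.000000 IP 10.1.7.200.51001 > 10.99.0.7.22: Flags [S], seq 7, win 29200, length 0
12:00:06.000000 IP 10.1.7.200.51002 > 10.99.0.3.23: Flags [S], seq 8, win 29200, length 0
12:00:07.000000 IP 10.1.2.3.44536 > 10.1.5.5.80: Flags [S], seq 9, win 65535, length 0
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>:" at the start of a line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Yield (src, dst, dport) for every line that looks like a tcpdump IP record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def summarize(text, darknet=DARKNET):
    """Count packets into the darknet per source host and per source /24,
    and collect the destination ports each source probed.

    Because no host should ever talk to the darknet, every entry in the
    returned counters is a host that deserves a look."""
    by_host = Counter()
    by_net = Counter()
    ports_by_host = {}
    for src, dst, dport in parse_capture(text):
        if ipaddress.ip_address(dst) not in darknet:
            continue  # traffic to a live host: not darknet evidence
        by_host[src] += 1
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        by_net[str(net)] += 1
        ports_by_host.setdefault(src, set()).add(dport)
    return by_host, by_net, ports_by_host


def top_talkers(text, n=3):
    """Return the n noisiest darknet sources as (host, packet_count, sorted_ports)."""
    by_host, _, ports = summarize(text)
    return [(host, count, sorted(ports[host])) for host, count in by_host.most_common(n)]


if __name__ == "__main__":
    for host, count, ports in top_talkers(SAMPLE_CAPTURE):
        print(f"{host:15} {count:4} packets  ports={ports}")
```

Run it on a real file with `tcpdump -n -r darknet.pcap` piped in, and the /24 aggregation tells you which subnet to walk first; a single source touching several darknet hosts on one port, as 10.1.2.3 does on 445 above, is the pattern an actively spreading worm leaves.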

Figure 5. ntop breaks down the flagged traffic to help identify the source of illegal traffic.

Figure 5 shows ntop's graphic interface and its ability to detect host operating systems, vendor and other details in Host view.

Figure 6. ntop offers a wide variety of graphed information.

Figure 6 presents standard ntop graph capabilities, thanks to built-in support for RRDTool.

Threat Alerting

To get alerts regarding what exploits are used (if any) on your network, you need a network IDS. The best one that's publicly available is Snort. You can get it from www.snort.org, and it is also available on many systems as a binary package.

One thing you need to configure in /etc/snort/snort.conf is the $HOME_NETWORK variable, which should be set to the IP addresses and netmask of your network. Snort is an intrusion detection system based on a pattern database.

If traffic matches a pattern, it writes an alert to a log file (by default in /var/log/snort) and records the packets for later analysis (you can replay them using the tcpdump -r command or examine them using tools like Wireshark).

With powerful yet not complicated rules, you can write your own signatures or edit existing ones to record traffic that matches your custom criteria. Additionally, you can consider installing Snort support tools, such as IDScenter (see Resources).
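Once Snort is writing alerts, the next question is which sources and signatures dominate the log. The following is an added example, not code from the article or from the Snort project: it parses alert lines in Snort's single-line "fast" output format, counts alerts per signature and per source, and singles out sources that tripped alerts against several distinct darknet addresses, which is the footprint of a scanner or worm rather than a one-off. The darknet prefix 10.99.0.0/24, the local SIDs (1000001 and up), the rule messages and every address in the sample are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Assumed darknet range: an internal prefix with no legitimate hosts in it.
DARKNET = ipaddress.ip_network("10.99.0.0/24")

# Constructed sample in Snort "fast" alert format. SIDs 1000000 and above are
# the range reserved for locally written rules; messages are made up.
SAMPLE_ALERTS = """\
01/25-12:00:01.000101  [**] [1:1000001:1] LOCAL darknet SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:44532 -> 10.99.0.7:445
01/25-12:00:01.000902  [**] [1:1000001:1] LOCAL darknet SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:44533 -> 10.99.0.8:445
01/25-12:00:03.000000  [**] [1:1000002:1] LOCAL darknet SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.7.200:51000 -> 10.99.0.7:22
01/25-12:00:09.000000  [**] [1:1000003:1] LOCAL outbound IRC from workstation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.2.3:50100 -> 203.0.113.9:6667
01/25-12:00:10.000000  [**] [1:1000002:1] LOCAL darknet SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.7.200:51001 -> 10.99.0.9:22
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src:sport -> dst:dport".
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def summarize_alerts(text, darknet=DARKNET):
    """Aggregate alerts by signature and by source, and count how many distinct
    darknet addresses each source touched (more than one suggests scanning)."""
    by_signature = Counter()
    by_source = Counter()
    darknet_targets = defaultdict(set)
    for a in parse_alerts(text):
        by_signature[a["msg"]] += 1
        by_source[a["src"]] += 1
        if ipaddress.ip_address(a["dst"]) in darknet:
            darknet_targets[a["src"]].add(a["dst"])
    return {
        "by_signature": by_signature,
        "by_source": by_source,
        "darknet_hosts_per_source": {s: len(t) for s, t in darknet_targets.items()},
    }


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_ALERTS)
    for msg, n in summary["by_signature"].most_common():
        print(f"{n:4}  {msg}")
    for src, n in summary["darknet_hosts_per_source"].items():
        print(f"{src:15} touched {n} darknet host(s)")
```

Point it at the `alert` file under /var/log/snort (the fast format is what `-A fast` produces) and the `darknet_hosts_per_source` map gives you the short list for the investigation step, while `by_signature` shows whether the noise comes from one rule that needs tuning or from genuinely varied activity.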

Figure 7. The honeypot GUI shows recorded incidents.

There also is a Honeynet project, based on Snort and Sebek technologies. It provides a cut-down Linux system, based on Fedora and custom-built tools with a GUI for incident management (Figure 7).

If you want to go further, there are also projects, such as HIHAT (Highly Interactive Honeypot Analyses Toolkit), that transform popular PHP applications, such as PHPNuke or osCommerce, into fully functional logging, reporting and alerting tools.

You can easily detect command and SQL injection and cross-site scripting, and map the IPs involved to geographic locations, as shown in Figure 8.

Figure 8. By mapping IP addresses, we can see geographic trends.

Results

This simple configuration of putting a server on an internal Darknet allows us to detect and receive alerts on the following:

  1. Actively spreading malware.

  2. Covert channels and possible data leakage.

  3. Suspicious activities (deliberate or not), such as abuse of a company's policy and network reconnaissance attempts (for example, port scanning).

  4. Audit trails and recorded evidence for later investigation.

  5. General network usage statistics for base-lining.
