Home

Detecting Botnets

Issue 177

From Issue #177
January 2009

Jan 01, 2009  By Grzegorz Landecki
 in
A simple solution combining Darknet and IDS.
Not All Traffic Is Malicious

Although you decided to block IRC access from inside the network, it might not be that clear for other employees in your company. If Mary from another department tries to connect to her favorite IRC channel at lunchtime, you'll probably catch it, but that doesn't mean there is a malware on Mary's workstation trying to contact the control center. However, a number of the same type of connections from one or multiple computers often is a good indication that something is going wrong.

In my work every day, I see some strange behavior. People always are trying to install illegitimate software, sometimes without even knowing it. Sometimes an employee's children try continuously installing Limewire on a company laptop given to them for playing a game or browsing the Internet.

With a little bit of information, you should be able to gather some statistics and distinguish real threats from normal misuse or other isolated incidents.

Securing information systems is a very hard task. Today we are in ongoing war against attackers—fighting the battles of time and money. Time is crucial in securing all environments when there is a threat in the wild, but first you need to know about it. If you know your enemies, their intentions and weapons, it is much easier to react and mitigate attacks. That's what Darknet and honeypots are all about.

Resources

ShadowServer Foundation: www.shadowserver.org

Damballa: www.damballa.com

Snort IDS: www.snort.org

Argus: www.qosient.com/argus/flow.htm

Team Cymru Project: www.team-cymru.org/Services/darknets.html

Setting an Evil Bit RFC3514: rfc.net/rfc3514.html

Snort IDS: www.engagesecurity.com/products/idscenter

Honeywall Project: https://projects.honeynet.org/honeywall

HIHAT Project: hihat.sourceforge.net

CAIDA Network Telescope Research: www.caida.org/research/security/telescope

University of Michigan—The Internet Motion Sensor: A Distributed Blackhole Monitoring System: www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/ims-ndss05.pdf

Tracking Global Threats with the Internet Motion Sensor: www.nanog.org/mtg-0410/pdf/bailey.pdf

Commercial Example of the Darknet Implementation: https://tms.symantec.com/Default.aspx

The Honeynet Project: www.honeynet.org

Grzegorz Landecki, CCNP, CISSP, is a security technologist at Cyber Security Team in Dublin, Ireland, responsible for protecting a major US company's 85K+, globally located computers.

______________________

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState