Understanding Peer-to-Peer Botnets: A Look into the Future of Cyber Threats, Study Guides, Projects, Research of Electrical and Electronics Engineering

An overview of peer-to-peer (p2p) botnets, their increasing popularity, and the challenges they pose to security personnel. It includes instructions for a lab experiment using rubot, a p2p botnet proof of concept, and questions to help students understand the concepts. The document also discusses the implications of p2p botnets for voip and encryption.

Typology: Study Guides, Projects, Research

Pre 2010

Uploaded on 08/05/2009

koofers-user-tbo

ECE4112 Internetwork Security
P2P Botnets

Group Number: _________
Member Names: ___________________ _______________________

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: The goal of this lab is to introduce you to the concepts and theory behind the peer-to-peer aspect of botnets and to showcase some threats that future bots may pose.

Summary: You will install two different bots, use them to carry out attacks, and analyze the results.

Background: Peer-to-peer protocols have become very popular in recent years and have seen much use in the filesharing and internet telephony industries. Peer-to-peer networks, unlike centralized networks, have a very large array of connections from the host machine to the other peers. The other peers in turn have many connections to many other peers. By using this topology, every peer on the network has access to information on the hard drive of every other peer by sending a query that is passed along the hierarchy as shown in Figure 1.

Figure 1. Peer-to-peer network topology.

The decentralized nature of peer-to-peer networks makes them more self-sufficient and much harder to fragment than traditional centralized networks. As peer-to-peer protocols have grown in popularity, botnets have also become pervasive on the internet as a means for all sorts of attacks and fraud schemes. Currently, botnets mainly use a central server or machine for their command and control structure and information supply line. When a centralized structure is used, all that must be done to render the botnet useless is to shut down the central system or prevent the bots from communicating with it. However, with increasing effort being put into shutting down botnets, bot-herders have begun to experiment with peer-to-peer protocols as a means to maintain their botnets. It is only a matter of time before a botnet emerges where the system is completely decentralized and, when a bot joins the network, it simply downloads all necessary files as well as commands from any other peer already on the network. This is very dangerous because it makes shutting down a botnet exponentially harder. It means that security personnel now have to isolate each machine from the botnet, and that the botnet is not dead until every bot has been removed and disinfected. Up until this time, there have been several botnets that have made partial use of peer-to-peer protocols, but none have been introduced that are purely P2P... yet.

Prelab Questions: None

Lab Scenario: For this lab, you will install the provided VMware image (with Rubot, a purely P2P bot written by Chris Lee of Georgia Tech as a proof of concept, installed and configured on it) and then analyze the traffic generated by Rubot as it connects between different UDP ports on the same virtual machine.

Figure 2. Lab Scenario Network Diagram: the Rubot machine, whose loopback interface (127.0.0.1) is the virtual communication link that simulates communication between two bots.

We need to copy Rubot into the root folder. Type

cp /mnt/sda1/ece4112/ece4112rubot.rb ece4112rubot.rb

in one of the console windows to copy it over. Now, in one console window, start Rubot by typing

ruby ece4112rubot.rb

You should see something similar to the image below. Rubot is now running and awaiting connections.

Gathering Data about Rubot

Let's first start Wireshark. Wireshark is the newest version of Ethereal. To start Wireshark, type 'wireshark &' in the unused console window. Next go to Capture -> Options. Select the 'lo' interface from the list as shown below. Click Start. Now minimize Wireshark.

Rubot has been set up to always have a bot available on port 2000; the other bot will appear on randomly chosen ports. We will use netcat to send commands to the botnet. In the console window not running Rubot, use netcat (nc) over UDP to connect to port 2000 on the localhost. Now type print inside of netcat. Notice what appeared on the other console. The print command identifies the bot you are connected to. Next type printPeers. This command lists the peers that are attached to the current bot. Stop the capture in Wireshark.

Screenshot #1: Take a screenshot of the Wireshark window showing the traffic generated by the previous two commands. Also identify one of the commands that was transmitted to the bot in the

Restart the packet capture in Wireshark. Return to the console running netcat. Type the command '*printPeers'. Stop the capture again and save the data; you will need this later in the lab.

Screenshot #2: Take a screenshot of the traffic generated by the *printPeers command.

Question 2.1: What does the *printPeers command do differently than the printPeers command?
Answer: *printPeers sends the command to all the peers in the network. printPeers only sends it to the connected node.

Pull up the console window running Rubot. The last command should have generated a list of connections between the peers.

Screenshot #3: Take a screenshot of the list of connections generated by the *printPeers command.

Question 2.2: Draw a map of the different connections between the peers using the list.
Answer: Answers will vary.

Question 2.3: How many peers does your botnet contain?
Answer: Varies; should be fewer than 11. Example peer ports: 2000, 39725, 17312, 16007, 34847, 2278, 38885, 17404, 35230.

As botnets become increasingly stealthy, detection will need to be more probing in order to detect botnets. In either the ISP software or the personal firewall system, incoming and outgoing data will have to be closely analyzed and sent to an outside security professional.

Question 3.4: Is the threat of botnets great enough to merit this amount of privacy invasion? Explain your answer. If you answered yes, what amount of invasion is unacceptable?

Question 3.5: Whose responsibility is it to keep the internet free of botnets: the ISP or the individual user? Should the ISP have the right to cut you off from the internet if it suspects you are infected with a botnet?

An ISP in France was recently alerted to a 500,000-member botnet operating in its domain. It is currently removing approximately 5 bots a day, at which rate it will take 271 years to remove the whole botnet.

Question 3.6: If you were in charge of cleaning this ISP, what approach would you take to identify and remove this botnet?

Section 4: VoIP and Other Encryption Problems

Skype is a VoIP program that has been rapidly gaining popularity. Skype is a proprietary (and thus legal) protocol that utilizes encryption for the privacy of its users. The code for the Skype protocol is also a very closely guarded trade secret. Other protocols (including many peer-to-peer protocols) are capable of utilizing encryption and TCP wrapping. If traffic were encrypted, TCP wrapped, and sent out of port 80, it would be nearly indistinguishable from other traffic.

Questions to think about:
- What if a botnet was set up using the Skype network so that the bots appeared to be calling each other but instead sent digitized information? How would this botnet be counteracted?
- Other than looking at raw data (not very feasible if it is encrypted), what other ways are there to analyze traffic? (Think patterns and activity.)
- If all these upgrades occur, will the security industry have to turn to more blackhat techniques to counteract botnets?

General Questions

Q4.1. How long did it take you to complete the lab?

Q4.2. What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screenshots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the form "Laboratory Additions Cover Sheet", which may be found on the class web site and is repeated here for the first lab:

Turn-in checklist

You need to turn in:
- Answer sheet.
- 3 screenshots.
- Any corrections or additions to the lab.
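Questions 2.2 and 2.3 ask you to map the peer connections and count the peers, and the Background section claims a P2P botnet is much harder to fragment than a centralized one. The following added example (not part of the handout or of Rubot) works both out from constructed UDP flow records of the kind a Wireshark capture on 'lo' would yield; the operator port, payload bytes and fan-out pattern are assumptions.

```python
"""Rebuild the peer map from UDP flows captured on 'lo' and test how the
mesh survives losing one bot, compared with a centralized C&C star."""
from collections import defaultdict, deque

OPERATOR_PORT = 54321  # constructed: the ephemeral port netcat used
# Constructed records in the shape a *printPeers capture would show:
# (src_port, dst_port, payload). Ports mirror the lab's sample peer list.
SAMPLE_FLOWS = [
    (OPERATOR_PORT, 2000, b"*printPeers"),  # operator -> seed bot, UDP/2000
    (2000, 39725, b"*printPeers"),          # seed relays to its peers
    (2000, 17312, b"*printPeers"),
    (39725, 16007, b"*printPeers"),         # peers relay onward
    (39725, 34847, b"*printPeers"),
    (17312, 2278, b"*printPeers"),
    (16007, 38885, b"*printPeers"),
    (34847, 17404, b"*printPeers"),
    (2278, 35230, b"*printPeers"),
    (17404, 2278, b"*printPeers"),          # cross-links make it a mesh,
    (38885, 35230, b"*printPeers"),         # not a tree rooted at 2000
]

def build_peer_graph(flows, operator_ports=frozenset()):
    """Undirected bot-to-bot graph; the operator's netcat flow is excluded."""
    graph = defaultdict(set)
    for src, dst, _payload in flows:
        if src in operator_ports or dst in operator_ports:
            continue
        graph[src].add(dst)
        graph[dst].add(src)
    return dict(graph)

def components_after_removal(graph, lost):
    """How many pieces the botnet splits into if bot 'lost' is cleaned."""
    left = {n: peers - {lost} for n, peers in graph.items() if n != lost}
    seen, pieces = set(), 0
    for start in left:
        if start not in seen:
            pieces += 1               # a new disconnected piece
            queue = deque([start])
            while queue:              # breadth-first walk of that piece
                node = queue.popleft()
                seen.add(node)
                queue.extend(left[node] - seen)
    return pieces

def star_graph(server, bots):
    """Centralized C&C for comparison: every bot talks only to the server."""
    graph = {server: set(bots)}
    graph.update({bot: {server} for bot in bots})
    return graph
```

Losing the seed bot on port 2000 leaves the mesh in one piece, whereas losing the server of a star of the same size leaves every bot isolated.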