Use Existing Data and Equipment

By Darren Grabowski  |  Posted 2009-07-07

How to Mitigate the Increasing Botnet Threat

The Internet is in the midst of a global network pandemic, with millions of computers on the Internet compromised in some fashion. It is estimated that the number of recent malware infections on the Internet is over 7 million, and over 70 percent of all e-mail messages are spam. It is also believed that 85 percent of spam comes from just six botnets. It was recently reported that there is an average of ten million active botnet members on any given day, and that botnets are winning the spam war.

These types of high-profile security threats receive significant publicity. However, another threat, a silent one, consists of traffic whose bandwidth consumption is low compared to the legitimate traffic on a network. A large number of compromised machines, if directed by a malicious botnet, can take down key Internet infrastructure.

The compromised machines can also be used for other harmful activities that could cause a severe financial impact (phishing, for example). According to a recent survey, 3.6 million adults have lost money in phishing schemes, resulting in an estimated loss of $3.2 billion. Phishing is only one part of the problem. Attacks have already caused issues for countries such as Estonia and infrastructure such as the Domain Name System (DNS).

To help mitigate this threat, one of the many tools used is a darknet. According to Team Cymru's Darknet Project, a darknet is "a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks." In short, there should be no reason for any traffic to enter this space.

In practice, there is one server in a darknet: a collector that records every packet entering the space. This data can be used for immediate action or stored for further analysis. The level of nefarious traffic from this silent threat is low compared to legitimate traffic, so many network operators may choose to ignore it, or they may not even realize that the silent threat is hiding within their legitimate traffic.

Most users and operators know a problem exists, but few are in a position to see how big the problem is. Solutions are simple: the right tools, dedicated staff and cooperation. Implementation is the most difficult part. Networks large and small must work together to mitigate this threat.

What can be done to mitigate this threat?

We are not going to rid the Internet of compromised machines. That does not mean the problem should be ignored or that we can't mitigate it. What we need to do is reduce the capability of botnets, which means reducing the number of infected machines. Networks of all sizes can assist by properly monitoring their networks and removing infected machines.

Tools exist to monitor traffic at relatively low cost. A darknet, or any similar monitoring device, allows networks to find potentially compromised machines by watching their IP space. Some monitoring devices can be deployed at a relatively low cost using existing hardware or data from existing intrusion detection systems. Let's look at some solutions:

Solution No. 1: Use scripts and NetFlow data

Using some scripts and NetFlow data, you can monitor your network for activities such as denial of service (DoS) attacks. IP addresses participating in a DoS attack can be investigated a bit further. By combining data from a DoS attack or a darknet and other sources (such as greylisting or spam traps), you can potentially find a botnet member.

Once suspicious hosts are located, you can check to see if these hosts are communicating with a common host, which could be a command-and-control (C&C) server. Taking down a C&C server can disrupt a botnet, even if only for a short while. If the C&C host's owner can be contacted, there may be a chance that a list of bots can be obtained and further notifications can be sent out.
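The correlation just described (darknet hits, DoS participants and spam-trap hits combined, then checked for a common peer) as an added example; this is not code from the article or from NTT, and the flow records, the 192.0.2.0/24 darknet range and the spam-trap list are constructed using documentation addresses.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data, not from the article: a hypothetical darknet range,
# hypothetical spam-trap hits and NetFlow-style records (src, dst, dst_port, packets).
DARKNET = ip_network("192.0.2.0/24")
SPAM_TRAP_HITS = {"198.51.100.7", "198.51.100.9"}
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 80, 5000),    # three hosts flooding .10
    ("198.51.100.8", "203.0.113.10", 80, 4800),
    ("198.51.100.9", "203.0.113.10", 80, 5100),
    ("198.51.100.8", "192.0.2.55", 445, 3),        # a probe into unused space
    ("198.51.100.7", "203.0.113.200", 6667, 40),   # all three also talk to .200
    ("198.51.100.8", "203.0.113.200", 6667, 38),
    ("198.51.100.9", "203.0.113.200", 6667, 41),
    ("198.51.100.20", "203.0.113.5", 443, 12),     # ordinary traffic
]

def darknet_sources(flows, darknet=DARKNET):
    # Nothing legitimate should ever arrive in a darknet, so any sender is suspect.
    return {src for src, dst, _, _ in flows if ip_address(dst) in darknet}

def dos_events(flows, min_sources=3, min_packets=1000):
    # Destinations hit by high-packet flows from several sources -> DoS victim: sources.
    by_dst = defaultdict(set)
    for src, dst, _, pkts in flows:
        if pkts >= min_packets:
            by_dst[dst].add(src)
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) >= min_sources}

def suspicious_hosts(flows, trap_hits=SPAM_TRAP_HITS):
    # Union of the independent indicators the article lists.
    participants = set().union(*dos_events(flows).values())
    return darknet_sources(flows) | participants | set(trap_hits)

def common_peers(flows, suspects, exclude=(), min_share=3):
    # Destinations shared by several suspects (DoS victims excluded) are C&C candidates.
    peers = defaultdict(set)
    for src, dst, _, _ in flows:
        if src in suspects and dst not in suspects and dst not in exclude:
            peers[dst].add(src)
    return {dst for dst, srcs in peers.items() if len(srcs) >= min_share}

def find_candidate_cc(flows):
    suspects = suspicious_hosts(flows)
    return common_peers(flows, suspects, exclude=dos_events(flows).keys())

if __name__ == "__main__":
    print("suspects:", sorted(suspicious_hosts(FLOWS)))
    print("candidate C&C:", sorted(find_candidate_cc(FLOWS)))
```

The thresholds are placeholders; on real NetFlow exports they would be tuned to the network's normal packet rates.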

Solution No. 2: Use existing data and equipment

Clever use of existing data and equipment is one way to keep costs down while helping to secure your network. Providers based in the United States may have already purchased equipment for CALEA compliance. The Communications Assistance for Law Enforcement Act (CALEA) is a United States statute that covers lawful intercepts of digital transmissions, including data and voice over IP (VoIP).

Many companies sell surveillance platforms. These devices are capable of doing deep packet inspection, stealth packet filtering, transparent redirection, as well as a host of other services. A network operator could leverage the pattern-matching capabilities of these machines in their hunt for compromised hosts on their network. Even if CALEA is not a concern, these devices could be useful to a network operator who wants to monitor their network for harmful activities.

Solution No. 3: Block port 25 and use a walled garden

Most Internet providers block port 25 from their dynamic IP space and, in some cases, from their static IP space. This is great in helping to stop the flow of spam and other nefarious activity using e-mail, but it does not stop infected machines from launching attacks, nor does it fix the underlying problem of a compromised host.

There is now a trend toward a walled garden approach, which allows providers to restrict the activity of a user until their machine is clean. This also provides another method of communicating the issue to the user. While users may ignore e-mail notifications sent to them, with a walled garden those users can be notified by redirecting their browser to a notification Web site, and their access to the Internet can be severely restricted or cut off completely.

There are those who argue that providers should call these infected customers but, depending on the size of the provider and the number of infections, that may not be practical. Providers should also be willing to suspend infected user accounts if the problem persists. A walled garden does not have to be limited to an ISP. Networks of any size could benefit from this approach.

Solution No. 4: Hunt for compromised machines

The hunt for compromised machines is not limited to network providers. Anyone hooked up to the Internet can watch their traffic and report their findings. Instead of ignoring warnings from an intrusion detection system, automated reports could be sent out. Tools exist to locate the source network.

A good example of such a tool is Team Cymru's IP to ASN Mapping project. Other tools, such as whois or DNS-based lookup services, can be used to find the correct reporting address. Most intrusion detection systems have some sort of reporting process and ideally include enough automation that reporting does not become a second job. With automation, people may be willing to spend a little time reporting intrusions.
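An added example of the lookup-and-report automation described above; it is not code from the article or from Team Cymru. It builds the reversed-octet query name used by Team Cymru's DNS-based origin lookup zone, parses the "AS | prefix | CC | registry | allocated" TXT answer, and groups IDS alerts by origin AS so one report can go to each network. The TXT answers, alerts and AS numbers (documentation range) are constructed so the example runs offline; a live deployment would replace the `resolver` stub with a real TXT query.

```python
import ipaddress

ORIGIN_ZONE = "origin.asn.cymru.com"

def origin_query_name(ip):
    # Team Cymru's origin zone is queried with the IPv4 octets reversed.
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + ORIGIN_ZONE

def parse_origin_txt(txt):
    # Answer format: "AS | BGP prefix | CC | registry | allocated".
    # Several origin ASNs may be listed space-separated; the first is kept here.
    fields = [f.strip() for f in txt.split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected origin record: {txt!r}")
    asn, prefix, cc, registry, allocated = fields
    return {"asn": int(asn.split()[0]), "prefix": prefix, "cc": cc,
            "registry": registry, "allocated": allocated}

# Constructed TXT answers keyed by query name, standing in for live DNS.
FAKE_DNS = {
    origin_query_name("198.51.100.7"): "64496 | 198.51.100.0/24 | US | arin | 2009-01-01",
    origin_query_name("198.51.100.9"): "64496 | 198.51.100.0/24 | US | arin | 2009-01-01",
    origin_query_name("203.0.113.44"): "64497 | 203.0.113.0/24 | US | arin | 2009-01-01",
}

def lookup_origin(ip, resolver=FAKE_DNS.get):
    # `resolver` maps a query name to its TXT string (None if no answer).
    txt = resolver(origin_query_name(ip))
    return parse_origin_txt(txt) if txt else None

def group_alerts_by_asn(alerts, resolver=FAKE_DNS.get):
    # Bucket alerts per origin AS; the abuse contact for each AS then comes from whois.
    reports = {}
    for src_ip, signature, ts in alerts:
        rec = lookup_origin(src_ip, resolver)
        key = rec["asn"] if rec else "unknown"
        reports.setdefault(key, []).append(f"{ts} {src_ip} {signature}")
    return reports

ALERTS = [  # constructed IDS alerts: (source, signature, timestamp)
    ("198.51.100.7", "SSH brute force", "2009-07-07T01:00Z"),
    ("198.51.100.9", "TCP/445 scan", "2009-07-07T01:02Z"),
    ("203.0.113.44", "TCP/445 scan", "2009-07-07T01:05Z"),
    ("192.0.2.250", "TCP/445 scan", "2009-07-07T01:06Z"),   # no origin answer
]

if __name__ == "__main__":
    for asn, lines in group_alerts_by_asn(ALERTS).items():
        print(f"AS{asn}:", *lines, sep="\n  ")
```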

These are only a few suggested solutions to this problem. The cost of tools for monitoring this threat can be very low if budget is a concern. If you take stock of what is already on your network, chances are you may already have the tools needed. It just takes a little bit of time and effort to use them to your advantage.

Darren Grabowski is Manager of the NTT America Security & Abuse Team, which is tasked with responding to security and abuse issues (port scans, malware, DoS attacks, spam, etc.) across the entire NTT Com Global IP Network. Darren joined NTT America in 1996 and has been active in the security and abuse department for more than 10 years. The majority of his time on the security and abuse team has been in a leadership role. Darren and his team are based at the Global IP Network Operations Center located in Dallas, TX. Previously, Darren worked for OnRamp Technologies, which was acquired by Verio. He joined NTT America upon the acquisition of Verio by NTT America.