Botnets and DDoS

From SuperbHosting.net Support Wiki


What is a Botnet?

A botnet is a collection of software robots, or bots, that run autonomously and automatically on groups of "zombie" computers controlled remotely. The term can also refer to a network of computers running distributed computing software. A botnet's originator (the "bot herder") controls the group remotely, usually over a channel such as IRC, and usually for nefarious purposes. The individual programs appear as IRC "bots", and command and control often takes place through an IRC server or a specific channel on a public IRC network.

Types of activity a botnet is utilized for:

  • Denial-of-service attacks, where multiple systems autonomously access a single Internet system or service in a way that appears legitimate but far more frequently than normal use, causing the system to become busy.
  • Adware, which exists to advertise some commercial entity actively and without the user's permission or awareness.
  • Spyware, which is software that sends information about a user's activities to its creators.
  • E-mail spam, which consists of e-mail messages disguised as messages from people but that are advertising, annoying, or malicious in nature.
  • Click fraud, where the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain.

Detection

Since IRC services are prohibited on Superb Internet Corp's network, it is easy to spot probable botnet activity by looking for communication on ports 6665-6667 and 7000. Other methods include sniffing for specific text used in the IRC protocol. Server owners can detect this activity using commonly available utilities on their server. Ngrep is extremely useful here for Linux/Unix hosts, as is Wireshark for Windows hosts. Other useful utilities included in most Linux/Unix installations are tcpdump and netstat. On Windows you may use netstat.

Some usage examples for Linux/Unix are:

  # tcpdump -nn -i eth0 'tcp and portrange 6665-6667'
  # ngrep -qq -d eth0 'PRIVMSG'
  # lsof -i tcp:6665
  # lsof -i tcp:6666
  etc.

If any of the above produce no results, you may want to test with something you know should produce a result, to make sure the binary/utility has not been compromised (e.g. "lsof -i tcp:22" should always show sshd's process information).
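As an added example (not part of this wiki page or its tools), the following Python script applies the same two checks the section describes, flagging established connections to the IRC ports named above in netstat output and matching IRC protocol commands in a captured payload the way the ngrep 'PRIVMSG' search does. It assumes the Linux `netstat -tn` column layout; the netstat output and payloads are constructed samples, not real captures.

```python
import re

# IRC ports named on this page: 6665-6667 and 7000.
IRC_PORTS = set(range(6665, 6668)) | {7000}

# IRC protocol commands that payload matching (as with ngrep) can key on.
IRC_COMMAND_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.MULTILINE)

# Constructed sample of Linux `netstat -tn` output (not real data).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.0.0.5:45012          198.51.100.20:6667      ESTABLISHED
tcp        0      0 10.0.0.5:45013          198.51.100.21:7000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:40211      TIME_WAIT
"""

# Constructed payload samples: one IRC-like, one ordinary HTTP.
SAMPLE_IRC_PAYLOAD = "NICK bot01\r\nJOIN #control\r\nPRIVMSG #control :hello\r\n"
SAMPLE_HTTP_PAYLOAD = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def parse_netstat(text):
    """Return (local, foreign, state) tuples from netstat -tn output, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp"):
            rows.append((parts[3], parts[4], parts[5]))
    return rows


def remote_port(addr):
    """Port number from an 'ip:port' string as printed by netstat -n (IPv4 form)."""
    return int(addr.rsplit(":", 1)[1])


def suspicious_irc_connections(text):
    """Foreign endpoints whose port is one of the IRC ports listed on this page."""
    return [foreign for _, foreign, _ in parse_netstat(text)
            if remote_port(foreign) in IRC_PORTS]


def looks_like_irc(payload):
    """True if a captured TCP payload has an IRC command at the start of a line."""
    return bool(IRC_COMMAND_RE.search(payload))


if __name__ == "__main__":
    print("IRC-port connections:", suspicious_irc_connections(SAMPLE_NETSTAT))
    print("IRC payload:", looks_like_irc(SAMPLE_IRC_PAYLOAD), looks_like_irc(SAMPLE_HTTP_PAYLOAD))
```

On a live host, pipe real `netstat -tn` output into `suspicious_irc_connections` and remember the caveat above: a compromised netstat or lsof binary can hide connections, so cross-check with a sniffer such as tcpdump.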

Cleanup

You may want to block the outgoing packets used by this botnet with iptables or ipfw, or with the Windows firewall.

See My Server may be Compromised-Hacked-Rooted for other information.
