
THREAT INFRASTRUCTURE

BOTNETS
Systems connected to the internet are at risk of infection
A compromised machine that waits for commands from an attacker turns into a bot
Bot - a single node added to a network of other infected systems called a botnet
The botmaster controls bots by issuing commands
Botnets perform activities through communication between bots and botmasters

Network Topology of Botnets

Communication protocol depends on network topology
2 main categories
  Centralized
  Decentralized
Hybrid Structure

CENTRALIZED TOPOLOGY
Central location of Command-and-Control (C&C) servers
Basic form uses a single server to C&C all bots
Advanced forms
  Multiservers
    Uses more than one server for C&C
    Makes botnets more reliable and less vulnerable to takedown attempts
    Bots can take commands even if one server is unreachable
    Eg: Asprox botnet
  Hierarchical Infrastructure
    Multiserver technique using layers of servers to proxy communications between bots and C&C servers
    Promotes reliability and longevity
    Covers the true location of the C&C servers
    Drawback: increased infrastructure complexity
    Eg: Waledac

Most bots initiate communication with the C&C server, so they appear to be legitimate clients and bypass network controls

Centralized botnets can use hardcoded IP addresses
  Hardcoded IPs supplied with the malware inform the bot of the server's address immediately after infection
  Method suffers if the server is unreachable or taken down

Botnets rely on DNS for bots to locate the C&C server
  DNS allows the botmaster to introduce reliability and resilience against a server takedown by using multiple IP addresses or fast flux to resolve domain names
  Fast flux can be used to cycle the IP addresses that a domain name resolves to
  Thwarts server takedown attempts
  Eg: Conficker and Kraken
    Use domain generation algorithms
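The fast-flux behaviour described above, as an added detection example that is not part of the original slides: a Python heuristic run over a constructed resolver log that flags domains whose answers cycle through many IP addresses spread across many networks with short TTLs, next to a round-robin CDN name that should not be flagged. The log lines, domain names, addresses and thresholds are all assumptions made for the example.

```python
from ipaddress import ip_network

# Constructed sample resolver log (not real telemetry), one answer per line:
# "timestamp qname rdata ttl". Private 10.x and TEST-NET addresses stand in for real ones.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z www.cdn-example.test 203.0.113.10 3600
2024-05-01T10:05:00Z www.cdn-example.test 203.0.113.11 3600
2024-05-01T10:10:00Z www.cdn-example.test 203.0.113.12 3600
2024-05-01T10:00:00Z flux-c2.test 10.3.4.5 120
2024-05-01T10:03:00Z flux-c2.test 10.77.8.9 60
2024-05-01T10:06:00Z flux-c2.test 10.120.1.2 90
2024-05-01T10:09:00Z flux-c2.test 10.9.55.6 60
2024-05-01T10:12:00Z flux-c2.test 10.200.3.3 120
2024-05-01T10:15:00Z flux-c2.test 10.15.16.17 60
"""

def parse_log(text):
    """Parse the constructed log into (qname, ip, ttl) tuples."""
    answers = []
    for line in text.splitlines():
        if line.strip():
            _ts, qname, ip, ttl = line.split()
            answers.append((qname.lower().rstrip("."), ip, int(ttl)))
    return answers

def flux_stats(answers):
    """Per-domain features: distinct IPs, distinct /16 networks, lowest TTL seen."""
    stats = {}
    for qname, ip, ttl in answers:
        s = stats.setdefault(qname, {"ips": set(), "nets": set(), "min_ttl": ttl})
        s["ips"].add(ip)
        s["nets"].add(ip_network(f"{ip}/16", strict=False))
        s["min_ttl"] = min(s["min_ttl"], ttl)
    return stats

def is_fast_flux(s, min_ips=5, min_nets=3, max_ttl=300):
    """Heuristic: many IPs spread over many networks, served with short TTLs.
    Thresholds are assumptions; tune them against known-good CDN traffic."""
    return len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets and s["min_ttl"] <= max_ttl

def flag_domains(text):
    """Return {domain: True if it looks fast-flux, else False}."""
    return {d: is_fast_flux(s) for d, s in flux_stats(parse_log(text)).items()}

if __name__ == "__main__":
    for domain, flagged in flag_domains(SAMPLE_LOG).items():
        print(f"{domain:24s} fast-flux={flagged}")
```

A CDN serving several addresses from one network with long TTLs stays below the thresholds, while a name that rotates through addresses in many unrelated networks with short TTLs is flagged for analyst review.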

DECENTRALIZED
Does not have a particular server or set of servers
Uses peer-to-peer (P2P) communications to send commands between bots
A bot must locate peers within the botnet to receive commands
Uses P2P protocol discovery mechanisms
Difficult to dismantle without discovering each bot
Introduces complexity and latency before each bot receives a command
Uses IRC to manage infected machines
