1,016 research outputs found
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
Over the last decade botnets survived by adopting a sequence of increasingly
sophisticated strategies to evade detection and take overs, and to monetize
their infrastructure. At the same time, the success of privacy infrastructures
such as Tor opened the door to illegal activities, including botnets,
ransomware, and a marketplace for drugs and contraband. We contend that the
next waves of botnets will extensively subvert privacy infrastructure and
cryptographic mechanisms. In this work we propose to preemptively investigate
the design and mitigation of such botnets. We first, introduce OnionBots, what
we believe will be the next generation of resilient, stealthy botnets.
OnionBots use privacy infrastructures for cyber attacks by completely
decoupling their operation from the infected host IP address and by carrying
traffic that does not leak information about its source, destination, and
nature. Such bots live symbiotically within the privacy infrastructures to
evade detection, measurement, scale estimation, observation, and in general all
IP-based current mitigation techniques. Furthermore, we show that with an
adequate self-healing network maintenance scheme, that is simple to implement,
OnionBots achieve a low diameter and a low degree and are robust to
partitioning under node deletions. We developed a mitigation technique, called
SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and
discuss a set of techniques that can enable subsequent waves of Super
OnionBots. In light of the potential of such botnets, we believe that the
research community should proactively develop detection and mitigation methods
to thwart OnionBots, potentially making adjustments to privacy infrastructure.Comment: 12 pages, 8 figure
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in repor
Recommended from our members
Modelling the Spread of Botnet Malware in IoT-Based Wireless Sensor Networks
The propagation approach of a botnet largely dictates its formation, establishing a foundation of bots for future exploitation. The chosen propagation method determines the attack surface, and consequently, the degree of network penetration, as well as the overall size and the eventual attack potency. It is therefore essential to understand propagation behaviours and influential factors in order to better secure vulnerable systems. Whilst botnet propagation is generally well-studied, newer technologies like IoT have unique characteristics which are yet to be thoroughly explored. In this paper, we apply the principles of epidemic modelling to IoT networks consisting of wireless sensor nodes. We build IoT-SIS, a novel propagation model which considers the impact of IoT-specific characteristics like limited processing power, energy restrictions, and node density on the formation of a botnet. Focusing on worm-based propagation, this model is used to explore the dynamics of spread using numerical simulations and the Monte Carlo method, and to discuss the real-life implications of our findings
Taking Back the Internet: Defeating DDoS and Adverse Network Conditions via Reactive BGP Routing
In this work, we present Nyx, a system for mitigating Distributed Denial of Service (DDoS) attacks by routing critical traffic from known benign networks around links under attack from a massively distributed botnet. Nyx alters how Autonomous Systems (ASes) handle route selection and advertisement in the Border Gateway Protocol (BGP) in order to achieve isolation of critical traffic away from congested links onto alternative, less congested paths. Our system controls outbound paths through the normal process of BGP path selection, while return paths from critical ASes are controlled through the use of existing traffic engineering techniques. To prevent alternative paths from including attacked network links, Nyx employs strategic lying in a manner that is functional in the presence of RPKI. Our system only exposes the alternate path to the networks needed for forwarding and those networks\u27 customer cones, thus strategically reducing the number of ASes outside of the critical AS that receive the alternative path. By leaving the path taken by malicious traffic unchanged and limiting the amount of added traffic load placed on the alternate path, our system causes less than 10 ASes on average to be disturbed by our inbound traffic migration.Nyx is the first system that scalably and effectively mitigates transit-link DDoS attacks that cannot be handled by existing and costly traffic filtering or prioritization techniques. Unlike the prior state of the art, Nyx is highly deployable, requiring only minor changes to router policies at the deployer, and requires no assistance from external networks. Using our own Internet-scale simulator, we find that in more than 98% of cases our system can successfully migrate critical traffic off of the network segments under transit-link DDoS. In over 98% of cases, the alternate path provides some degree of relief over the original path. Finally, in over 70% of cases where Nyx can migrate critical traffic off attacked segments, the new path has sufficient capacity to handle the entire traffic load without congestion
- …