An Analysis of Botnet Attack for SMTP Server using Software Defined Network
Mohd Zafran (PhD Candidate) & Koji Okamura
Graduate School of Information Science and Electrical Engineering
Kyushu University
15/4/2016, Kyushu University, Japan
RHUL workshop on February 29
Introduction (Problem Statement & Research Proposal)
Related Works
Methodology
Experiment Setup / Simulation / Result
[Figure: Distributed control (previous/current network), where every switch carries its own control plane and data plane, versus centralized control (current/future network), where one SDN controller manages the data-plane switches over OpenFlow]
A distributed denial-of-service (DDoS) botnet attack on an SMTP server
[Figure: several botnets flooding a mail transfer agent]
Fig. 1 Botnet attack using the SYN flood attack technique, scenario
Problem Statement
A botnet attack consumes all of the target's resources: CPU, network and storage.
These attacks are also termed Distributed Denial of Service (DDoS) attacks, because the flood traffic comes from many machines and is not a single flow on the network. When an attack targets a host's upstream network bandwidth, it is also called a bandwidth attack.
The bigger the network bandwidth, the larger the IDS and IPS capacity that needs to be used.
Fig. 2 Intrusion Detection System & Intrusion Prevention System
Introduction:
1.0 The proposed approach
By using SDN technology across multiple domains, the SDN controller can detect the spam botnet flow before the botnet traffic arrives at the destination IP.
Existing spam filtering databases such as Spamhaus and SpamCop can be integrated by developing a new application at the SDN controller layer that retrieves the blacklisted source IPs of spam botnets and feeds back newly identified botnet source IPs for blacklisting.
With the blacklisted botnet source IPs available, early mitigation of the botnet can be done.
Flows can be specified using any one, or a combination, of the following ten tuples (match fields): In Port, VLAN ID, Source MAC, Destination MAC, Ethernet Type, Source IP, Destination IP, Protocol, Source Port, Destination Port.
These 10 tuple fields are used to create a new algorithm to detect the flow of a botnet.
1.1 Botnet attack scenario
[Figure: three SDN domains (A, B, C), each with its own SDN domain controller and SMTP server (A, B, C), connected over the WAN together with the Spamhaus server]
Fig. 3 Botnet attack from two domains
2.0 Related Works
1. Method to detect the botnet attack on the SMTP server: An approach for detecting a flooding attack based on entropy measurement of multiple e-mail protocols [3]
2. Method to communicate between multiple domains using the SDN platform: DISCO: Distributed multi-domain SDN controllers [4]
3. Study of e-mail spam characteristics on the network layer: A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise [1]
Related Works:
2.1 Several e-mail protocols
• SMTP (Simple Mail Transfer Protocol)
• POP3 (Post Office Protocol Version 3)
• IMAP (Internet Message Access Protocol)
Fig 4. SMTP message flows
2.1.1 Recap on SMTP Protocol
[Figure: SMTP message flow between the mail clients, file servers and the SMTP server]
Fig 5. SMTP message flows
Connection Establishment
1. (Client) --> [SYN] --------> (Server)
2. (Client) <-- [SYN/ACK] <--- (Server)
3. (Client) --> [ACK] --------> (Server)
Connection Termination
1. (Client) --> [ACK/FIN] ----> (Server)
2. (Client) <-- [ACK] <-------- (Server)
3. (Client) <-- [ACK/FIN] <---- (Server)
4. (Client) --> [ACK] --------> (Server)
Fig 6. TCP flows
2.2 Objective
1. Design the mechanism of multi-domain SDN for detecting the botnet attack on the SMTP server
2. Performance analysis of detecting the botnet attack on the SMTP server
3. Comparative analysis with other related works
Methodology:
3.0 Design mechanism of SDN
• Every domain SDN controller sends information about flow count, flow size and packet size, specific to port number and destination IP, to the main SDN controller.
• The main SDN controller makes the decision to identify the botnet attack.
• The main SDN controller feeds the information to the Spamhaus server.
• The main SDN controller installs the blacklisted IPs in each domain.
3.1 The flowchart mechanism of SDN
1. A new flow entry arrives at domain R1, R2 or R3.
2. Check the source IP against the blacklist: if it is blacklisted, drop the packet.
3. Otherwise, send the flow entry match information (TCP/UDP 25/110, destination IP) to the SDN controller in every domain.
4. The controller checks for botnet attacks based on the decision tree algorithm.
5. If no attack is found: permit the flow message and forward the packet to the next node.
6. If an attack is found: drop the next packet from the same source IP, update the flow message information and send the blacklisted IP to the Spamhaus server.
[Figure: flowchart of the above steps, involving the SMTP server, the main SDN controller and the Spamhaus server]
3.2 Retrieve flow information before arriving at the targeted domain
[Figure: the three SDN domains (A, B, C) with their controllers and SMTP servers over the WAN, plus the Spamhaus server; at each domain the controller records, for every flow entry and flow exit, the time stamp, source IP and destination IP]
Fig. 7 Botnet attack from domain A
3.3 Early botnet attack detection close to the SMTP server attack target on multiple domains using SDN technology
Scenario:
Assume that 1 protocol serving the SMTP server is monitored at 4 different periods, where the time-period series is listed as:
Fig. 8 Botnet attack from domain A
3.4.1 Related works on the study of SMTP flow and packet characteristics under an SMTP flood or SYN flood on the SMTP server: T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise,” Comput. Networks, vol. 59, pp. 101–121, 2014 [1]
“Content blind” techniques
[Figure: spam filtering stages from the network layer to the application layer]
Fig. 9 The process flow to filter spam from the network layer up to the application layer
3.4.2 SMTP network traffic analysis technique: T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise,” Comput. Networks, vol. 59, pp. 101–121, 2014 [1]
• Dataset: May 2009 to April 2011
• Packet & flow features extracted with Spamflow, Bro and p0f
• Network traffic characteristics
• Decision tree algorithm using the Weka tool
Fig. 10 Process of the SMTP network traffic analysis technique
3.4.3 Related works: T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise,” Comput. Networks, vol. 59, pp. 101–121, 2014 [1]
Machine learning algorithm: decision trees (using the Weka tool)
1. Create the root node: fins_local
2. Create the decision nodes: 3whs, GeoDistance
3. Create the leaf nodes: Ham, Spam
Fig. 11 Decision tree process
Fig. 12 Fragment of tree using packet + flow features
3.5 Decision Tree Algorithm
Rtt_C_S <= 0.03s
  T: 3whs <= 0.045
    T: Ham
    F: fgnr_ttl <= 98
      T: Ham
      F: Spam
  F: RTO_s_c <= 2.2s
    T: Ham
    F: Spam
Symbols
Ham = Legitimate e-mail
Spam = Spam e-mail
Rtt_C_S = RTT of the packets in the switch flow table, client <-> server
3whs = Flow duration between the arrival of the SYN from the client and the ACK of the SYN/ACK from the server
Fngr_ttl = Time to live of the client's packet; if it is more than 98 the client will be a Windows platform
RTO_s_c = Retransmission timeout from server to client, in seconds
Fig. 13 Fragment of tree using packet + flow features
3.5.1 Pseudocode
If dst port = 25 Then
    Forward to controller
    Packet_in: flow count
    Go to Module 1
Else
    Drop the packet

Module 1 (RTT between client and server)
If RTT client <-> server between the two switches t >= 0.0087 s Then
    Go to Module 2
Else
    Go to Module 3

Module 2 (3-way handshake flow count and time)
If flow count packet_in = 2, same src IP, same dst IP, and arrival time of the 2nd flow <= 0.087 s between client <-> server Then
    Install the flow in the flow table and forward the next packet
Else
    Go to Module 4
Fig. 14 Pseudocode using decision tree algorithm

3.5.2 Pseudocode
Module 3 (RTO_s_c)
If RTO from server < 2.2 s Then
    Install the flow in the flow table and forward the next packet
Else
    Blacklist the source IP and send the information to Spamhaus

Module 4 (TTL feature)
If IP TTL <= 96 Then
    Install the flow in the flow table and forward the next packet
Else
    Blacklist the source IP and send the information to Spamhaus
Fig. 14 Pseudocode using decision tree algorithm (continued)
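The flowchart of 3.1 and the modules of Fig. 14 can be written as one controller-side decision routine. The block below is an added example for this page, not code from the authors' SDN application: it implements the tree fragment of Fig. 13 (thresholds 0.03 s, 0.045, 98 and 2.2 s, branch assignment read from that figure; the pseudocode slides list other constants, which are left as the page gives them) in front of the blacklist check and the Spamhaus feed of the flowchart. The FlowFeatures record, the DomainController class, the "spamhaus_feed" list standing in for the upstream report, and the rule that non-mail ports are forwarded untouched are all assumptions of the example; the sample flows are constructed, not taken from the page's datasets.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed per-flow feature record; field names follow the symbols of Fig. 13.
@dataclass
class FlowFeatures:
    src_ip: str
    dst_ip: str
    dst_port: int
    rtt_c_s: float    # RTT client <-> server, seconds (module 1)
    three_whs: float  # SYN-to-ACK handshake duration, seconds (module 2)
    rto_s_c: float    # retransmission timeout server -> client, seconds (module 3)
    fngr_ttl: int     # IP TTL of the client's packets (module 4)

# Thresholds read from the tree fragment in Fig. 13 (assumed as defaults here).
RTT_MAX = 0.03
THREE_WHS_MAX = 0.045
TTL_MAX = 98
RTO_MAX = 2.2

MAIL_PORTS = {25, 110}  # TCP 25 (SMTP) / 110 (POP3) as in the flowchart of 3.1


def classify(f: FlowFeatures, rtt_max: float = RTT_MAX, whs_max: float = THREE_WHS_MAX,
             ttl_max: int = TTL_MAX, rto_max: float = RTO_MAX) -> str:
    """Walk the decision tree of Fig. 13 and return 'ham' or 'spam'."""
    if f.rtt_c_s <= rtt_max:                                   # root: Rtt_C_S <= 0.03 s
        if f.three_whs <= whs_max:                             # 3whs <= 0.045 -> Ham
            return "ham"
        return "ham" if f.fngr_ttl <= ttl_max else "spam"      # fgnr_ttl <= 98 -> Ham, else Spam
    return "ham" if f.rto_s_c <= rto_max else "spam"           # RTO_s_c <= 2.2 s -> Ham, else Spam


class DomainController:
    """Per-domain controller logic of the flowchart in 3.1 (assumed shape, not a real controller API)."""

    def __init__(self, blacklist: Optional[Set[str]] = None) -> None:
        self.blacklist: Set[str] = set(blacklist or ())
        self.spamhaus_feed: List[str] = []   # stand-in for the feed sent to the Spamhaus server

    def handle_new_flow(self, f: FlowFeatures) -> str:
        # 1. A blacklisted source IP is dropped before any further analysis.
        if f.src_ip in self.blacklist:
            return "drop"
        # 2. Only mail-port flows go through the detector; other flows are forwarded (assumption).
        if f.dst_port not in MAIL_PORTS:
            return "forward"
        # 3. Decision tree verdict on the flow features.
        if classify(f) == "ham":
            return "install_flow"
        # 4. Spam verdict: blacklist the source, report it upstream, drop its next packets.
        self.blacklist.add(f.src_ip)
        self.spamhaus_feed.append(f.src_ip)
        return "drop_and_blacklist"


def demo() -> List[str]:
    """Constructed sample flows (not from the page's datasets) run through one controller."""
    ctrl = DomainController()
    flows = [
        FlowFeatures("203.0.113.10", "192.0.2.25", 25, 0.020, 0.030, 0.0, 64),   # clean handshake
        FlowFeatures("203.0.113.11", "192.0.2.25", 25, 0.020, 0.100, 0.0, 128),  # slow 3whs, TTL 128
        FlowFeatures("203.0.113.12", "192.0.2.25", 25, 0.050, 0.000, 1.0, 64),   # slow RTT, RTO within limit
        FlowFeatures("203.0.113.13", "192.0.2.25", 25, 0.050, 0.000, 2.9, 128),  # slow RTT, RTO 2.9 s
        FlowFeatures("203.0.113.11", "192.0.2.25", 25, 0.020, 0.030, 0.0, 64),   # repeat from a blacklisted host
        FlowFeatures("203.0.113.14", "192.0.2.80", 80, 0.020, 0.030, 0.0, 64),   # non-mail port
    ]
    return [ctrl.handle_new_flow(f) for f in flows]


if __name__ == "__main__":
    print(demo())
```

Each verdict is returned as a string so that the action a real controller would take (install a flow entry, drop, or drop and blacklist) stays visible in tests; the second flow from 203.0.113.11 is dropped by the blacklist check alone, without running the tree again, which is the early-mitigation step the Introduction describes.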
3.5.3 RTT (module 1)
[Figure: the three-domain topology of Fig. 3; at the first packet_in the flow count starts at 1, the time stamp and flow entry are recorded and the packet is sent out; the time record starts after the packet out (server -> client); at the 2nd packet_in the flow count is 2 and 1 RTT client <-> server is complete]
Fig. 15 Round-trip time calculation in OpenFlow
3.5.4 3-way handshake time (module 2)
[Figure: the same topology; at the first packet_in the flow count starts at 1, the time stamp and flow entry are recorded and the packet is sent out; the time record starts after the packet out (server -> client); at the 2nd packet_in the flow count is 2 and the 3whs client <-> server is complete. Symbols: Syn, Syn-Ack, Ack]
Fig. 16 3-way handshake time calculation in OpenFlow
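Sections 3.2, 3.5.3 and 3.5.4 describe the same measurement from the controller's point of view: stamp each packet_in, start the clock at the packet out of the server's SYN/ACK, and read 1 RTT and the 3whs when the client's ACK arrives as the 2nd packet_in of the flow. The block below is an added example written for this page, not the authors' code: it keeps that state per flow keyed by the IP/port part of the 10-tuple match, so that the features feeding module 1 and module 2 come out of time stamps alone. The PacketIn record, the HandshakeTracker class and the rule that only client-to-server packet_ins are counted are assumptions of the example; the packet_in sequence is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAIL_PORTS = {25, 110}   # server-side ports the controller watches (TCP 25 / 110 on the page)


# Constructed packet_in event as the controller sees it (assumed shape, not an OpenFlow API).
@dataclass(frozen=True)
class PacketIn:
    ts: float        # controller time stamp in seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool


FlowKey = Tuple[str, str, int, int]   # (client ip, server ip, client port, server port)


@dataclass
class FlowState:
    count: int = 0                      # packet_in flow count, client -> server (1 at the first packet_in)
    t_syn: Optional[float] = None       # arrival of the client's SYN
    t_synack: Optional[float] = None    # packet out of the server's SYN/ACK: the RTT clock starts here
    t_ack: Optional[float] = None       # arrival of the client's ACK: 1 RTT and the 3whs are complete

    def rtt_c_s(self) -> Optional[float]:
        if self.t_synack is None or self.t_ack is None:
            return None
        return round(self.t_ack - self.t_synack, 6)

    def three_whs(self) -> Optional[float]:
        if self.t_syn is None or self.t_ack is None:
            return None
        return round(self.t_ack - self.t_syn, 6)


class HandshakeTracker:
    """Records per-flow time stamps from packet_in events and derives the RTT and 3whs features."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}

    def packet_in(self, p: PacketIn) -> Optional[FlowKey]:
        # Direction is decided by which side carries the mail port (part of the 10-tuple match).
        if p.dst_port in MAIL_PORTS:
            key, client_to_server = (p.src_ip, p.dst_ip, p.src_port, p.dst_port), True
        elif p.src_port in MAIL_PORTS:
            key, client_to_server = (p.dst_ip, p.src_ip, p.dst_port, p.src_port), False
        else:
            return None   # not mail traffic: nothing to track
        st = self.flows.setdefault(key, FlowState())
        if client_to_server:
            st.count += 1   # flow count as in Fig. 15: 1 at the SYN, 2 at the ACK
        if client_to_server and p.syn and not p.ack:
            if st.t_syn is None:
                st.t_syn = p.ts
        elif not client_to_server and p.syn and p.ack:
            if st.t_synack is None:
                st.t_synack = p.ts
        elif client_to_server and p.ack and not p.syn:
            if st.t_ack is None and st.t_synack is not None:
                st.t_ack = p.ts
        return key

    def features(self, key: FlowKey) -> dict:
        st = self.flows[key]
        return {"count": st.count, "rtt_c_s": st.rtt_c_s(), "three_whs": st.three_whs()}

    def half_open(self) -> List[FlowKey]:
        """Flows that sent a SYN but never completed the handshake, the SYN flood pattern of Fig. 1."""
        return [k for k, st in self.flows.items() if st.t_syn is not None and st.t_ack is None]


def demo() -> Tuple[dict, List[FlowKey]]:
    """Constructed packet_in sequence: one completed handshake and one half-open SYN."""
    trk = HandshakeTracker()
    good = [
        PacketIn(10.000, "203.0.113.10", "192.0.2.25", 40000, 25, syn=True, ack=False),   # SYN
        PacketIn(10.010, "192.0.2.25", "203.0.113.10", 25, 40000, syn=True, ack=True),    # SYN/ACK
        PacketIn(10.030, "203.0.113.10", "192.0.2.25", 40000, 25, syn=False, ack=True),   # ACK
    ]
    keys = [trk.packet_in(p) for p in good]
    trk.packet_in(PacketIn(10.050, "203.0.113.99", "192.0.2.25", 41000, 25, syn=True, ack=False))
    return trk.features(keys[0]), trk.half_open()


if __name__ == "__main__":
    print(demo())
```

The completed handshake yields rtt_c_s = 0.02 s and three_whs = 0.03 s with a flow count of 2, which is exactly the state Figs. 15 and 16 show at the 2nd packet_in; the flow that only sent a SYN never reaches that state, so it shows up in half_open() and has no RTT or 3whs feature to hand to the tree.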
3.5.5 Module 4: TTL (hop limit) feature (recap)
Most botnets come from the Windows platform.
http://openmaniak.com/ping.php
4.0 Experiment setup
[Figure: three SDN domains (A, B, C), each with an SDN domain controller and an SMTP server, connected over the WAN together with the Spamhaus server]
Fig. 17 Proposed experiment setup
4.1 Simulation setup using Mininet
[Figure: Mininet topology connected to the internet, with Wireshark & Tcpreplay for capturing and replaying traffic]
Fig. 18 Simulation setup using Mininet
4.1.1 Parameter: internet traffic dataset from the University of New Brunswick (UNB), Canada
Day        Date        Description                                               Size (GB)
Saturday   12/6/2010   Normal activity. No malicious activity                    4.22
Sunday     13/6/2010   Infiltrating the network from inside + normal activity    3.95
Monday     14/6/2010   HTTP Denial of Service + normal activity                  6.85
Tuesday    15/6/2010   Distributed Denial of Service using an IRC botnet         23.4
Wednesday  16/6/2010   Normal activity. No malicious activity                    17.6
Table 1. Dataset internet traffic parameter
4.1.2 Parameter: botnet dataset
García, S. (2013). Malware Capture Facility Project. CVUT University. Dataset CTU-Malware-Capture-Botnet-1. Retrieved February 03, 2013, from https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-1/

Botnet name            Type   Portion of flows in dataset
Neris                  IRC    21159 (12%)
Rbot                   IRC    39316 (22%)
Virut                  HTTP   1638 (0.94%)
NSIS                   P2P    4336 (2.48%)
SMTP Spam              P2P    11296 (6.48%)
Zeus                   P2P    31 (0.01%)
Zeus control (C & C)   P2P    20 (0.01%)
Table 2: Distribution of botnet types in the training dataset

Botnet name            Type   Portion of flows in dataset
Neris                  IRC    25967 (5.67%)
Rbot                   IRC    83 (0.018%)
Menti                  IRC    2878 (0.62%)
Sogou                  HTTP   89 (0.019%)
Murlo                  IRC    4881 (1.06%)
Virut                  HTTP   58576 (12.80%)
NSIS                   P2P    757 (0.165%)
Zeus                   P2P    502 (0.109%)
SMTP Spam              P2P    21633 (4.72%)
UDP Storm              P2P    44062 (9.63%)
Tbot                   IRC    1296 (0.283%)
Zero Access            P2P    1011 (0.221%)
Weasel                 P2P    42313 (9.25%)
Smoke Bot              P2P    78 (0.017%)
Zeus Control (C&C)     P2P    31 (0.006%)
ISCX IRC bot           P2P    1816 (0.387%)
Table 3: Distribution of botnet types in the test dataset
4.1.2 Parameter: botnet dataset (continued)
Type                                          IP
Neris                                         147.32.84.180
RBot                                          147.32.84.170
Menti                                         147.32.84.150
Sogou                                         147.32.84.140
Murlo                                         147.32.84.130
Virut                                         147.32.84.160
IRCbot and black hole 1                       10.0.2.15
Black hole 2                                  192.168.106.141
Black hole 3                                  192.168.106.131
TBot                                          172.16.253.130, 172.16.253.131, 172.16.253.129, 172.16.253.240
Weasel                                        Botmaster IP: 74.78.117.238; Bot IP: 158.65.110.24
Zeus (zeus sample 1 and 2 and 3, bin_zeus)    192.168.3.35, 192.168.3.25, 192.168.3.65, 172.29.0.116
Osx_trojan                                    172.29.0.109
Zero access (zero access 1 and 2)             172.16.253.132, 192.168.248.165
Smoke bot                                     10.37.130.4
Table 4: List of malicious IPs

Type   IP
IRC    192.168.2.112 -> 131.202.243.84
       192.168.5.122 -> 198.164.30.2
       192.168.2.110 -> 192.168.5.122
       192.168.4.118 -> 192.168.5.122
       192.168.2.113 -> 192.168.5.122
       192.168.1.103 -> 192.168.5.122
       192.168.4.120 -> 192.168.5.122
       192.168.2.112 -> 192.168.2.110
       192.168.2.112 -> 192.168.4.120
       192.168.2.112 -> 192.168.1.103
       192.168.2.112 -> 192.168.2.113
       192.168.2.112 -> 192.168.4.118
       192.168.2.112 -> 192.168.2.109
       192.168.2.112 -> 192.168.2.105
       192.168.1.105 -> 192.168.5.122
Table 5: List of malicious IPs
4.2.1 Analysis of the SYN flood attack on the SMTP server using the botnet traffic database
Fig. 19 Flow graph of the botnet SYN flood
4.2.2 SMTP packet analysis on RTT & RTO
[Plot: packets per second over time (12 Jun 2010); series: RTT packets, RTO packets]
Fig. 20 Total number of packets per second of SMTP traffic on 12 Jun 2010
4.2.3 SMTP packet analysis on RTT & RTO
[Plot: packets per second over time (13 Jun 2010); series: RTT packets, RTO packets]
Fig. 21 Total number of packets per second of SMTP traffic on 13 Jun 2010
4.2.4 SMTP packet analysis on RTT & RTO
[Plot: packets per second over time (14 Jun 2010); series: RTT packets, RTO packets]
Fig. 22 Total number of packets per second of SMTP traffic on 14 Jun 2010
4.2.5 SMTP packet analysis on RTT & RTO
[Plot: packets per second over time (15 Jun 2010); series: RTT packets, RTO packets]
Fig. 23 Total number of packets per second of SMTP traffic on 15 Jun 2010
4.2.6 SMTP packet analysis on RTT & RTO
[Plot: packets per second over time (16 Jun 2010); series: RTT packets, RTO packets]
Fig. 24 Total number of packets per second of SMTP traffic on 16 Jun 2010
4.2.7 Botnet training (SMTP packet analysis on RTT & RTO)
[Plot: packets per second over time (3 Feb 2013); series: RTT packets, RTO packets]
Fig. 25 Total number of packets per second of SMTP traffic on 3 Feb 2013 with the botnet training SMTP Spam P2P attacks
4.2.8 Botnet test (SMTP packet analysis on RTT & RTO)
[Plot: packets per second over time (3 Feb 2013); series: RTT packets, RTO packets]
Fig. 26 Total number of packets per second of SMTP traffic on 3 Feb 2013 with the botnet test SMTP Spam P2P attacks
4.2.9 Analysis of SMTP packet characteristics
[Plot: time (s) on a log scale from 0.01 to 10 per dataset; series: RTT, RTO, RTO2, 3WHS]
DATASET           RTT (s)   RTO (s)   RTO2 (s)   3WHS (s)
Jun-12            0.03      0         0          0.045
Jun-13            0.03      0         0          0.045
Jun-14            0.03      0         0          0.045
Jun-15            0.03      0         0          0.045
Jun-16            0.03      0         0          0.045
Botnet Testing    0         2.9       6          0
Botnet Training   0         2.2       2.9        0
Fig. 27 Max round-trip time and retransmission timeout for the 7 internet datasets
Table 6 Max round-trip time and retransmission timeout for the 7 internet datasets
4.2.10 Time to live of client packets
[Plot: hop limit (0 to 140) per internet traffic dataset (SMTP); series: TTL]
DATASET           TTL
Jun-12            58
Jun-13            58
Jun-14            58
Jun-15            58
Jun-16            64
Botnet Testing    128
Botnet Training   128
Fig. 28 Average TTL per packet for the 7 internet traffic datasets
Table 7 Average TTL per packet for the 7 internet traffic datasets
Conclusion
By using the decision tree algorithm we can study botnet attacks at an early stage, before they arrive at the target SMTP server.
Most botnet attacks come from Windows-based platforms.
This approach is only valid within a multi-domain SDN controller environment.
RTT and RTO are related to botnet attacks on the SMTP server.
This research can also be focused on other protocols such as HTTP.
References
[1] T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise,” Comput. Networks, vol. 59, pp. 101–121, 2014.
[2] D. Rana, N. Garg, and S. Chamoli, “A Study and Detection of TCP SYN Flood Attacks with IP spoofing and its Mitigations,” Int. J. …, vol. 3, no. August, pp. 1476–1480, 2012.
[3] H. Chen, C. Mao, and S. Tseng, “An Approach for Detecting a Flooding Attack Based on Entropy Measurement of Multiple E-Mail Protocols,” vol. 18, no. 1, pp. 79–88, 2015.
[4] K. Phemius, M. Bouet, and J. Leguay, “DISCO: Distributed multi-domain SDN controllers,” IEEE/IFIP NOMS 2014 - IEEE/IFIP Netw. Oper. Manag. Symp. Manag. a Softw. Defin. World, 2014.
[5] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” SDN4FNS 2013 - 2013 Work. Softw. Defin. Networks Futur. Networks Serv., 2013.
[6] S. Lim, J. Ha, H. Kim, Y. Kim, and S. Yang, “A SDN-Oriented DDoS Blocking Scheme for Botnet-Based Attacks,” pp. 63–68, 2014.
[7] T. Xingl, Z. Xiongl, and D. Huangl, “SDNIPS: Enabling Software-Defined Networking Based Intrusion Prevention System in Clouds 1,” pp. 308–311, 2014.
[8] M. Vizv and J. Vykopal, “Future of DDoS Attacks Mitigation in Software Defined Networks.”
[9] T. Sochor, “Overview of e-mail SPAM Elimination and its Efficiency,” in Research Challenges in Information Science (RCIS), 2014 IEEE Eighth International Conference on, 2014, pp. 1–11.
[10] P. Lin, P. Lin, P. Chiou, and C. Liu, “Detecting Spamming Activities by Network Monitoring with Bloom Filters,” pp. 163–168, 2013.