RHUL workshop on February 29 An Analysis of …...A distributed denial-of-service (DDoS) Botnet attack on SMTP serverKyushu University , Japan 15/4/2016 5 Mail transfer Agent Fig

An Analysis of Botnet

Attack for SMTP Server

using Software Define

NetworkMohd Zafran (PhD Candidate) & Koji Okamura

Graduate School of Information Science and Electrical Engineering

Kyushu University

15/4/2016Kyushu University , Japan 1

RHUL workshop on February 29

Introduction (Problem Statement &

Research Proposal)

Related Works

Methodology

Experiment Setup / Simulation /Result


What is Software Define Network ?

Control

plane

Data

Plane

Switch

Control

plane

Data

Plane

Switch

Control

plane

Data

Plane

Switch

Control

plane

Data

Plane

Switch

SDN

Controller

Data

Plane

Switch

Data

Plane

Switch

Data

Plane

Switch

Data

Plane

Switch

Distributed Control

Previous/Current NetworkCentralized Control

Current/Future Network

OpenFlow

A distributed denial-of-service

(DDoS) Botnet attack on SMTP server


Mail transfer Agent

Fig. 1 Botnet Attack using syn flood attack technique scenario

BotnetBotnet

Problem Statement

Botnet attack will consume all resource such as cpu, network and storage.

These attack also term as Distributed Denial of Services (Ddos) attacks as the

flood traffic comes from many machines, and is not a single flow on the

network.When an attack target host upstreams network bandwith,these

attack also named as bandwith attack

The bigger network bandwidth , different IDS and IPS capacity need to be use


Fig. 2 Intrusion Detection System & Intrusion Prevention System

Introduction:

1.0 The proposed approach By using SDN Technology at multi domain , SDN Control can detect the spam

botnet flow before the botnet arrive to destination ip.

Existing spam filtering database such as spamhaus and spamcop, can be integrate by develop new app at SDN CTRL layer to retrieve the information about spam botnet source blacklisted IP and feed new information about botnet IP source blacklisted.

By having the information on botnet blacklisting source IP. The early mitigation on botnet can be done.

Flows can be specified using any or a combination the following ten tuples, match fields:In Port, VLAN-ID, Source MAC, Destination MAC, Ethernet Type, Source IP, Destination IP, Protocol, Source Port, Destination Port

By using 10 tuples field be use to create a new algorithm to detect the flow of botnet .


1.1 Botnet attack scenario

SDN Domain

Controlller

SDN Domain B

SDN Domain

Controlller

SDN Domain C

SDN Domain

Controlller

SDN Domain A

SMTP

server BSMTP

server C

SMTP

server A

Spam

Haus

Server

WAN

WANWAN


Fig. 3 Botnet attack from two domain

2.0 Related Works

An approach detecting a flooding Attacks Based on Entropy measurement of Multiple Email Protocols

1.Method to detect the Botnet attack to smtp server :

2.Method to communicate between Multi Domain using SDN platform:DISCO: Distributed Multi-domain SDN Controllers


3. Study of email spam characteristics on network layer :Study of email spam characteristics on network layer A large-scale empirical analysis of email spam

detection through network characteristics in a stand-alone enterprise

Related Works:

2.1 Several protocol email protocol

• SMTP (Simple Mail Transfer Protocol)

• POP3 (Post Office Protocol Version 3)

• IMAP (Internet Message Access Protocol)

Fig 4. SMTP message flows


File

Server

File

Server

2.1.1 Recap on SMTP Protocol

Fig 5. SMTP message flows

Kyushu University , Japan

Connection Establishment

1. . (Client) --> [SYN] -------->(Server)

2. . (Client) <-- [SYN/ACK] <--(Server)

3. . (Client) --> [ACK]-- ------>(Server)

Connection Termination

1. . (Client) --> ACK/FIN ---->(Server)

2. . (Client) <-- ACK <--------(Server)

3. . (Client) <-- ACK/FIN <----(Server)

4. . (Client) --> ACK -------->(Server)

Fig 6. TCP flows

SMTP

Server

2.2 Objective


1.Design the mechanism of SDN Multi Domain for detecting the Botnet Attack based on attack on smtp server

2.Performance Analysis to detect the Botnet Attack that attack on smtp server

3. Comparization Analysis study with other related works

Methodology:

3.0 Design mechanism of SDN

Every Domain SDN Controller

Sending information

about flow count /flow size

and packet size

Specific on port number &

Destination IP to Main SDN

controller

Main SDN Controller SpamHaus server

Feed information to spamhaus

Decision for identify botnet attack

Install the domain with blacklist ip15/4/2016Kyushu University , Japan 17

SMTP

Server

Main SDN Controller

SpamHaus server

Drop

packet

Check src

ip

(blacklist)

yes

New flow entry

coming at

Domain R1,R2,

R3

No

Send flow entry match

information (TCP /UDP

25/110) DST IP to SDN

controller in every

Domain

Controller check the Botnet Attacks Based on

Decision Tree Algorithm

Permit the flow message and forward

the packet to next node

Drop the next packet from the same ip

src flow message update information

blacklist ip to spamhaus server

NO

Yes

3.1 The flowchart mechanism of SDN

15/4/2016Kyushu University , Japan

18

SMTP

Server

SDN Domain B

Controlller

SDN Domain B

SDN Domain C

Controlller

SDN Domain C

SDN Domain A

Controlller

SDN Domain A

SMTP

server BSMTP

server C

SMTP

server A

Spam

Haus

Server

WAN

WANWAN

Time stamp

Flow entry

Ip src

Ip dst

Time stamp

Flow exit

Ip src

Ip dst


3.2 Retrieve flow

information

before arrive at

targeted Domain

Fig. 7 Botnet attack from domain A

3.3 Early Botnet Attack detection close to

smtp server attack target on multi Domain

using SDN technology

Scenario:

Assume that there 1 protocols serving for smtp

Server are monitored at 4 different periods,

where the time-period series is listed as :


Fig. 8 Botnet attack from domain A

3.4.1 Related works on study characteristics smtp flow and packet on smtp flood or

syn flood on smtp server :T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-

scale empirical analysis of email spam detection through network characteristics in

a stand-alone enterprise,” Comput. Networks, vol. 59, pp. 101–121, 2014


“Content blind” techniques

Network Layer Application Layer

Fig.9 The proses flow to filter the spam from network layer until application layer

3.4.2 SMTP Network Traffic analysis technic :T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-

scale empirical analysis of email spam detection through network characteristics in a stand-alone

enterprise,” Comput. Networks, vol. 59, pp. 101–121, 2014


Dataset May 2009 to April 2011

BRO

Spamflow,Bro and p0f

Packet & Flow features

Network

traffic

characteristics

Decision Tree Algorithm using Weka tool

Fig. 10 Process SMTP network traffic analysis technic

3.4.3 Related works:T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-scale empirical analysis of

email spam detection through network characteristics in a stand-alone enterprise,”

Comput. Networks, vol. 59, pp. 101–121, 2014


Machine Learning Algorithm

Decision trees (using Weka Tool)

1•Create Root nodes

• (fins_local)

2

•Create Decision Nodes

•3whs

•GeoDistance

3

•Create Leaf Nodes

•Ham

•Spam

Fig. 11 Decision trees process Fig. 12 Fragment of tree using packet + flow features

3.5 Decision Tree Algorithm


Rtt_C_S <= 0.03s

3whs<=0.045

Ham

fgnr_ttl<=98

Ham

Spam

RTO_s_c<= 2.2s

Ham

Spam

Symbols

Ham = Legitimate Email

Spam = Spam Email

Rtt_C_S = RTT packet in Switch Flow Table Client<-> Server

3whs = Flow duration between the arrival of SYN from Client and Flow Duration Ack of Syn/ACK by Server

Fngr_ttl = time to live packet client, if more 98 will be windows platform

RTO_s_c = Retransmission timeout from server to client in second

T

F

T

F

T

F

T

F

Fig. 13 Fragment of tree using packet + flow features

3.5.1 PSEUDOCODE

15/4/2016Kyushu University , Japan25

If dst port= 25 Then

Forward to controller

Packet_in Flow count

go to module 1

Else drop the packetModule 1 (RTT Client between Server)

If rtt client <-> server between two switch t>= 0.0087 s Then

go to module 2

Else

go to module 3

Module 2 (3 way hand shake flow count and time)

If flow count packet_in = 2 ,same src ip same dist ip,time arrival for 2nd flow <= 0.087 for

between client <-> server Then install the flow in flow table, forward the next packet

Else

go to module 4

Fig. 14 Pseudocode using decision tree algorithm

3.5.2 PSEUDOCODE


Module 3 (RTO_s_c)

If RTO from server less than 2.2 second Then

install the flow in the flow table and forward the next packet

Else

blacklist the ip source send information to spamhaus

Module 4 TTL feature

If ip ttl <= 96 Then

install the flow in the flow table and forward the next packet

Else

blacklist the ip source send information to spamhaus

Fig. 14 Pseudocode using decision tree algorithm

SDN Domain B

Controlller

SDN Domain B

SDN Domain C

Controlller

SDN Domain C

SDN Domain A

Controlller

SDN Domain A

SMTP

server BSMTP

server C

SMTP

server A

Spam

Haus

Server

WAN

WANWAN

Packet_in First

time, Start flow

count=1

Time stamp

Flow entry

Packet out


3.5.3 RTT (module 1)

Time record started

after packet out (server

-> client)

Time stamp

Packet_in 2nd

Time

Flow count =2

1 RTT complete

Client<-> Server

Fig. 15 Roundtrip time calculation in Openflow

SDN Domain B

Controlller

SDN Domain B

SDN Domain C

Controlller

SDN Domain C

SDN Domain A

Controlller

SDN Domain A

SMTP

server BSMTP

server C

SMTP

server A

Spam

Haus

Server

WAN

WANWAN

Packet_in First

time, Start flow

count=1

Time stamp

Flow entry

Packet out


3.5.4 3 way handshake

time (module 2)Time

record started after packet

out (server -> client)

Time stamp

Packet_in 2nd

Time

Flow count =2

3whs complete

Client<-> Server

Sym:

Syn

Syn-Ack

Ack

Fig. 16 3 way handshake time calculation in Openflow

3.5.5 Module 4 : TTL (hop limit) feature (Recap)


Most of botnet came from windows platform

http://openmaniak.com/ping.php

4.0 Experiment setup

SDN Domain

Controlller

SDN Domain B

SDN Domain

Controlller

SDN Domain C

SDN Domain

Controlller

SDN Domain A

SMTP

server BSMTP

server C

SMTP

server A

Spam

Haus

Server

WAN

WANWAN


Fig. 17 Proposed Experiment setup

4.1 Simulation setup using Mininet


internet

Wireshark

& Tcpreplay

Fig. 18 Simulation setup using Mininet

4.1.1 Parameter Dataset internet traffic from

University New Brunswick (UNB) Canada


Day Date Description Size (GB)

Saturday 12/6/2010Normal Activity. No

malicious activity4.22

Sunday 13/6/2010

Infiltrating the

network from inside

+ Normal Activity

3.95

Monday 14/6/2010

HTTP Denial of

Service + Normal

Activity

6.85

Tuesday 15/6/2010

Distributed Denial of

Service using an IRC

Botnet

23.4

Wednesday 16/6/2010Normal Activity. No

malicious activity17.6

Table 1. Dataset internet traffic parameter

4.1.2 Parameter Dataset Botnet


García, S. (2013). Malware Capture Facility Project. CVUT University. Dataset

CTU-Malware-Capture-Botnet-1. Retrieved February 03, 2013, from

https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-1/

Botnet name Type Portion of flows in

dataset

Neris IRC 21159 (12%)

Rbot IRC 39316 (22%)

Virut HTTP 1638 (0.94 %)

NSIS P2P 4336 (2.48%)

SMTP Spam P2P 11296 (6.48%)

Zeus P2P 31 (0.01%)

Zeus control (C & C) P2P 20 (0.01%)

Botnet name Type Portion of flows in dataset

Neris IRC 25967 (5.67%)

Rbot IRC 83 (0.018%)

Menti IRC 2878(0.62%)

Sogou HTTP 89 (0.019%)

Murlo IRC 4881 (1.06%)

Virut HTTP 58576 (12.80%)

NSIS P2P 757 (0.165%)

Zeus P2P 502 (0.109%)

SMTP Spam P2P 21633 (4.72%)

UDP Storm P2P 44062 (9.63%)

Tbot IRC 1296 (0.283%)

Zero Access P2P 1011 (0.221%)

Weasel P2P 42313 (9.25%)

Smoke Bot P2P 78 (0.017%)

Zeus Control(C&

C)

P2P 31 (0.006%)

ISCX IRC bot P2P 1816 (0.387%)

Table 2: Distribution of botnet types in the training dataset

Table 3: Distribution of botnet types in the test dataset

https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-1/

4.1.2 Parameter Dataset Botnet


Type IP

Neris 147.32.84.180

RBot 147.32.84.170

Menti 147.32.84.150

Sogou 147.32.84.140

Murlo 147.32.84.130

Virut 147.32.84.160

IRCbot and black hole1 10.0.2.15

Black hole 2 192.168.106.141

Black hole 3 192.168.106.131

TBot 172.16.253.130,

172.16.253.131,

172.16.253.129, 172.16.253.240

Weasel Botmaster IP: 74.78.117.238

Bot IP: 158.65.110.24

Zeus(zeus sample 1 and 2 and 3,

bin_zeus)

192.168.3.35, 192.168.3.25,

192.168.3.65, 172.29.0.116

Osx_trojan 172.29.0.109

Zero access (zero access 1 and 2) 172.16.253.132, 192.168.248.165

Smoke bot 10.37.130.4

Type IP

IRC 192.168.2.112 ->131.202.243.84

192.168.5.122 ->198.164.30.2

192.168.2.110 -> 192.168.5.122

192.168.4.118 -> 192.168.5.122

192.168.2.113 -> 192.168.5.122

192.168.1.103 -> 192.168.5.122

192.168.4.120 -> 192.168.5.122

192.168.2.112 -> 192.168.2.110

192.168.2.112 -> 192.168.4.120

192.168.2.112 -> 192.168.1.103

192.168.2.112 -> 192.168.2.113

192.168.2.112 -> 192.168.4.118

192.168.2.112 -> 192.168.2.109

192.168.2.112 -> 192.168.2.105

192.168.1.105 -> 192.168.5.122

Table 4: List of malicious IPs

Table 5: List of malicious IPs

4.2 Result Performance Analysis SMTP

traffic & Botnet attacks


4.2.1 Analysis SYN Flood Attack on smtp

server using Botnet traffic database


Fig. 19 Flow graph botnet for syn flood

4.2.2 SMTP Packet analysis on RTT & RTO


---- RTT Packet

---- RTO Packet

Time (12 Jun 2010)

Packets

Fig. 20 Total number of packets per second smtp traffic on 12 jun 2010



---- RTT Packet

---- RTO Packet

Time (13 Jun 2010)

Packets



15/4/2016Kyushu University , Japan

40

---- RTT Packet

---- RTO Packet

Time (14 Jun 2010)

Packets




---- RTT Packet

---- RTO Packet

Time (15 Jun 2010)

Packets




---- RTT Packet

---- RTO Packet

Time (16 Jun 2010)

Packets


4.2.7 Botnet Training (SMTP Packet analysis

on RTT & RTO)


---- RTT Packet

---- RTO Packet

Time (3 Feb 2013)

Packets

Fig. 25 Total number of packets per second smtp traffic on 3 Feb 2013 with botnet training SMTP Spam p2p Attacks

4.2.8 Botnet Test (SMTP Packet analysis

on RTT & RTO)


---- RTT Packet

---- RTO Packet

Time (3 Feb 2013)

Packets

Fig. 26 Total number of packets per second smtp traffic on 3 Feb 2013 with botnet test SMTP Spam p2p Attacks

4.2.9 Analysis on SMTP Packet characteristic


0.01

0.1

1

10

Jun-12 Jun-13 Jun-14 Jun-15 Jun-16 BotnetTesting

BotnetTraining

Tim

e (

s)

Dataset

RTT/RTO/3WHS

RTT RTO RTO2 3WHS

DATASET RTT (s) RTO (s) RTO2 (s) 3WHS (s)

Jun-12 0.03 0 0 0.045

Jun-13 0.03 0 0 0.045

Jun-14 0.03 0 0 0.045

Jun-15 0.03 0 0 0.045

Jun-16 0.03 0 0 0.045

Botnet Testing 0 2.9 6 0

Botnet Training 0 2.2 2.9 0

Fig. 27 Max roundtrip time and retransmission time out for7 internet dataset

Table 6 Max roundtrip time and retransmission time out for7 internet dataset

4.2.10 Time to live packet client


0

20

40

60

80

100

120

140

Jun-12 Jun-13 Jun-14 Jun-15 Jun-16 Botnet Testing BotnetTraining

Hop L

imit

Internet Traffic Dataset (SMTP)

TTL

TTL

DATASET TTL

Jun-12 58

Jun-13 58

Jun-14 58

Jun-15 58

Jun-16 64

Botnet Testing 128

Botnet Training 128

Fig. 28 Average TTL for packet for 7 internet traffic dataset

Table 7 Average TTL for packet for

7 internet traffic dataset

Conclusion

By using Decision Three Algorithm we can study the Botnet attacks at early

stage before arrive to target SMTP Server

Most of botnet attacks come from windows based platform

This approach only valid within under multi domain SDN controller environment.

RTT and RTO are related to the Botnet attacks smtp server.

These research also can be focus on other protocol such as http


Reference[1] T. Ouyang, S. Ray, M. Allman, and M. Rabinovich, “A large-scale empirical analysis of email spam

detection through network characteristics in a stand-alone enterprise,” Comput. Networks, vol. 59, pp. 101–

121, 2014.

[2] D. Rana, N. Garg, and S. Chamoli, “A Study and Detection of TCP SYN Flood Attacks with IP spoofing

and its Mitigations,” Int. J. …, vol. 3, no. August, pp. 1476–1480, 2012.

[3] H. Chen, C. Mao, and S. Tseng, “An Approach for Detecting a Flooding Attack Based on Entropy

Measurement of Multiple E-Mail Protocols,” vol. 18, no. 1, pp. 79–88, 2015.

[4] K. Phemius, M. Bouet, and J. Leguay, “DISCO: Distributed multi-domain SDN controllers,” IEEE/IFIP

NOMS 2014 - IEEE/IFIP Netw. Oper. Manag. Symp. Manag. a Softw. Defin. World, 2014.

[5] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” SDN4FNS 2013 - 2013

Work. Softw. Defin. Networks Futur. Networks Serv., 2013.

[6] S. Lim, J. Ha, H. Kim, Y. Kim, and S. Yang, “A SDN-Oriented DDoS Blocking Scheme for Botnet-Based

Attacks,” pp. 63–68, 2014.

[7] T. Xingl, Z. Xiongl, and D. Huangl, “SDNIPS: Enabling Software-Defined Networking Based Intrusion

Prevention System in Clouds 1,” pp. 308–311, 2014.

[8] M. Vizv and J. Vykopal, “Future of DDoS Attacks Mitigation in Software Defined Networks.”

[9] T. Sochor, “Overview of e-mail SPAM Elimination and its Efficiency,” in Research Challenges in

Information Science (RCIS), 2014 IEEE Eighth International Conference on, 2014, pp. 1 – 11.

[10] P. Lin, P. Lin, P. Chiou, and C. Liu, “Detecting Spamming Activities by Network Monitoring with Bloom

Filters,” pp. 163–168, 2013.15/4/2016

51

END

Thank You


Documents

RHUL workshop on February 29 An Analysis of …...A distributed denial-of-service (DDoS) Botnet attack on SMTP serverKyushu University , Japan 15/4/2016 5 Mail transfer Agent Fig