This week, Georgia Tech unveiled BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for command and control channels. Apparently the BotSniffer detector has been built as an independent plug-in for the popular open source intrusion detection system Snort. With a host system that’s as widely used as Snort, there is a good chance of such a system eventually making it into the real world. The paper released by Georgia Tech’s School of Computer Science says, “We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.”

The paper suggests that botnets’ command and control mechanism may be their Achilles’ heel. These command and control channels are used by botmasters to relay instructions to the infected hosts. Instructions are either delivered ‘live’ via IRC channels or via HTTP, where the bot connects at pre-specified intervals and collects instructions from a Web server. If these channels of communication are detected and cut off, then the botmaster no longer has control of his zombies: “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network.”


There are normally multiple bots on a network so thorough analysis of traffic or host activity can pick out behavioural traits and detect bot-like activity: “We observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command — obtain system information, scan the network — and report to the command and control server with the progress/result of the task.”
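The spatial-temporal correlation the paper describes can be approximated with a simple group-activity check over flow records. The Python script below is an added example written for this post, not BotSniffer's own code or the Snort plug-in: it groups outbound flows by destination server and port, looks for short time windows in which several internal hosts contact the same server with near-identical message sizes (the bots all "reporting the result" of one command), and only reports a server once that pattern repeats across rounds. The flow records, the window and threshold values, and the host addresses are all constructed for the illustration.

```python
"""Toy group-activity detector in the spirit of BotSniffer (added example, not the paper's code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_host, dst_port, bytes_sent).
# Three internal hosts answer the same server within a few seconds in two separate rounds;
# the remaining records are ordinary, uncorrelated traffic used as a control.
SAMPLE_FLOWS = [
    # round 1: three hosts report to the same server almost simultaneously, similar sizes
    (100.0, "10.0.0.11", "198.51.100.7", 6667, 412),
    (101.5, "10.0.0.12", "198.51.100.7", 6667, 418),
    (103.2, "10.0.0.13", "198.51.100.7", 6667, 409),
    # round 2: the same hosts, half an hour later, after another command
    (1900.0, "10.0.0.11", "198.51.100.7", 6667, 1210),
    (1901.1, "10.0.0.13", "198.51.100.7", 6667, 1198),
    (1902.7, "10.0.0.12", "198.51.100.7", 6667, 1225),
    # ordinary browsing to a popular web server: spread out in time, varied sizes
    (100.0, "10.0.0.21", "203.0.113.5", 443, 150),
    (140.0, "10.0.0.22", "203.0.113.5", 443, 9800),
    (260.0, "10.0.0.23", "203.0.113.5", 443, 2300),
    (300.0, "10.0.0.21", "203.0.113.5", 443, 75),
    # a single host polling one server regularly: periodic, but no group behaviour
    (100.0, "10.0.0.31", "192.0.2.9", 80, 300),
    (160.0, "10.0.0.31", "192.0.2.9", 80, 301),
    (220.0, "10.0.0.31", "192.0.2.9", 80, 299),
]


def group_by_server(flows):
    """Bucket flows by (dst_host, dst_port), the candidate command and control endpoint."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(dst, port)].append((ts, src, nbytes))
    return groups


def similar_sizes(sizes, max_cv):
    """True when the message sizes are nearly identical (low coefficient of variation)."""
    if len(sizes) < 2:
        return False
    m = mean(sizes)
    return m > 0 and pstdev(sizes) / m <= max_cv


def correlated_rounds(events, window, min_hosts, max_cv):
    """Return (start_time, hosts) for each window in which at least min_hosts distinct
    hosts contact the server with similar-sized messages.  A matched window is
    consumed whole so that one round is not counted several times."""
    events = sorted(events)
    rounds = []
    i = 0
    while i < len(events):
        t0 = events[i][0]
        in_window = [e for e in events[i:] if e[0] < t0 + window]
        hosts = {src for _, src, _ in in_window}
        if len(hosts) >= min_hosts and similar_sizes([b for _, _, b in in_window], max_cv):
            rounds.append((t0, frozenset(hosts)))
            i += len(in_window)  # skip past this round
        else:
            i += 1
    return rounds


def detect_botnet_groups(flows, window=10.0, min_hosts=3, max_cv=0.1, min_rounds=2):
    """Report servers whose clients show repeated spatial-temporal correlation.
    Requiring several rounds keeps a single coincidental burst from raising an alert."""
    suspects = {}
    for server, events in group_by_server(flows).items():
        rounds = correlated_rounds(events, window, min_hosts, max_cv)
        if len(rounds) >= min_rounds:
            hosts = set().union(*(h for _, h in rounds))
            suspects[server] = {"rounds": len(rounds), "hosts": hosts}
    return suspects


if __name__ == "__main__":
    for (dst, port), info in detect_botnet_groups(SAMPLE_FLOWS).items():
        print(f"suspected C&C {dst}:{port}: {info['rounds']} correlated rounds, "
              f"hosts {sorted(info['hosts'])}")
```

Only the IRC server gets reported: the web server is contacted by as many hosts, but their requests are spread over minutes and differ wildly in size, and the single polling host never forms a group. The thresholds are deliberately loose to keep the example readable; a real deployment would tune the window and the size tolerance per protocol and would also weigh how many rounds a host took part in before isolating it.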


BotSniffer is certainly not the only attempt to stamp out what has quickly become one of the Internet’s biggest problems. Desktop antivirus and security packages from all of the big-brand security vendors are incorporating features aimed at locking out botnets by detecting and removing the malicious software that turns so many desktop computers into evil zombies. I think this highlights an important point: if botnets are to be beaten, the problem has to be attacked from several different angles. ISPs trying to detect command and control channels will most likely never have complete success. Once ISPs or network admins start to detect and isolate infected hosts, bots will undoubtedly find ways to avoid detection, just as viruses do: they can encrypt communications, randomize behaviour, and so on. The analysis will get smarter, but it becomes a game of catch-up. If botnets are also losing hosts to improved desktop protection, then they come under pressure on several fronts and will find it hard to grow.


Spam blocking is a good example of how various types of filtering can work together to block unsolicited junk e-mail. Around 85 percent of all incoming e-mail is blocked by my Barracuda Spam Firewall. This is achieved by combining techniques such as virus scanning, user policies, rate control, Bayesian analysis, rule-based scoring, and IP reputation analysis. Alone, none of these forms of detection would be adequate; combined, however, they form a sturdy defence, blocking 90-95 percent of the unwanted junk mail thrown at our servers daily.

Network-based detection of botnets seems like a very good idea, and with programs like BotSniffer able to plug into existing intrusion detection systems, we could well see the tables turn on botmasters. I could see this type of traffic analysis being very effective at the ISP level: ISPs already analyse traffic for illegal downloads, so I can’t see that listening for bots would be much of an additional burden.


Do you currently take any measures to detect or block unwanted and potentially dangerous network traffic? Bots, or even P2P and other rogue applications, can have a massive impact on network security and performance. If you do, I’d be interested to know what techniques you use: leave a comment and share your experience.
