1. BOTNETS' NETWORKS
Zsolt Bederna
2. SHORT INTRODUCTION
• IT security consultant
• CTO of a startup dealing with the human factor of IT security
• Doctoral student at the Doctoral School of Security Sciences of Óbuda University, Hungary
• MBA student at the Institute of Business Economics, Eötvös Loránd University (ELTE)
• ISACA, ISC2 and EC-Council member, regular volunteer
• One of the organisers of the National Cyber Competition series
• Member of the editorial board of the Külügyi Műhely journal
3. REFERENCES
• Bederna, Zsolt & Váczi, Dániel & Pollner, Péter & Szádeczky, Tamás (2019). Támadás hálózatba szervezve. In Hálózatok a közszolgálatban, pp. 223-247. Ludovika Egyetemi Kiadó Nonprofit Kft. ISBN 978-963-531-081-4.
• Bederna, Zsolt & Szádeczky, Tamás (2019). Cyber espionage through Botnets. Security Journal, pp. 1-20. DOI 10.1057/s41284-019-00194-6.
• Bederna, Zsolt & Rajnai, Zoltán (2020). Analysis of static and dynamic parameters of players in cyberspace. TIEES 2020 conference.
• Bederna, Zsolt & Rajnai, Zoltán & Szádeczky, Tamás (2020). Attacks against energy, water and other critical infrastructure in the EU. IEEE Cando EPE 2020 (in press).
• Bederna, Zsolt (2015). Fuzzy-based intrusion detection. Hadmérnök, Volume X, Issue 1, pp. 147-160.
6. BOTNETS
A botnet is a group of Internet-connected computers whose resources are used by an attacker, or a group of attackers, without the knowledge or permission of the owners, to carry out one or more cyber-attacks as part of illegal activity.
Directive 2013/40/EU distinguishes between:
• Illegal access to information systems (Article 3)
• Illegal system interference (Article 4)
• Illegal data interference (Article 5)
• Illegal interception (Article 6)
9. BOTNET'S COMPONENTS
Botnets vary in structure, capabilities and technical implementation, but generally include one or more controlling parties (botmaster or botherder), one or more control servers (Command and Control, C&C or C2) and one or more controlled machines (bots).
10. STRUCTURE OF BOTNETS
Type (number and connections of C&C servers):
• Centralised: a fixed number of one or more servers perform the C&C function; with several servers they can also be organised hierarchically. Each additional layer increases the complexity of the botnet and the chance of hiding the botmaster, while the number of C&C servers within a layer provides load balancing and redundancy.
• Decentralised: there is no dedicated C&C server; each bot performs (or can perform) this function.
• Hybrid: some C&C servers work in peer-to-peer mode.
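The trade-off behind this table, as an added example in Python (not code from the slides): three toy botnets with the same number of bots are built as undirected graphs, nodes are taken down, and the share of bots that still have a path to the botmaster is measured. The layouts, the sizes, the ring-plus-random-chords peer-to-peer overlay, the seed bots through which the botmaster injects commands and the degree-based takedown policy are all assumptions for illustration.

```python
"""Added example (not from the slides): how the C&C layout of a botnet
changes its resistance to a takedown. Layouts, sizes and the removal
policy are assumptions for illustration."""
from collections import deque
import random

BOTMASTER = "botmaster"


def _link(g, a, b):
    g.setdefault(a, set()).add(b)
    g.setdefault(b, set()).add(a)


def centralised(n_bots, n_servers):
    """Flat layout: the botmaster talks to every C&C server and each bot is
    configured with exactly one server (round-robin, i.e. load balancing)."""
    g = {BOTMASTER: set()}
    servers = [f"c2-{i}" for i in range(n_servers)]
    for s in servers:
        _link(g, BOTMASTER, s)
    for b in range(n_bots):
        _link(g, f"bot-{b}", servers[b % n_servers])
    return g


def hierarchical(n_bots, n_top, n_leaf_per_top):
    """Two C&C layers: the botmaster reaches only the top layer, each top
    server fronts a group of leaf servers, and bots know only a leaf."""
    g = {BOTMASTER: set()}
    leaves = []
    for t in range(n_top):
        top = f"top-{t}"
        _link(g, BOTMASTER, top)
        for j in range(n_leaf_per_top):
            leaf = f"leaf-{t}-{j}"
            _link(g, top, leaf)
            leaves.append(leaf)
    for b in range(n_bots):
        _link(g, f"bot-{b}", leaves[b % len(leaves)])
    return g


def peer_to_peer(n_bots, degree, seed=1):
    """Decentralised layout: no dedicated server, every bot relays commands.
    Overlay = ring (keeps it connected) plus random chords; the botmaster
    injects commands through the first `degree` bots (assumed seed nodes)."""
    rng = random.Random(seed)
    g = {BOTMASTER: set()}
    bots = [f"bot-{b}" for b in range(n_bots)]
    for i, b in enumerate(bots):
        _link(g, b, bots[(i + 1) % n_bots])
        for peer in rng.sample(bots, degree - 1):
            if peer != b:
                _link(g, b, peer)
    for b in bots[:degree]:
        _link(g, BOTMASTER, b)
    return g


def reachable_bots(g, removed):
    """BFS from the botmaster over surviving nodes: the bots that can still
    receive a command after the nodes in `removed` have been taken down."""
    removed = set(removed)
    seen = {BOTMASTER}
    queue = deque([BOTMASTER])
    while queue:
        node = queue.popleft()
        for nxt in g[node]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if n.startswith("bot-")}


def reachable_fraction(g, removed):
    n_bots = sum(1 for n in g if n.startswith("bot-"))
    return len(reachable_bots(g, removed)) / n_bots


def highest_degree(g, k):
    """Targeted takedown: the k best-connected nodes other than the botmaster
    (ties broken by name so the result is deterministic)."""
    nodes = [n for n in g if n != BOTMASTER]
    return sorted(nodes, key=lambda n: (-len(g[n]), n))[:k]


if __name__ == "__main__":
    nets = {
        "centralised, 1 server": centralised(200, 1),
        "centralised, 4 servers": centralised(200, 4),
        "hierarchical, 2x2 servers": hierarchical(200, 2, 2),
        "peer-to-peer, degree 4": peer_to_peer(200, 4),
    }
    for name, g in nets.items():
        for k in (1, 2):
            hit = highest_degree(g, k)
            print(f"{name:26s} remove {k} -> {reachable_fraction(g, hit):.2f} of bots still reachable")
```

Removing the only server of a flat botnet disconnects every bot, removing one of four leaves three quarters reachable, removing a top-layer server of the two-layer botnet takes its whole subtree with it, and in the peer-to-peer overlay only the removed nodes themselves (plus any bot whose every neighbour was removed) drop out, which is why takedowns of such botnets target the seeding or sinkholing of the overlay rather than single hosts.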
14. BOTNETS' OPERATION CYCLE
(1) Initial infection: the botmaster starts to infect network nodes through at least one attack vector, exploiting one or more vulnerabilities present on the node.
(2) Secondary injection: after a successful infection, the node downloads the agent's code.
(3) Connection: each agent connects to one of the C&C servers.
(4) Command and control: the C&C servers relay the botmaster's commands to the bots, for example to take part in an attack campaign.
(5) Updates and maintenance: bug fixes and new features are produced and pushed to the bots, which install the updates. The botmaster may also temporarily put the whole network, or part of it, into a sleeping mode, or issue a complete switch-off command.
16. CHARACTERISATION OF ATTACKERS
The security industry generally distinguishes the following threat actors in cyberspace: (1) script kiddies, (2) malicious insiders, (3) cybercriminals, (4) hacktivists, (5) cyber terrorists and (6) state-sponsored actors.
The actors are listed in increasing order of knowledge and capability, but such an over-simplified categorisation discards a great deal of information.
My proposed parameters of a threat are the following: (1) motivation; (2) capabilities; (3) source of the attack; (4) applied business model; and (5) willingness to cooperate.
17. DISTINGUISHING CAPABILITIES
Capabilities represent the application of the tools in the attacker's portfolio. Social engineering, technical tools and physical capabilities can be distinguished. Each of them has its own effect and usability in the cyber kill chain model.
[Figure: capabilities, split between humans and technology]
18. COOPERATION WITHIN THE ORGANISATION
According to Dr. Charlie Miller's investigation:
• 592 people
• $45.9 million in annual salaries (an average annual salary of $77,534)
• $3 million in equipment
Source: Charlie Miller (2010). DEF CON 18 presentation. https://www.defcon.org/images/defcon-18/dc-18-presentations/Miller/DEFCON-18-Miller-Cyberwar.pdf
19. COOPERATION BETWEEN ORGANISATIONS
Source: MIT Technology Review (2018). Inside the business model for botnets. https://www.technologyreview.com/2018/05/14/142895/inside-the-business-model-for-botnets/
Source: Denis Makrushin (2017). The cost of launching a DDoS attack. SecureList. https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/
20. COOPERATION BETWEEN ORGANISATIONS
• In Crimeware as a Service, identified vulnerabilities and the related exploits are offered either generically or for a specifically targeted scenario. Zero-day vulnerabilities, Advanced Persistent Threat (APT) tooling and malware such as rootkits and ransomware are on offer, as well as droppers, keyloggers and hiding tools such as cryptors and polymorphic packers.
• In the Cybercrime Infrastructure as a Service model, criminals offer infrastructure elements, specifically clients and servers. The clients are bots ready to process commands; on the server side, information about the vulnerabilities of scanned servers is put up for sale.
• With Hacking as a Service, the complete process is outsourced to the "service provider", including planning and on-demand execution.
21. BUSINESS
[Figure: business model diagram with the labels Crimeware as a Service, Cybercrime Infrastructure as a Service and Dr. Charlie Miller's DEF CON presentation]
Source: MIT Technology Review (2018). Inside the business model for botnets. https://www.technologyreview.com/2018/05/14/142895/inside-the-business-model-for-botnets/
22. TECHNOLOGICAL CAPABILITIES
• Infection and the ability to spread
• Connection to the C&C server
• Receiving new commands and updates
• Hiding on the infected device and in the network
• Self-destruction
• Type of attack implemented, depending on the target (spam, ransomware, DDoS, spyware, etc.)
23. ATTACKS AGAINST ESSENTIAL SERVICES (EU)
[Figure: DDoS and ransomware attacks against essential services in the EU]
24. APT28 AND BOTNETS: EXAMPLE
In May 2018, one of the most extensive campaigns reported concerned a botnet of approximately 500,000 devices infected with the VPNFilter malware. Cisco Talos researchers found an overlap between VPNFilter and BlackEnergy, the malware that targeted the Ukrainian power grid in the winter of 2015-2016.
Stage one relied on connecting either to one of twelve hard-coded Photobucket URLs or to the Toknowall website.
Stage two had the capabilities of an intelligence-collection platform, such as file collection, command execution, data exfiltration and device management; some versions also had a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device.
There were multiple stage-three modules, plugins for the stage-two malware with additional functionality, such as a packet sniffer and a communications module allowing communication over Tor.
26. DEFENSE CAPABILITIES
Limitation
Knowing the relevant characteristics of existing and operational botnets plays an important and decisive role in the design of effective protection methodologies.
Parameters that can be analysed:
• Start and end of the communication
• Protocol used
• Number of TCP flags set during the communication
• Number of packets sent during the communication
• Number of bytes sent during the communication
• Time elapsed during the communication
• Initiator of the communication (server or client)
• Average number of bytes sent per packet
• Number of successful C&C contacts
• Number of DNS queries
• Periodicity of the communication with the C&C server
27. PROPAGATION PATTERNS – PORT SCAN
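The parameters of the defence slide and the port-scan propagation pattern of this slide, as one added example in Python (not code from the slides): flow records are aggregated per client-server pair into the listed features, a beaconing check flags pairs with many evenly spaced, low-volume, client-initiated contacts, and a scan check flags a source that sends one-packet probes to the same port on many hosts. The flow records (a beaconing bot, a browsing user and a scanning bot), the addresses and the thresholds are constructed for illustration.

```python
"""Added example (not from the slides): the per-flow parameters of the
defence slide computed from flow records and used for two checks,
periodic low-volume C&C contact (beaconing) and the horizontal port scan
of a propagating bot. Records, addresses and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str          # initiator of the communication (client side)
    dst: str
    dport: int
    proto: str
    start: float      # seconds
    end: float
    packets: int
    bytes: int
    flags: str        # TCP flags seen, one letter each (S, A, P, F, R)


def _jitter(i):
    return ((i * 7) % 5) - 2          # deterministic -2..+2 s scheduling noise


# Constructed sample: a beaconing bot, a browsing user and a scanning bot.
FLOWS = (
    [Flow("10.0.0.5", "203.0.113.10", 443, "tcp",
          1000 + 300 * i + _jitter(i), 1000 + 300 * i + _jitter(i) + 1.2,
          6, 900, "SAPF") for i in range(8)]
    + [Flow("10.0.0.7", "198.51.100.20", 443, "tcp", t, t + d, p, b, "SAPF")
       for t, d, p, b in [(1010, 30, 120, 180000), (1400, 5, 40, 52000),
                          (2900, 60, 300, 410000), (3010, 2, 15, 9000),
                          (3500, 12, 80, 99000)]]
    + [Flow("10.0.0.9", f"10.0.0.{h}", 445, "tcp", 5000 + 0.1 * h, 5000 + 0.1 * h,
            1, 60, "S") for h in range(20, 50)]
)


def pair_features(flows):
    """Aggregate the slide's parameters per (client, server) pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    out = {}
    for pair, fs in by_pair.items():
        fs.sort(key=lambda f: f.start)
        gaps = [b.start - a.start for a, b in zip(fs, fs[1:])]
        total_pkts = sum(f.packets for f in fs)
        periodic = len(gaps) >= 2 and mean(gaps) > 0
        out[pair] = {
            "contacts": len(fs),                          # successful contacts
            "mean_packets": mean(f.packets for f in fs),
            "bytes_per_packet": sum(f.bytes for f in fs) / total_pkts,
            "mean_duration": mean(f.end - f.start for f in fs),
            "flags_used": len(set("".join(f.flags for f in fs))),
            "period": mean(gaps) if gaps else None,
            # coefficient of variation of the inter-contact time: near 0 = clockwork
            "period_cv": pstdev(gaps) / mean(gaps) if periodic else None,
        }
    return out


def beacon_candidates(flows, min_contacts=5, max_cv=0.05, max_packets=20):
    """Pairs with many, evenly spaced, small client-initiated contacts."""
    return [pair for pair, ft in pair_features(flows).items()
            if ft["contacts"] >= min_contacts
            and ft["period_cv"] is not None and ft["period_cv"] <= max_cv
            and ft["mean_packets"] <= max_packets]


def scan_candidates(flows, min_hosts=10, max_packets=2):
    """Horizontal scan: one source probing the same port on many hosts with
    one- or two-packet flows (typically a lone SYN)."""
    hosts = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            hosts[(f.src, f.dport)].add(f.dst)
    return [(src, port, len(h)) for (src, port), h in hosts.items()
            if len(h) >= min_hosts]


if __name__ == "__main__":
    for pair, ft in pair_features(FLOWS).items():
        if ft["contacts"] > 1:
            print(pair, {k: round(v, 3) for k, v in ft.items() if v is not None})
    print("beaconing:", beacon_candidates(FLOWS))
    print("scanning:", scan_candidates(FLOWS))
```

The beacon check deliberately keys on the spread of the inter-contact times rather than on the destination or the port, so a bot that rotates C&C addresses still has to randomise its sleep interval to evade it; a browsing session with the same contact count fails the check because its gaps vary by hundreds of seconds.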
29. FUZZY LOGIC (EXAMPLE)
The predefined parameters are:
• ART: average time between received packets
• NSP: number of sent packets
• NRP: number of received packets
Rule: if (ART is high) and (NSP is med) and (NRP is high) then (output is high)
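The rule above evaluated by a minimal Mamdani engine, as an added example in Python (not the slides' or the cited paper's code): trapezoidal membership functions turn crisp ART, NSP and NRP values into degrees of "low", "med" and "high", AND is the minimum of those degrees, each fired rule clips its output term, the clipped terms are aggregated with max, and the centroid gives a crisp suspicion score in [0, 1]. The membership ranges, the output scale and the two extra rules (added so that benign traffic also gets a verdict) are assumptions.

```python
"""Added example (not from the slides): a minimal Mamdani engine that
evaluates the slide's rule. The membership ranges, the suspicion output
scale and the two extra rules are assumptions for illustration."""


def trap(x, a, b, c, d):
    """Trapezoidal membership: 0 below a, rising to 1 at b, 1 up to c,
    falling to 0 at d. a == b or c == d gives a shoulder (saturated end)."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)


# Linguistic terms: name -> trapezoid corners (assumed ranges).
TERMS = {
    "ART": {"low": (0, 0, 1, 3), "med": (2, 4, 5, 7), "high": (6, 8, 10, 10)},   # seconds
    "NSP": {"low": (0, 0, 10, 30), "med": (20, 40, 60, 80), "high": (70, 100, 200, 200)},
    "NRP": {"low": (0, 0, 10, 30), "med": (20, 40, 60, 80), "high": (70, 100, 200, 200)},
}
OUTPUT = {"low": (0, 0, 0.2, 0.5), "med": (0.3, 0.5, 0.5, 0.7), "high": (0.5, 0.8, 1, 1)}

# Rule base: (antecedent, output term). The first rule is the one on the
# slide; the other two are assumed here so that benign traffic gets a verdict.
RULES = [
    ({"ART": "high", "NSP": "med", "NRP": "high"}, "high"),
    ({"ART": "low", "NRP": "low"}, "low"),
    ({"ART": "med"}, "med"),
]


def fuzzify(var, term, value):
    return trap(value, *TERMS[var][term])


def fire(rules, inputs):
    """Firing strength of each rule: AND is the minimum of the memberships."""
    return [min(fuzzify(v, t, inputs[v]) for v, t in ante.items()) for ante, _ in rules]


def infer(rules, inputs, n=201):
    """Mamdani inference: clip each output term at the rule's strength,
    aggregate with max, defuzzify with the centroid over [0, 1]."""
    xs = [i / (n - 1) for i in range(n)]
    agg = [0.0] * n
    for strength, (_, term) in zip(fire(rules, inputs), rules):
        if strength == 0.0:
            continue
        for i, x in enumerate(xs):
            agg[i] = max(agg[i], min(strength, trap(x, *OUTPUT[term])))
    area = sum(agg)
    if area == 0.0:
        return 0.0                       # no rule fired: no evidence either way
    return sum(x * m for x, m in zip(xs, agg)) / area


if __name__ == "__main__":
    for label, obs in [("clockwork bot", {"ART": 9, "NSP": 50, "NRP": 150}),
                       ("borderline", {"ART": 7, "NSP": 50, "NRP": 150}),
                       ("benign", {"ART": 0.5, "NSP": 5, "NRP": 5})]:
        print(f"{label:14s} strengths={fire(RULES, obs)} output={infer(RULES, obs):.2f}")
```

The borderline case shows what the fuzzy approach buys over a crisp threshold: ART = 7 s is only half "high", so the slide's rule fires at strength 0.5 and the score drops smoothly instead of flipping to zero.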
30. NETWORK MODELS
Source: Barabási, Albert-László & Bonabeau, Eric (2003). Scale-free networks. Scientific American. https://barabasi.com/f/124.pdf
32. CONCLUSION: WHERE DOES THE NETWORK APPEAR?
• Cooperation within the organisation
• Cooperation (or competition) between organisations
33. CONCLUSION: WHERE DOES THE NETWORK APPEAR?
• Logical structure
• Propagation and attack patterns
34. THANK YOU FOR YOUR ATTENTION