International Journal of Engineering Trends and Technology (IJETT) – Volume 23 Number 3 - May 2015
Botnet Abolish Using Honey pot
Komal singh
1 M.Tech Student, Department of CSE, B.S. Anangpuria Institute of Technology and Management, Alampur, India
2 Assistant Professor, Department of CSE, B.S. Anangpuria Institute of Technology and Management, Alampur, India
ABSTRACT
Honeypots are a modern approach to network security. Because botnets can be used for illicit financial gain, they have become quite popular in Internet attacks. Honeypots have been successfully deployed in many defense systems. Thus attackers constructing and maintaining botnets will be forced to find many ways to avoid honeypot traps. An independent honeypot detection methodology is based on the following assumption: security professionals deploying honeypots have liability constraints such that they cannot allow their honeypots to participate in real attacks. Based on this assumption, attackers cannot detect honeypots in their botnet by checking whether the compromised machine in the botnet can successfully send out unmodified malicious traffic to the attacker's sensor.
Keywords: BOTNET, HONEYPOT, DDoS
ISSN: 2231-5381
INTRODUCTION
The rapid development of the Internet over the past decade appears to have facilitated an increase in the incidence of online attacks. One such powerful and harmful attack is the denial of service (DoS) attack. A DoS attack significantly threatens the network, especially if such an attack is distributed. A distributed DoS (DDoS) attack is launched by a mechanism called a Botnet through a network of controlled computers. The computers are controlled, for specific purposes, by software programs known as bots. Bots are small scripts that have been designed to perform specific, automated functions. Bots are utilized by agents for Web indexing or spidering, as well as to collect online product prices or to perform such duties as chatting. However, bots are negatively associated with remote access Trojan Horses (e.g., the Zeus bot) and zombie computers that are created for less favorable purposes. Bots in large quantities provide the computing power to create prime tools for such activities as the widespread delivery of SPAM email, click fraud, spyware installation, virus and worm dissemination, and DDoS attacks (e.g., the BlackEnergy bot). DDoS attacks usually take advantage of the weaknesses of the network layer, particularly SYN, UDP, and Internet Control Message Protocol (ICMP) flooding. Such attacks encroach on the network bandwidth and resources of the victim, thus facilitating the denial of legitimate access.
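The three flood types named above (SYN, UDP and ICMP) share one detectable shape: many packets of one kind reaching one victim in a short window, from many sources. The following added example (not code from the paper) shows a simple detector for that shape over constructed packet records; the window size, thresholds and addresses are assumptions chosen for the illustration.

```python
"""Flood detection over constructed packet records.

Added example: flags SYN, UDP and ICMP floods against a victim host by
counting flood-type packets per destination inside a sliding time window.
The packet records are constructed for the example; the window, threshold
and min_sources values are assumptions, not values from the paper.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    tcp_flags: str = ""  # e.g. "S", "SA", "A" (tcp only)
    icmp_type: int = -1  # 8 = echo request (icmp only)


def flood_class(pkt: Packet) -> Optional[str]:
    """Map a packet to the flood type it could contribute to, or None."""
    if pkt.proto == "tcp" and "S" in pkt.tcp_flags and "A" not in pkt.tcp_flags:
        return "syn"       # bare SYN: half-open connection attempt
    if pkt.proto == "udp":
        return "udp"
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        return "icmp"      # echo request
    return None


def detect_floods(packets, window=1.0, threshold=100, min_sources=10):
    """Return one alert per (dst, class) the first time its window overflows.

    An alert is raised when more than `threshold` packets of one flood class
    reach one destination within `window` seconds, coming from at least
    `min_sources` distinct sources (one noisy source is a DoS, not a DDoS).
    """
    windows = defaultdict(deque)   # (dst, class) -> deque of (ts, src)
    alerted = set()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        cls = flood_class(pkt)
        if cls is None:
            continue
        key = (pkt.dst, cls)
        q = windows[key]
        q.append((pkt.ts, pkt.src))
        while q and pkt.ts - q[0][0] > window:   # drop packets outside the window
            q.popleft()
        if key in alerted:
            continue
        sources = {s for _, s in q}
        if len(q) > threshold and len(sources) >= min_sources:
            alerted.add(key)
            alerts.append({"dst": pkt.dst, "type": cls, "packets": len(q),
                           "sources": len(sources), "ts": pkt.ts})
    return alerts


def sample_traffic():
    """Constructed traffic: normal handshakes plus a spoofed SYN flood on 10.0.0.5."""
    pkts = []
    # legitimate three-way handshakes from five clients spread over 10 seconds
    for i in range(50):
        t = i * 0.2
        c = f"192.168.1.{10 + i % 5}"
        pkts.append(Packet(t, c, "10.0.0.5", "tcp", "S"))
        pkts.append(Packet(t + 0.01, "10.0.0.5", c, "tcp", "SA"))
        pkts.append(Packet(t + 0.02, c, "10.0.0.5", "tcp", "A"))
    # SYN flood: 500 SYNs within 0.5 s from 250 spoofed sources (TEST-NET-3 range)
    for i in range(500):
        pkts.append(Packet(5.0 + i * 0.001, f"203.0.113.{i % 250}", "10.0.0.5", "tcp", "S"))
    return pkts


if __name__ == "__main__":
    for alert in detect_floods(sample_traffic()):
        print(alert)
```

The distinct-source condition is what separates the DDoS case from a single misbehaving client; the legitimate handshakes never exceed a handful of SYNs per window, so they produce no alert even though they use the same destination.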
BOTNETS BASED DDOS ATTACKS
This section provides a background on Botnets and how they facilitate DDoS attacks that hamper the Web server. Botnets compromise a network of machines with programs (usually referred to as a bot, zombie, or drone) and operate under a command and control (C&C) management infrastructure. The management of Botnets typically affects a series of systems through numerous tools and through the installation of a bot that can remotely control the victim using Internet Relay Chat (IRC). Present Botnets are most frequently used to spread DDoS attacks on the Web. Moreover, the attackers can change their communication approach during the creation of the bots. The majority of bots vary in their potential to participate in such attacks. The most typical and commonly implemented Botnet attack on the application layer is the HTTP/S flooding attack, which launches bots created by the HTTP server. Such bots are thus called Web-based bots. The goal of a Botnet-based DDoS attack is to inflict damage at the victim side. In general, the ulterior motive behind this attack is personal, which means blocking the available resources or degrading the performance of the service which is required by the target machine. Therefore, the DDoS attack is committed for revenge purposes. Another aim of performing these attacks can be to gain popularity in the hacker community. In addition to this, these attacks can also be performed for material gain, which means breaking confidentiality and using the data for their own use.
http://www.ijettjournal.org
Fig 1: BOTNET
BOTNET BASED DDOS ATTACK ARCHITECTURE
Botnet-based DDoS attack networks fall under three categories, namely, the agent-handler, IRC-based, and Web-based models.
Agent-Handler Model
The agent-handler model [6] of a DDoS attack comprises clients, handlers, and agents as shown in Fig. 2. The client is the one with whom the attacker communicates in the DDoS attack system. The handlers are software packages located throughout the Internet. The client uses these packages to communicate with the agents. The agent software resides in compromised systems, eventually conducting the attack at the appropriate time. The attacker communicates with any of the handlers to identify operational agents and to determine when to attack or to upgrade agents. Owners and users of agent systems are typically unaware that their system has been compromised and is being used in a DDoS attack. Depending on the configuration of the DDoS attack network, agents can be instructed to communicate with one handler or with multiple handlers. Attackers often attempt to install the handler software on a compromised router or network server. The target typically handles large volumes of traffic, making message identification difficult between the client and the handler and between the handler and the agents. The terms handler and agents are sometimes replaced with master and daemons, respectively, in descriptions of DDoS tools.
Fig 2: AGENT HANDLER MODEL
Internet Relay Chat (IRC) Model
The architectures of the IRC-based [6] DDoS attack, as shown in Figure 3, and of the agent-handler model are almost similar. However, instead of employing a handler program that is installed on a network server, the client is connected to the agents through an IRC communication channel. An IRC channel benefits an attacker with the use of legitimate IRC ports to send commands to agents. The use of legitimate ports hinders the tracking of DDoS command packets. Additionally, IRC servers tend to have large volumes of traffic, enabling an attacker to conceal its presence easily. The attacker does not necessarily maintain a list of the agents because it can immediately enter the IRC server and view all available agents. The agent software in the IRC network sends and receives messages through the IRC channel and informs the attacker when an agent becomes operational.
Figure 3: INTERNET RELAY CHAT
Web-based Model
Although the most preferred method for Botnet command and control (C&C) is the IRC-based model, Web-based [6] reporting and command has emerged over the past few years. A number of bots in the Web-based model simply report statistics to a Web site, whereas others are intended to be fully configured and controlled through complex PHP scripts and encrypted communications over the 80/443 port and the HTTP/HTTPS protocol. The following are the advantages of Web-based controls over IRC: ease of set-up and website configuration; improved reporting and command functions; less bandwidth requirement and the acceptance of large Botnets for the distributed load; concealment of traffic and hindrance of filtering through the use of port 80/443; resistance to Botnet hijacking via chat-room hijacking; and ease of use and of acquisition.
ADVANTAGES OF HONEYPOTS
Being a part of the network security mechanism, honeypots have many advantages. Here we will highlight some specialties of honeypots.
Small data sets:
Any connection made with the honeypot is considered as malicious. So the thousands of alerts logged by organizations can be reduced to hundreds of entries.
Reduced False Positives:
Honeypots help in reducing false positives. The larger the probability that a security resource produces false positives or false alerts, the less likely the technology will be deployed. Any activity with the honeypot is considered dangerous, making it efficient in detecting attacks.
Catching False Negatives:
Catching false negatives with the help of honeypots is quite easy because every connection made to a honeypot is considered unauthorized. Traditional attack detection tools, such as signature-based detection tools, fail in detecting new attacks. These tools detect only those attacks whose signatures are already in their database. As per the honeypot's approach, there is no need for a predefined database.
Encryption:
Honeypots have the capability to capture malicious activity even if it is in encrypted form. Encrypted probes and attacks interact with the honeypots as end points, where the activity is decrypted by the honeypot.
Working with IPv6:
Honeypots work in any IP environment, including IPv6. IPv6 is the new version of IPv4 and is actively used by countries like Japan and by the Department of Defense. Many current technologies like firewalls and IDS sensors do not work on IPv6.
Flexible:
Honeypots are extremely adaptable in a variety of environments, from a social security number embedded into a database to an entire network of computers designed to be broken into.
Minimal Resources:
Honeypots require minimal resources. A simple Pentium computer can monitor millions of IP addresses.
DISADVANTAGES OF HONEYPOTS
Single Data Point:
One huge drawback generally faced by honeypots is that they are worthless if no one attacks them. Obviously, they can accomplish wonderful things, but if the attacker doesn't send any packet to the honeypots then they would be blissfully unaware of any unauthorized activity.
Risk:
Once compromised, honeypots can introduce risk to the organization's environment. Different kinds of honeypots possess different levels of risk. Low interact.
CONCLUSION
This study on botnet activities examines the most popular botnet types in the network and the evolution towards decentralized, sophisticated types of malicious networks with a variety of
infection mechanisms, one of which is obvious and potentially dangerous: infection through popular websites. Close inspection of website code may be done both on the server and remotely, which allows implementing various independent tools for both site users and administrators. Log analysis and anomaly-based traffic detection methods (such as too many connections or unexpected source address ranges) may provide information about suspicious activities in a possibly compromised website. With different automation levels and different degrees of false positives, all suggested detection methods may be used successfully together or separately.
References
1. Navneet Kambow, Lavleen Kaur Passi, "Honeypots: The Need of Network Security", (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 5 (5), 2014, 6098-6101.
2. Cliff C. Zou, Ryan Cunningham, "Honeypot-Aware Advanced Botnet Construction and Maintenance", School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL 32816-2362, {czou,rcunning}@cs.ucf.edu.
3. Bhavani Thuraisingham, Latifur Khan, Mohammad M. Masud, Kevin W. Hamlen, "Data Mining for Security Applications", The University of Texas at Dallas, {bhavani.thuraisingham,lkhan,mehedy,hamlen}@utdallas.edu.
4. Srivathsa S Rao, Vinay Hegde, Boruthalupula Maneesh, Jyothi Prasad N M, Suhas Suresh, "Web Based Honeypots Network", International Journal of Scientific and Research Publications, Volume 3, Issue 8, August 2013, ISSN 2250-3153, www.ijsrp.org.
5. Ping Wang, Lei Wu, Ryan Cunningham, Cliff C. Zou, "Honeypot Detection in Advanced Botnet Attack", Int. J. Information and Computer Security, Vol. x, No. x, xxxx.
6. "Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art", International Journal of Computer Applications (0975 – 8887), Volume 49, No. 7, July 2012.
7. B.B. Gupta, M. Misra, R.C. Joshi, "FVBA: A combined statistical approach for Low Rate Degrading and high bandwidth disruptive DDoS Attack detection in ISP Domain", in the proceedings of the 16th IEEE International Conference on Networks (ICON-2008), DOI: 10.1109/ICON.2008.4772654, New Delhi, India, 2008.