1、 International Telecommunication Union ITU-T Series XTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 8(12/2010) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.1205 Supplement on best practices against botnet threats ITU-T X-series Recommendations Supplement 8 ITU
2、-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI
3、MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVI
4、CES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.122
5、9 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 E
6、vent/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations. X series Supplement 8 (12/2
7、010) i Supplement 8 to ITU-T X-series Recommendations ITU-T X.1205 Supplement on best practices against botnet threats Summary Supplement 8 to ITU-T X-series Recommendations provides practical solutions as best practices for countermeasures against botnet threats. These best practices can be utilize
8、d by network operators in implementing countermeasures against botnet threats. The best practices are applicable to management, control, and user activities to mitigate security incidents caused by botnet. This Supplement features two best practices. History Edition Recommendation Approval Study Gro
9、up 1.0 ITU-T X Suppl. 8 2010-12-17 17 ii X series Supplement 8 (12/2010) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization
10、Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets e
11、very four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purv
12、iew, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary.
13、 However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative
14、equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a cla
15、imed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not re
16、ceived notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr
17、/. ITU 2011 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. X series Supplement 8 (12/2010) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 4 Abbreviations and acronyms 1 5 Conventions 2 6
18、Overview 2 7 Best Practice 1: Alert operation based on the detection of bot-infected PCs (project name: Cyber Clean Center (CCC) . 3 7.1 Introduction 3 7.2 Purpose of CCC 3 7.3 Basic operation flow: Public awareness activities in collaboration with ISPs . 3 7.4 Effectiveness of CCC . 5 8 Best Practi
19、ce 2: DNS sinkhole 5 8.1 Introduction 5 8.2 Operation of the DNS sinkhole 6 8.3 Effectiveness of the DNS sinkhole . 7 Bibliography. 9 X series Supplement 8 (12/2010) 1 Supplement 8 to ITU-T X-series Recommendations ITU-T X.1205 Supplement on best practices against botnet threats 1 Scope This Supplem
20、ent provides practical solutions as best practices for countermeasures against botnet threats. These best practices can be utilized by network operators in implementing countermeasures against botnet threats. The best practices are applicable to management, control, and user activities to mitigate s
21、ecurity incidents caused by botnet. This Supplement features two best practices. 2 References ITU-T X.1205 Recommendation ITU-T X.1205 (2008), Overview of cybersecurity. 3 Definitions For purposes of this Supplement, the definitions given in ITU-T X.1205 apply. Additionally, the following definition
22、s apply: 3.1 bot: An automated software program used to carry out specific tasks designed for malicious purposes. It is interchangeable with a robot. 3.2 botmaster: An individual responsible for controlling and maintaining a botnet. 3.3 botnet: Remotely controlled malicious software robots (bots) th
23、at are run autonomously or automatically on compromised computers together with a command-and-control server owned by botmasters. 3.4 command-and-control server: A host that allows the botmaster to control indirectly a sub-group or a group of bots in the botnet to forward an attack instruction to la
24、unch attacks. 3.5 DNS sinkhole: A scheme for countering bot threats that is designed to block communication between the bots and a command-and-control server by using the sinkhole scheme; it may render the bots dormant or inactive. 3.6 sinkhole: A scheme for redirecting specific IP traffic to a sink
25、hole device (e.g., sinkhole router) for the purpose of traffic analysis, diversion of attacks, and detection of anomalous behaviours on a network. 4 Abbreviations and acronyms This Supplement uses the following abbreviations and acronyms: C it has the purpose of reducing the number of bot-infected u
26、sers computers in Japan. 7.2 Purpose of CCC As a type of fraudulent program characterized by augmented infection in recent years, bot has a tremendous number of variants. This makes cleaning bots using a conventional type of elimination means against computer viruses difficult. Since attack and infe
27、ction activities of bots occur in constrained portions of programs and are unseen to the outside, users do not realize what is going on in their computers. For a safe Internet environment, this is a serious situation. Given the circumstances above, CCC has been established with the aim of providing
28、botnet countermeasures as an integrated base organization to coordinate among related institutions, ISPs (Internet service providers), and security vendors. The primary purpose of CCC is to investigate the mechanisms of bots attack and infection in an effective, safe manner and to encourage users to
29、 remove bots from their once-infected computers by providing countermeasures (bots removal tool) against bots. Another important purpose of CCC is to detect and remove new types of bots which may not be detected by the existing antivirus software and to share the new bot malware executables with ant
30、ivirus software companies to allow updating their virus patterns at the earliest opportunity. 7.3 Basic operation flow: Public awareness activities in collaboration with ISPs According to the CCC investigation of bot, as one of the factors of bot proliferation, a bot infection unlike earlier viruses
31、 advances in a secret, undetectable manner; the infection route is also unknown to Internet users. To detect bot, the Cyber Clean Center provides decoy machines, “honeypots“, obtains the IP addresses of the infected users computers, and also draws the attention of the infected users in collaboration
32、 with the supported ISPs in this project. Unlike the conventional notification of procedure for removing viruses by e-mail, this CCC alerting method uses e-mail and website in combination. This method directly sends e-mails to an infected user together with a URL of the “bot countermeasure website“
33、that shows how to disinfect bots. In other words, this method can directly give the infected users easy-to-understand explanations on how dangerous bots are and how to remove bots from their computers. Figure 2 shows the conceptual diagram and operational flow of CCC activity. 4 X series Supplement
34、8 (12/2010) Figure 2 Workflow of bots detection and response in CCC 1) Capturing bots The Cyber Clean Center has designed and implemented many “decoy“ machines (Honeypots) to efficiently capture bots executables which are attacked by users infected computers in Japan (Steps (1), and (2) in Figure 2)
35、. In this bot capturing phase, several “logs“ such as the infected PCs IP addresses and time stamps (date and time) of the infection are collected to correctly identify the infected user PC for the corresponding ISPs. 2) Analysis of bots and generation of removal tools The bot executables obtained i
36、n 1) above are carefully analysed by analysts. These executables are appropriately managed and uniquely identified by means of Hash values. Furthermore, based on the result of analysis that carefully considers the priority of the processes, removal tools against bots executables are generated for us
37、e in later process. These removal tools are stored in a bot countermeasures website (Step (3), Figure 2). In addition to the above, captured bots executables are to be distinguished carefully as to the new types from the existing types and are carried out by means of dynamic behaviour analysis for f
38、urther research and studies. The new types of bots executables are also shared with several antivirus companies to allow updating virus patterns for their use. 3) Identifying infected users Based on the collected logs at 1) above containing the corresponding IP address and date and time, the Cyber C
39、lean Center identifies an ISP to which the infected PC users are subscribed to and informs the identified ISP of related data. The ISP further identifies the infected PC user by means of log information (Steps (4), and (5), Figure 2). The relevant ISP above sends the infected PC user an alerting e-m
40、ail containing the URL of the bot countermeasure website (see 2) above). The URL contains a user-specific character string (tracking ID) that enables the ISP to monitor and track the progress of the removal activity at the users PC (Step (6) in Figure 2). The alerting e-mail above, as a communicatio
41、n media, may be an e-mail and/or a postal letter depending on the country and ISP. 1 Counter-measures websiteInternetInternetHoney - pots Bot-infected PCs(Users of participating ISPs) (7) Accessing the countermeasures website (8) Downloading the bot removal tools (4)Requesting foridentification of i
42、nfected PCs(6)Sending e - mail to alert theuse of the infection and urge the removal of botsISP! Analysts and related information(3)Preparation of bot removal tools Analysis(1)Infection activities(2)Detection of infection activities Capture of bot analystsCyber Clean Center(5)Identifying infected PC
43、sDisclosure websiteBot -infected PCs (General users)Accessing the disclosure websiteDownloading the bot removal toolsX series Supplement 8 (12/2010) 5 4) Accessing the bot countermeasure website In response to the alert mail to the user (4), the infected PC user is expected to access the indicated U
44、RL (bot countermeasures website) to make the user become aware of botnet threat in his/her computer environment and to download the bot removal tool (Step (7) in Figure 2). The infected user downloads the free bot removal tool and executes it to disinfect bots. The removal tool should be usable with
45、out any pre-installation, and it should not conflict with the existing antivirus software already operating in the PC. The user is strongly recommended to perform Windows Update and to install an antivirus software. Likewise, the user is requested to issue a notice of completion of bot cleaning usin
46、g the communication items on the website. Through this notice, the Cyber Clean Center would be able to confirm that the users removal activity is complete (Step (8) in Figure 2). 7.4 Effectiveness of CCC CCC has been operating since March 2007. For nearly three years, according to the statistical da
47、ta summarized in January 2010, the total number of bots executables captured through CCC was 15808843, with 472481 alert e-mails sent to 96771 infected PC users in Japan. The average rate of downloading removal tools was 31.1%. Furthermore, CCC has been operating a public website that is freely down
48、loadable from any PC user, and 1152689 hits have been recorded in this open website among PC users because of CCC security awareness activities. According to statistical data obtained on CCC operations, before the commencement of CCC activities, the bot infection rate was around 2.02.5% (as of 2005)
49、 among Japanese broadband users. After the CCC operation was carried out, however, the infection rate plummeted to as much as 0.6% (as of 2010). Therefore, CCC activities can be said to be of great help to decrease the number of bot-infected PC users in Japan. 8 Best Practice 2: DNS sinkhole 8.1 Introduction The DNS (domain name system) sinkhole scheme has been developed and operated by Korea Internet and Security Agency (KISA) b-KISA to counter or combat attacks by bot-infected computer
