DETECTION AND MITIGATION

DETECTION:

Snort IDS: Several signatures are available in the Emerging Threats Snort IDS rulesets:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Emerging-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Initial Packet"; flow:established,to_server; dsize:24; content:"|9a 02 06 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; flowbits:noalert; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006396; sid:2006395; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Emerging-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Connect Command Packet"; flowbits:isset,BS.BPcheckin; flow:established,from_server; dsize:10; content:"|9a 02 07 00|"; offset:0; depth:4; flowbits:set,BS.BPset; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006396; sid:2006396; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Emerging-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006396; sid:2006397; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Emerging-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Checkin Packet"; flow:established,to_server; dsize:30; content:"|9a 02 01 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin1; flowbits:noalert; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006396; sid:2006398; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Emerging-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Checkin Success Packet"; flowbits:isset,BS.BPcheckin1; flow:established,from_server; dsize:4; content:"|9a 02 05 00|"; offset:0; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006396; sid:2006399; rev:1;)
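The five signatures are chained through flowbits: the two "noalert" rules only record state on the TCP session, and the remaining rules fire only once that state exists. The Python below is an added example, not part of the Emerging Threats ruleset or of the original report; it replays constructed packets through a minimal engine that models each rule's direction, dsize, 4-byte content at offset 0 and flowbits options, so the alert order of the chain can be checked without a running Snort sensor. The flow names and filler payload bytes are assumptions.

```python
"""Replay constructed packets through the flowbits chain of the five rules above.

Added example, not part of the Emerging Threats ruleset: a minimal engine
that models each rule's direction, dsize, 4-byte content at offset 0 and
its flowbits:isset / flowbits:set / flowbits:noalert options.
"""
from collections import defaultdict

# One tuple per signature, transcribed from the rules:
# (sid, direction, dsize, header bytes at offset 0, required flowbit, flowbit to set, alerts?)
RULES = [
    (2006395, "to_server",   24, b"\x9a\x02\x06\x00", None,            "BS.BPcheckin",  False),
    (2006396, "from_server", 10, b"\x9a\x02\x07\x00", "BS.BPcheckin",  "BS.BPset",      True),
    (2006397, "to_server",   16, b"\x9a\x02\x08\x00", "BS.BPset",      "BS.BPcheckin",  True),
    (2006398, "to_server",   30, b"\x9a\x02\x01\x00", None,            "BS.BPcheckin1", False),
    (2006399, "from_server",  4, b"\x9a\x02\x05\x00", "BS.BPcheckin1", None,            True),
]


def pkt(header, size):
    """Build a payload of exactly `size` bytes starting with the 4-byte header (body is filler)."""
    return header + b"\x00" * (size - 4)


def run_rules(packets):
    """packets: iterable of (flow_id, direction, payload). Returns [(flow_id, sid), ...] alerts.

    Flowbits are kept per flow, as Snort keeps them per TCP session; a packet
    that matches a rule carrying flowbits:noalert only updates that state."""
    bits = defaultdict(set)
    alerts = []
    for flow, direction, payload in packets:
        for sid, rdir, dsize, header, need, setbit, alert in RULES:
            if direction != rdir or len(payload) != dsize:      # flow:...; dsize:N
                continue
            if payload[:4] != header:                            # content:"|..|"; offset:0; depth:4
                continue
            if need is not None and need not in bits[flow]:      # flowbits:isset,<need>
                continue
            if setbit is not None:                               # flowbits:set,<setbit>
                bits[flow].add(setbit)
            if alert:
                alerts.append((flow, sid))
    return alerts


# Constructed traffic (assumed flow names): bot1 completes the proxy-connect handshake,
# an unrelated server reply arrives with no prior checkin, and bot2 does the checkin/ack exchange.
SAMPLE_PACKETS = [
    ("bot1",   "to_server",   pkt(b"\x9a\x02\x06\x00", 24)),   # initial packet (sets BS.BPcheckin, silent)
    ("bot1",   "from_server", pkt(b"\x9a\x02\x07\x00", 10)),   # connect command -> alert 2006396
    ("orphan", "from_server", pkt(b"\x9a\x02\x07\x00", 10)),   # same bytes, no checkin seen -> no alert
    ("bot1",   "to_server",   pkt(b"\x9a\x02\x08\x00", 16)),   # successful connect -> alert 2006397
    ("bot2",   "to_server",   pkt(b"\x9a\x02\x01\x00", 30)),   # checkin (sets BS.BPcheckin1, silent)
    ("bot2",   "from_server", pkt(b"\x9a\x02\x05\x00", 4)),    # checkin success -> alert 2006399
]

if __name__ == "__main__":
    for flow, sid in run_rules(SAMPLE_PACKETS):
        print(f"{flow}: sid {sid}")
```

The flowbits gating is what keeps a 4-byte `9a 02 05 00` server reply from alerting on every short HTTP-port response. The same gating is the operational caveat: a sensor that sees only one direction of the session (asymmetric routing, a span port on the wrong side) never sets the bits and therefore never alerts on the chain at all.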

Service providers should become suspicious when protocols such as SMTP or SSL are detected flowing inbound to user networks over non-standard ports. There are IDS signatures in the Emerging Threats rulesets for this purpose; see the "unusual-client-port-connection" class of Emerging Threats Snort rules for examples.

NETWORK FLOW

A number of methods exist for collecting and aggregating IP accounting information from switches, routers, or probes. One popular solution implemented on many network devices is NetFlow. NetFlow was developed at Cisco in 1996 and gives visibility into large network segments that would be impractical to monitor with packet capture. NetFlow records contain several fields of interest for detecting reverse-connect proxy bots: timestamps for the flow start and finish, the number of bytes and packets observed in the flow, source and destination IP addresses, source and destination port numbers, IP protocol, and cumulative TCP flags. Note that classic (v5) NetFlow records are unidirectional, so each TCP session appears as two flows, one per direction, which must be paired on their address and port tuple before the checks below are applied.

1. High-resolution (unsampled) NetFlow supports generic proxy and stepping-stone detection: a relay shows up as an inbound flow and an outbound flow on the same host that overlap in time and carry similar byte counts.
2. Sampled NetFlow, which misses short flows, still suffices for detecting policy violations (for example outbound TCP/25 from a host that is not a mail relay) and unusually large or long-duration flows.
3. Watchlists of known bad IPs, such as proxy bot controllers, can be matched against flow records to find suspicious sessions.
4. Baselines of typical activity per system or per segment can be built from metrics such as bytes transferred per day, number of unique IP addresses contacted per day, and number of packets per day per port/protocol.
5. Monitoring for deviations from these baselines helps identify systems whose behaviour changes abruptly, such as one that starts sending spam or acting as a proxy.
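The checks in the list above, as an added example that is not part of the original report: constructed unidirectional flow records shaped like NetFlow v5 exports are run through a watchlist match, a stepping-stone pairing (inbound and outbound flows on one internal host, overlapping in time, with near-equal byte counts) and a per-host baseline comparison. The internal prefix, the controller and mail-server addresses (from the documentation ranges), the 5 % byte tolerance and the 3x deviation factor are all assumptions.

```python
"""Added example (not from the original report): proxy/stepping-stone and
baseline-deviation checks over constructed flow records shaped like NetFlow v5
exports: (start, end, src, dst, sport, dport, proto, packets, bytes), times in seconds."""
from collections import defaultdict

INTERNAL = "10.1.0."            # assumed user-network prefix
WATCHLIST = {"203.0.113.77"}    # assumed proxy-bot controller address

# Constructed "today" records.
FLOWS = [
    # bot 10.1.0.5 calls home to the controller on 80; the controller pushes 5120 bytes down...
    (1000, 1060, "10.1.0.5", "203.0.113.77", 51000, 80, 6, 40, 2100),
    (1000, 1060, "203.0.113.77", "10.1.0.5", 80, 51000, 6, 45, 5120),
    # ...and the bot relays almost the same amount to a mail server on 25 at the same time.
    (1002, 1061, "10.1.0.5", "198.51.100.9", 51001, 25, 6, 44, 5070),
    (1002, 1061, "198.51.100.9", "10.1.0.5", 25, 51001, 6, 20, 900),
    # ordinary client browsing
    (1100, 1105, "10.1.0.8", "198.51.100.20", 52000, 443, 6, 12, 1500),
    (1100, 1105, "198.51.100.20", "10.1.0.8", 443, 52000, 6, 18, 20000),
]
# Constructed baseline records from an earlier day for the same two hosts.
BASELINE_FLOWS = [
    (100, 110, "10.1.0.5", "198.51.100.20", 50000, 443, 6, 10, 4000),
    (100, 110, "198.51.100.20", "10.1.0.5", 443, 50000, 6, 15, 30000),
    (200, 205, "10.1.0.8", "198.51.100.20", 50001, 443, 6, 11, 1500),
    (200, 205, "198.51.100.20", "10.1.0.8", 443, 50001, 6, 17, 19000),
]


def is_internal(ip):
    return ip.startswith(INTERNAL)


def watchlist_hits(flows):
    """Internal hosts that exchanged any traffic with a watchlisted address."""
    return sorted({f[2] if is_internal(f[2]) else f[3] for f in flows
                   if f[2] in WATCHLIST or f[3] in WATCHLIST})


def proxy_candidates(flows, tolerance=0.05):
    """Pair an inbound flow (external -> internal host) with an outbound flow from the same
    host to a different external peer that overlaps in time and carries a similar byte
    count: the relay signature of a reverse-connect proxy. Simplified heuristic."""
    hits = set()
    inbound = [f for f in flows if not is_internal(f[2]) and is_internal(f[3])]
    outbound = [f for f in flows if is_internal(f[2]) and not is_internal(f[3])]
    for i in inbound:
        for o in outbound:
            if i[3] != o[2] or i[2] == o[3]:          # same host, different external peer
                continue
            if min(i[1], o[1]) - max(i[0], o[0]) <= 0:  # must overlap in time
                continue
            if abs(i[8] - o[8]) <= tolerance * max(i[8], o[8]):
                hits.add((i[3], i[2], o[3], o[5]))     # (host, source peer, relay target, target port)
    return sorted(hits)


def host_profile(flows):
    """Per internal host: bytes sent out, unique external peers contacted, packets per dst port."""
    prof = defaultdict(lambda: {"bytes_out": 0, "peers": set(), "pkts_by_port": defaultdict(int)})
    for _start, _end, src, dst, _sport, dport, _proto, pkts, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            p = prof[src]
            p["bytes_out"] += nbytes
            p["peers"].add(dst)
            p["pkts_by_port"][dport] += pkts
    return prof


def deviations(today, baseline, factor=3.0):
    """Hosts whose outbound bytes, peer count or port-25 packets exceed factor x baseline."""
    flagged = []
    for host, p in today.items():
        b = baseline.get(host, {"bytes_out": 0, "peers": set(), "pkts_by_port": {}})
        checks = [("bytes_out", p["bytes_out"], b["bytes_out"]),
                  ("peers", len(p["peers"]), len(b["peers"])),
                  ("smtp_pkts", p["pkts_by_port"].get(25, 0), b["pkts_by_port"].get(25, 0))]
        for name, now, base in checks:
            if now > factor * max(base, 1):   # max(..., 1): a zero baseline still needs a floor
                flagged.append((host, name, now, base))
    return flagged


if __name__ == "__main__":
    print("watchlist:", watchlist_hits(FLOWS))
    print("proxy candidates:", proxy_candidates(FLOWS))
    print("deviations:", deviations(host_profile(FLOWS), host_profile(BASELINE_FLOWS)))
```

The pairing heuristic needs unsampled flows with accurate start and end times; under 1:1000 sampling the relayed flow is usually missing, which is why item 2 above confines sampled NetFlow to policy violations and large flows. The baseline comparison works on sampled data, and the port-25 packet count is the first metric to move when a host starts relaying spam.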

DNS

1. DNS query logs can be monitored for clients attempting to resolve known bad domains.
2. Statistics can also be maintained to baseline DNS resolution activity and to detect increases in resolution attempts, either per client or per domain. This is especially useful for MX (mail exchange) record queries: a host that delivers mail directly must resolve the MX record of each destination domain first, so a sudden burst of MX lookups from a workstation points to a spambot or proxied spam.
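Both DNS checks above as an added example, not part of the original report: BIND 9 style query-log lines are parsed, matched against a known-bad domain list (the domain and its subdomains), and MX lookups are counted per client and compared with a baseline window. The log lines, the blacklisted domain, the client addresses and the spike thresholds are all constructed for the example.

```python
"""Added example (not from the original report): parse BIND 9 style query-log lines,
match known-bad domains and baseline MX lookups per client. All log lines, domains
and thresholds below are constructed for the example."""
import re
from collections import Counter

BAD_DOMAINS = {"c2.example.net"}   # assumed blacklist; matches the domain and its subdomains

# Tolerates the "@0x..." client pointer and "(name)" field of newer BIND, and an optional view.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?:"
    r"(?: view \S+:)? query: (?P<qname>\S+) IN (?P<qtype>\S+)")

BASELINE_LOG = """\
01-Mar-2024 09:00:01.100 client 10.1.0.5#51000 (www.example.org): query: www.example.org IN A +E(0)K (10.1.0.1)
01-Mar-2024 09:00:02.100 client 10.1.0.5#51001 (example.com): query: example.com IN MX +E(0)K (10.1.0.1)
01-Mar-2024 09:00:03.100 client 10.1.0.8#51002 (www.example.org): query: www.example.org IN A +E(0)K (10.1.0.1)
"""
TODAY_LOG = """\
02-Mar-2024 09:00:01.100 client 10.1.0.5#51100 (c2.example.net): query: update.c2.example.net IN A +E(0)K (10.1.0.1)
02-Mar-2024 09:00:01.200 client 10.1.0.5#51101 (aol.example): query: aol.example IN MX +E(0)K (10.1.0.1)
02-Mar-2024 09:00:01.300 client 10.1.0.5#51102 (hotmail.example): query: hotmail.example IN MX +E(0)K (10.1.0.1)
02-Mar-2024 09:00:01.400 client 10.1.0.5#51103 (gmail.example): query: gmail.example IN MX +E(0)K (10.1.0.1)
02-Mar-2024 09:00:01.500 client 10.1.0.5#51104 (yahoo.example): query: yahoo.example IN MX +E(0)K (10.1.0.1)
02-Mar-2024 09:00:02.100 client 10.1.0.8#51105 (www.example.org): query: www.example.org IN A +E(0)K (10.1.0.1)
"""


def parse(log):
    """Yield (client, qname, qtype) for every query line; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def bad_domain_hits(log):
    """(client, qname) for lookups of a blacklisted domain or anything under it."""
    return [(client, qname) for client, qname, _ in parse(log)
            if any(qname == d or qname.endswith("." + d) for d in BAD_DOMAINS)]


def mx_counts(log):
    """MX queries per client."""
    return Counter(client for client, _, qtype in parse(log) if qtype == "MX")


def mx_spikes(today_log, baseline_log, factor=3, floor=3):
    """Clients whose MX lookups exceed factor x their baseline and at least `floor`:
    (client, today's count, baseline count)."""
    today, base = mx_counts(today_log), mx_counts(baseline_log)
    return sorted((c, n, base.get(c, 0)) for c, n in today.items()
                  if n >= floor and n > factor * base.get(c, 0))


if __name__ == "__main__":
    print("bad domains:", bad_domain_hits(TODAY_LOG))
    print("MX spikes:", mx_spikes(TODAY_LOG, BASELINE_LOG))
```

Exempt the organisation's real mail relays from the MX check, since they legitimately resolve MX records all day; for every other client an MX lookup is itself the anomaly, which is why the floor is set low.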

MITIGATION

1. Known bad domains can be blocked at the DNS level by blacklisting or poisoning them on your internal DNS servers (for example with BIND response policy zones) or on security devices that support this feature. Force internal clients to use DNS servers under your control, by blocking direct outbound port 53 from client networks, so these blacklists cannot be bypassed.
2. Many threats can be mitigated by developing a security policy that lists the approved applications and the ports/protocols people need to do their jobs, and by implementing technical controls to enforce it. Firewall filters help, but many recent threats require application-layer inspection using proxies or Intrusion Prevention Systems (IPS).
3. Use best practices for restricting outbound mail: permit outbound TCP/25 only from authorised mail relays and require clients to submit through those relays. This makes a proxy bot far less useful for sending spam.
4. Deploy Intrusion Detection/Prevention (IDS/IPS) technology internally to monitor for insider abuse. This also covers the case of an external party proxying attacks through an internal asset.