Beginning Questions

Question 1: What is IRC?
IRC (Internet Relay Chat) is an Internet protocol which allows multiple connected users to engage in a real-time textual dialogue; the effect is that a user can monitor a "conversation" between multiple entities and can participate in it as well. Generally, the user runs a client program (for example mIRC under Windows) to connect to a server on one of the IRC nets. The server relays information to and from the other servers on the same net. Once connected to an IRC server on an IRC network, the user will usually join one or more "channels" and talk with the others there. Conversations may be public or private (messages between only two people, who may or may not be on the same channel).

Question 2: What message is sent by an IRC client when it asks to join an IRC network?
When a client asks to join an IRC network, it issues the JOIN command to start listening on a specific channel. Whether or not a client is allowed to join a channel is checked only by the server the client is connected to; all other servers automatically add the user to the channel when the JOIN is received from other servers. The conditions which affect this are as follows:
The JOIN command needs to be broadcast to all servers so that each server knows where to find the users who are on the channel. If a JOIN is successful, the channel's topic and the list of users who are on the channel are sent to the user.
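The exchange above, replayed in code. This is an added example written for this page, not code from the challenge or its authors: a small parser for the RFC 1459 line format, the server's side of a successful JOIN (the echoed JOIN, the topic as numeric 332 RPL_TOPIC, the member list as 353 RPL_NAMREPLY closed by 366 RPL_ENDOFNAMES), and, since every accepted JOIN is echoed to the channel, a tally of the distinct hosts that join it, which is the kind of count a monitor on the client side can take. The nicks, hosts and channel name are constructed.

```python
"""RFC 1459 line parsing and a replay of the JOIN exchange (added example).

All nicks, hosts and the channel name below are constructed; the numerics
332/353/366 and the nick!user@host prefix form are the real protocol.
"""


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params).

    Grammar: [':' prefix ' '] command {' ' middle} [' :' trailing].
    The trailing parameter may contain spaces, so it is cut off first.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        raise ValueError("empty IRC message")
    return prefix, params[0].upper(), params[1:]


def split_prefix(prefix):
    """nick!user@host -> (nick, user, host); a server prefix is just a name."""
    if prefix is None or "!" not in prefix:
        return prefix, None, None
    nick, _, rest = prefix.partition("!")
    user, _, host = rest.partition("@")
    return nick, user, host or None


def replay_join(server_lines, my_nick):
    """Apply server lines in order; return the per-channel state the client
    holds once its own JOIN has been accepted."""
    channels = {}

    def chan(name):
        return channels.setdefault(name, {"topic": None, "members": [], "complete": False})

    for line in server_lines:
        prefix, cmd, params = parse_irc_line(line)
        nick, _, _ = split_prefix(prefix)
        if cmd == "JOIN" and nick == my_nick:
            chan(params[0])                            # server echoed our JOIN: we are in
        elif cmd == "332":                             # RPL_TOPIC: <nick> <channel> :<topic>
            chan(params[1])["topic"] = params[2]
        elif cmd == "353":                             # RPL_NAMREPLY: <nick> = <channel> :<names>
            chan(params[2])["members"].extend(params[3].split())
        elif cmd == "366":                             # RPL_ENDOFNAMES: <nick> <channel> :End of /NAMES list
            chan(params[1])["complete"] = True
    return channels


def distinct_join_hosts(server_lines, channel):
    """Hosts seen in the prefix of every JOIN echoed for a channel."""
    hosts = set()
    for line in server_lines:
        prefix, cmd, params = parse_irc_line(line)
        if cmd == "JOIN" and params and params[0] == channel:
            _, _, host = split_prefix(prefix)
            if host:
                hosts.add(host)
    return hosts


# Constructed exchange: what the client sends, then what the server sends back.
CLIENT_SENDS = "JOIN #bots\r\n"
SERVER_SENDS = [
    ":bot1!ident@10.0.0.5 JOIN :#bots\r\n",                  # our own JOIN echoed
    ":irc.example 332 bot1 #bots :welcome\r\n",              # topic
    ":irc.example 353 bot1 = #bots :@owner bot1 bot2\r\n",   # who is here
    ":irc.example 366 bot1 #bots :End of /NAMES list.\r\n",
    ":bot2!ident@10.0.0.6 JOIN :#bots\r\n",                  # later joins by others
    ":bot3!ident@10.0.0.5 JOIN :#bots\r\n",
]

if __name__ == "__main__":
    print(parse_irc_line(CLIENT_SENDS))
    print(replay_join(SERVER_SENDS, "bot1"))
    print(sorted(distinct_join_hosts(SERVER_SENDS, "#bots")))
```

Note that bot1 and bot3 share a host, so three JOINs give two distinct hosts; counting prefixes rather than nicks is what turns a member list into a host count.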

Question 3: What is a botnet?
Before giving the botnet definition, let's first explain what a bot is. Bots are automated programs which connect to and monitor IRC channels. Bots were first created and used to help maintain channel operator status on a particular channel; the current ChanOp (a privileged user who has the ability to arbitrarily kick users off a channel and prevent their return) would establish bots with shared ChanOp privileges on multiple client systems, thereby reducing the possibility that a channel would be orphaned and ChanOp privileges lost to another user. Bots are typically run from high-availability servers with reliable and fast Internet connections; bot control is typically maintained via a shell account on the server. This allows the human ChanOp to establish multiple bots with ChanOp privileges for a given channel, then to disconnect from the channel; the bots will retain ChanOp status and will grant that status back to the original owner when he returns (or he can connect to the bot hosts and execute commands via the bots). Given the preliminary information above, the definition of a BotNet is now obvious: a BotNet is a connected collection of IRC bots, though not all bots can participate in a BotNet. There are two main types of BotNet structures: Hub-Leaf and Channel.

Question 4: What are botnets commonly used for?
Bots were originally developed to facilitate IRC channel administration and monitoring, but they can be used maliciously. First, BotNets enable the creation and operation of "private" networks; traffic on these networks does not traverse the IRC server infrastructure, and so is harder to detect unless the monitor is in the path of, or part of, the private network. Such networks are widely used for file transfer and distributed file storage; of course, no controls enforce what type of files are stored or transferred, and such files may include illegal material (stolen software, illegal data, etc.). It is certainly possible to use normal IRC capabilities to exchange illegal material as well, but such activity is easier to detect. Second, BotNets can be used to launch coordinated network attacks in the same manner as any collection of systems under single control. BotNets are most often used for Denial of Service attacks, either against Channel Operators (so that channel control may be obtained) or against distinct targets like web servers. It is also possible to use BotNets for distributed scanning, vulnerability exploitation, distributed computation (for example breaking codes by brute force), and any other activity which can be partitioned among multiple systems.

Question 5: What TCP ports does IRC generally use?
IRC servers generally use TCP port 6667.

Question 6: What is a binary log file and how is one created?
A binary log file is generally smaller than a text log file and faster to access, and it can be used to record a snapshot of the network traffic that travelled over the sniffed interface. The resulting file can then be analysed with standard tools like Ethereal and tcpdump. These tools rely on libpcap, which provides the function libraries and data structures for this type of network traffic capture. As mentioned in the challenge, the file was created using the Snort intrusion detection system (tcpdump and Ethereal can create and read these binary log files as well). It is also possible to run Snort against this log in NIDS mode to generate IDS alerts.
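To make the libpcap format concrete, here is an added example (written for this page, not taken from the challenge, Snort or libpcap) that builds a small capture in memory, walks it the way tcpdump or Ethereal would (24-byte global header, then a 16-byte record header per packet), decodes the Ethernet/IPv4/TCP layers, and answers the Question 7 style query: which IRC servers (TCP port 6667) did a host try to reach, and which of them sent anything back. The honeypot address is the one given in the challenge; the server addresses, ports, timestamps and payloads are constructed placeholders.

```python
"""Minimal libpcap reader plus an IRC-server tally (added example).

The capture is constructed in memory so the example runs offline; only the
honeypot address 172.16.134.191 comes from the challenge, everything else is
made up.  IP/TCP checksums are left at zero: capture tools store whatever was
on the wire and this reader never verifies them.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IRC_PORT = 6667


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct one Ethernet/IPv4/TCP frame (checksums zero, see above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames):
    """Serialize frames into libpcap format: global header, then per packet a
    record header (ts_sec, ts_usec, incl_len, orig_len) followed by the bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) per record, honouring the byte order the
    magic number announces."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:]


def irc_servers(pcap_bytes, honeypot_ip, port=IRC_PORT):
    """Servers the honeypot sent IRC traffic to, and those that sent any back."""
    contacted, responded = set(), set()
    for _ts, frame in iter_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, _payload = pkt
        if src == honeypot_ip and dport == port:
            contacted.add(dst)
        elif dst == honeypot_ip and sport == port:
            responded.add(src)
    return contacted, responded


# Constructed capture; 192.0.2.x and 198.51.100.x are placeholder addresses.
HONEYPOT = "172.16.134.191"
SAMPLE_PCAP = build_pcap([
    build_frame(HONEYPOT, "192.0.2.10", 1035, IRC_PORT, b"NICK bot1\r\n"),
    build_frame("192.0.2.10", HONEYPOT, IRC_PORT, 1035, b":irc.example NOTICE AUTH :*** Looking up your hostname\r\n"),
    build_frame(HONEYPOT, "192.0.2.20", 1036, IRC_PORT),                      # attempt that never gets an answer
    build_frame(HONEYPOT, "198.51.100.5", 1037, 80, b"GET / HTTP/1.0\r\n"),   # not IRC, ignored by the tally
])

if __name__ == "__main__":
    contacted, responded = irc_servers(SAMPLE_PCAP, HONEYPOT)
    print("contacted:", sorted(contacted))
    print("responded:", sorted(responded))
```

Keeping "contacted" and "responded" apart is the point: a bot that tries several hard-coded servers produces outbound packets to all of them, but only the ones that answer tell you where the botnet actually lives.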

Question 7: What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
The honeypot with IP address 172.16.134.191 tries to communicate with the following servers:

Only the following servers respond:

Question 7: During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?
During the observation period, 346 distinct clients connected to the botnet.

Question 7: Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?
With a maximum of 4765 global users, the aggregate bandwidth of the botnet is 56 * 4765 / 1024 = 260.585 Mb/s.

Intermediate Questions

Question 1: What IP source addresses were used in attacking the honeypot?
A large number of IP addresses were used to attack the honeypot; we group them by the vulnerability they attempted to exploit:
IIS attacks: 24.197.194.106, 24.197.194.106, 66.8.163.125
NetBIOS attacks: principally the following address
spp_portscan: 24.197.194.106
MS-SQL worm propagation: linked-list

Question 2: What vulnerabilities did attackers attempt to exploit?
The attackers attempted to exploit the null session vulnerability, port scanning (spp_portscan) and several IIS vulnerabilities. Other attacks were due to the propagation of worms targeting MS-SQL.
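The grouping done in the two answers above (attacking sources sorted by the vulnerability attempted, Question 1, and the list of vulnerability classes, Question 2) is what you get by running Snort in NIDS mode over the binary log and then aggregating its alert file. The following is an added example, not the challenge's own script: it parses Snort alert lines of the classic "[**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port" shape, classifies each alert by the rule message family, and collects the distinct source addresses per family. The spp_portscan preprocessor writes its alert in a different shape (no protocol or destination), so that case is handled separately instead of being silently dropped. The alert lines are constructed for the example; the two addresses 24.197.194.106 and 66.8.163.125 come from the answer above, the others and all timestamps are placeholders.

```python
"""Group Snort alert sources by attack family (added example, constructed data)."""
import re
from collections import defaultdict

# Rule-generated alerts carry protocol and endpoints; ports are absent for ICMP.
RULE_ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)
# The spp_portscan preprocessor reports only the scanning source.
PORTSCAN_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (?P<src>[\d.]+)")


def classify(msg):
    """Map a rule message to the attack family used in the answer above."""
    m = msg.lower()
    if "portscan" in m:
        return "portscan"
    if m.startswith("web-iis"):
        return "IIS"
    if m.startswith("netbios"):
        return "NetBIOS"
    if m.startswith("ms-sql"):
        return "MS-SQL"
    return "other"


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = RULE_ALERT_RE.search(line)
    if m:
        return {"family": classify(m["msg"]), "src": m["src"], "dst": m["dst"],
                "proto": m["proto"], "msg": m["msg"]}
    m = PORTSCAN_RE.search(line)
    if m:
        return {"family": "portscan", "src": m["src"], "dst": None,
                "proto": None, "msg": "spp_portscan"}
    return None


def group_sources(lines):
    """family -> sorted list of distinct attacking source addresses."""
    groups = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            groups[alert["family"]].add(alert["src"])
    return {family: sorted(srcs) for family, srcs in groups.items()}


# Constructed alert lines in Snort's alert-file layout; rule ids are illustrative.
SAMPLE_ALERTS = [
    "08/10-02:43:18.111111  [**] [1:1002:7] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 24.197.194.106:4321 -> 172.16.134.191:80",
    "08/10-02:43:19.222222  [**] [1:1945:5] WEB-IIS unicode directory traversal attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 66.8.163.125:1040 -> 172.16.134.191:80",
    "08/10-03:01:02.333333  [**] [1:537:8] NETBIOS SMB IPC$ share access [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:2050 -> 172.16.134.191:139",
    "08/10-03:05:00.444444  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.197.194.106 "
    "(THRESHOLD 4 connections exceeded in 0 seconds) [**]",
    "08/10-04:10:10.555555  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.9:1061 -> 172.16.134.191:1434",
    "this line is not an alert and is skipped",
]

if __name__ == "__main__":
    for family, srcs in sorted(group_sources(SAMPLE_ALERTS).items()):
        print(f"{family}: {', '.join(srcs)}")
```

The same source showing up under both IIS and portscan is expected and worth keeping visible: per-family sets answer "who tried what", while a single flat set would only answer "who showed up at all".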

Question 3: Which attacks were successful?
The IIS attacks failed.