Clean up your House First: A Proposal to Detect Bots On Your Own Domain Using Netflow


Giovane C. M. Moura


28 January 2010






Botnets have become one of the largest security threats on the Internet. Usually they consist of a large number of infected computers (named bots, usually running Windows) that are coordinated to perform malicious tasks, such as spam campaigns. When fighting against bots and their attacks, most proposals focus on a reactive approach, analyzing the incoming traffic to a particular network domain. In this presentation we introduce a proactive approach, in which we analyze the outgoing traffic and try to detect (and block) machines within our own domain that are performing malicious activities against other computers on the Internet. Since we are working with high-speed scalable networks, Netflow was the data source employed in our analysis. This presentation covers ongoing work and contains the initial results on detecting bots by analyzing outgoing traffic on a domain using Netflow.
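To make the outbound-traffic idea concrete, the following is an added example (not code from the presentation or its author) of the kind of per-host aggregation one can run over flow records. It assumes a simplified, constructed record format (source, destination, destination port, packets), a hypothetical local prefix 192.0.2.0/24, a hypothetical allowlist for the site's legitimate mail relay, and a fan-out threshold of 20 distinct external SMTP destinations; the flow lines are constructed sample data, not real Netflow export. The detection logic is one plausible heuristic for a spam-sending bot (many distinct external port-25 destinations from a single internal host), not the method the presentation itself describes.

```python
"""Flag internal hosts whose outbound SMTP fan-out looks like a spam bot.

Added example: aggregates simplified flow records per local source host and
counts distinct external destinations contacted on TCP port 25. Inbound flows
and flows to other local hosts are ignored, since only traffic leaving the
domain is of interest here.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical local prefix (documentation range, chosen for the example).
LOCAL_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src,dst,dport,packets' record."""
    src, dst, dport, packets = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(dport), int(packets))


def outbound_smtp_fanout(flows, local_net=LOCAL_NET):
    """Map each local source host to the set of distinct external hosts it
    contacted on port 25. Only local -> external flows are counted."""
    fanout = defaultdict(set)
    for flow in flows:
        if flow.dport != 25:
            continue
        src_is_local = ip_address(flow.src) in local_net
        dst_is_local = ip_address(flow.dst) in local_net
        if src_is_local and not dst_is_local:
            fanout[flow.src].add(flow.dst)
    return fanout


def flag_spam_bots(flows, local_net=LOCAL_NET, threshold=20, allowlist=()):
    """Return the sorted list of local hosts whose distinct external SMTP
    destinations reach the threshold and that are not known mail relays."""
    fanout = outbound_smtp_fanout(flows, local_net)
    return sorted(
        host for host, dsts in fanout.items()
        if len(dsts) >= threshold and host not in set(allowlist)
    )


def constructed_flow_lines():
    """Constructed sample records (not real data) covering the cases that
    matter: a bot-like host, a normal workstation, a legitimate relay, and
    an inbound flow that must be ignored."""
    lines = []
    # Bot-like workstation: 30 distinct external destinations on port 25.
    lines += [f"192.0.2.50,198.51.100.{i + 1},25,4" for i in range(30)]
    # Normal workstation: web traffic plus mail sent via the site's own relay.
    lines += [
        "192.0.2.10,203.0.113.7,443,120",
        "192.0.2.10,203.0.113.8,443,60",
        "192.0.2.10,192.0.2.25,25,10",
    ]
    # Legitimate mail relay: high SMTP fan-out, expected to be allowlisted.
    lines += [f"192.0.2.25,203.0.113.{i + 20},25,8" for i in range(40)]
    # Inbound flow from an external host: not outbound, so never counted.
    lines.append("198.51.100.200,192.0.2.10,25,2")
    return lines


CONSTRUCTED_FLOW_LINES = constructed_flow_lines()
# Hypothetical allowlist: the site's sanctioned outbound mail relay.
KNOWN_MAIL_RELAYS = {"192.0.2.25"}


if __name__ == "__main__":
    flows = [parse_flow(line) for line in CONSTRUCTED_FLOW_LINES]
    for host, dsts in sorted(outbound_smtp_fanout(flows).items()):
        print(f"{host}: {len(dsts)} distinct external SMTP destinations")
    print("flagged:", flag_spam_bots(flows, allowlist=KNOWN_MAIL_RELAYS))
```

Without the allowlist the legitimate relay is flagged alongside the bot, which is exactly why such a heuristic needs site knowledge (sanctioned relays, expected mail volume) before it is used to block anything; on real exports one would also bound the count to a time window rather than the whole record set.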