Business Networking Groups Las Vegas
business networking groups las vegas
A Survey on Botnets with Cryptography
Abstract.
As technology has been developed, the network of bot, botnet, has been huge matter in computer science society. Most botnet causes network security threats and they are based on C&C server such as IRC, HTTP common protocol [1] and recently botnet also constructs P2P connection and the bot’s characteristics and activities are all different according to the structure of botnet. That is why the existed research is numerous, too, and it is beneficial to categorize and to classify defense mechanism of bot. The bot activities result in a lot of negative effects such as DDoS (Distributed Denial of Service) and Spamming. The mechanisms for bot detection and defenses can be categorized into C&C based bot detection and P2P based bot detection. A vital aspect of botnet administration is the authenticity and integrity of commands. Asymmetric cryptography offers a simple, yet effective way to do this and the methodology is discussed here.
Keywords: botnet, bot detection, P2P bot, C&C bot ,cryptography
1. INTRODUCTION
The untraceable feature of coordinated attacks is just what hackers/attackers demand to compromise a computer or a network for their illegal purposes. Once a group of hosts with different locations are controlled by a malicious individual or organization to initiate an attack, one can hardly trace back the origins due to the complexity of the Internet. For this reason, the increase of events and threat against legitimate Internet activities such as information leakage, click fraud, denial of service (DoS) attack, and E-mail spam, etc., have become very serious problems nowadays[1]. Those victims controlled by coordinated attackers are called zombies, or bots which derives from the word “robot”. The term of bots is commonly referred to software applications running automated tasks over the Internet [2]. Under such a command and control (C2, or C&C) infrastructure, a group of bots are able to form a self-propagating, self-organizing, and autonomous framework, named botnet [3]. Generally, to compromise a series of systems, the botnet’s master (also called as herder or perpetrator) will remotely control bots to install worms, Trojan horses, or backdoors on them [3]. The majority of those victims are running Microsoft Windows operating system [3]. The process of stealing hosts resources to consist a botnet is so called “scrumping” [3].
Botnets can be classified into two major categories based on their topologies [4]. One typical and the most common type is Internet Relay Chat (IRC) based botnets. Because of its centralized architecture, researchers have designed some feasible countermeasures to detect and destroy such botnets [5, 6]. Hence, newer and more sophisticated hackers/attackers start to use Peer to Peer (P2P) technologies in botnets [4,7]. P2P botnets are distributed and do not have central point of failure. Comparing to IRC-based botnets, they are more difficult to detect and take down [4]. Besides, most of its existing studies are still in the analysis phase [4, 7].
The organization of the paper is as follows. In Section 2, botnet classification is given.Section 3 describes the relevant attacks. Section 4 elaborates the detection and tracing mechanisms. Preventive measures are given in Section 5. The conclusion and future challenges are shown in Section 6.
2. CLASSIFICATION
Botnets are emerging threats with billions’ hosts worldwide infected. Bots can spread over thousands of computers at a very high speed like worms do. Unlike worms, bots in a botnet are able to cooperate towards a common malicious purpose. For that reason, botnets nowadays play a very important role in the Internet malware epidemic [16]. In [19] the W. T. Strayer et al. presented some metrics by flow analysis on detecting botnets. After filtering IRC session out of the traffic, flow based methods were applied to discriminate malicious from benign IRC channels. The methods proposed by [20] and [21] combined both application and network layer analysis. E. Cooke et al. [22] dealt with IRC activities at the application layer, using information coming from the monitoring of network activities. Some authors had introduced machine learning techniques into botnet detection [23], since they led a better way to characterize botnets. Currently, honeynets and Intrusion Detection System (IDS) are two major techniques to prevent their attacks. Honeynets can be deployed in both distributed and local context [9]. They are capable of providing botnet attacking information, but can not tell the details like whether the victim has a certain worm [9]. The IDS uses the signatures or behavior of existing botnet for references to detect potential attack. Thus, to summarize the characteristics of botnet is significant for a secure network. To the best of our knowledge, we have not found any other work about anomaly-based detection for botnet.
2.1 Formation and Exploitation
To illustrate the formation and exploitation, we take spamming botnet as an example. A typical formation of botnet can be described as following steps [3],
1) The perpetrator of botnet sends out worms or viruses to infect victims’ machines, whose payload are bots.
2) The bots on the infected hosts log into an IRC server or other communications medium, forming a botnet.
3) Spammer makes payment to the owner of this botnet to gain the access right.
4) Spammer sends commands to this botnet to order the bots to send out spam.
5) The infected hosts send the spam messages to various mail servers in the Internet.
2.2 IRC-based Bot
IRC is a protocol for text based instant messaging among people connected with the Internet. It is based on Client/Server (C/S) model but suited for distributed environment as well [18]. Typical IRC severs are interconnected and pass messages from one to another [18]. One can connect with hundreds of clients via multiple servers. It is so called multiple IRC (mIRC), in which communications among clients and server are pushed to those who are connected to the channel. The functions of IRC based bots include managing access lists, moving files, sharing clients, sharing channel information, and so on [18].
• Bot: is typically an executable file triggered by a specific command from the IRC sever. Once a bot is installed on a victim host, it will make a copy into a configurable directory and let the malicious program to start with operating system. Generally, bots are just the payload of worms or the way to open a backdoor [18].
• Control channel: is a secured IRC channel set up by the attacker to manage all the bots.
• IRC Server: may be a compromised machine or even a legitimate provider for public service.
• Attacker: is the one who control the IRC bot attack.
The attacker’s operations have four stages [16]:
1) Creation Stage, where the attacker may add malicious code or just modify an existing one out of numerous highly configurable bots over the Internet [16].
2) Configuration Stage, where the IRC server and channel information can be collected [16]. As long as the bot is installed on the victim, it will automatically connect to the selected host [16]. Then, the attacker may restrict the access and secure the channel to the bots for business or some other purpose [16]. For example, the attacker is able to provide a list of bots for authorized users who want to further customize and use them for their own purpose.
3) Infection Stage, where bots are propagated by various direct and indirect means [16]. As the name implies, direct techniques exploit vulnerabilities of the services or operating systems, and are usually associated with the use of viruses [16]. While the vulnerable systems are compromised, they continue the infection process such that saving the time of attacker to add other victims [16]. The most vulnerable systems are Windows 2000 and XP SP1, where the attacker can easily find unpatched or unsecured (e.g., without firewall) hosts[16]. By contrary, indirect approaches use other programs as a proxy to spread bots, e.g., using distributed malware through DCC (Direct Client-to-Client) file exchange on IRC or P2P networks to exploit the vulnerabilities of target machines [16].
4) Control Stage, where the attacker can send the instructions to a group of bots via IRC channel to do some malicious tasks.
2.3 P2P-based Bot
Few papers focus on P2P-based bot so far [4, 24-29, 46]. It is still a challenging issue. In fact, using P2P adhoc network to control victim hosts is not a novel technique [26].P2P communication system is much harder to disrupt. This means that the compromise of a single bot does not necessarily mean the loss of the entire botnet. However, the design of P2P systems are more complex and there are typically no guarantees on messages delivery or latency. A worm with a P2P fashion, named Slapper [27], infected Linux system by DoS attack in 2002. It used hypothetical clients to send commands to compromised hosts and receive responses from them [27]. Thereby, its network location could be anonymous and hardly be monitored [27]. One year after, another P2P-based bot appeared, called Dubbed Sinit [28]. It used public key cryptography for update authentication. Later, in 2004, Phatbot [29] was created to send commands to other compromised hosts using a P2P system. Currently, Storm Worm [24] may be the most wide-spread P2P bot over the Internet. T. Holz et al. have analyzed it using binary and network tracing [24]. Besides, they also proposed some techniques to disrupt the communication of P2P-based botnet, such as eclipsing content and polluting the file.
Nevertheless, the above P2P-based bots are not mature and have many weaknesses. Many P2P networks have a central server or a seed list of peers who can be contacted for adding a new peer. This process named bootstrap has a single point of failure for aP2P-based botnet [25]. For this reason, authors in [25] presented a specific hybrid P2P botnet to overcome this problem.
2.4 Types of Bots
Many types of bots in the network have already been discovered and studied [9, 16, 17]. Table I will present several widespread and well-known bots, together with their basic features.
Types
Features
Agobot
Phatbot
Forbot
Xtrembot
- They are so prevalent that over 500 variants exist in the Internet today. Agobot is the only bot that can use other control protocols besides IRC [9]. It offers various approaches to hide bots on the compromised hosts,including NTFS Alternate Data Stream, Polymorphic
Encryptor Engine and Antivirus Killer [16].
SDBot
RBot
UrBot
UrXBot
SDBot is the basis of the other three bots and probably many more [9]. Different from Agobot, its code is unclear and only has limited functions. Even so, this group of bots is still widely used in the Internet [16].
SpyBot
NetBIOS
Kuang
Netdevil
KaZaa
There are hundreds of variants of SpyBot nowadays [17]. Most of their C2 frameworks appear to be shared with or evolved from SDBot [17]. But it doesn’t provide accountability or conceal their malicious purpose in codebase [17].
mIRC-based
GT-Bots
GT (Global Threat) bot is mIRC-based bot. It enables a mIRC chat-client based on a set of binaries (mainly DLLs) and scripts [16]. It often hides the application window in
compromised hosts to make mIRC invisible to the user [9].
DSNX Bots
The DSNX (Data Spy Network X) bot has a convenient plug-in interface for adding a new function [16]. Albeit the default version does not meet the requirement of spreaders, plugins can help to address this problem [9].
Q8 Bots
It is designed for Unix/Linux OS with the common features of a bot, such as dynamic HTTP updating, various DDoS-attacks, execution of arbitrary commands etc. [9].
Kaiten
It is quite similar to Q8 Bots due to the same runtime environment and lacking of spreader as well. Kaiten has an easy remote shell, thus it is convenient to check further
vulnerabilities via IRC [9].
Perl-Based Bots
Many variants written on Perl nowadays [9]. They are so small that only have a few hundred lines of the bots code [9]. Thus, limited fundamental commands are available for attacks, especially for DDoS-attacks in Unix-based systems [9].
3. BOTNET ATTACKS
Botnets can serve both legitimate and illegitimate purposes [6]. One legitimate purpose is to support the operations of IRC channels using administrative privileges on specific individuals. Nevertheless, such goals do not meet the vast number of bots that we have seen. Based on the wealth of data logged in Honeypots [9], the possibilities to use botnets for criminally motivated or for destructive goals are able to be categorized as follows.
3.1 DDoS Attacks
Botnets are often used for DDoS attacks [9], which can disable the network services of victim system by consuming its bandwidth. For instance, a perpetrator may order the botnet to connect a victim’s IRC channel at first, and then this target can be flooded by thousands of service requests from the botnet. In this kind of DDoS attack, the victim IRC network is taken down. Evidence reveals that most commonly implemented by botnets are TCP SYN and UDP flooding attacks [30].
General countermeasure against DDoS attacks requires: (1) controlling a large number of compromised machines; (2) disabling the remote control mechanism [30]. However, we still need more efficient ways to avoid this kind of attack. F. C. Freiling et al. [30] have presented an approach to prevent DDoS attack via exploring the hiding bots in Honeypots.
3.2 Spamming and Spreading Malware
About 70% to 90% of the world’s spam is caused by botnets nowadays, which has most experienced in the Internet security industry concerned [47, 49]. Study report indicates that, once the SOCKS v4/v5 proxy (TCP/IP RFC 1928) on compromised hosts is opened by some bots, those machines may be used for nefarious tasks, e.g., spamming. Besides, some bots are able to gather email addresses by some particular functions [9]. Therefore, attackers can use such a botnet to send massive amounts of spam [31]. Researchers in [32] have proposed a distributed content independent spam classification system, called Trinity, against spamming from botnets. The designer assumes that the spamming bots will send a mass of e-mails within a short time. Hence, any letter from such address can be a spam.
In order to discover the aggregate behaviors of spamming botnet and benefit its detection in the future, Y. Xie et al. [33] have designed a spam signature generation framework named AutoRE. They also found several characteristics of spamming botnet: (1) spammer often appends some random and legitimate URLs into the letter to evade detection [33]; (2) botnet IP addresses are usually distributed over many ASes (Autonomous Systems), with only a few participating machines in each AS on average [33]; (3) despite the contents of spam are different, their recipients’ addresses may be similar [33]. How to use these features to capture the botnets and avoid spamming is worth to research in the future. Similarly, botnets can be used to spread malware too[9]. For instance, botnet can launch Witty worm to attack ICQ protocol since the victims’ system may have not activated Internet Security Systems (ISS) services [9].
3.3 Information Leakage
Because some bots may sniff not only the traffic passing by the compromised machines but also the command data within the victims, perpetrators can retrieve sensitive information like usernames and passwords from botnets easily[9]. Evidences indicate that, botnets are becoming more sophisticated at quickly scanning in the host for significant corporate and financial data [47]. Since the bots rarely affect the performance of the running infected systems, they are often out of the surveillance area and hard to be caught. Keylogging is the very solution to the inner attack [9,16]. Such kind of bot listens for keyboard activities and then reports to its master the useful information after filtering the meaningless inputs. This enables the attacker to steal thousands of private information and credential data [16].
3.4 Click Fraud
With the help of botnet, perpetrators are able to install advertisement add-ons and browser helper objects (BHOs) for business purpose[9]. Just like Google’s AdSense program, for the sake of obtaining higher click-through rate (CTR), perpetrators may usebotnets to periodically click on specific hyperlinks and thus promote the CTR artificially [9]. This is also effective to online polls or games [9]. Because each victim’s host owns a unique IP address scattered across the globe, every single click will be regarded as a valid action from a legitimate person.
3.5 Identity Fraud
Identity Fraud, also called as Identity Theft, is a fast growing crime on the Internet [9]. Phishing mail is a typical case. It usually includes legitimate-like URLs and asks the receiver to submit personal or confidential information. Such mails can be generated and sent by a botnet through spamming mechanisms [9]. In a further step, botnets also can set up several fake websites pretending to be an official business sites to harvest victims’ information. Once a fake site is closed by its owner, another one can pop up, until you shut down the computer.
4. DETECTION AND TRACING
By now, several different approaches of identifying and tracing back botnets have been proposed or attempted. First and the most generally, the use of Honeypots, where a subnet pretends to be compromised by a Trojan, but actually observing the behavior of attackers, was enabling the controlling hosts to be identified[22]. In a relevant case, Freiling et al. [30] have introduced a feasible way to detect certain types of DDoS attacks lunched by the botnet. To begin with, use honeypot and active responders to collect bot binaries. Then, pretend to join the botnet as a compromised machine by running bots on the honeypot and allowing them to access the IRC server. At the end, the botnet is infiltrated by a “silent drone” for information collecting, which may be useful in botnet dismantling. Another and also commonly used method is that, using the information form insiders to track an IRC-based botnet [11]. The third but not the least prevalent approach to detect botnets is probing DNS caches on the network to resolve the IP addresses of the destination servers [11].
4.1 Honeypot and Honeynet
Honeypots are well-known by their strong ability to detect security threats, collect malwares, and to understand the behaviors and motivations of perpetrators. Honeynet, for monitoring a large-scale diverse network, consists of more than one honeypot on a network. Most of researchers focus on Linux-based honeynet, due to the obvious reason that, compared to any other platform, more freely honeynet tools are available on Linux [6]. As a result, only few tools support the honeypots deployment on Windows and intruders start to proactively dismantle the honeypot.
Some scholars aim at the design of a reactive firewall or related means to prevent multiple compromises of honeypots [6]. While a compromised port is detected by such a firewall, the inbound attacks on it can be blocked [6]. This operation should be carried on covertly to avoid raising suspicions of the attacker. Evidence tells us, we need operate less covert on protection of honeypots against multiple compromises by worms, due to worms are used to detect its presence [6]. Because many intruders download toolkits in a victim immediate aftermath, we should block correspond traffic only selectively. Such toolkits are significant evidences for future analysis. Hence, to some extent, attackers’ access to honeypots should not be prevented very well [6].
As honeypots have become more and more popular in monitoring and in defense systems, intruders begin to seek a way to avoid evade honeypot traps [34]. There are some feasible techniques to detect honeypots. For instance, to detect VMware or other emulated virtual machines [35,36], or, to detect the responses of program’s faulty in honeypot [37]. In [38], Bethencourt et al. have successfully identified honeypots using intelligent probing according to public report statistics. In addition, Krawetz [39] have presented a commercial spamming tool capable of anti-honeypot function, called “Send-Safe’s Honeypot Hunter”. By checking the reply from remote proxy, spammer is able to detect honeypot open proxies [39]. However, this tool cannot effectively detect others except open proxy honeypot. Recently, C.C. Zou et al. [34] have proposed another methodology for honeypot detection based on independent software and hardware. In their paper, they also have introduced an approach to effectively locate and remove infected honeypots using a P2P structured botnet [34]. All above evidences indicate that, in case that botnet becomes invisible to honeypot, the relevant research should be improved.
4.2 IRC-based Detection
IRC-based botnet is wildly studied and therefore several characteristics have been discovered for detection so far. One of the easy ways to detect this kind of botnets is to sniff traffic on common IRC ports (TCP port 6667), and then check whether the payloadsmarch the strings in our knowledge database [22]. Nevertheless, botnets can use random ports to communicate. Therefore, another approach looking for behavioral characteristics of bots comes up. S. Racine [40] found IRC-based bots were often idle and only responded upon receiving a specific instruction. Thus, the connections with such features can be marked as potential enemies. Nevertheless, it still has a high false positive rate in the result.
There are also other methodologies exist for IRC-based botnet detection. Barford et al. [17] proposed some approaches based on the source code analysis. Rajab et al. [11] introduced a modified IRC client called IRC tracker, which was able to connect the IRC sever and reply the queries automatically. Given a template and relevant fingerprint, the IRC tracker could instantiate a new IRC session to the IRC server [11]. In case the bot master could find the real identity of the tracker, it appeared as a powerful and responsive bot on the Internet and run every malicious command, including the responses to the attacker [11]. Following, we will introduce some detection methods against IRC-based botnet.
4.2.1 Detection Based on Traffic Analysis
Signature technology is often used in anomaly detection. The basic idea is to extract feature information on the packets from the traffic and march the patterns registered in the knowledge base of existing bots. Apparently, it is easy to carry on by simply comparing every byte in the packet, but it also goes with several drawbacks [45]. Firstly, it is unable to identify the undefined bots [45]. Second, it should always update the knowledge base with new signatures, which enhances the management cost and reducesthe performance [45]. Third, new bots may launch attacks before they are patched in the knowledge base [45].
Based on the features of IRC, some other techniques to detect botnet come up. Basically, two kinds of actions are involved in a normal IRC communication. One is interactive commands and another is messages exchanging [45]. If we can identify the IRC operation with a specified program, it is possible to detect a botnet attack [45]. For instance, the private information is copied to other place by some IRC commands, we claim the system is under an attack since a normal chatting behavior will never do that [45]. On the other hand, the traffic may be encrypted or be concealed by network noises [21]. Any situation will make the bots invisible.
In [45], authors observed the real traffic on IRC communication ports ranging from 6666 to 6669. They found some IRC clients repeated sending login information while the server refused its connection [45]. Based on the experiment result, they claimed that bots would repeat these actions at certain intervals after refused by the IRC server, and those time intervals are different [45]. However, they did not consider a real IRC-based botnet attack into their experiment. It is a possible future work to extend their achievements.
In [49], P. Sroufe et al. proposed a different method for botnet detection. Their approach can efficiently and automatically identify spam or bots. The main idea is to extract the shape of the Email (lines and the character count of each line) by applying a Gaussian kernel density estimator [49]. Emails with similar shape are suspected. However, authors did not show the way to detect botnet by using this method. It may be another future work worth to study.
4.2.2 Detection Based on Anomaly Activities
In [21], authors proposed an algorithm for anomaly-based botnet detection. It combined IRC mesh features with TCP-based anomaly detection module. It first observed and recorded a large number of TCP packets with respect to IRC hosts. Based on the ratio computed by the total amount of TCP control packets (e.g., SYN, SYNACK, FIN, and RESETS) over total number of TCP packets, it is able to detect some anomaly activities [21]. They called this ratio as the TCP work weight and claimed that high value implied a potential attack by a scanner or worm [21]. However, this mechanism may not work if the IRC commands have been encoded, as the discussion in [21].
4.3 DNS Tracking
Since bots usually send DNS queries in order to access the C2 servers, if we can intercept their domain names, the botnet traffic is able to be captured by blacklisting the domain names [41, 42]. Actually, it also provides an important secondary avenue to take down botnets by disabling their propagation capability [11]. H. Choi et al. [41] have discussed the features of botnet DNS. According to their analysis, botnets’ DNS queries can be easily distinguished from legitimate ones [41]. First of all, only bots will send DNS queries to the domain of C2 servers, legitimate one never do this [41]. Secondly, botnet’s members act and migrate together simultaneously, as well as their DNS queries [41]. Whereas the legitimate one occurs continuously, vary from botnet [41]. Third, legitimate hosts will not use DDNS very often while botnet usually use DDNS for C2 Server [41]. Based on the above features, they developed an algorithm to identify botnet DNS query [41]. Their main idea is to compute the similarity for group activities and then distinguish the botnet from them based on its value. The similarity value is defined as 0.5 (C/A+C/B), where A and B stand for the size of two requested IP lists which have somecommon IP addresses and the same domain name, and C stands for the size of duplicated IP addresses [41]. If the value approximated zero, such common domain will be suspected [41].
There are also some other approaches. Dagon et al. [42] presented a method by examining the query rates of DDNS domain. Abnormally high rates or temporally concentrated were suspected, since the attackers changed their C2 servers quite often [44]. They utilized both Mahalanobis distance and Chebyshev’s inequality to quantify how anomalous the rate is [44]. Schonewille et al. [43] found that when C2 servers had been taken down, DDNS would often response name error. Hosts who repeatedly did such queries could be infected and thus to be suspected [43]. In [44], authors evaluated the above two methods through experiments on real world. They claimed that, Dagon’s approach was not as effective since it misclassified some C2 server domains with short TTL, while Schonewille’s method was comparative effective due to the suspicious name came from independent individuals [44]. In [48], X. Hu et al. proposed a botnet detection system called RB-Seeker (Redirection Botnet Seeker). It is able to automatically detect botnets in any structure. RB-Seeker first gathers information about bots redirection activities (e.g., temporal and spatial features) from two subsystems. Then it utilizes the statistical methodology and DNS query probing technique to distinguish the malicious domain from legitimate ones. Experiment result shows that RB-Seeker is an efficient tool to detect both “aggressive” and “stealthy” botnets.
5. Strong Cryptography
5.1Tamper-proof command and update scheme
A vital aspect of botnet administration is the authenticity and integrity of commands. A bot should only accept commands issued by the botmaster. In current botnets, the botmasters commonly use only a very weak form of authenticity, eg., by using a simple password scheme before sending the actual command. Even if the botnets use stronger authentication schemes, these can typically be broken, eg., Storm Worm uses a 64 bit RSA implementation which can be defeated. In centralized IRC botnets, this lack of authenticity could for example be overcome by patching the IRC server used for command distribution in such a way that only the botmaster can send messages in the designated channel. However, when dealing with a decentralized network of equal peers, a botmaster needs to ensure that no hostile parties like defenders or other botnet groups can poison the botnet by injecting malicious commands.
Asymmetric cryptography offers a simple, yet effective way to do this: before releasing a bot in the wild, the botmaster creates a public/private pair of cryptographic keys of which the former one is hardcoded into the bot’s binary. Doing so enables the botmaster to securely sign any commands or files using his private key. All peers in the botnet are able to verify the commands employing the hardcoded public key, but given a reasonable key length(eg.2048 bits for RSA), no defender will manage to forge the signature.
5.2Rent a botnet
With the help of asymmetric cryptography, a botmaster can take on the role of a trusted certificate authority, which provides an efficient way to rent the botnet to others in parts or as a whole, for a variable amount of time, and for certain purposes.To protect against malicious lessees, it is advisable to implement a blacklist containing all invalidated public keys.This blacklist is saved on each bot’s computer and only the botmaster may add or remove public keys using his private key to sign the order. Thus, all certificates which belong to an attacker can be revoked.
However, such a blacklist is of little use against attacks which require only a short timeframe to be carried out successfully. For example, a malicious lessee could buy a botnet certificate for spam distribution and misuse it by ordering all bots to send an e-mail to a specified address, thereby revealing their IP address or other sensitive data. In effect, an attacker could conveniently obtain valuable information about a botnet’s size as well as its overall structure. Therefore , renting a botnet should be considered as an option which has to be used with caution by a botmaster.
6. PREVENTIVE MEASURES
Only need a couple of hours for conventional worms to circle the globe since released from a single host. If worms using botnet appear from multiple hosts simultaneously, they are able to infect the majority of vulnerable hosts worldwide in minutes [7]. Some botnets have been discussed in previous sections. Nevertheless, there still plenty of them are unknown to us. How to minimize the risk caused by botnets in the future is the topic we discussed in this section.
6.1 Countermeasures on Botnet Attacks
Unfortunately, few solutions exist for a host to against a botnet DoS attack so far [3]. Albeit it is hard to find the patterns of malicious hosts, network administrators can still identify botnet attacks based on passive operating system fingerprinting extracted from the latest firewall equipment [3]. The lifecycle of botnet tell us, bots often utilize free DNS hosting services to redirect a subdomain to an inaccessible IP address. Thus, removing those services may take down such a botnet [3]. At present, many security companies focus on offerings to stop botnets [3]. Some of them protect consumers, whereas most others are designed for ISPs or enterprises [3]. The individual products try to identify bot behavior by anti-virus software. The enterprise products have nothing better solutions than nullrouting DNS entries or shutting down the IRC and other main servers after a botnet attack identified [3].
6.2 Countermeasures for Public
Personal or corporation security inevitably depends on the communication partners [7]. Building a good relationship with those partners is essential. Firstly, one should continuously request the service supplier for security packages, such as firewall, anti-virus tool-kit, intrusion detection utility etc. [7]. Once something goes wrong, there should be a corresponding contact number to call [7]. Secondly, one should also pay much attention on network traffic and report to ISP if attacked by DDoS attack. ISP can help blocking those malicious IP addresses [7]. Thirdly, one is better to establish accountability on its system, together with a law enforcement authority [7]. More specifically, scholars and industries have proposed some strategies for both home users and system administrators, to prevent, detect and respond botnet attacks [16, 18]. Here we summarize their suggestions.
6.2.1 Home Users
TABLE II: RULES OF PREVENTION BY HOME USERS [18]
Type
Strategies
Personal Habits
Attention while downloading
Avoid to install useless things
Read carefully before you click
Routine
Use anti-virus/trojan utilities
Update system frequently
Shutdown PC when you leave
Optional Operations
Back-up all systems regularly
Keep all software up-to-date
Deploy personal firewall
6.2.2 System Administrator
In the same way, there are correspond rules for system administrator to prevent, detect, and respond botnet attacks [16, 18]. As the prevention methods, administrator should follow vendor guidelines for updating the system and applications [18]. Also, keep informed of latest vulnerabilities and use access control and log files to achieve accountability [18]. As illustrated in Table III, these can help the system administrator to minimize the possibilities of botnets attacking.
TABLE III: RULES OF DETECTION BY SYSTEM ADMINISTRATORS [18]
Rules
Notes
Regular monitor logs
Analyze the internet traffic for anomalies
Use network packet sniffer
Identify the malicious traffic in intranet
Isolate the malicious subnet
Verify IRC activity on host
Scan individual machine
They may contain malware
Once an attack is detected, system administrator should isolate those compromised hosts and notice the home users [16]. Then preserve the data on those infected hosts including the log files [16]. Besides, identify the number of victims via sniffer tools [16]. Finally, report the infection to security consultant [16].
7. CONCLUSION AND FUTURE CHALLENGES
To better understand the botnet and stop its attack eventually, we provide a botnet survey on existing researches. The content of discussion involves botnet formation and exploitation, and two typical topologies.
According to the discussion in Section 2, we have several ideas on different topologies. For IRC-based botnet issues, the thorny problem is that we can not get the source code of most of bots. Hence, depth analysis at networking level and system level for bots’ behaviors are hardly carried on. For P2P-based botnet issues, following practical challenges should be further considered: (1) maintaining the rest of bots after some have been taken down by defenders; (2) hiding the botnet topology while some bots are captured by defenders; (3) managing the botnet more easily; (4) changing the traffic patterns more often and make it harder for detection.
As we can see, detecting and tracking compromised host in botnet will continue to be a challenging task. Traffic fingerprinting is useful for identifying botnet. Nevertheless, just like previous signature technologies discussed in Section 3, its drawbacks are obvious. We need an up-to-date knowledge base for all released bots in the world, which seems to be an impossible mission. Anomaly detection is another feasible approach. However, when infected hosts do not behave as unusual, it may be unable to detect such a potential threat. Since current detecting technology depends on the happened attacking event, no guarantee for us to find every possible compromised hosts. One interesting issue about anomaly detection is the time efficiency. If an attack is occurs and we can capture the anomaly at first place and fix the relevant problems before it is used for malicious purposes, we say this anomaly detection is time efficient. We need focus on its time efficiency in the future work.
In wireless context, especially for ad hoc network, we still have not got related research on both attacking and defending so far. There are lots of open issues: (1) How to find the shortest routing to attack target; (2) How to prevent the compromised hosts fromdetecting in the wireless network; (3) How to propagate the bots in the wireless network, especially before some compromised hosts off line.
There are also some other interesting open issues need to be considered. To the best of our knowledge, by now, we cannot avoid DDoS attack derived from botnets. Even the attacking has been detected, no effective way to trace back and fight against it. Instead, we just simply shut down the compromised hosts or disconnect with the network, waiting for further command such as scanning virus or formatting the operating system. As the matter of fact, what we need indeed is avoiding bots propagating in the first step. Perhaps the only effective approach to eliminate botnets is deploying new protocols on routers worldwide. It is really a huge and beyond reality project. Then, why not consider installing it on a local gateway? Imagining, if the gateway could block the communication of bots between several domains, the attacker would not easily manage the compromised hosts worldwide. At the meantime, the gateway might give our information as to where the malicious command came from. Based on the plenty of evidences over network, it would be possible tracing back the initial attack. Nevertheless, it is very difficult to implement such an idea due to the following reasons: (1) It is hard to distinguish the malicious packets from the traffic flow; (2) Cooperating among domains is not very easy, and should consider the situation that some gateways are compromised; (3) How to trace the potential attack and who should be noticed for further analysis need to be studied.
REFERENCES
[1] K. Ono, I. Kawaishi, and T. Kamon, “Trend of botnet activities,” in 41st Annual IEEE International Carnahan Conference on Security Technology, Ottawa, CA,
Oct., 2007, pp. 243-249.
[2] Wikipedia, “Internet bot” [Online]. Available: http://en.wikipedia.org/ wiki/Internet_bot.
[3] Wikipedia, “Botnet” [Online]. Available: http://en.wikipedia.org/wiki/ Botnet.
[4] B. Thuraisingham, “Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic,” in IEEE International
Conference on Intelligence and Security Informatics, ISI 2008, Taipei, Taiwan, Jun. 2008, pp. xxix-xxx.
[5] C. Mazzariello, “IRC traffic analysis for botnet detection,” in 4th International Conference on Information Assurance and Security, Naples, Italy, Sept., 2008,
pp. 318-323.
[6] B. McCarty, “Botnets: Big and bigger,” IEEE Security and Privacy, vol. 1, no. 4, pp. 87-90, Jul., 2003.
[7] G. P. Schaffer, “Worms and viruses and botnets, oh my!: Rational responses to emerging internet threats,” IEEE Security and Privacy, vol. 4, no. 3, pp. 52-58, May
2006.
[8] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the source,” in ICNP’02: Proceedings of the 10th IEEE International Conference on Network
Protocols, Paris, France, Nov., 2002, pp. 312-321.
[9] P. Bacher, T. Holz, M. Kotter, and G. Wicherski, “Know your Enemy: Tracking Botnets” [Online]. Available: http://www.honeynet.org/papers/bots/.
[10] T. Holz, S. Marechal, and F. Raynal, “New threats and attacks on the world wide web,” IEEE Security & Privacy, vol. 4, no. 2, pp.72-75, Mar/Apr., 2006.
[11] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, “A multifaceted approach to understanding the botnet phenomenon,” in Proceedings of the 6th ACM
SIGCOMM Conference on Internet Measurement, Rio de Janeriro, Brazil, Oct., 2006, pp. 41-52.
[12] E. Levy, “The making of a spam zombie army: Dissecting the sobig worms,” IEEE Security and Privacy, vol. 1, no. 4, pp. 58-59, Jul., 2003.
[13] D. Cook, J. Hartnett, K. Manderson, and J. Scanlan, “Catching spam before it arrives: domain specific dynamic blacklists,” in Proceedings of the 2006
Australasian workshops on Grid computing and e-research, Hobart, Australia, pp. 193-202, Jan., 2006.
[14] J. Jung and E. Sit, “An empirical study of spam traffic and the use of DNS black lists,” in IMC ’04: Proceedings of the 4th ACM SIGCOMM conference on
Internet measurement, Taormina, Italy, pp. 370-375, Oct., 2004.
[15] A. Ramachandran, N. Feamster, and D. Dagon, “Revealing botnet membership using DNSBL counter-intelligence,” in Proceedings of the 2nd Conference on
Steps To Reducing Unwanted Traffic on the Internet – Volume 2, San Jose, USA, pp. 8-8, 2006.
[16] J. Govil, “Examining the criminology of bot zoo,” in 6th International Conference on Information, Communications & Signal Processing, Singapore, pp. 1-6,
Dec., 2007.
[17] P. Barford and V. Yegneswaran, “An inside look at botnets,” in Series: Advances in Information Security, Springer, 2006.
[18] R. Puri, “Bots and botnets: An overview,” Technical report, SANS institute, 2003.
[19] W. T. Strayer, R. Walsh, C. Livadas, and D. Lapsley, “Detecting botnets with tight command and control,” in Proceedings 2006 31st IEEE Conference on Local
Computer Networks, Tampa, USA, pp.195-202, Nov., 2006.
[20] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, “A proposal of metrics for botnet detection based on its
cooperative behavior,” in Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, Washington D.C., USA, pp. 82-82,
Jan., 2007.
[21] J. R. Binkley and S. Singh, “An algorithm for anomaly-based botnet detection,” in Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on
the Internet, San Jose, USA, pp. 7-7, 2006.
[22] E. Cooke, F, Jahanian, and D. Mcpherson, “The zombie roundup: Understanding, detecting, and disrupting botnets,” in Proceedings of the Steps to Reducing
Unwanted Traffic on the Internet, Cambridge, USA, pp. 6-6, 2005.
[23] C. Livadas, R. Walsh, D. Lapsley, and W. Strayer, “Using machine learning techniques to identify botnet traffic,” in Proceedings 2006 31st IEEE Conference on
Local Computer Networks, Tampa, USA, pp. 967-974, Nov., 2006.
[24] T. Holz, M. Steiner, F. Dahl, E. W. Biersack, and F. Freiling, “Measurement and mitigation of peer-to-peer-based botnets: A case study on storm worm,” in
Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, USA, pp. 1-9, Apr., 2008.
[25] P. Wang, S. Sparks, and C. C. Zou, “An advanced hybrid peer-to-peer botnet,” in Proceedings of the First Conference on First Workshop on Hot Topics in
Understanding Botnets, Cambridge, USA, pp. 2-2, Jul., 2008.
[26] R. Lemos, “Bot software looks to improve peerage” [Online]. Available: http://www.securityfocus.com/news/11390.
[27] I. Arce and E. levy, “An analysis of the slapper worm,” IEEE Security & Privacy Magazine, vol. 1, no. 1, pp. 82-87, Jan., 2003.
[28] J. Stewart, “Sinit P2P Trojan analysis” [Online]. Available: http://www.secureworks.com/research/threats/sinit/.
[29] J. Stewart, “Phatbot Trojan analysis” [Online]. Available: http://www.secureworks.com/research/threats/phatbot.
[30] F. C. Freiling, T. Holz, and G. Wicherski, “Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks,” Lecture Notes in
Computer Science, Springer-Verlag, Germany, 2005, No. 3679, pp. 319-335.
[31] K. Chiang and L. Lloyd, “A case study of the restock rootkit and spam bot,” in Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets,
Cambridge, USA, pp. 10-10, 2007.
[32] A. Brodsky and D. Brodsky, “A distributed content independent method for spam detection,” in Proceedings of the 1st Workshop on Hot Topics in Understanding
Botnets, Cambridge, USA, pp. 3-3, 2007.
[33] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov, “Spamming botnets: Signatures and Characteristics,” in Proceedings of the ACM SIGCOMM
2008 conference on Data communication, Seattle, USA, pp. 171-182, Aug., 2008.
[34] C. C. Zou and R. Cunninqham, “Honeypot-Aware advanced botnet construction and maintenance,” in 2006 International Conference on Dependable Systems
and Networks, Philadelphia, USA, pp. 199-208, Jun., 2006.
[35] J. Corey, “Advanced honey pot identification and exploitation” [Online]. Available: http://www.phrack.org/fakes/p63/p63-0×09.txt, 2004.
[36] K. Seifried, “Honeypotting with VMware basics” [Online]. Available: http://www.seifried.org/security/index.php/Honeypotting_With_VMWare_Basics, 2002.
[37] Honeyd security advisory 2004-001, “Remote detection via simple probe packet” [Online]. Available: http://www.honeyd.org/adv.2004-01.asc, 2004.
[38] J. Bethencourt, J. Franklin, and M. Vernon, “Mapping internet sensors with probe response attacks,” in Proceedings of the 14th Conference on USENIX Security
Symposium, Baltimore, USA, pp. 193-208, Aug., 2005.
[39] N. Krawetz, “Anti-Honeypot technology,” IEEE Security & Privacy Magazine, vol. 2, no. 1, pp. 76-79, Jan., 2004.
[40] S. Racine, “Analysis of internet relay chat usage by DDoS zombies,” Master’s thesis, Swiss Federal Institute of Technology Zurich, Apr., 2004.
[41] H. Choi, H. Lee, H. Lee, and H. Kim, “Botnet detection by monitoring group activities in DNS traffic,” in Proceedings of the 7th IEEE International Conference
on Computer and Information Technology, Washington D.C., USA, pp. 715-720, Oct., 2007.
[42] D. Dagon, “Botnet detection and response, the network is the infection” [Online]. Available: http://www.caida.org/workshops/dns-oarc/200507/
slides/oarc0507-Dagon.pdf, 2005.
[43] A. Schonewille and D. J. van Helmond, “The domain name service as an IDS,” Master’s Project, Univ. of Amsterdam, Netherlands, Feb., 2006,
http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf.
[44] R. Villamarin-Salomon and J. C. Brustoloni, “Identifying botnets using anomaly detection techniques applied to DNS traffic,” in Proceedings of the 5th IEEE
Consumer Communications and Networking Conference, Las Vegas, USA, pp. 476-481, Jan., 2008.
[45] Y. Kugisaki, Y. Kasahara, Y. Hori, and K. Sakurai, “Bot detection based on traffic analysis,” in Proceedings of the 2007 International Conference on Intelligent
Pervasive Computing, Washington, DC, USA, pp 303-306, Oct., 2007.
[46] C. Langin, H. Zhou, and S. Rahimi, “A model to use denied internet traffic to indirectly discover internal network security problems,” draft, submitted to WIDA08.
[47] K. Pappas, “Back to basics to fight botnets,” Journal of Communications News, vol. 45, issue 5, pp. 12(1), May, 2008.
[48] X. Hu, M. Knyz, and K. G. Shin, “RB-Seeker: auto-detection of redirection botnets,” in Proceedings of 16th Annual Network & Distributed System Security
Symposium (NDSS’09), Feb., 2009.
[49] P. Sroufe, S. Phithakkitnukoon, R. Dantu, and J. Cangussu, “Email shape analysis for spam botnet detection,” in Consumer Communication and Networking
Conference (CCNC 2009), pp. 1-2, Jan., 2009.
About the Author
Authors
1.G. Satyavathy, Lecturer,Department of Computer Science, Sri Ramakrishna College Of Arts and Science For Women,Coimbatore-641 044.
2.Dr. M. Punithavalli, Director and Head, Department Of Computer Science, Sri Ramakrishna College Of Arts and Science For Women,Coimbatore-641 044.
Does anyone know where I could meet and network with other young professionals in Las Vegas?
I have just moved to Las Vegas a few monthes ago and am just looking to meet and hang out with other business professionals or any other professionals out there in my age group(I am 25)Has anyone else had this problem since moving to Las Vegas as well? Thank you
The guy is called Summer Hollings and he has a network group. It is on TV and radio. I tired to google it. business development. Privately run. But could not get the name. We can edit these comments. I will listen for the commercial and add to the post.
But try googling his name and business coneection, business development.
Good luck
|
|
Las Vegas $125.02 Las Vegas is located near the beach in central Malaga and close to Plaza de Toros, Gibralfaro Castle, and Alcazaba. Nearby points of interest also include Malaga Ampitheatre and Picasso’s Birthplace. Hotel Features. Las Vegas features a restaurant and a bar/lounge. Room service is available. The hotel serves a complimentary buffet breakfast. Recreational amenities include an outdoor pool. This 3 star property has a business center and offers small meeting rooms and a meeting/conference room. High speed (wired) Internet access (surcharge) is available in public areas. Additional property amenities include a rooftop terrace, multilingual staff, and express check out. Guestrooms. 107 air conditioned guestrooms at Las Vegas feature safes and hair dryers. Balconies offer city or ocean views. Bathrooms feature bathtubs and bidets. Flat panel televisions have satellite channels. |
|
|
Ramada Las Vegas $79 Ramada Las Vegas is located in Las Vegas’s East of The Strip neighborhood, close to Desert Research Institute, University of Nevada Las Vegas, and Las Vegas Convention Center. Nearby points of interest also include Thomas and Mack Center and Fashion Show Mall. Hotel Features. Ramada Las Vegas features a restaurant and a bar/lounge. Recreational amenities include an outdoor pool, a spa tub, and a fitness facility. This hotel offers secretarial services, audio visual equipment, and business services. The property has a roundtrip airport shuttle, which is complimentary. Guest parking is complimentary. Additional property amenities include express check out. Guestrooms. Air conditioned guestrooms at Ramada Las Vegas feature coffee/tea makers and hair dryers. Televisions have pay movies. Guestrooms are all non smoking. |
|
|
Howard Johnson Las Vegas $89 Howard Johnson Las Vegas is located in Las Vegas, close to Nellis Air Force Base. Additional area points of interest include Las Vegas Motor Speedway and Planetarium Observatory. Hotel Features. Recreational amenities include a fitness facility. This 3 star property has a business center and offers a meeting/conference room. High speed Internet access is available in public areas. The hotel serves a complimentary breakfast. Guest parking is complimentary. Additional property amenities include a safe deposit box at the front desk. This is a smoke free property. Guestrooms. Air conditioned guestrooms at Howard Johnson Las Vegas feature coffee/tea makers and hair dryers. Accommodations include refrigerators and microwaves. High speed Internet access is available. Televisions have cable channels. |
|
|
Welcome To Vegas, Las Vegas $19.99 Tosh Welcome To Vegas, Las Vegas – Premium Poster |
|
|
D Las Vegas $49 D Las Vegas is located in Las Vegas’s Fremont Street Downtown Las Vegas neighborhood, close to Fremont Street Experience, Las Vegas Convention Center, and Las Vegas Premium Outlets. Nearby points of interest also include Fremont Street Flightlinez and Mob Museum. Hotel Features. Dining options at D Las Vegas include 2 restaurants. 2 bars/lounges are open for drinks. Room service is available during limited hours. Recreational amenities include a spa tub. This hotel has a business center and offers audio visual equipment and business services. Wireless Internet access (surcharge) is available in public areas. This Las Vegas property has event space consisting of banquet facilities, conference/meeting rooms, and a ballroom. Wedding services and tour assistance are available. Valet parking is complimentary. Additional property amenities include a casino, a coffee shop/caf?, and a concierge desk. Guestrooms. 638 air conditioned guestrooms at D Las Vegas feature safes and blackout drapes/curtains. Bathrooms feature shower/tub combinations, complimentary toiletries, and hair dryers. Wireless Internet access is available for a surcharge. Guestrooms offer phones with voice mail. Televisions have premium cable channels and pay movies. Rooms also include irons/ironing boards and clock radios. Housekeeping is offered daily and guests may request wake up calls. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Deposit: USD 50 per nightFee for in room wireless Internet: USD 11.99 per 24 hour period (rates may vary)Rollaway bed fee: USD 20 per night The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Deposit: USD 50 per nightFee for in room wireless Internet: USD 11.99 per 24 hour period (rates may vary)Rollaway bed fee: USD 20 per night The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Paris Las Vegas $410 Paris Las Vegas is located in Las Vegas’s The Strip neighborhood, close to Crystals at City Center, University of Nevada Las Vegas, and Las Vegas Convention Center. Nearby points of interest also include Fashion Show Mall and Thomas and Mack Center. Resort Features. Dining options at Paris Las Vegas include a restaurant and a coffee shop/caf?. A poolside bar and a bar/lounge are open for drinks. Room service is available 24 hours a day. Recreational amenities include a spa tub, a sauna, a fitness facility, and a steam room. The property’s full service health spa has massage/treatment rooms. This 4 star property has a business center and offers small meeting rooms, limo/town car service, and audio visual equipment. High speed Internet access is available in public areas. This Las Vegas property has event space consisting of banquet facilities, conference/meeting rooms, a ballroom, and exhibit space. Business services, wedding services, and tour assistance are available. Valet parking and self parking are complimentary. Additional property amenities include a casino, a concierge desk, and multilingual staff. Guestrooms. 2,916 air conditioned guestrooms at Paris Las Vegas feature safes and blackout drapes/curtains. Bathrooms feature separate bathtubs and showers, makeup/shaving mirrors, complimentary toiletries, and hair dryers. Wireless Internet access is available for a surcharge. In addition to desks, guestrooms offer multi line phones with voice mail. Televisions have video game consoles and pay movies. Also included are electronic check out and irons/ironing boards. Guests may request in room massages and wake up calls. Housekeeping is available daily. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Pet fee: USD 50 per room, per dayDeposit: USD 100 per dayFee for in room wireless Internet: USD 13.99 (for 24 hours, rates may vary)Rollaway bed fee: USD 35 per dayCrib (infant bed) fee: USD 15 per day The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Pet fee: USD 50 per room, per dayDeposit: USD 100 per dayFee for in room wireless Internet: USD 13.99 (for 24 hours, rates may vary)Rollaway bed fee: USD 35 per dayCrib (infant bed) fee: USD 15 per day The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Las Vegas Marriott $210 Near the airport, Las Vegas Marriott is located in Las Vegas’s East of The Strip neighborhood and close to Las Vegas Convention Center, Sands Expo Convention Center, and Clark County Library. Nearby points of interest also include University of Nevada Las Vegas and Fashion Show Mall. Hotel Features. Las Vegas Marriott’s restaurant serves breakfast, lunch, and dinner. A bar/lounge is open for drinks. The hotel serves buffet breakfasts (surcharges apply). Recreational amenities include an outdoor pool and a fitness facility. This 3.5 star property has a business center and offers small meeting rooms, audio visual equipment, and business services. Wireless Internet access (surcharge) is available in public areas. This Las Vegas property has 4,250 square feet of event space consisting of banquet facilities, conference/meeting rooms, and a ballroom. Additional property amenities include gift shops/newsstands and laundry facilities. Guestrooms. 276 air conditioned guestrooms at Las Vegas Marriott feature iPod docking stations and coffee/tea makers. All rooms include separate sitting areas and sofa beds. Bathrooms feature designer toiletries and hair dryers. Wired high speed Internet access is available for a surcharge. Televisions have premium cable channels and pay movies. Rooms also include electronic check out and irons/ironing boards. Housekeeping is offered daily and guests may request wake up calls. Guestrooms are all non smoking. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Fee for wireless Internet in public areas: USD 12.95 per day (rates may vary) Fee for in room high speed Internet (wired): USD 12.95 per day (rates may vary)Buffet breakfast fee: USD 20 per person (approximate amount) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Fee for wireless Internet in public areas: USD 12.95 per day (rates may vary) Fee for in room high speed Internet (wired): USD 12.95 per day (rates may vary)Buffet breakfast fee: USD 20 per person (approximate amount) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Claremont Hotel Las Vegas $79 Near the airport, Claremont Hotel Las Vegas is located in Las Vegas’s West of The Strip neighborhood and close to Fashion Show Mall, Las Vegas Convention Center, and Sands Expo Convention Center. Nearby points of interest also include University of Nevada Las Vegas and Las Vegas Premium Outlets. Hotel Features. This hotel offers a meeting/conference room and business services. Complimentary wireless Internet access is available in public areas. This Las Vegas property has 1000 square feet of event space consisting of banquet facilities. The hotel serves a complimentary continental breakfast each morning in the breakfast area. Guest parking is complimentary. Additional property amenities include ATM/banking services. This is a smoke free property. Guestrooms. 93 air conditioned guestrooms at Claremont Hotel Las Vegas feature coffee/tea makers and safes. Wireless Internet access is complimentary. In addition to phones, guestrooms offer free local calls (restrictions may apply). Satellite television is provided. Also included are hair dryers and clock radios. Guestrooms are all non smoking. Notifications and Fees:A resort fee is included in the total price displayed There are no room charges for children 17 years old and younger who occupy the same room as their parents or guardians, using existing bedding. The following fees and deposits are charged by the property at time of service, check in, or check out. A pet fee will be charged per room plus a one time pet cleaning feePet deposit: USD 30 per stayEarly check in fee: USD 20Late check out fee: USD 20 The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:A resort fee is included in the total price displayed There are no room charges for children 17 years old and younger who occupy the same room as their parents or guardians, using existing bedding. The following fees and deposits are charged by the property at time of service, check in, or check out. A pet fee will be charged per room plus a one time pet cleaning feePet deposit: USD 30 per stayEarly check in fee: USD 20Late check out fee: USD 20 The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Candlewood Suites Las Vegas $150 Candlewood Suites Las Vegas is located in Las Vegas’s East of The Strip neighborhood, close to Desert Research Institute, University of Nevada Las Vegas, and Las Vegas Convention Center. Nearby points of interest also include Thomas and Mack Center and Fashion Show Mall. Hotel Features. Recreational amenities include an outdoor pool and a fitness facility. High speed Internet access is available in public areas. Guest parking is complimentary. Business services, concierge services, and tour assistance are available. Additional property amenities include barbecue grills, multilingual staff, and gift shops/newsstands. Guestrooms. Air conditioned guestrooms at Candlewood Suites Las Vegas feature CD players and coffee/tea makers. All rooms include separate sitting areas and desks. Kitchens include microwaves, refrigerators, and cookware/dishes/utensils. High speed Internet access is available. In addition to multi line phones, guestrooms offer free local calls (restrictions may apply). Televisions have satellite channels, DVD players, and VCRs. Also included are windows that open and hair dryers. Housekeeping is offered weekly and guests may request wake up calls. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Pet fee: USD 75 per stay (maximum USD 150 per stay) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Pet fee: USD 75 per stay (maximum USD 150 per stay) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Staybridge Suites Las Vegas $164.63 Staybridge Suites Las Vegas is located in Las Vegas’s West of The Strip neighborhood, close to Bali Hai Golf Club, University of Nevada Las Vegas, and Thomas and Mack Center. Nearby points of interest also include Fashion Show Mall and Town Square Las Vegas. Hotel Features. Recreational amenities include an outdoor pool and a fitness facility. This 3 star property has a business center. High speed Internet access is available in public areas. A bar/lounge is open for drinks. Room service is available 24 hours a day. The hotel serves a complimentary breakfast. Additional property amenities include gift shops/newsstands and coffee in the lobby. Guestrooms. Air conditioned guestrooms at Staybridge Suites Las Vegas feature washers/dryers and coffee/tea makers. All rooms include separate sitting areas and sofa beds. Kitchens include stovetops, microwaves, refrigerators, and cookware/dishes/utensils. Wireless Internet access is available. Guestrooms offer cordless phones with voice mail, as well as free local calls (restrictions may apply). Televisions have cable channels and DVD players. Also included are hair dryers and irons/ironing boards. Housekeeping is offered daily and guests may request wake up calls. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Pet fee: USD 75 per stay (maximum USD 150 per stay) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Pet fee: USD 75 per stay (maximum USD 150 per stay) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Renaissance Las Vegas Hotel $159 Near the airport, Renaissance Las Vegas Hotel is located in Las Vegas’s East of The Strip neighborhood and close to Las Vegas Convention Center, Sands Expo Convention Center, and Clark County Library. Nearby points of interest also include University of Nevada Las Vegas and Fashion Show Mall. Hotel Features. Renaissance Las Vegas Hotel’s restaurant serves breakfast, lunch, and dinner. A bar/lounge is open for drinks. Room service is available during limited hours. The hotel serves buffet breakfasts (surcharges apply). Recreational amenities include an outdoor pool, a health club, a spa tub, and a fitness facility. This 4 star property has a business center and offers small meeting rooms, limo/town car service, and audio visual equipment. Wireless Internet access (surcharge) is available in public areas. This Las Vegas property has 20000 square feet of event space consisting of banquet facilities, conference/meeting rooms, a ballroom, and exhibit space. Business services, wedding services, and tour/ticket assistance are available. Valet parking is complimentary. Additional property amenities include a coffee shop/caf?, a concierge desk, and multilingual staff. This is a smoke free property. Guestrooms. 548 air conditioned guestrooms at Renaissance Las Vegas Hotel feature CD players and laptop compatible safes. Beds come with pillowtop mattresses, signature bedding, Egyptian cotton linens, and triple sheeting. Furnishings include desks and ergonomic chairs. Refrigerators and coffee/tea makers are offered. Bathrooms feature separate bathtubs and showers, makeup/shaving mirrors, designer toiletries, and bathrobes. Wired high speed and wireless Internet access is available for a surcharge. In addition to complimentary newspapers, guestrooms offer cordless phones with voice mail, as well as free local calls (restrictions may apply). 32 inch flat panel televisions have premium cable channels and pay movies. Rooms also include complimentary bottled water and blackout drapes/curtains. Guests may request a turndown service, hypo allergenic bedding, and wake up calls. Housekeeping is available daily. Guestrooms are all non smoking. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Fee for high speed Internet (wired) in business center: USD 5 per day (rates may vary)Fee for wireless Internet in business center: USD 12.95 per day (rates may vary)Fee for wireless Internet in public areas: USD 12.95 per day (rates may vary) Fee for in room high speed Internet (wired): USD 12.95 per day (rates may vary)Fee for in room wireless Internet: USD 12.95 per day (rates may vary)Buffet breakfast fee: USD 11.95 per person (approximate amount) The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Fee for high spe |
|
|
Blackstone Las Vegas Hotel $84.31 Near the airport, Blackstone Las Vegas Hotel is located in Las Vegas’s East of The Strip neighborhood and close to Desert Research Institute, Clark County Library, and Sands Expo Convention Center. Nearby points of interest also include University of Nevada Las Vegas and Las Vegas Convention Center. Hotel Features. Blackstone Las Vegas Hotel’s restaurant serves breakfast and dinner. A bar/lounge is open for drinks. Room service is available during limited hours. The hotel serves full breakfasts each morning (surcharges apply). Recreational amenities include an outdoor pool, a health club, a spa tub, and a 24 hour fitness facility. This 3 star property has a 24 hour business center and offers small meeting rooms, audio visual equipment, and business services. Complimentary wireless and wired high speed Internet access is available in public areas and the hotel has a computer station. This Las Vegas property has 1400 square feet of event space consisting of a conference center and banquet facilities. The property has a complimentary airport shuttle at scheduled times. Tour/ticket assistance and tour assistance are available. Self parking is complimentary. Additional property amenities include a coffee shop/caf?, a concierge desk, and multilingual staff. Extended parking privileges may be offered to guests after check out (surcharge). This is a smoke free property. Guestrooms. 129 air conditioned guestrooms at Blackstone Las Vegas Hotel feature coffee/tea makers and windows that open. Accommodations offer city views. Beds come with pillowtop mattresses, Egyptian cotton linens, and premium bedding. These individually furnished and decorated rooms include desks and ergonomic chairs. Bathrooms feature shower/tub combinations, complimentary toiletries, and hair dryers. Wired high speed and wireless Internet access is complimentary. Guestrooms offer multi line phones with voice mail, as well as free local calls (restrictions may apply). LCD televisions have premium satellite channels. Also included are blackout drapes/curtains and clock radios. Guests may request hypo allergenic bedding and wake up calls. Guestrooms are all non smoking. Notifications and Fees:There are no room charges for children 17 years old and younger who occupy the same room as their parents or guardians, using existing bedding. Some properties have extra fees for amenities or services that may apply even if you do not use them. Government fees or taxes also may be charged to you when you check in or check out. This property told us they will charge you for the following: Resort fee: USD 11.99 per accommodation, per night (effective 7 April 2012)Hotel resort fee inclusions:Internet access property widePhone calls (local)Faxes (limited)Use of fitness centerAirport shuttleShuttle serviceUse of business center/computerIn room coffeeIn room bottled waterSelf parkingParkingAdditional inclusionsWe have included all charges provided to us by the property. However, charges can vary, |
|
|
Super 8 Las Vegas NM $77.77 Super 8 Las Vegas NM is located in Las Vegas. Property Features. Recreational amenities include a fitness facility. Those traveling on business have access to a business center at this motel. A complimentary continental breakfast is served each morning. Guest parking is complimentary. Additional property amenities include laundry facilities. Guestrooms. Televisions have cable channels. |
|
|
Hyatt Place Las Vegas $120 Hyatt Place Las Vegas is a family friendly hotel located in Las Vegas’s East of The Strip neighborhood, close to Thomas and Mack Center, Desert Research Institute, and Marjorie Barrick Museum. Additional points of interest include Crystals at City Center and Boulevard Mall. Hotel Features. Hyatt Place Las Vegas features a coffee shop/caf? and a bar/lounge. The hotel serves a complimentary breakfast. Recreational amenities include an outdoor pool, a spa tub, and a fitness facility. This 3 star property offers small meeting rooms, audio visual equipment, and business services. Complimentary wireless Internet access is available in public areas. Complimentary shuttle services include a roundtrip airport shuttle (available on request) and an area shuttle. Concierge services and tour assistance are available. Self parking is complimentary. Additional property amenities include express check in. This is a smoke free property. Guestrooms. 202 air conditioned guestrooms at Hyatt Place Las Vegas feature coffee/tea makers and complimentary weekday newspapers. Beds come with signature bedding, triple sheeting, and down comforters. All rooms include separate sitting areas along with desks and sofa beds. Bathrooms feature shower/tub combinations, designer toiletries, and hair dryers. Wireless Internet access is available. Guestrooms offer multi line phones with voice mail. 42 inch high definition televisions have DVD players and pay movies. Rooms also include blackout drapes/curtains and electronic check out. Guests may request extra towels/bedding and wake up calls. Housekeeping is available daily. Guestrooms are all non smoking. Notifications:There are no room charges for children 18 years old and younger who occupy the same room as their parents or guardians, using existing bedding. The photos in this description reflect the brand standard and are provided for illustrative purposes only. Notifications:There are no room charges for children 18 years old and younger who occupy the same room as their parents or guardians, using existing bedding. The photos in this description reflect the brand standard and are provided for illustrative purposes only. |
|
|
Bally’s Las Vegas $229 Bally’s Las Vegas is located in Las Vegas’s The Strip neighborhood, close to Crystals at City Center, Las Vegas Convention Center, and University of Nevada Las Vegas. Nearby points of interest also include Fashion Show Mall and Thomas and Mack Center. Resort Features. Dining options at Bally’s Las Vegas include a restaurant and a coffee shop/caf?. A poolside bar and a bar/lounge are open for drinks. Room service is available 24 hours a day. Recreational amenities include a health club, a spa tub, and a sauna. The property’s full service health spa has massage/treatment rooms. This 3.5 star property has a business center and offers small meeting rooms, limo/town car service, and audio visual equipment. Wireless Internet access (surcharge) is available in public areas. This Las Vegas property has event space consisting of banquet facilities, conference/meeting rooms, a ballroom, and exhibit space. Business services, wedding services, and tour assistance are available. Valet parking and self parking are complimentary. Additional property amenities include a casino, multilingual staff, and gift shops/newsstands. Guestrooms. 3,211 air conditioned guestrooms at Bally’s Las Vegas feature safes and blackout drapes/curtains. Bathrooms feature shower/tub combinations, complimentary toiletries, and hair dryers. Wireless Internet access is available for a surcharge. Guestrooms offer multi line phones with voice mail. Televisions have satellite channels and pay movies. Rooms also include irons/ironing boards and clock radios. Guests may request refrigerators and wake up calls. Housekeeping is available daily. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Deposit: USD 100 per dayFee for wireless Internet in public areas: USD 24.99 (for 24 hours, rates may vary)Fee for in room wireless Internet: USD 13.99 (for 24 hours, rates may vary)In room safe fee: USD 3.00 per dayRollaway bed fee: USD 30.00 per dayFacilities fee: USD 22 per person, per day and includes use of: Fitness facilities Spa The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Deposit: USD 100 per dayFee for wireless Internet in public areas: USD 24.99 (for 24 hours, rates may vary)Fee for in room wireless Internet: USD 13.99 (for 24 hours, rates may vary)In room safe fee: USD 3.00 per dayRollaway bed fee: USD 30.00 per dayFacilities fee: USD 22 per person, per day and includes use of: Fitness facilities Spa The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
|
|
Flamingo Las Vegas $225 Near the airport, Flamingo Las Vegas is located in Las Vegas’s The Strip neighborhood and close to Crystals at City Center, Sands Expo Convention Center, and Las Vegas Convention Center. Nearby points of interest also include University of Nevada Las Vegas and Fashion Show Mall. Resort Features. Flamingo Las Vegas features a restaurant, a poolside bar, and a bar/lounge. Room service is available 24 hours a day. Recreational amenities include an outdoor pool, a children’s pool, a health club, a spa tub, and a sauna. The property’s full service health spa has beauty services. This 3.5 star property has a business center and offers small meeting rooms, a technology helpdesk, and limo/town car service. Wireless Internet access (surcharge) is available in public areas. This Las Vegas property has event space consisting of banquet facilities, conference/meeting rooms, a ballroom, and exhibit space. Business services, wedding services, and tour assistance are available. Guest parking is complimentary. Additional property amenities include a casino, a concierge desk, and a fitness facility. Guestrooms. 3,565 air conditioned guestrooms at Flamingo Las Vegas feature safes and electronic check out. Bathrooms feature complimentary toiletries and hair dryers. Wireless Internet access is available for a surcharge. In addition to desks, guestrooms offer phones with voice mail. Televisions have video game consoles and pay movies. Rooms also include irons/ironing boards and clock radios. Guests may request a turndown service, in room massages, and wake up calls. Housekeeping is available daily. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Deposit: USD 100 per nightFee for wireless Internet in all public areas: USD 24.99 per 24 hour period (rates may vary)Fee for in room high speed Internet (wired): USD 13.99 per 24 hour period (rates may vary)Fee for in room wireless Internet: USD 13.99 per 24 hour period (rates may vary)Refrigerator fee: USD 15.00 per nightRollaway bed fee: USD 30.00 per nightFacilities fee: USD 10 and includes use of: Fitness facilities The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. Notifications and Fees:The following fees and deposits are charged by the property at time of service, check in, or check out. Deposit: USD 100 per nightFee for wireless Internet in all public areas: USD 24.99 per 24 hour period (rates may vary)Fee for in room high speed Internet (wired): USD 13.99 per 24 hour period (rates may vary)Fee for in room wireless Internet: USD 13.99 per 24 hour period (rates may vary)Refrigerator fee: USD 15.00 per nightRollaway bed fee: USD 30.00 per nightFacilities fee: USD 10 and includes use of: Fitness facilities The above list may not be comprehensive. Fees and deposits may not include tax and are subject to change. |
