OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: RatBot: anti-enumeration peer-to-peer botnets

Resource Type: Conference

Botnets have emerged as one of the most severe cyber threats in recent years. To obtain high resilience against a single point of failure, the new generation of botnets has adopted the peer-to-peer (P2P) structure. One critical question regarding these P2P botnets is: how big are they, really? To address this question, researchers have proposed both active crawling and passive monitoring methods to enumerate existing P2P botnets. In this work, we go further and explore the potential strategies that botnets may use to obfuscate their true sizes. Towards this end, this paper introduces RatBot, a P2P botnet that applies statistical techniques to defeat existing P2P botnet enumeration methods. The key ideas of RatBot are two-fold: (1) there exists a fraction of bots that are indistinguishable from their fake identities, which are spoofed IP addresses they use to hide themselves; (2) we use a heavy-tailed distribution to generate the number of fake identities for each of these bots, so that the sum of observed fake identities converges only slowly and thus has high variation. We use large-scale, high-fidelity simulation to quantify the estimation errors under diverse settings, and the results show that a naive enumeration technique can overestimate the sizes of P2P botnets by one order of magnitude. We believe that our work reveals new challenges in accurately estimating the sizes of P2P botnets, and we hope that it will raise the awareness of security practitioners of these challenges. We further suggest a few countermeasures that can potentially defeat RatBot's anti-enumeration scheme.

Research Organization: Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
Sponsoring Organization: USDOE
DOE Contract Number: AC52-06NA25396
OSTI ID: 1018696
Report Number(s): LA-UR-10-03929; LA-UR-10-3929; TRN: US201114%%289
Resource Relation: Journal Volume: 7001; Conference: 2010 Annual Computer Security Applications Conference; December 6, 2010; Austin, TX
Country of Publication: United States
Language: English