
Tsunami: A parasitic, indestructible botnet on Kad

Published in: Peer-to-Peer Networking and Applications

Abstract

Current botnets rely on a central server or on bootstrap nodes for their operations. In this paper we identify and investigate a new type of botnet, called Tsunami, in which no such bottleneck nodes exist. In particular, we study how a Tsunami botnet can build a parasitic relationship with a widely deployed P2P system, Kad, to issue commands to its bots, to launch attacks such as distributed denial of service (DDoS) and spam with ease, and to receive responses from the bots. Our evaluation shows that in a Kad network with four million nodes, even when only 6 % of the nodes are Tsunami bots, Tsunami can reach 75 % of its bots in less than 4 min and receive responses from 99 % of them. We further propose a defense against Tsunami and evaluate it.
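As an added illustration (not code from the paper, whose Tsunami protocol is not reproduced on this page), the toy model below implements the XOR-metric Kademlia lookup that Kad is built on, plants a 6 % bot subset in a random network, and measures what fraction of the bots handle at least one request during a burst of lookups issued by a single controller node. The ID width, bucket size, lookup parallelism, the randomly filled routing tables, and the rule that a bot counts as reached as soon as it handles a lookup request are all assumptions made for this example; the node IDs and bot placement are constructed from a seeded generator.

```python
"""
Toy Kademlia-style DHT (example code, not the paper's implementation):
random node IDs, k-buckets, iterative XOR-metric lookups, and a measurement
of how many planted bots are touched by a burst of lookups from one node.
"""
import random
from typing import Dict, List, Set, Tuple

ID_BITS = 20   # assumption: toy ID space; Kad itself uses 128-bit IDs
K = 8          # assumption: k-bucket size and lookup shortlist size
ALPHA = 3      # assumption: number of parallel requests per lookup round


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric between two IDs."""
    return a ^ b


def bucket_index(me: int, peer: int) -> int:
    """k-bucket of `me` that holds `peer`: position of the highest differing bit."""
    return xor_distance(me, peer).bit_length() - 1


class ToyKad:
    def __init__(self, n_nodes: int, bot_fraction: float, seed: int = 0) -> None:
        self.rng = random.Random(seed)
        # Constructed population: unique random IDs, already in random order.
        self.ids: List[int] = self.rng.sample(range(1 << ID_BITS), n_nodes)
        self.bots: Set[int] = set(self.rng.sample(self.ids, round(n_nodes * bot_fraction)))
        self.tables: Dict[int, List[int]] = {nid: self._build_table(nid) for nid in self.ids}

    def _build_table(self, me: int) -> List[int]:
        """Up to K peers per bucket, taken in random order (stand-in for whichever
        peers a real node happened to learn about). Sparse buckets close to `me`
        end up complete, which is what makes lookups converge."""
        buckets: Dict[int, List[int]] = {}
        for peer in self.ids:
            if peer == me:
                continue
            bucket = buckets.setdefault(bucket_index(me, peer), [])
            if len(bucket) < K:
                bucket.append(peer)
        return [p for bucket in buckets.values() for p in bucket]

    def closest_known(self, node: int, target: int) -> List[int]:
        """What `node` answers to a FIND_NODE(target): its K closest contacts."""
        return sorted(self.tables[node], key=lambda p: xor_distance(p, target))[:K]

    def lookup(self, start: int, target: int) -> Set[int]:
        """Iterative lookup from `start`; returns every node that handled a request."""
        queried: Set[int] = set()
        shortlist = self.closest_known(start, target)
        while True:
            batch = [n for n in shortlist if n not in queried][:ALPHA]
            if not batch:
                return queried
            for n in batch:
                queried.add(n)
                shortlist.extend(self.closest_known(n, target))
            # Keep only the K closest candidates seen so far.
            shortlist = sorted(set(shortlist), key=lambda p: xor_distance(p, target))[:K]

    def sweep(self, controller: int, n_lookups: int) -> Tuple[Set[int], int]:
        """Issue lookups for random targets from `controller`.
        Returns (bots that handled at least one request, total requests sent)."""
        reached: Set[int] = set()
        messages = 0
        for _ in range(n_lookups):
            target = self.rng.randrange(1 << ID_BITS)
            touched = self.lookup(controller, target)
            messages += len(touched)
            reached |= touched & self.bots
        return reached, messages


def coverage(n_nodes: int = 1000, bot_fraction: float = 0.06,
             n_lookups: int = 300, seed: int = 1) -> Tuple[float, int]:
    """Fraction of bots reached and requests spent by one controller's sweep."""
    net = ToyKad(n_nodes, bot_fraction, seed)
    reached, messages = net.sweep(net.ids[0], n_lookups)
    return len(reached) / len(net.bots), messages


if __name__ == "__main__":
    frac, msgs = coverage()
    print(f"bots reached: {frac:.1%} using {msgs} lookup requests")
```

Run stand-alone it prints coverage and request count for the defaults; raising `n_lookups` shows coverage climbing toward 100 % of the planted bots while the request count grows linearly, which is the trade-off between reach and traffic volume that an evaluation like the one in the abstract has to quantify.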


Figures 1 to 8: thumbnails only; captions are not included in this preview.



Acknowledgments

We are extremely grateful to Sven Dietrich, Geoffrey Voelker, Peter Reiher and Jelena Mirkovic for their comments and suggestions on earlier drafts of this work. We are also thankful to anonymous reviewers of our earlier conference submissions, who helped in improving the clarity of this paper. Finally, we thank the members of Mirage and Netsec research groups at the University of Oregon for their continued feedback, comments and suggestions.

Author information

Correspondence to Ghulam Memon.


About this article

Cite this article

Memon, G., Li, J. & Rejaie, R. Tsunami: A parasitic, indestructible botnet on Kad. Peer-to-Peer Netw. Appl. 7, 444–455 (2014). https://doi.org/10.1007/s12083-013-0202-x

