Abstract
While current botnets rely on a central server or on bootstrap nodes for their operations, in this paper we identify and investigate a new type of botnet, called Tsunami, in which no such bottleneck nodes exist. In particular, we study how a Tsunami botnet can build a parasitic relationship with a widely deployed P2P system, Kad, to issue commands to its bots, launch various attacks, including distributed denial of service (DDoS) and spam, with ease, and receive responses from the bots. Our evaluation shows that in a Kad network with four million nodes, even with only 6 % of the nodes being Tsunami bots, Tsunami can reach 75 % of its bots in less than 4 min and receive responses from 99 % of them. We further propose how Tsunami may be defended against and evaluate the proposed defense.
Acknowledgments
We are extremely grateful to Sven Dietrich, Geoffrey Voelker, Peter Reiher and Jelena Mirkovic for their comments and suggestions on earlier drafts of this work. We are also thankful to anonymous reviewers of our earlier conference submissions, who helped in improving the clarity of this paper. Finally, we thank the members of Mirage and Netsec research groups at the University of Oregon for their continued feedback, comments and suggestions.
Cite this article
Memon, G., Li, J. & Rejaie, R. Tsunami: A parasitic, indestructible botnet on Kad. Peer-to-Peer Netw. Appl. 7, 444–455 (2014). https://doi.org/10.1007/s12083-013-0202-x
DOI: https://doi.org/10.1007/s12083-013-0202-x