ABSTRACT
Botnets constitute a serious security problem. A lot of effort has been invested towards understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods is an integral part of the development cycle of any such botnet mitigation scheme. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are "in-the-wild" botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing "in-the-lab" experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a 3000-node, fully-featured version of the Waledac botnet, complete with an emulated command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and the design decisions made by its creators. Furthermore, we conducted experiments with sybil attacks launched against it and verified their viability. However, we were able to determine that mounting such attacks is not so simple: high resource consumption can cause havoc and partially neutralise them. Finally, we were able to repeat the attacks with varying parameters, in an attempt to optimise them. The merits of this experimental approach are underlined by the fact that it would have been difficult to obtain these results by other methods.