DOI: 10.1145/1920261.1920284
research-article

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

Published: 06 December 2010

ABSTRACT

Botnets constitute a serious security problem. A lot of effort has been invested towards understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods is an integral part of the development cycle of any such botnet mitigation scheme. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are "in-the-wild" botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing "in-the-lab" experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a 3000-node, fully-featured version of the Waledac botnet, complete with an emulated command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and the design decisions made by its creators. Furthermore, we conducted experiments with sybil attacks launched against it and verified their viability. However, we were able to determine that mounting such attacks is not so simple: high resource consumption can cause havoc and partially neutralise them. Finally, we were able to repeat the attacks with varying parameters, in an attempt to optimise them. The merit of this experimental approach is underlined by the fact that it would have been difficult to obtain these results by other methods.



Reviews

Alessandro Berni

The battle against botnets drives the need for specific studies aimed at achieving an in-depth understanding of the dynamics of their diffusion and operation. This is an essential prerequisite to the development of effective countermeasures. The current approach is to conduct studies of botnets "in the wild," observing the behavior of botnets while they execute their evil mission (whether it is the diffusion of spam or the conduct of denial of service attacks). Such an approach, however, comes loaded with ethical and legal concerns. One could also question its scientific validity, since one cannot control or repeat in-the-wild trials. In this study, Calvet et al. present their approach to "in-the-lab" experimentation with significant-scale botnets that enables fine-grained control of experimental parameters and provides a complete description of the internal dynamics of individual nodes, which would be difficult if not impossible to obtain using reverse engineering approaches. This paper includes a complete description of the hardware/software infrastructure they used to build their test bed, and provides an in-depth description of their highly secure implementation of a 3,000-node Waledac botnet using an air-gapped virtualized cluster. Results provide significant evidence that the Waledac botnet exposes a vulnerability to a Sybil attack, which we can exploit to reverse the asymmetric advantage that is typically associated with botnet operations. Observing key performance indicators such as "spam output" and connectivity between the participating nodes and the botnet authors demonstrated that targeting just five percent of the botnet repeater nodes with a Sybil attack leads to full disruption of the botnet within an hour. Conclusions indicate that botnet emulation in laboratory conditions yields a significant improvement in comparison with in-the-wild experimentation in terms of security, scalability, realism, and flexibility.

Improvements are still necessary in the modeling of the network links between the different virtualized nodes (to include representative network topologies and the associated latency information), and in the definition of a (bio-inspired) model to describe oscillations in botnet population (birth-death process).

Online Computing Reviews Service

Published in

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN: 9781450301336
DOI: 10.1145/1920261

Copyright © 2010 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 104 of 497 submissions, 21%
