1 MA Rajab, J Zarfoss, F Monrose, A Terzis - Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets My Botnet is Bigger than Yours (Maybe, Better than Yours) : why size estimates remain challenging MA Rajab, J Zarfoss, F Monrose, A Terzis - Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April Reporter: 高嘉男 Advisor: Chin-Laung Lei 2009/06/09

2 Outline Introduction ◦ Botnet size? Definitions & estimation techniques Experiment Hidden botnet connections Conclusion

3 Introduction How big are today’s botnets? ◦ Botnet size is currently poorly defined ◦ Different metrics lead to widely different results ◦ Some issues increase the difficulty  Cloning  Temporary migration  Hidden structures Expecting a definitive answer is unreasonable

4 Definitions Different definitions of botnet size ◦ Footprint : the overall size of the infected population at any point in its lifetime ◦ Live population : the number of live bots simultaneously present in the command and control channel

5 Estimation Techniques Two broad categories ◦ Counting bots connecting to a particular server directly  Botnet infiltration  DNS redirection ◦ Exploiting external information

6 Botnet Infiltration Infiltrating the botnet by joining the command and control channel An IRC tracker mimics the behavior of actual bots and joins many botnets Recording any information observed on the command and control channel Limitations ◦ Botmasters may suppress bot identities ◦ Counting can lead to different estimates

7 DNS Redirection Manipulating the DNS entry associated with a botnet’s IRC server and redirecting connections to a sinkhole The sinkhole completed the three-way TCP handshake with bots attempting to connect to the (redirected) IRC server and recorded their IP addresses Limitations ◦ It can only measure the botnet’s footprint ◦ There is no way of knowing if the bots are connecting to the same command and control channel ◦ Botmasters can redirect their bots to another IRC server

8 Exploiting External Information DNS cache snooping ◦ Bots normally make a DNS query to resolve the IP address of their IRC server ◦ A cache hit implies that at least one bot has queried its nameserver ◦ The total number of cache hits provides an indication of the botnet’s DNS footprint DNS footprint provides (at best) only a lower bound of its actual footprint

9 Experiment

10 Result : Footprint & Live Population

11 Result : DNS Footprint

12 Temporary Bot Migration Botmasters command bots to temporarily migrate from one botnet to another

13 Bot Cloning Botmasters command bots to create copies of themselves and join a new channel on the same server ◦ Clone flooding ◦ Normal cloning

14 Hidden Botnet Connections A d-dimensional structural feature vector Features to represent a botnet’s unique identity ◦ DNS name and/or IP address of IRC Server ◦ IRC server or IRC network name (e.g.,ToXiC.BoTnEt.Net) ◦ Server version (e.g., Unreal3.2.3) ◦ IRC channel name. ◦ Botmaster ID For a pair of vectors the pair-wise score is a weighted dot product of the two vectors

15 Botnet Cluster

16 Number of Botnets Affiliated with Botnet Cluster

17 Conclusion No single metric is sufficient for describing all aspects of a botnet’s size A prudent step towards providing more reliable size estimates is to synthesize the results from multiple concurrent and independent views of a botnet’s behavior

18 References Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, “My Botnet is Bigger than Yours (Maybe, Better than Yours) : why size estimates remain challenging.” in Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, “A Multifaceted Approach to Understanding the botnet phenomenon.” in Proceedings of ACMSIGCOMM/USENIX Internet Measurement Conference (IMC), pages 41–52, 2006.