
Slide 1: An Advanced Hybrid Peer-to-Peer Botnet
Ping Wang, Sherri Sparks, Cliff C. Zou
School of Electrical Engineering & Computer Science, University of Central Florida, Florida

Slide 2: Motivation
- Most research targets current botnets only
  - Relies on current botnets' architecture, infection methods, and control network
  - Studying current botnets is important, but not enough
  - May not work if botmasters upgrade their future botnets
- We must study one step ahead
  - How will botnets evolve?
  - How can future botnets be defended against?

Slide 3: Current Botnet Control Architecture
(diagram: nodes labelled botmaster, C&C, and bot)

Slide 4: Peer-to-Peer (P2P) based Control Architecture?
(diagram: C&C)
- P2P control is a natural evolution
  - A P2P-based botnet is much harder to shut down
- But the P2P upgrade is not so simple
  - Current P2P protocols are not suitable
    - Easy exposure of botnet members
    - Excess traffic susceptible to detection
    - Bootstrap process works against the design goal
  - Botmasters need easy control/monitoring of their botnets

Slide 5: Proposed Hybrid P2P Botnet
- Servent bots: static IPs, able to receive connections
  - Static IP requirement ensures a stable, long-lifetime control topology
- Each bot connects to its "peer list"
  - Only servent bot IPs are in peer lists
(diagram: servent bots, client bots, bot, C&C, botmaster)
- Dramatically increases the number of C&C servers

Slide 6: Botnet Command and Control
- Individualized encryption key
  - Servent bot i generates its own symmetric key K_i
  - Any bot connecting with bot i uses K_i
  - A bot must have (IP_i, K_i) in its peer list to connect to bot i
- Individualized service port
  - Servent bot i chooses its port P_i to accept connections
  - A bot must have (IP_i, K_i, P_i) in its peer list to connect to bot i
- Benefits to botmasters:
  - No global exposure if some bots are captured
  - Dispersed network traffic
  - Goes through some firewalls (e.g., HTTP, SMTP, SSH holes)

Slide 7: Botnet Monitoring by the Botmaster
- Botmasters need to know their weapons
  - Botnet size
  - Bot IPs, types (e.g., DHCP ones used for spam)
  - Distribution, bandwidth, diurnal ...
- Monitor via a dynamic sensor
  - Sensor IP given in the monitor command
  - One sensor, one shot, then destroy it
  - Use a sensor's current service to blend in incoming bot traffic

Slide 8: P2P Botnet Construction
- Botnet networked by peer list
- Basic procedures
  - New infection: pass on the peer list
  - Reinfection: mix two peer lists
  - Ensure balanced connectivity

Slide 9: P2P Botnet Construction OK? No!
- A real botnet is small compared to the vulnerable population
  - Most current botnets: size up to 20,000
  - Reinfection happens rarely
  - Topology is not balanced via new infection only
- Simulation results:
  - 500,000 vulnerable population
  - Botnet stops infecting after reaching 20,000
  - Peer list = 20, 21 initial servent bots, 5000 bots are servent bots
  - Results:
    - < 1000 reinfection events
    - Initial servent bots: > 14,000 in-degree
    - 80% of servent bots: < 30 in-degree

Slide 10: P2P Botnet Construction
- Peer-list updating procedure
  - Obtain current servent bot information
  - Ask every bot to connect to the sensor to obtain a new peer list
- Result: all bots have balanced connectivity to the servent bots used in this procedure
  - Running it once is enough for a robust botnet
  - Can be used to reconnect a broken botnet

Slide 11: Botnet Robustness Study
- 500,000 vulnerable population, botnet = 20,000
- Peer list = 20, 5000 bots are servent bots
- Run peer-list updating once when there are 1000 servent bots

Slide 12: Botnet Robustness Analysis
C(p) = 1 - p^M, where M is the peer list size
(plot of C(p) for M = 5, 25, 50, 75, 100)
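As an added example (not code from the paper or its authors), a small Monte Carlo check of the slide 12 formula against a random topology built with the slide 11 parameters. It assumes the model's reading that p is the fraction of servent bots removed at random and C(p) is the fraction of bots that still hold at least one live servent in their M-entry peer list; the last function turns the formula around into the defender's question from slide 13, how much of the servent population a takedown must remove before almost no bot can reach a servent.

```python
"""Monte Carlo check of the robustness model C(p) = 1 - p^M (assumed reading of slide 12).

A bot is cut off only when every one of its M servent peers was removed, so with
random removal of a fraction p of servents the connected fraction is 1 - p^M.
"""
import random


def analytic_connection_ratio(p: float, M: int) -> float:
    """Fraction of bots still connected after a fraction p of servent bots is removed."""
    return 1.0 - p ** M


def build_peer_lists(n_bots: int, n_servents: int, M: int, seed: int = 0):
    """Constructed topology: every bot holds M distinct servent ids drawn at random."""
    rng = random.Random(seed)
    return [rng.sample(range(n_servents), M) for _ in range(n_bots)]


def simulate_connection_ratio(peer_lists, n_servents: int, p: float, seed: int = 0) -> float:
    """Remove round(p * n_servents) servents at random; count bots with any live peer left."""
    rng = random.Random(seed)
    removed = set(rng.sample(range(n_servents), round(p * n_servents)))
    connected = sum(1 for peers in peer_lists if any(s not in removed for s in peers))
    return connected / len(peer_lists)


def removal_fraction_for(M: int, max_connected: float) -> float:
    """Smallest p with C(p) <= max_connected, i.e. p = (1 - max_connected)^(1/M)."""
    return (1.0 - max_connected) ** (1.0 / M)


if __name__ == "__main__":
    # Slide 11 parameters: 20,000 bots, 5,000 servent bots, peer list of 20.
    peer_lists = build_peer_lists(20_000, 5_000, 20, seed=7)
    for p in (0.5, 0.8, 0.95):
        print(f"p={p:.2f}  analytic={analytic_connection_ratio(p, 20):.4f}  "
              f"simulated={simulate_connection_ratio(peer_lists, 5_000, p, seed=11):.4f}")
    # Defender's view: servent fraction to remove so that at most 5% of bots stay connected.
    for M in (5, 25, 50, 75, 100):
        print(f"M={M:3d}  remove >= {removal_fraction_for(M, 0.05):.4f} of servents")
```

With M = 20, removing 80% of servents still leaves about 98.8% of bots connected, which is the "survives with 20% left" point of slide 13; cutting the botnet to 5% connectivity needs over 99.7% of servents removed.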

Slide 13: Defense Against the Botnet
- Shut down the botnet before the first peer-list updating procedure
  - Initial servent bots are the weak points at the beginning
- Honeypot-based defense:
  - Poison control by pretending to be servent bots
  - But the botnet can survive with 20% of servent bots left
  - Clone a large set of "servent" bots

Slide 14: Monitoring Against the Botnet
- Forensic analysis of the botmaster's sensor
  - Could obtain IPs of all reported bots
  - Challenges:
    - Logging of an unknown port service and IP beforehand
    - Distinguishing normal clients from reporting bots
- Honeypot-based monitoring
  - Obtain peer lists in incoming infections
  - Obtain many copies of new peer lists during the peer-list updating procedure

Slide 15: Summary
- P2P-based botnets are much harder to defend against
- Proposed a hybrid P2P botnet
  - Two classes of bots
  - Individualized encryption and service port
  - Limited exposure by each bot
  - Botmaster's monitoring capability
  - Peer-list updating procedure

Slide 16: Discussion
- Any other effective ways to monitor/defend against botnets besides honeypots?
- Is there a way to solve the dilemma of:
  - No exposure of a large part of the botnet?
  - Easy botmaster monitoring and botnet construction without a centralized sensor?
- How soon will botmasters really upgrade the current C&C-based architecture?
- How soon will botmasters care about the honeypot threat?

Slide 17: Points to Add
- Peer-list updating can be used to change the topology of the current botnet
- Study how honeypot monitoring changes as more and more honeypots act as servent bots
  - Could have an analytical model


Slide 19: Weaknesses of Current Botnets
- Control structure with one layer of C&C servers
  - Bottleneck in control
  - Susceptible to monitoring/interception of C&C servers
- Most rely on IRC-based C&C servers
  - Susceptible to IRC-traffic-based monitoring/detection
- Other issues:
  - Most have no or only simple encryption and authentication
  - Have no honeypot detection feature

Slide 20: Botnet Command and Control
- Command authentication
  - Botmaster: private key used for commands
  - Each bot: public key contained in bot code
- Can be done in current botnets
- Not the focus of this paper

