
Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao.


1 Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao

2
- Introduction
- Proposed hybrid P2P botnet
- Two classes of bots
- Command and control
- Botmaster's monitoring
- Botnet construction
- Botnet robustness study
- Defences against the proposed botnet
- Discussions
- Summary

3
- Most current research focuses on existing botnets.
- Studying current botnets is important, but not enough.
- Botmasters may upgrade their future botnets.
- It is necessary to conduct research on possible advanced future botnets.
  - How will botnets evolve?
  - How can we defend against future botnets?

4
- Phatbot utilizes Gnutella cache servers for the bootstrap process.
  - Easy to shut down or block
- Sinit removes the bootstrap procedure and uses random probing to find other bots.
  - Poor connectivity
- Slapper does not implement command encryption and authentication.
  - Easy to hijack

5
- Proposed a hybrid P2P botnet with the following features:
  - Two classes of bots: servent and client
  - Command authentication and individualized encryption
  - Limited-size peer lists
  - Dynamically changeable sensors for bot monitoring
  - No bootstrap procedure
  - Balanced and robust connectivity
- Analyzed several possible defences against this botnet

6
- Servent (server + client) bot
  - Public static IP address
- Client bot
  - Dynamic IP, private IP, behind firewalls, ...
- Only servents appear in the peer list.
- Servents act as C&C servers.
  - Contains many more C&C servers than other botnets do

7
- Command authentication
  - Digital signature
  - Prevents hijacking
- Individualized command encryption key
  - Symmetric encryption is used instead.
  - Each bot keeps a list of tuples (IP_i, K_i, P_i) in its peer list.
  - Messages between bots and servent i are encrypted with the key K_i.

8
- Individualized service port
  - Each servent i picks port P_i for communication.
  - The port can be randomly selected or chosen from standard encrypted-service ports like SSH (22), HTTPS (443), IMAPS (993), etc.
- Benefits for botmasters
  - Prevents hijacking
  - No global exposure if some bots are captured
  - Dispersed network traffic, difficult to detect

9
- Botmasters need to know:
  - Bot ID (used to find NAT and DHCP)
  - Bot population, connectivity, bandwidth, diurnal dynamics, ...
  - IP address types (DHCP ones can be used for spam)
- Challenge: monitoring should be easy for botmasters but difficult for defenders.
- Monitor via dynamically changeable sensors
  - Each bot sends its information to one or more sensors after receiving the report command.
  - A botmaster can change the role of sensors each time she issues the report command.

10
- A botnet is networked by peer lists.
- There are some initial servent bots.
- New infection
  - Bot A passes its peer list to B when infecting B.
  - A and B may add each other to their lists.
- Reinfection (A infects B)
  - B updates its list based on A's list.
  - Reinfection improves connectivity.
  - A cannot get B's list (prevents recursive infection).

11
- The updating procedure
  - It is triggered by the update command.
  - Every bot gets an updated peer list from a specified sensor.
- Benefits
  - Balances the connectivity
  - Reconnects broken botnets
- Risks
  - Exposes parts of the botnet to defenders

12
- 20,000 bots, including 5000 servents
- Peer list size = 20
- The peer-list updating procedure runs once, when 1000 servents are infected.
- Connection degree
  - 300 ~ 500 for the first 1000 servents
  - 20 ~ 30 for the rest

13

14 Formula: C(p) = 1 - p^M

15
- Annihilation
  - Attack initial bots
    - Quick detection is required for defenders.
  - Attack servents
    - It is easier to attack if the number of servents is small.
  - Use honeypot techniques
    - Defenders can pretend to be servents and then shut down the botnet.
    - A large number of defenders is required because the botnet can survive with 20% of servents left.
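As an added worked example (not part of the slides or of the paper's own code), the formula on slide 14 and the "survives with 20% of servents left" remark on slide 15 can be checked numerically with the slides' own parameters (20,000 bots, 5000 servents, peer-list size M = 20). The script assumes p denotes the fraction of servent bots that defenders have removed, which the slide does not state, and it builds random peer lists of its own construction to cross-check p^M by simulation:

```python
"""Robustness of the limited-size peer-list design from a defender's view.

Slide 14 gives C(p) = 1 - p^M.  Here p is read as the fraction of servent
bots removed by defenders (assumption: the slide does not define p).  A bot
loses C&C connectivity only when every one of the M servents in its peer
list is gone, so the disconnected fraction is p^M and C(p) is what remains.
"""
import random


def connected_fraction(p: float, M: int) -> float:
    """Analytic C(p) = 1 - p^M: fraction of bots still reaching a live servent."""
    return 1.0 - p ** M


def removal_fraction_needed(disconnect_target: float, M: int) -> float:
    """Invert the formula: fraction p of servents that must be removed so that
    a fraction `disconnect_target` of bots loses all M listed peers."""
    return disconnect_target ** (1.0 / M)


def simulate_disconnected_fraction(num_bots: int, num_servents: int, M: int,
                                   p: float, seed: int = 1) -> float:
    """Monte Carlo cross-check of p^M on constructed random peer lists.

    Each bot's peer list holds M distinct servents drawn uniformly; a random
    fraction p of the servents is then removed.  Returns the observed fraction
    of bots whose whole peer list was removed.  This is a constructed toy
    model, not the paper's simulator.
    """
    rng = random.Random(seed)
    servents = range(num_servents)
    peer_lists = [rng.sample(servents, M) for _ in range(num_bots)]
    removed = set(rng.sample(servents, round(p * num_servents)))
    cut_off = sum(1 for peers in peer_lists if all(s in removed for s in peers))
    return cut_off / num_bots


def robustness_table(M: int = 20):
    """Rows of (p, C(p)) for a range of servent-removal fractions."""
    return [(p, connected_fraction(p, M)) for p in (0.2, 0.5, 0.8, 0.9, 0.95, 0.99)]


if __name__ == "__main__":
    for p, c in robustness_table():
        print(f"remove {p:4.0%} of servents -> {c:8.3%} of bots still connected")
    print(f"to disconnect half the bots, remove "
          f"{removal_fraction_needed(0.5, 20):.1%} of servents")
    sim = simulate_disconnected_fraction(20000, 5000, 20, 0.8)
    print(f"simulated disconnected fraction at p=0.8: {sim:.4f} "
          f"(analytic p^M = {0.8 ** 20:.4f})")
```

Running it shows why the slide calls for a large number of defenders: with M = 20, removing 80% of the servents still leaves about 98.8% of the bots connected, and roughly 96.6% of the servents would have to be taken down before even half of the bots lose every peer. The simulation lands slightly below p^M because peers are drawn without replacement from a finite servent pool, which is the direction a defender would want to know before trusting the closed form.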

16
- Opportunities
  - Collect information as bots report themselves to sensors
  - Learn the target in an attack command and try to prevent the attack
  - Get peer lists during peer-list updating

17

18
- I = 20000, number of bots
- K = 1000, number of servents before peer-list updating
- M = 20, peer list size
- n: number of honeypots

19
- K = 1000, number of servents used in peer-list updating
- M = 20, peer list size
- x: number of infection attempts

20
- Detecting honeypots is important for botmasters.
- Shutting down a botnet is harder than monitoring it.
- The centralized sensor hosts are not as weak as the C&C servers in other botnets.
- Connectivity maintenance and C&C communication are separated.

21
- It is important to be well prepared for such possible attacks in the future.
- A robust P2P botnet is proposed.
  - Two classes of bots
  - Command authentication, individualized encryption and service port
  - Botmaster's monitoring capability
  - Botnet construction
- The botnet robustness is studied.
- Honeypot-based defences are analyzed.

