04-07-2012, 03:34 PM
An Advanced Hybrid Peer-to-Peer Botnet
Advanced Hybrid Peer-to-Peer.pdf (Size: 1.39 MB / Downloads: 69)
Abstract
A “botnet” consists of a network of compromised computers controlled by an attacker (“botmaster”). Recently, botnets have
become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and
defend against the botnets that have appeared in the past. More importantly, we should study advanced botnet designs that could be
developed by botmasters in the near future.
INTRODUCTION
In the last several years, Internet malware attacks have
evolved into better-organized and more profit-centered
endeavors. E-mail spam, extortion through denial-of-service
attacks [1], and click fraud [2] represent a few examples of
this emerging trend. “Botnets” are a root cause of these
problems [3], [4], [5]. A “botnet” consists of a network of
compromised computers (“bots”) connected to the Internet
that is controlled by a remote attacker (“botmaster”) [5], [6].
Since a botmaster could scatter attack tasks over hundreds or
even tens of thousands of computers distributed across the
Internet, the enormous cumulative bandwidth and large
number of attack sources make botnet-based attacks extremely
dangerous and hard to defend against.
Current P2P Botnets and Their Weaknesses
Considering the above weaknesses inherent to the centralized
architecture of current C&C botnets, it is a natural
strategy for botmasters to design a peer-to-peer (P2P)
control mechanism into their botnets. In the last several
years, botnets such as Slapper [8], Sinit [9], Phatbot [10], and
Nugache [11] have implemented different kinds of P2P
control architectures. They have shown several advanced
designs. For example, some of them have removed the
“bootstrap” process used in common P2P protocols. Sinit
uses public key cryptography for update authentication [9].
Nugache attempts to thwart detection by implementing an
encrypted/obfuscated control channel [11].
Paper Organization
The rest of this paper is organized as follows: Section 2
introduces related studies. Section 3 introduces the control
communication architecture of the proposed botnet. Section 4
discusses the designs to ensure authentication, security, and
traffic dispersion of command communication. In Section 5,
we present how a botmaster is able to monitor her botnet
reliably and easily. We present how to construct the
proposed botnet in Section 6 and study its robustness
against defense in Section 7. In Section 8, we present possible
defenses against the botnet, and provide simulation studies
and performance analytical models of several defense
themes. We give a few discussions in Section 9, and finally
conclude this paper in Section 10.
RELATED WORK
Botnets are an active research topic in recent years. In 2003,
Puri [13] presented an overview of bots and botnets, and
McCarty [14] discussed how to use a honeynet to monitor
botnets. Arce and Levy presented a good analysis of how
the Slapper worm built its P2P botnet. Barford and
Yegneswaran [15] gave a detailed and systematic dissection
of many well-known botnets that have appeared in the past.
Fig. 1. C&C architecture of a C&C botnet.
Current research on botnets is mainly focused on
monitoring and detection. The authors of [3], [6], [16],
and [17] presented comprehensive studies on using honeypots
to join botnets in order to monitor botnet activities in
the Internet. With the help from Dynamic DNS service
providers, Dagon et al. [4] presented a botnet monitoring
system by redirecting the DNS mapping of a C&C server to
a botnet monitor. Ramachandran et al. [5] presented how
to passively detect botnets by finding botmasters’ queries to
spam DNS-based blackhole list servers (DNSBL).
Command Authentication
Compared with a C&C botnet, because bots in the proposed
botnet do not receive commands from predefined places, it
is especially important to implement strong command
authentication. A standard public-key authentication would
be sufficient. A botmaster generates a pair of public/private
keys, ⟨K+, K−⟩, and hard codes the public key K+ into the
bot program before releasing and building the botnet. There
is no need for key distribution because the public key is
hard-coded in the bot program. Later, the command messages
sent from the botmaster could be digitally signed by the
private key K− to ensure their authentication and integrity.
This public-key-based authentication could also be readily
deployed by current C&C botnets. So botnet hijacking is
not a major issue.
CONCLUSION
To be well prepared for future botnet attacks, we should
study advanced botnet attack techniques that could be
developed by botmasters in the near future. In this paper,
we present the design of an advanced hybrid P2P botnet.
Compared with current botnets, the proposed one is harder
to monitor, and much harder to shut down. It
provides robust network connectivity, individualized encryption
and control traffic dispersion, limited botnet
exposure by each captured bot, and easy monitoring and
recovery by its botmaster.
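Worked example of the command authentication scheme described in the Command Authentication section above. This is added here for illustration; it is not code from the paper or from the attached PDF. It uses Ed25519 from the Go standard library; the wire format (8-byte sequence number, command text, 64-byte signature), the sequence-number replay check, and all type and function names are assumptions made for this example. The paper only calls for signing commands with K− and verifying them with the hard-coded K+; the sequence number is an addition, because a signature alone does not stop a captured message from being replayed to other bots.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire format assumed for this example (not from the paper):
//   payload = 8-byte big-endian sequence number || UTF-8 command text
//   message = payload || 64-byte Ed25519 signature over payload
const seqLen = 8

// Botmaster holds the private key K- and the counter for the next sequence number.
type Botmaster struct {
	priv ed25519.PrivateKey
	seq  uint64
}

// Bot holds only the public key K+ (the part that would be hard-coded in the
// bot binary) and the highest sequence number it has accepted so far.
type Bot struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

// NewBotmaster generates the key pair <K+, K->. K+ is returned separately
// because it is the only key material that ever ships inside the bot program.
func NewBotmaster() (*Botmaster, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Botmaster{priv: priv}, pub, nil
}

// Issue signs a command with K-. The sequence number sits inside the signed
// payload, so a captured message cannot be replayed later (assumed addition).
func (m *Botmaster) Issue(cmd string) []byte {
	m.seq++
	payload := make([]byte, seqLen+len(cmd))
	binary.BigEndian.PutUint64(payload[:seqLen], m.seq)
	copy(payload[seqLen:], cmd)
	sig := ed25519.Sign(m.priv, payload)
	return append(payload, sig...)
}

// Accept verifies the signature under K+ and rejects stale or replayed
// sequence numbers. Only on success does it return the command text.
func (b *Bot) Accept(msg []byte) (string, error) {
	if len(msg) < seqLen+ed25519.SignatureSize {
		return "", errors.New("message too short")
	}
	cut := len(msg) - ed25519.SignatureSize
	payload, sig := msg[:cut], msg[cut:]
	if !ed25519.Verify(b.pub, payload, sig) {
		return "", errors.New("signature does not verify under K+")
	}
	seq := binary.BigEndian.Uint64(payload[:seqLen])
	if seq <= b.lastSeq {
		return "", errors.New("replayed or out-of-order command")
	}
	b.lastSeq = seq
	return string(payload[seqLen:]), nil
}

// ForgeWithFreshKey models a would-be hijacker (or a defender holding a
// captured bot) who knows K+ and the wire format but not K-: the only option
// is to sign with a key pair of their own, which K+ will not verify.
func ForgeWithFreshKey(seq uint64, cmd string) []byte {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := make([]byte, seqLen+len(cmd))
	binary.BigEndian.PutUint64(payload[:seqLen], seq)
	copy(payload[seqLen:], cmd)
	return append(payload, ed25519.Sign(otherPriv, payload)...)
}

func main() {
	master, pub, err := NewBotmaster()
	if err != nil {
		panic(err)
	}
	bot := &Bot{pub: pub}

	genuine := master.Issue("report-peers")
	fmt.Println(bot.Accept(genuine)) // accepted
	fmt.Println(bot.Accept(genuine)) // rejected: replay of sequence number 1

	tampered := append([]byte(nil), genuine...)
	tampered[seqLen] ^= 0x01 // flip one bit of the command text
	fmt.Println(bot.Accept(tampered)) // rejected: signature no longer verifies

	fmt.Println(bot.Accept(ForgeWithFreshKey(99, "self-destruct"))) // rejected: wrong key
}
```

What the example shows from the defender's side: a captured bot yields K+, which is enough to verify (and therefore read, since signing gives integrity and authenticity but not confidentiality) every command that passes through it, but not enough to inject commands of one's own; that is the property behind the paper's remark that botnet hijacking is not a major issue for this design. Conversely, the sequence-number check is what stops a defender or rival from re-sending a genuine signed command that was recorded earlier, a gap the paper's description does not address.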