Analysis of Peer-to-Peer Botnet Attacks and Defenses

Chapter in: Propagation Phenomena in Real World Networks

Part of the book series: Intelligent Systems Reference Library (ISRL, volume 85)

Abstract

A “botnet” is a network of compromised computers controlled by an attacker (the botmaster). Botnets are one of the most serious threats to today’s Internet. Most current botnets use a centralized command and control (C&C) architecture; however, peer-to-peer (P2P) structured botnets have gradually emerged as a new, more advanced form of botnet. Because P2P networks have no single point of control, P2P botnets are more resilient to defense countermeasures. In this chapter we first systematically study P2P botnets along multiple dimensions: bot candidate selection, network construction, C&C communication mechanisms and protocols, and mitigation approaches. We then provide a mathematical analysis of two P2P botnet elimination approaches (index poisoning defense and Sybil defense) and of one P2P botnet monitoring technique (passive monitoring based on infiltrated honeypots or captured bots). Simulation experiments show that our mathematical analysis is accurate.


Notes

  1. Index poisoning was introduced by media companies to prevent illegal distribution of copyrighted content in P2P networks [36], while the Sybil attack was used to subvert a reputation system in P2P networks [17].

  2. The value of \(\Delta b\) was estimated in [58]: 3.25 is the worst case, while 6.98 is the best case.

  3. An estimate given in [58] is that the Kad network has around 980,000 concurrent peers. The authors of [51] claimed that the peer population of the Kad network is between \(12{,}000 \times 2^8\) and \(20{,}000 \times 2^8\).

  4. Please refer to the paper [58] for the detailed formulas to compute \(\Delta b\) given the routing table structure \(D(b,r,k)\).

References

  1. Symantec Security Response. http://www.symantec.com/security_response/index.jsp

  2. Kad network. http://en.wikipedia.org/wiki/Kad_network

  3. eMule. http://www.emule-project.net/

  4. SdDrop. http://www.viruslist.com/en/viruses/encyclopedia?virusid=24282

  5. Andriesse, D., Rossow, C., Stone-Gross, B., Plohmann, D., Bos, H.: Highly resilient peer-to-peer botnets are here: an analysis of Gameover Zeus. In: Proceedings of the 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE) (2013)

  6. Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M.: A survey of botnet technology and defenses. In: Proceedings of the 2009 Cybersecurity Applications and Technology Conference for Homeland Security (2009)

  7. Barford, P., Yegneswaran, V.: An inside look at botnets. In: Advances in Information Security series (2006)

  8. Baumgart, I., Heep, B., Krause, S.: OverSim: a flexible overlay network simulation framework. In: Proceedings of the 10th IEEE Global Internet Symposium (GI’07), in conjunction with IEEE INFOCOM’07, Anchorage, AK (2007)

  9. Bhaduri, K., Das, K., Kargupta, H.: Peer-to-peer data mining, privacy issues, and games. 4476, 1–10 (2007)

  10. Chang, S., Daniels, T.E.: P2P botnet detection using behavior clustering and statistical tests. In: Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence (AISec’09), Chicago (2009)

  11. Chang, S., Zhang, L., Guan, Y., Daniels, T.E.: A framework for P2P botnets. In: Proceedings of the 2009 International Conference on Communications and Mobile Computing (CMC’09), Kunming, Yunnan, China (2009)

  12. Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the inside: a view of botnet management from infiltration. In: Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Jose, CA (2010)

  13. Dagon, D., Gu, G., Lee, C., Lee, W.: A taxonomy of botnet structures. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07) (2007)

  14. Dagon, D., Zou, C.C., Lee, W.: Modeling botnet propagation using time zones. In: Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06) (2006)

  15. Damfling, H.: Gnutella web caching system. http://www.gnucleus.org/gwebcache/specs.html

  16. Davis, C.R., Fernandez, J.M., Neville, S., McHugh, J.: Sybil attacks as a mitigation strategy against the Storm botnet. In: Proceedings of the 3rd International Conference on Malicious and Unwanted Software (Malware’08) (2008)

  17. Douceur, J.R.: The Sybil attack. In: Proceedings of the 1st International Workshop on Peer-to-Peer Systems (2002)

  18. Enright, B., Voelker, G., Savage, S., Kanich, C., Levchenko, K.: Storm: when researchers collide. USENIX ;login: 33(4) (2008)

  19. Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B., Dagon, D.: Peer-to-peer botnets: overview and case study. In: Proceedings of the 1st USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), Cambridge, MA (2007)

  20. Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium (Security’08) (2008)

  21. Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: detecting malware infection through IDS-driven dialog correlation. In: Proceedings of the 16th USENIX Security Symposium (Security’07) (2007)

  22. Gu, G., Yegneswaran, V., Porras, P., Stoll, J., Lee, W.: Active botnet probing to identify obscure command and control channels. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC’09), Hawaii (2009)

  23. Gu, G., Zhang, J., Lee, W.: BotSniffer: detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08) (2008)

  24. Ha, D.T., Yan, G., Eidenbenz, S., Ngo, H.Q.: On the effectiveness of structural detection and defense against P2P-based botnets. In: Proceedings of the 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’09), Estoril, Lisbon, Portugal (2009)

  25. Han, Q., Yu, W., Zhang, Y., Zhao, Z.: Modeling and evaluating of typical advanced peer-to-peer botnet. Perform. Eval. 72, 1–15 (2014)

  26. Hayes, T.P., Saia, J., Trehan, A.: The forgiving graph: a distributed data structure for low stretch under adversarial attack. Distrib. Comput. 25(4), 261–278 (2012)

  27. Holz, T., Steiner, M., Dahl, F., Biersack, E.W., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on Storm worm. In: Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, USA (2008)

  28. Jelasity, M., Bilicki, V.: Towards automated detection of peer-to-peer botnets: on the limits of local approaches. In: Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET’09), Boston, MA (2009)

  29. Kang, B.B., Chan-Tin, E., Lee, C.P., Tyra, J., Kang, H.J., Nunnery, C., Wadler, Z., Sinclair, G., Hopper, N., Dagon, D., Kim, Y.: Towards complete node enumeration in a peer-to-peer botnet. In: Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security (ASIACCS), Sydney, Australia (2009)

  30. Kanich, C., Levchenko, K., Enright, B., Voelker, G.M., Savage, S.: The Heisenbot uncertainty problem: challenges in separating bots from chaff. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, CA (2008)

  31. Kolesnikov, O., Dagon, D., Lee, W.: Advanced polymorphic worms: evading IDS by blending in with normal traffic. Technical Report, Georgia Institute of Technology (2004–2005)

  32. Kreibich, C., Kanich, C., Levchenko, K., Enright, B., Voelker, G.M., Paxson, V., Savage, S.: On the spam campaign trail. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, CA (2008)

  33. Kreibich, C., Kanich, C., Levchenko, K., Enright, B., Voelker, G.M., Paxson, V., Savage, S.: Spamcraft: an inside look at spam campaign orchestration. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, Boston, MA (2009)

  34. Król, D.: Propagation phenomenon in complex networks: theory and practice. New Gener. Comput. 32(3–4), 187–192 (2014)

  35. Li, Z., Goyal, A., Chen, Y., Paxson, V.: Automating analysis of large-scale botnet probing events. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security (2009)

  36. Liang, J., Naoumov, N., Ross, K.W.: The index poisoning attack in P2P file sharing systems. In: Proceedings of IEEE INFOCOM, Barcelona (2006)

  37. Louzada, V.H., Daolio, F., Herrmann, H.J., Tomassini, M.: Smart rewiring for network robustness. J. Complex Netw. 1(2), 150–159 (2013)

  38. Lu, W., Tavallaee, M., Ghorbani, A.A.: Automatic discovery of botnet communities on large-scale communication networks. In: Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security (ASIACCS), Sydney, Australia (2009)

  39. Maymounkov, P., Mazieres, D.: Kademlia: a peer-to-peer information system based on the XOR metric. In: Proceedings of the 1st International Workshop on Peer-to-Peer Systems, pp. 53–65 (2002)

  40. Trend Micro: Taxonomy of botnet threats (2006)

  41. Nunnery, C., Sinclair, G., Kang, B.B.: Tumbling down the rabbit hole: exploring the idiosyncrasies of botmaster systems in a multi-tier botnet infrastructure. In: Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Jose, CA (2010)

  42. Pitsillidis, A., Levchenko, K., Kreibich, C., Kanich, C., Voelker, G.M., Paxson, V., Weaver, N., Savage, S.: Botnet judo: fighting spam with itself. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA (2010)

  43. Porras, P., Saidi, H., Yegneswaran, V.: A multi-perspective analysis of the Storm (Peacomm) worm. Technical Report, SRI (2007)

  44. Ramachandran, K., Sikdar, B.: Modeling malware propagation in Gnutella type peer-to-peer networks. In: Proceedings of the 20th International Parallel and Distributed Processing Symposium (IPDPS’06), Rhodes Island, Greece (2006)

  45. Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H.: SoK: P2PWNED - modeling and evaluating the resilience of peer-to-peer botnets. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (2013)

  46. Ruitenbeek, E.V., Sanders, W.H.: Modeling peer-to-peer botnets. In: Proceedings of the 5th International Conference on Quantitative Evaluation of Systems (QEST’08), St Malo (2008)

  47. Schneider, C.M., Moreira, A.A., Andrade, J.S., Havlin, S., Herrmann, H.J.: Mitigation of malicious attacks on networks. Proc. Natl. Acad. Sci. USA 108, 3838–3841 (2011)

  48. Singh, K., Guntuku, S.C., Thakur, A., Hota, C.: Big data analytics framework for peer-to-peer botnet detection using random forests. Inf. Sci. (2014)

  49. Spitzner, L.: Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co., Inc., Boston (2002)

  50. Starnberger, G., Kruegel, C., Kirda, E.: Overbot: a botnet protocol based on Kademlia. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm) (2008)

  51. Steiner, M., En-Najjary, T., Biersack, E.W.: A global view of KAD. In: Proceedings of the ACM Internet Measurement Conference (IMC), San Diego, USA (2007)

  52. Steiner, M., En-Najjary, T., Biersack, E.W.: Exploiting KAD: possible uses and misuses. 37(5), 65–70 (2007)

  53. Stewart, J.: Inside the Storm: protocols and encryption of the Storm botnet. Black Hat USA (2008). http://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

  54. Stock, B., Goel, J., Engelberth, M., Freiling, F.C.: Walowdac: analysis of a peer-to-peer botnet. In: Proceedings of the European Conference on Computer Network Defense (EC2ND’09) (2009)

  55. Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.: Chord: a scalable peer-to-peer lookup service for Internet applications. In: Proceedings of ACM SIGCOMM, San Diego, CA (2001)

  56. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of ACM CCS, Chicago, IL (2010)

  57. Stover, S., Dittrich, D., Hernandez, J., Dietrich, S.: Analysis of the Storm and Nugache trojans: P2P is here. USENIX ;login: 32(6), 18–27 (2007)

  58. Stutzbach, D., Rejaie, R.: Improving lookup performance over a widely-deployed DHT. In: Proceedings of IEEE INFOCOM, Barcelona, Spain (2006)

  59. Thommes, R., Coates, M.: Epidemiological modelling of peer-to-peer viruses and pollution. In: Proceedings of IEEE INFOCOM, Barcelona (2006)

  60. Villamarín-Salomón, R., Brustoloni, J.C.: Bayesian bot detection based on DNS traffic similarity. In: Proceedings of the 24th Annual ACM Symposium on Applied Computing (SAC’09), Honolulu, Hawaii (2009)

  61. Vogt, R., Aycock, J., Jacobson, M.: Army of botnets. In: Proceedings of the 2007 Network and Distributed System Security Symposium (NDSS) (2007)

  62. Wang, P., Aslam, B., Zou, C.C.: Peer-to-peer botnets. In: Stavroulakis, P., Stamp, M. (eds.) Handbook of Information and Communication Security. Springer, New York (2010)

  63. Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet. In: Proceedings of the 1st USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), Cambridge, MA (2007)

  64. Wang, P., Tyra, J., Chan-Tin, E., Malchow, T., Kune, D.F., Hopper, N., Kim, Y.: Attacking the Kad network. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm’08) (2008)

  65. Wang, P., Wu, L., Aslam, B., Zou, C.C.: A systematic study on peer-to-peer botnets. In: Proceedings of the International Conference on Computer Communications and Networks (ICCCN) (2009)

  66. Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically generating models for botnet detection. In: Proceedings of the 14th European Symposium on Research in Computer Security (ESORICS), Saint Malo, France (2009)

  67. Xie, L., Zhu, S.: A feasibility study on defending against ultra-fast topological worms. In: Proceedings of the 7th IEEE International Conference on Peer-to-Peer Computing (P2P’07), Galway, Ireland (2007)

  68. Yu, W., Boyer, P.C., Chellappan, S., Xuan, D.: Peer-to-peer system-based active worm attacks: modeling and analysis. In: Proceedings of the IEEE International Conference on Communications (ICC) (2005)

  69. Zhou, L., Zhang, L., McSherry, F., Immorlica, N., Costa, M., Chien, S.: A first look at peer-to-peer worms: threats and defenses. In: Proceedings of the 4th International Workshop on Peer-to-Peer Systems (IPTPS’05) (2005)

  70. Zhu, Z., Lu, G., Chen, Y., Fu, Z.J., Roberts, P., Han, K.: Botnet research survey. In: Proceedings of the 32nd Annual IEEE International Computer Software and Applications Conference (COMPSAC’08) (2008)

Author information

Corresponding author: Ping Wang


Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Wang, P., Wu, L., Aslam, B., Zou, C.C. (2015). Analysis of Peer-to-Peer Botnet Attacks and Defenses. In: Król, D., Fay, D., Gabryś, B. (eds) Propagation Phenomena in Real World Networks. Intelligent Systems Reference Library, vol 85. Springer, Cham. https://doi.org/10.1007/978-3-319-15916-4_8

  • DOI: https://doi.org/10.1007/978-3-319-15916-4_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-15915-7
  • Online ISBN: 978-3-319-15916-4
