Abstract
A “botnet” is a network of compromised computers controlled by an attacker (the botmaster). Botnets are one of the most serious threats to today’s Internet. Most current botnets use a centralized command and control (C&C) architecture. However, peer-to-peer (P2P) structured botnets have gradually emerged as a new, more advanced form of botnet. Because P2P networks are distributed by nature, P2P botnets are more resilient to defense countermeasures. In this chapter, we first systematically study P2P botnets along multiple dimensions: bot candidate selection, network construction, C&C communication mechanisms and protocols, and mitigation approaches. We then provide a mathematical analysis of two P2P botnet elimination approaches (index poisoning defense and Sybil defense) and one P2P botnet monitoring technique (passive monitoring based on infiltrated honeypots or captured bots). Simulation experiments show that our mathematical analysis is accurate.
© 2015 Springer International Publishing Switzerland
Cite this chapter
Wang, P., Wu, L., Aslam, B., Zou, C.C. (2015). Analysis of Peer-to-Peer Botnet Attacks and Defenses. In: Król, D., Fay, D., Gabryś, B. (eds) Propagation Phenomena in Real World Networks. Intelligent Systems Reference Library, vol 85. Springer, Cham. https://doi.org/10.1007/978-3-319-15916-4_8
DOI: https://doi.org/10.1007/978-3-319-15916-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15915-7
Online ISBN: 978-3-319-15916-4
eBook Packages: Engineering (R0)