Post on 01-Jan-2016
1
An Advanced Hybrid Peer-to-Peer Botnet
Ping Wang, Sherri Sparks, Cliff C. ZouSchool of Electrical Engineering & Computer
ScienceUniversity of Central Florida, Florida
2
Motivation
Most researches target current botnets only Rely on current botnet’s architecture,
infection methods, and control network Study current botnets is important, but not enough
May not work if botmasters upgrade their future botnets
We must study one step ahead How botnets will evolve? How to defend future botnets?
3
Current Botnet Control Architecture
bot bot
C&C
botmaster
bot
C&C
4
Peer-to-Peer (P2P) based Control Architecture?
C&C P2P control is a natural evolution P2P-based botnet is much harder to shut
down But the P2P upgrade is not so simple
Current P2P protocols are not suitable Easy exposure of botnet members Excess traffic susceptible to detection Bootstrap process against the design goal
Botmasters need easy control/monitor of their botnets
5
Proposed Hybrid P2P Botnet
Servent bots: static IPs, able to receive connections Static IP requirement ensures a stable, long lifetime control topology
Each bot connects to its “peer list” Only servent bot IPs are in peer lists
Servent bots
Client botsbot bot
C&C
botmaster
bot
C&C
Dramatically increase the number of C&C servers
6
Botnet Command and Control
Individualized encryption key Servent bot i generates its own symmetric key Ki
Any bot connecting with bot i uses Ki
A bot must have (IPi, Ki) in its peer list to conect bot i
Individualized service port Servent bot i chooses its port Pi to accept connections A bot must have (IPi, Ki, Pi) in its peer list to connect
bot i Benefits to botmasters:
No global exposure if some bots are captured Dispersed network traffic Go through some firewalls (e.g., HTTP, SMTP, SSH holes)
7
Botnet Monitor by Botmaster
Botmasters need to know their weapons Botnet size; bot IPs, types (e.g., DHCP ones used for
spam) Distribution, bandwidth, diurnal …
Monitor via dynamical sensor Sensor IP given in monitor command One sensor, one shot, then destroy it Use a sensor’s current service to blend
incoming bot traffic
8
P2P Botnet Construction
Botnet networked by peer list Basic procedures
New infection: pass on peer list Reinfection: mix two peer lists
Ensure balanced connectivity
9
P2P Botnet Construction
OK? No! Real botnet is small compared to vulnerable
population Most current botnet size 20,000 Reinfection happens rarely
Not balanced topology via new infection only Simulation results:
500,000 vulnerable population Botnet stops infection after reach 20,000
Peer list = 20, 21 initial servent bots, 5000 bots are servent bots
Results: < 1000 reinfection events Initial servent bots: > 14,000 in-degree 80% of servent bots: < 30 in-degree
10
P2P Botnet Construction
Peer-list updating procedure Obtain current servent bots information Ask every bot connect to sensor to obtain a
new peer list
Result: all bots have balanced connectivity to servent bots used in this procedure Use once is enough for a robust botnet Can be used to reconnect a broken botnet
11
Botnet Robustness Study
500,000 vulnerable population, botnet = 20,000 Peer list = 20, 5000 bots are servent bots Run peer-list updating once when having 1000 servent bots
12
Botnet Robustness Analysis
C(p)=1-pM
M: peer list size
5 25 50 75 100
13
Defense Against the Botnet
Shut down a botnet before the first peer-list updating procedure Initial servent bots are the weak points at
beginning
Honeypot based defense: Poison control by pretending as servent bots
But the botnet can survive with 20% servent bots left
Clone a large set of “servent” bots
14
Monitor Against the Botnet
Forensic analysis of botmaster’s sensor Could obtain IPs of all reported bots Challenge:
Logging of unknown port service and IP beforehand
Distinguish normal clients from reporting bots
Honeypot-based monitoring Obtain peer lists in incoming infections Obtain many copies of new peer lists in
peer-list updating procedure
15
Summary
P2P based botnets are much harder to defend
Proposed a hybrid P2P botnet Two classes of bots Individualized encryption and service port Limited exposure by each bot Botmaster’s monitoring capability Peer-list updating procedure
16
Discussion
Any other effective ways to monitor/defend botnets besides honeypot?
Is there a way to solve the dilemma of: No exposure of a large part of botnet? Easy botmaster’s monitoring and botnet
construction without centralized sensor?
How soon will botmasters really upgrade current C&C-based architecture?
How soon will botmasters care of honeypot threat?
17
Points to Add
Peer-list updating can be used to change the topology of current botnet
Study how honeypot monitoring changes if more and more honeypots being as servent bots Could have an analytical model
18
19
Weaknesses of Current Botnets
Control structure by one layer of C&C servers Bottleneck in control Susceptible to monitor/interception of C&C
servers
Most rely on IRC based C&C servers Susceptible to IRC traffic based monitor/detection
Other issues: Most have no or simple encryption, authentication Have no honeypot detection feature
20
Botnet Command and Control
Command authentication Botmaster: private key used for commands Each bot: public key contained in bot code
Can be done in current botnets Not the focus of this paper