An Advanced Hybrid Peer-to-Peer Botnet

Ping Wang, Sherri Sparks, and Cliff C. Zou, Member, IEEE

Abstract

A botnet consists of a network of compromised computers controlled by an attacker (botmaster). Recently, botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and defend against the botnets that have appeared in the past. More importantly, we should study advanced botnet designs that could be developed by botmasters in the near future. In this paper, we present the design of an advanced hybrid peer-to-peer botnet. Compared with current botnets, the proposed botnet is harder to shut down, monitor, and hijack. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. In the end, we suggest and analyze several possible defenses against this advanced botnet.

Index Terms

Botnet, peer-to-peer, robustness, honeypot

1 INTRODUCTION

In the last several years, Internet malware attacks have evolved into better organized and more profit-centered endeavors. Email spam, extortion through denial-of-service attacks, and click fraud represent a few examples of this emerging trend. Botnets are a root cause of these problems. A botnet consists of a network of compromised computers (bots) connected to the Internet that is controlled by a remote attacker (botmaster). Since a botmaster could scatter attack tasks over hundreds or even tens of thousands of computers distributed across the Internet, the enormous cumulative bandwidth and large number of attack sources make botnet-based attacks extremely dangerous and hard to defend against.

Compared to other Internet malware, the unique feature of a botnet lies in its control communication network. Most botnets that have appeared until now have had a common centralized architecture. That is, bots in the botnet connect directly to some special hosts (called command-and-control servers, or C&C servers). These C&C servers receive commands from their botmaster and forward them to the other bots in the network. From now on we will call a botnet with such a control communication architecture a C&C botnet. Fig. 1 shows the basic control communication architecture for a typical C&C botnet (in reality, a C&C botnet usually has more than two C&C servers). Arrows represent the directions of network connections.

As botnet-based attacks become popular and dangerous, security researchers have studied how to detect, monitor, and defend against them. Most of the current research has focused upon the C&C botnets that have appeared in the past, especially Internet Relay Chat (IRC) based botnets. It is necessary to conduct such research in order to deal with the threat we are facing today. However, ...