
Sybil attacks as a mitigation strategy against the Storm botnet


Presentation Transcript


  1. Sybil attacks as a mitigation strategy against the Storm botnet Authors: Carlton R. Davis, José M. Fernandez, Stephen Neville, John McHugh Presenter: Chia-Li Lin

  2. Outline • Introduction • Storm botnet • DHT • k-buckets and lists • Dynamic lists • Four message types • Sybil attack • Goals and parameters • Simulation data • Failure factors • Conclusion

  3. Introduction The Storm botnet is currently one of the most sophisticated botnet infrastructures. • IRC bot: easy to detect and disrupt once the C&C server is identified • Peer-to-peer (P2P) bot: no single server to take down, so more resilient

  4. Storm Botnet • Storm uses a modified Overnet P2P protocol for its communication architecture. • The main difference between Storm's network and a regular Overnet network is that Storm nodes XOR-encrypt their messages with a 40-bit key. • Regular Overnet nodes do not encrypt their messages. • Note that a short XOR key of this kind is obfuscation rather than real confidentiality: it separates Storm traffic from ordinary Overnet clients, but it does not protect the traffic from an analyst who recovers the key.

  5. DHT • Overnet implements the Kademlia distributed hash table (DHT) algorithm. • Each node participating in an Overnet network generates a 128-bit ID for itself when it first joins the network.

  6. k-buckets and lists • Each node in an Overnet network stores contact information about some of the other nodes in the network, in order to route query messages appropriately. This information is organised in lists. • Lists of (IP address, UDP port, ID) triplets • Each triplet is written in the form <ID>=<IP><port>00 • <ID> is the 128-bit node ID (32 hex digits) • <IP><port> is the IP address (8 hex digits) and the UDP port (4 hex digits), followed by the byte 00 • Example: 008052D5853A3B3D2A9B84190975BAFD=53855152054A00
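The following parser is an added example for this slide's triplet format; it is not code from the paper or from the presenter. It assumes the IPv4 address and UDP port are written in network byte order (the slide gives the layout but not the byte order) and treats the trailing 00 as a fixed marker byte. Under that assumption the slide's sample entry decodes to 83.133.81.82 on UDP port 1354.

```python
import ipaddress

# Constructed sample: the peer-list entry shown on the slide, in <ID>=<IP><port>00 form.
SAMPLE_ENTRY = "008052D5853A3B3D2A9B84190975BAFD=53855152054A00"


def parse_peer_entry(entry: str) -> dict:
    """Decode one Overnet/Storm peer-list entry into a (node ID, IP, UDP port) triplet.

    Layout taken from the slide: 32 hex digits of 128-bit node ID, '=', 8 hex digits
    of IPv4 address, 4 hex digits of UDP port, then the literal byte '00'.
    Assumption (not stated on the slide): IP and port are in network byte order.
    """
    node_id_hex, sep, rest = entry.strip().partition("=")
    if sep != "=" or len(node_id_hex) != 32 or len(rest) != 14:
        raise ValueError(f"malformed peer entry: {entry!r}")
    try:
        node_id = int(node_id_hex, 16)
        ip = ipaddress.IPv4Address(bytes.fromhex(rest[0:8]))
        port = int(rest[8:12], 16)
    except ValueError as exc:
        raise ValueError(f"non-hex field in peer entry: {entry!r}") from exc
    if rest[12:14] != "00":
        raise ValueError(f"unexpected trailer {rest[12:14]!r} in {entry!r}")
    if port == 0:
        raise ValueError("UDP port 0 is not a usable contact port")
    return {"id": node_id, "ip": str(ip), "port": port}


def format_peer_entry(node_id: int, ip: str, port: int) -> str:
    """Inverse of parse_peer_entry, producing upper-case hex as on the slide."""
    if not 0 <= node_id < 1 << 128:
        raise ValueError("node ID must fit in 128 bits")
    if not 1 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    ip_hex = ipaddress.IPv4Address(ip).packed.hex().upper()
    return f"{node_id:032X}={ip_hex}{port:04X}00"


def parse_peer_list(text: str) -> list:
    """Parse a whole peer list (one entry per line), skipping blank lines and
    dropping duplicate node IDs so that one node cannot occupy two slots."""
    seen, peers = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        peer = parse_peer_entry(line)
        if peer["id"] not in seen:
            seen.add(peer["id"])
            peers.append(peer)
    return peers


if __name__ == "__main__":
    print(parse_peer_entry(SAMPLE_ENTRY))
```

Rejecting malformed or duplicate entries at parse time matters when the list comes from an untrusted peer: a node that silently accepted garbage or repeated IDs would give an attacker extra slots in its peer list.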

  7. Dynamic k-buckets (lists) When a node receives a message from a peer: • If the peer is already in the recipient's k-bucket, move it to the tail of the k-bucket. • Otherwise, if there is room left in the k-bucket, the peer's triplet is simply added to the tail. • If there is no room left, ping the node at the head of the k-bucket (the least-recently seen). • If the head node does not respond, it is evicted from the k-bucket and the recipient adds the new peer to the tail. • If the head node responds, the new peer's contact is discarded.

  8. Four Message Types The Kademlia protocol (which Overnet implements) provides the four message types outlined below: • PING: probe whether a node is online • STORE: ask a node to store a <key, value> pair • FIND_NODE: ask a node for the contacts it knows that are closest to a given node ID • FIND_VALUE: search for the value stored under a key (behaves like FIND_NODE if the recipient does not hold it)

  9. Sybil Attack • Holz, Steiner, Dahl, Biersack and Freiling, in “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm”, showed how sybils can be used to infiltrate the Storm botnet. • Thousands of sybils can be created on a single physical machine.

  10. Simulation steps The simulated sybils (a) send PING, FIND_NODE and FIND_VALUE messages to non-sybil nodes in an attempt to get their IDs into those nodes' peer lists, and (b) respond to FIND_NODE and FIND_VALUE queries with false information.

  11. Three Goals • What effect does the Sybil growth rate have when it is: • equal to the botnet growth rate • half the botnet growth rate • twice the botnet growth rate • What effect does the duration of the Sybil attack have on the degree of success in disrupting the botnet's communication? • Do botnet design choices, such as the size of the peer list, have any bearing on the effectiveness of Sybil attacks?

  12. r-Reachability • The metric used to assess the effectiveness of the Sybil attack in disrupting the botnet C&C infrastructure

  13. Insertion Ratio of Sybils • IR = SI / (N · l) • IR: insertion ratio of sybils in the peer lists • SI: total number of occurrences of sybils in the peer lists • N · l: the product of the final number of nodes (N) and the peer-list size (l), i.e. the total number of peer-list slots
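The block below is an added example, not the paper's simulator or the presenter's code, that ties slides 7, 10 and 13 together: it implements the k-bucket update rule from slide 7, runs a small constructed version of step (a) from slide 10 (sybils announcing themselves to honest nodes; the false-response step (b) is not modelled), and then computes the insertion ratio IR = SI / (N · l) from slide 13 over the resulting peer lists. Assumptions made here and nowhere in the slides: each honest node keeps one peer list of size l modelled as a single k-bucket with k = l; honest and sybil node IDs are drawn from two made-up ranges; N counts the honest nodes that hold a peer list; and a chosen set of honest peers goes offline after the lists are filled.

```python
from collections import OrderedDict
from typing import Callable, Dict, Iterable, Set, Tuple

# A peer-list entry is the (IP address, UDP port, node ID) triplet from slide 6.
Peer = Tuple[str, int, int]
HONEST_BASE, SYBIL_BASE = 0x1000, 0x9000  # constructed ID ranges for the demo


class KBucket:
    """One Kademlia k-bucket of capacity k, ordered least- to most-recently seen."""

    def __init__(self, k: int) -> None:
        self.k = k
        self._peers: "OrderedDict[int, Peer]" = OrderedDict()  # keyed by node ID

    def ids(self) -> list:
        return list(self._peers)

    def update(self, peer: Peer, ping: Callable[[Peer], bool]) -> str:
        """Apply the slide-7 rule for a message received from `peer`.

        Returns 'moved', 'added', 'evicted' or 'discarded' so a caller can see
        which branch fired.
        """
        node_id = peer[2]
        if node_id in self._peers:          # already known: move it to the tail
            self._peers.move_to_end(node_id)
            return "moved"
        if len(self._peers) < self.k:       # room left: append at the tail
            self._peers[node_id] = peer
            return "added"
        head_id, head = next(iter(self._peers.items()))  # least-recently seen
        if ping(head):
            # Head still answers: keep it (Kademlia moves it to the tail) and
            # drop the newcomer. This is the branch that denies a sybil a slot.
            self._peers.move_to_end(head_id)
            return "discarded"
        del self._peers[head_id]            # head is dead: evict it, admit newcomer
        self._peers[node_id] = peer
        return "evicted"


def simulate_sybil_insertion(n_honest: int, n_sybil: int, l: int,
                             dead_ids: Set[int]) -> Dict[int, KBucket]:
    """Constructed model of step (a) on slide 10.

    Each honest node keeps one peer list of size l (a single k-bucket, k = l).
    Honest nodes first announce themselves to each other; then every sybil
    sends a message to every honest node that is still online. Honest peers
    in `dead_ids` went offline after the lists were filled: they receive
    nothing and no longer answer pings.
    """
    honest = [(f"10.0.0.{i}", 4000 + i, HONEST_BASE + i) for i in range(n_honest)]
    sybils = [(f"192.0.2.{i}", 5000 + i, SYBIL_BASE + i) for i in range(n_sybil)]
    lists = {node[2]: KBucket(l) for node in honest}
    for node in honest:                      # phase 1: honest nodes find each other
        for other in honest:
            if other is not node:
                lists[node[2]].update(other, ping=lambda _p: True)

    def ping(p: Peer) -> bool:               # phase 2: some honest peers have died
        return p[2] not in dead_ids

    for sybil in sybils:                     # phase 3: sybils announce themselves
        for node in honest:
            if node[2] not in dead_ids:
                lists[node[2]].update(sybil, ping)
    return lists


def insertion_ratio(lists: Dict[int, KBucket], sybil_ids: Iterable[int], l: int) -> float:
    """IR = SI / (N * l) from slide 13: SI is the number of sybil occurrences over
    all peer lists, N the number of nodes holding a peer list, l the list size."""
    sybil_ids = set(sybil_ids)
    SI = sum(1 for b in lists.values() for nid in b.ids() if nid in sybil_ids)
    N = len(lists)
    return SI / (N * l)


def demo(dead_ids: Set[int]) -> float:
    """4 honest nodes, 2 sybils, peer lists of size 3 (so every list is already
    full when the sybils arrive); returns the resulting insertion ratio."""
    lists = simulate_sybil_insertion(4, 2, 3, dead_ids)
    return insertion_ratio(lists, {SYBIL_BASE, SYBIL_BASE + 1}, 3)


if __name__ == "__main__":
    print("IR, all honest peers alive:", demo(set()))
    print("IR, one honest peer offline:", demo({HONEST_BASE + 1}))
```

With every honest peer answering pings the sybils are all discarded and IR is 0: the "ping the head before evicting" rule means a sybil only gains a slot that a dead honest peer has vacated. That is the mechanism behind the limited success reported later in the slides; a real run would of course use the slide-14 values (l of 100 to 300, sybil birth rate up to twice the botnet growth rate) rather than this four-node toy.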

  14. Parameters • Sybil birth rate (SBR) varies from 0 to 2 times the net botnet growth rate (BGR) • Peer-list sizes l ∈ {100, 200, 300} • Time steps ∈ {10, 20, 30} • r-reachability with radius r = 1

  15. Simulation Data[1/2]

  16. Simulation Data[2/2]

  17. Failure Factors (why the Sybil attack falls short) • Fault-tolerant voting schemes • Fastest response path and time • Detectable by the botnet operators

  18. Fastest Response Path

  19. Conclusion • The Sybil attack is not very efficient at mitigating the Storm worm peer-to-peer botnet.
