A Framework for P2P Botnets. Su Chang, Linfeng Zhang, Yong Guan, Thomas E. Daniels Dept of Electrical and Computer Engineering Iowa State University Ames, Iowa 50011, USA. Speaker: Chi-Sheng Chen Date:2010/11/16. Introduction.
Su Chang, Linfeng Zhang, Yong Guan, Thomas E. Daniels
Dept of Electrical and Computer Engineering
Iowa State University
Ames, Iowa 50011, USA
Previously, DDoS and spamming were the primary concern, but now applications such as keylogging and click fraud and other “for profit” purposes are becoming a focus of botnets. To make effective countermeasures against botnets, it is very important to not only study the existing ones of various kinds separately,but the inherent relationships among different botnets/worms (since most current botnets make use of worms to propagate), as well as the ones to appear in the
In this paper, we address the above issues and makecontributions in
1) proposing a general framework for understanding botnet of different kinds;
2) predicting a new botnet from the framework and comparing its performance with known ones.
To the best of our knowledge, we are the first to propose the framework for botnets/worms, the lcbot concept in botnet and related fields
Many schemes are proposed in the literature to detect botnets of centralized structure. To summarize, those schemes are based on one or more of the following techniques:
traffic pattern recognition
tempro or spatial correlation
Encryption, C&C structure (P2P), commonly used protocols
for C&C are the main directions of their evolution.Encryption
makes identifying botnets more difficult resulting in the
inefficacy of schemes based on signatures or abnormal
detections using character distribution.
C&C by other commonly used protocols makes the
communication among bots more covert as it hides its
messages among legitimate traffic. Consequently, there are
reports of botnets using VoIP, Skype, Gmail, and HTTP in
A P2P structure makes the botnet robust and resilient to bot
Lists the timeline of captured botnets using P2P.
The main ideas is that each bot has a “buddy list” or routing
information consisting of IP addresses of n other infected
PUSH” based botnets
The peerlist construction of supernode in is similar to except that only exchange of peerlist is needed, there is no replacement of newly infected supernodes’ IPs, and only client nodes can infect supernodes.
PULL” based botnet
The idea of botnet structure in is similar to , except that the clients periodically communicate with any servant bot in their peerlist to grab the command.
For a network composed of either a worm or a botnet, each
infected host i is associated with three parameters psi, pci, and
ki, which are defined as follows:
From the viewpoint of communication in command delivery,
we can integrate various botnets/worms into a framework
by setting different value
The values of psi and ki are important to current botnets.
On one hand, the botmaster wants the number of bots having psi = 1 and ki as low as possible to make the C&C control more covert.
On the other hand, given certain portion of bots in the botnet will be turned off or cleaned at any time, these values have to be large enough to maintain connectivity with the remaining botnet. Normally it is expected that attackers can adjust the above values to balance the tradeoff in these proposed botnets under specific situations.
The basic concept of lcbot is to consider the botnet being
composed of many groups of different group codes, and
decouple psi into pisi and posi.
Any bot in the lcbot have pisi equal to 1, and the peerlist
contains all the other bots in the same group.
Within each group, a small number of bots in have posi equal
to 1, each of these bots has only one out link to another bot in