The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

Botnets constitute a serious security problem. A lot of effort has been invested towards understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods is an integral part of the development cycle of any such botnet mitigation scheme. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are "in-the-wild" botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing "in-the-lab" experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a 3000-node, fully-featured version of the Waledac botnet, complete with an emulated command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and the design decisions made by its creators. Furthermore, we conducted experiments with sybil attacks launched against it and verified their viability. However, we were able to determine that mounting such attacks is not so simple: high resource consumption can cause havoc and partially neutralise them. Finally, we were able to repeat the attacks with varying parameters, in an attempt to optimise them. The merits of this experimental approach are underlined by the fact that it would have been difficult to obtain these results by other methods.
