Sybil attacks as a mitigation strategy against the Storm botnet

The Storm botnet is one of the most sophisticated botnets active today, used for a variety of illicit activities. A key requirement for these activities is the ability of the botnet operators to transmit commands to the bots, or at least to the various segmented portions of the botnet. Disrupting these command and control (C&C) channels therefore becomes an attractive avenue to reducing a botnet's effectiveness and efficiency. Since the command and control infrastructure of Storm is based on peer-to-peer (P2P) networks, previous work has explored the use of index poisoning, a disruption method developed for file-sharing P2P networks, where the network is inundated with false information about the location of files. In contrast, in this paper we explore the feasibility of Sybil attacks as a mitigation strategy against Storm. The aim here is to infiltrate the botnet with a large number of fake nodes (sybils) that seek to disrupt the communication between the bots by inserting themselves in the peer lists of "regular" bots, and eventually re-route or disrupt "real" C&C traffic. An important difference with index poisoning attacks is that sybil nodes must remain active and participate in the underlying P2P protocols in order to remain in the peer lists of regular bot nodes. However, they do not have to respond to the botmaster's commands or participate in illicit activities. First, we outline a methodology for mounting practical Sybil attacks on the Storm botnet. Then, we describe our simulation studies, which provide some insights regarding the number of sybils necessary to achieve the desired level of disruption, with respect to the net growth rate of the botnet. We also explore how certain parameters such as the duration of the Sybil attack, and botnet design choices such as the size of a bot's peer list, affect the effectiveness of the attack.
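The abstract summarizes the simulation study only in outline. The following toy simulation is an added example, not the paper's simulator, and illustrates the kind of question it studies: how the number of sybils, the size of each bot's peer list, the botnet's net growth rate and the duration of the attack together determine what fraction of bots end up with no real peer left to relay C&C traffic. Every modeling choice is a constructed assumption: bots hold a fixed-size peer list, re-check a share of its entries each round and refill from one peer's gossip; sybils announce themselves to a few random bots per round while the attack lasts, answer gossip queries with only sybil entries, and never relay C&C; new bots bootstrap by copying an existing bot's list; the parameter values in `SimConfig` are hypothetical and do not reflect Storm's real constants.

```python
"""Toy simulation of sybil infiltration of a P2P botnet's peer lists.

Added example, not the paper's own simulator. All modeling assumptions are
constructed: fixed-size peer lists, periodic re-checks with gossip refill,
sybils that announce themselves while online and answer gossip with sybils
only, and bootstrap-by-copy for newly joining bots. A bot counts as "cut off"
when no entry in its peer list is a real bot.
"""
import random
from dataclasses import dataclass


@dataclass
class SimConfig:
    initial_bots: int = 200        # bots present when the attack begins
    sybils: int = 100              # sybil identities injected
    peer_list_size: int = 20       # entries per bot (hypothetical value)
    rounds: int = 60               # rounds simulated in total
    attack_rounds: int = 60        # rounds during which sybils stay online
    growth_rate: float = 0.02      # new bots per existing bot per round
    announce_per_round: int = 5    # bots each sybil contacts per round
    refresh_fraction: float = 0.2  # share of the peer list re-checked per round
    seed: int = 7


def _insert(peers, new_id, k, rng):
    """Add new_id to a peer list of capacity k, evicting a random entry if full."""
    if new_id in peers:
        return
    if len(peers) >= k:
        peers.remove(rng.choice(sorted(peers, key=str)))
    peers.add(new_id)


def run_simulation(cfg):
    """Return a list of (n_bots, mean_sybil_share, cut_off_fraction), one per round."""
    rng = random.Random(cfg.seed)
    k = cfg.peer_list_size
    sybil_ids = {f"s{i}" for i in range(cfg.sybils)}
    bots = {}  # bot id (int) -> set of peer ids (ints for bots, "sN" for sybils)
    for b in range(cfg.initial_bots):
        others = [o for o in range(cfg.initial_bots) if o != b]
        bots[b] = set(rng.sample(others, min(k, len(others))))
    n_check = max(1, int(cfg.refresh_fraction * k))
    history = []
    for r in range(cfg.rounds):
        active = r < cfg.attack_rounds
        bot_ids = list(bots)
        if active:  # sybils push themselves into random bots' peer lists
            for s in sorted(sybil_ids):
                for t in rng.sample(bot_ids, min(cfg.announce_per_round, len(bot_ids))):
                    _insert(bots[t], s, k, rng)
        for b in bot_ids:
            peers = bots[b]
            # Re-check a few entries: an offline sybil fails the check and is dropped.
            for p in rng.sample(sorted(peers, key=str), min(n_check, len(peers))):
                if p in sybil_ids and not active:
                    peers.discard(p)
            # Ask one known peer for more peers; an empty list falls back to a
            # random bot, standing in for a hard-coded seed list.
            src = rng.choice(sorted(peers, key=str)) if peers else rng.choice(bot_ids)
            if src in sybil_ids:
                # A sybil only ever refers the asking bot to other sybils.
                offered = rng.sample(sorted(sybil_ids), min(n_check, len(sybil_ids)))
            else:
                offered = [p for p in bots[src] if p != b and (active or p not in sybil_ids)]
                offered = rng.sample(offered, min(n_check, len(offered)))
            for p in offered:
                _insert(peers, p, k, rng)
        # Net growth: new bots bootstrap by copying a random existing bot's list.
        for _ in range(int(len(bots) * cfg.growth_rate)):
            bots[len(bots)] = set(bots[rng.choice(bot_ids)])
        shares = [sum(p in sybil_ids for p in ps) / len(ps) if ps else 0.0
                  for ps in bots.values()]
        cut_off = sum(all(p in sybil_ids for p in ps) for ps in bots.values()) / len(bots)
        history.append((len(bots), sum(shares) / len(bots), cut_off))
    return history


if __name__ == "__main__":
    for label, cfg in [("sustained attack", SimConfig()),
                       ("attack stops at round 20", SimConfig(attack_rounds=20)),
                       ("no sybils", SimConfig(sybils=0))]:
        n, share, cut = run_simulation(cfg)[-1]
        print(f"{label}: bots={n} mean sybil share={share:.2f} cut off={cut:.2f}")
```

Comparing the three configurations shows the two effects the abstract singles out: with sybils kept online, the sybil share of peer lists climbs and a growing fraction of bots loses every real peer, while the net growth of the botnet only partly dilutes this because new bots bootstrap from already-polluted lists; once the sybils go offline, periodic re-checks evict them and the network recovers, which is why the attack's duration matters as much as its size.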
