A Systematic Study on Peer-to-Peer Botnets

Botnet" is a network of computers that are compro- mised and controlled by an attacker. Botnets are one of the most serious threats to today's Internet. Most current botnets have centralized command and control (C&C) architecture. However, peer-to-peer (P2P) structured botnets have gradually emerged as a new advanced form of botnets. Without central C&C servers, P2P botnets are more resilient to defenses and coun- termeasures than traditional centralized botnets. In this paper, we systematically study P2P botnets along multiple dimensions: bot candidate selection, network construction, C&C mechanisms and communication protocols, and mitigation approaches. We carefully study two defense approaches: index poisoning and sybil attack. According to the common idea shared by them, we are able to give analytical results to evaluate their performance. We also propose possible counter techniques which might be developed by attackers against index poisoning and sybil attack defenses. In addition, we obtain one interesting finding: compared to traditional centralized botnets, by using index poisoning technique, it is easier to shut down or at least effectively mitigate P2P botnets that adopt existing P2P protocols and rely on file index to disseminate commands.

[1]  Robert Morris,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM 2001.

[2]  David R. Karger,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM '01.

[3]  John R. Douceur,et al.  The Sybil Attack , 2002, IPTPS.

[4]  David Mazières,et al.  Kademlia: A Peer-to-Peer Information System Based on the XOR Metric , 2002, IPTPS.

[5]  Stefan Schmid,et al.  A Self-repairing Peer-to-Peer System Resilient to Dynamic Adversarial Churn , 2005, IPTPS.

[6]  Wenke Lee,et al.  Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic , 2005 .

[7]  Steve Chien,et al.  A First Look at Peer-to-Peer Worms: Threats and Defenses , 2005, IPTPS.

[8]  Daniel Stutzbach,et al.  Improving Lookup Performance Over a Widely-Deployed DHT , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[9]  Keith W. Ross,et al.  The Index Poisoning Attack in P2P File Sharing Systems , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[10]  Brent Byunghoon Kang,et al.  Peer-to-Peer Botnets: Overview and Case Study , 2007, HotBots.

[11]  Sencun Zhu,et al.  A Feasibility Study on Defending Against Ultra-Fast TopologicalWorms , 2007 .

[12]  Hillol Kargupta,et al.  Peer-to-Peer Data Mining, Privacy Issues, and Games , 2007, AIS-ADM.

[13]  Sencun Zhu,et al.  A Feasibility Study on Defending Against Ultra-Fast TopologicalWorms , 2007, Seventh IEEE International Conference on Peer-to-Peer Computing (P2P 2007).

[14]  Taoufik En-Najjary,et al.  Exploiting KAD: possible uses and misuses , 2007, CCRV.

[15]  Sven Dietrich,et al.  Analysis of the Storm and Nugache Trojans: P2P Is Here , 2007, login Usenix Mag..

[16]  Taoufik En-Najjary,et al.  A global view of kad , 2007, IMC '07.

[17]  John Aycock,et al.  Army of Botnets , 2007, NDSS.

[18]  Vinod Yegneswaran,et al.  BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[19]  Felix C. Freiling,et al.  Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm , 2008, LEET.

[20]  Yongdae Kim,et al.  Attacking the Kad network , 2008, SecureComm.

[21]  John McHugh,et al.  Sybil attacks as a mitigation strategy against the Storm botnet , 2008, 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE).

[22]  Christopher Krügel,et al.  Overbot: a botnet protocol based on Kademlia , 2008, SecureComm.

[23]  Ping Wang,et al.  An Advanced Hybrid Peer-to-Peer Botnet , 2007, IEEE Transactions on Dependable and Secure Computing.