SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Centralized botnets are easy targets for takedown efforts by computer security researchers and law enforcement. Thus, botnet controllers have sought new ways to harden the infrastructures of their botnets. In order to meet this objective, some botnet operators have (re)designed their botnets to use Peer-to-Peer (P2P) infrastructures. Many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure. However, P2P botnets are subject to unique classes of attacks, such as node enumeration and poisoning. In this paper, we introduce a formal graph model to capture the intrinsic properties and fundamental vulnerabilities of P2P botnets. We apply our model to current P2P botnets to assess their resilience against attacks. We provide assessments on the sizes of all eleven active P2P botnets, showing that some P2P botnet families contain over a million bots. In addition, we have prototyped several mitigation strategies to measure the resilience of existing P2P botnets. We believe that the results from our analysis can be used to assist security researchers in evaluating mitigation strategies against current and future P2P botnets.