A Taxonomy of Botnets

Attackers are increasingly using large networks of compromised machines to carry out further attacks (e.g., botnets: enormous groups of compromised hosts under the control of a single attacker). We consider the problem of responding to entire networks of attacking computers. We identify key metrics for measuring the utility of a botnet, and describe the various topological structures botnets may use to coordinate attacks. Using these performance metrics, we consider the ability of different response techniques to degrade or disrupt botnets. Our models show that for scale-free botnets, targeted responses are particularly effective. Further, botmasters' efforts to improve the robustness of scale-free networks come at the cost of diminished transitivity, and botmasters do not appear to have any structural solution to this problem in scale-free networks. Our models also show that random-graph botnets (e.g., those using structured P2P formations) are highly resistant to both random and targeted responses, which suggests an urgent need for further research into response strategies. We validated our model on a particular class of botnets using star topologies. After tracking dozens of botnets over months, we located and performed a targeted response on a very large (100K-member) botnet. This resulted in an over 90% reduction in the botnet population and confirmed the utility of our taxonomy.
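The structural claim above (taking down the best-connected bots fragments a scale-free botnet far more than random takedowns do, while a random-graph botnet survives both) can be reproduced with a small simulation. This is an added example, not code from the paper; it assumes the size of the largest surviving connected component as a stand-in for the paper's unnamed utility metrics, a Barabási–Albert graph for the scale-free case and an Erdős–Rényi graph for the random-graph case, both in pure Python.

```python
import random
from collections import deque

def scale_free_graph(n, m, rng):
    # Barabasi-Albert preferential attachment (assumed model for the scale-free botnet)
    adj = {i: set() for i in range(n)}
    targets = []  # every node listed once per incident edge -> degree-weighted choice
    for i in range(m + 1):  # seed with a small clique
        for j in range(i + 1, m + 1): adj[i].add(j); adj[j].add(i); targets += [i, j]
    for v in range(m + 1, n):  # each new bot links to m existing bots, hubs preferred
        chosen = set()
        while len(chosen) < m: chosen.add(rng.choice(targets))
        for u in chosen: adj[v].add(u); adj[u].add(v); targets += [u, v]
    return adj

def random_graph(n, mean_degree, rng):
    # Erdos-Renyi G(n, M) with M = n*mean_degree/2 edges (assumed model for the random-graph botnet)
    adj, edges = {i: set() for i in range(n)}, 0
    while edges < n * mean_degree // 2:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]: adj[u].add(v); adj[v].add(u); edges += 1
    return adj

def largest_component(adj, removed):
    # size of the largest connected component among bots not in `removed` (BFS)
    seen, best = set(removed), 0
    for s in adj:
        if s in seen: continue
        queue, size = deque([s]), 0; seen.add(s)
        while queue:
            x = queue.popleft(); size += 1
            for y in adj[x]:
                if y not in seen: seen.add(y); queue.append(y)
        best = max(best, size)
    return best

def surviving_fraction(adj, fraction, targeted, rng):
    # share of the original botnet still in the largest component after the response
    k = int(len(adj) * fraction)
    removed = (sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]  # best-connected first
               if targeted else rng.sample(list(adj), k))  # random takedown
    return largest_component(adj, removed) / len(adj)

def compare(n=2000, fraction=0.15, seed=1):
    # {topology: (after random response, after targeted response)} for one seeded run
    rng = random.Random(seed)
    graphs = {"scale-free": scale_free_graph(n, 2, rng), "random": random_graph(n, 4, rng)}
    return {name: (surviving_fraction(g, fraction, False, rng),
                   surviving_fraction(g, fraction, True, rng)) for name, g in graphs.items()}
```

Running `compare()` removes 15% of a 2,000-node botnet under each strategy; the scale-free topology loses most of its connected mass under the targeted response while the random-graph topology keeps a large connected core under both, matching the abstract's finding.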
