Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures?

Botnets, in particular the Storm botnet, have been garnering much attention as vehicles for Internet crime. Storm uses a modified version of Overnet, a structured peer-to-peer (P2P) overlay network protocol, to build its command and control (C&C) infrastructure. In this study, we use simulation to determine whether there are any significant advantages or disadvantages to employing structured P2P overlay networks for botnet C&C, in comparison to using unstructured P2P networks or other complex network models. First, we identify some key measures to assess the C&C performance of such infrastructures, and employ these measures to evaluate Overnet, Gnutella (a popular, unstructured P2P overlay network), the Erdős-Rényi random graph model and the Barabási-Albert scale-free network model. Further, we consider the following three disinfection strategies: a) a random strategy that, with effort, can remove randomly selected bots and uses no knowledge of the C&C infrastructure; b) a tree-like strategy where local information obtained from a disinfected bot (e.g. its peer list) is used to more precisely disinfect new machines; and c) a global strategy, where global information, such as the degree of connectivity of bots within the C&C infrastructure, is used to target bots whose disinfection will have maximum impact. Our study reveals that while Overnet is less robust to random node failures or disinfections than the other infrastructures modelled, it outperforms them in terms of resilience against the targeted disinfection strategies introduced above. In that sense, Storm designers seem to have made a prudent choice! This work underlines the need to better understand how P2P networks are used, and can be used, within the botnet context, with this domain being quite distinct from their more commonplace usages.
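The comparison the abstract describes, reduced to a small stdlib-only simulation added here as an illustration (it is not the paper's simulator or code): it builds Erdős-Rényi and Barabási-Albert overlays, applies the three disinfection strategies (random, tree-like via a cleaned bot's peer list, global via degree), and reports the fraction of all bots still in the largest connected component, one plausible survivability measure for a C&C overlay. Overnet and Gnutella are not modelled; the node count, edge count, removal fraction and seed are assumed parameters.

```python
import random

def to_adj(n, edges):
    adj = {v: set() for v in range(n)}  # undirected adjacency sets from an edge list
    for u, v in edges:
        adj[u].add(v); adj[v].add(u)
    return adj
def erdos_renyi(n, m, rng):
    edges = set()
    while len(edges) < m:  # G(n, m): m distinct edges placed uniformly at random
        edges.add(tuple(sorted(rng.sample(range(n), 2))))
    return to_adj(n, edges)
def barabasi_albert(n, k, rng):
    edges = [(u, v) for u in range(k + 1) for v in range(u + 1, k + 1)]  # (k+1)-clique seed
    pool = [x for e in edges for x in e]  # each node once per incident edge => degree-weighted draws
    for v in range(k + 1, n):
        targets = set()
        while len(targets) < k:
            targets.add(rng.choice(pool))  # preferential attachment to k distinct existing nodes
        edges += [(u, v) for u in sorted(targets)]; pool += [x for u in targets for x in (u, v)]
    return to_adj(n, edges)
def disinfect(adj, fraction, strategy, rng):
    # set of bots a defender cleans under the abstract's three strategies (assumed budget = fraction of n)
    budget, nodes = int(len(adj) * fraction), sorted(adj)
    if strategy == "random":  # no knowledge of the C&C overlay
        return set(rng.sample(nodes, budget))
    if strategy == "global":  # global knowledge: highest-degree bots first
        return set(sorted(nodes, key=lambda v: len(adj[v]), reverse=True)[:budget])
    removed, frontier = set(), [rng.choice(nodes)]  # tree-like: follow peer lists outward (BFS)
    while frontier and len(removed) < budget:
        v = frontier.pop(0)
        if v not in removed: removed.add(v); frontier += sorted(adj[v])
    return removed
def largest_component_fraction(adj, removed):
    # share of all bots in the largest connected component of the survivors (iterative DFS)
    seen, best = set(removed), 0
    for s in (v for v in adj if v not in seen):
        stack, size = [s], 0; seen.add(s)
        while stack:
            v = stack.pop(); size += 1
            new = [w for w in adj[v] if w not in seen]
            seen.update(new); stack.extend(new)
        best = max(best, size)
    return best / len(adj)
def run_experiment(n=500, fraction=0.1, seed=7):
    # {model: {strategy: fraction of bots left in the largest component}} for ER and BA overlays
    rng = random.Random(seed)
    graphs = {"ER": erdos_renyi(n, 2 * n, rng), "BA": barabasi_albert(n, 2, rng)}
    return {name: {s: largest_component_fraction(g, disinfect(g, fraction, s, rng))
                   for s in ("random", "tree", "global")} for name, g in graphs.items()}
```

Both overlays use roughly the same average degree (about 4), so differences in the surviving fraction come from topology rather than edge count; the scale-free overlay tolerates random removal well but loses far more of its largest component under the degree-targeted global strategy.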