A First Step towards Live Botmaster Traceback

Despite the increasing botnet threat, research in the area of botmaster traceback is limited. The four main obstacles are 1) the low-traffic nature of the bot-to-botmaster link; 2) chains of "stepping stones"; 3) the use of encryption along these chains; and 4) mixing with traffic from other bots. Most existing traceback approaches can address one or two of these issues, but no single approach can overcome all of them. We present a novel flow watermarking technique to address all four obstacles simultaneously. Our approach allows us to uniquely identify and trace any IRC-based botnet flow even if 1) it is encrypted (e.g., via SSL/TLS); 2) it passes through multiple intermediate stepping stones (e.g., IRC servers, SOCKS proxies); and 3) it is mixed with other botnet traffic. Our watermarking scheme relies on adding padding characters to outgoing botnet C&C messages at the application layer. This produces specific differences in length between randomly chosen pairs of messages in a network flow. As a result, our watermarking technique can be used to trace any interactive botnet C&C traffic, and it only requires a few dozen packets to be effective. To the best of our knowledge, this is the first approach that has the potential to allow real-time botmaster traceback across the Internet. We have empirically validated the effectiveness of our botnet flow watermarking approach with live experiments on PlanetLab nodes and public IRC servers on different continents. We achieved virtually a 100% detection rate of watermarked (encrypted and unencrypted) IRC traffic with a false positive rate on the order of 10^-5. Due to the message queuing and throttling functionality of IRC servers, mixing chaff with the watermarked flow does not significantly impact the effectiveness of our watermarking approach.
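As an added illustration, not code from the paper, the following Python simulation shows the padding-based idea the abstract describes: each watermark bit is carried by the quantized length difference of one message pair, padding only ever lengthens a message, and the detector recovers the bits from observed lengths alone (which survive encryption and stepping stones). The bucket size, parity encoding, disjoint pairs and seeded pair selection are assumptions of this example, not the paper's exact parameters.

```python
import random

# Constructed IRC-style C&C messages for the demo (not from the paper).
SAMPLE_MESSAGES = [
    "PRIVMSG #chan :status",
    "PRIVMSG #chan :ping",
    "PRIVMSG #chan :update list",
    "PRIVMSG #chan :hello",
    "PRIVMSG #chan :sync now",
    "PRIVMSG #chan :ok",
]

def choose_pairs(n_messages, n_bits, seed):
    """Pick n_bits disjoint (i, j) message pairs with a seeded PRNG so the
    embedder and the detector agree on which pairs carry the bits (assumption)."""
    rng = random.Random(seed)
    idx = list(range(n_messages))
    rng.shuffle(idx)
    return [(idx[2 * k], idx[2 * k + 1]) for k in range(n_bits)]

def bucket(diff, step):
    # Floor division keeps negative differences in a consistent bucket.
    return diff // step

def embed(messages, bits, pairs, step, pad=" "):
    """Pad message m_j of each pair so that bucket(len(m_j) - len(m_i)) has
    the parity of the watermark bit, aiming at the bucket centre for slack."""
    msgs = list(messages)
    for (i, j), bit in zip(pairs, bits):
        diff = len(msgs[j]) - len(msgs[i])
        b = bucket(diff, step)
        if b % 2 != bit:
            b += 1                          # next bucket has the right parity
        target = b * step + step // 2       # centre of the chosen bucket
        if target > diff:                   # padding can only grow m_j
            msgs[j] += pad * (target - diff)
    return msgs

def extract(lengths, pairs, step):
    """Detector side: recover bits from observed message lengths only."""
    return [bucket(lengths[j] - lengths[i], step) % 2 for i, j in pairs]

def matches(observed, expected):
    return sum(o == e for o, e in zip(observed, expected))

def is_watermarked(lengths, bits, pairs, step, threshold):
    """Flag a flow when enough recovered bits agree with the expected watermark;
    an unrelated flow agrees on roughly half the bits by chance."""
    return matches(extract(lengths, pairs, step), bits) >= threshold
```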
