Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. Botnets are a very real and quickly evolving problem that is still not well understood or studied. In this paper we outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. We then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show that a more comprehensive approach is required. We conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.
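As an added illustration of the abstract's argument (not code from the paper or its authors), the sketch below contrasts an IRC-only detector with one that correlates per-host evidence from several feeds. The feed names (irc, darknet, honeypot), the weights, the threshold and the sample events are all constructed assumptions standing in for the kinds of data sources the abstract mentions.

```python
"""Added example: correlate evidence about a host across several detection
sources instead of relying on observed IRC command-and-control traffic alone."""
from collections import defaultdict

# Constructed sample events: (source, host, detail). The source names are
# assumed labels for an IRC monitor, a darknet/blackhole sensor and a honeypot.
EVENTS = [
    ("irc", "10.0.0.5", "JOIN #chan on 6667/tcp"),
    ("darknet", "10.0.0.5", "scan 445/tcp"),
    ("darknet", "10.0.0.9", "scan 445/tcp"),
    ("darknet", "10.0.0.9", "scan 135/tcp"),
    ("honeypot", "10.0.0.9", "exploit attempt on 445/tcp"),
    ("irc", "10.0.0.7", "JOIN #chan on 6667/tcp"),  # ordinary chat user, one source only
]

# Assumed per-source weights; a honeypot hit is direct evidence of hostile
# behaviour, the other two are weaker on their own.
WEIGHTS = {"irc": 1, "darknet": 1, "honeypot": 2}


def irc_only(events):
    """Baseline: every host seen talking IRC is flagged, nothing else is."""
    return sorted({host for source, host, _ in events if source == "irc"})


def correlate(events, threshold=2):
    """Flag hosts whose evidence comes from at least two distinct sources and
    whose summed source weights reach the threshold. Returns host -> sources."""
    sources_by_host = defaultdict(set)
    for source, host, _ in events:
        sources_by_host[host].add(source)
    flagged = {}
    for host, sources in sources_by_host.items():
        score = sum(WEIGHTS[s] for s in sources)
        if len(sources) >= 2 and score >= threshold:
            flagged[host] = sorted(sources)
    return flagged


if __name__ == "__main__":
    # The IRC-only view both misses 10.0.0.9 (no IRC C&C observed) and
    # flags the benign chat user 10.0.0.7; correlation does neither.
    print("irc only :", irc_only(EVENTS))
    print("correlate:", correlate(EVENTS))
```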