Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao.

Page 1: (title slide)

Page 2:

- Introduction
- Proposed hybrid P2P botnet
  - Two classes of bots
  - Command and control
  - Botmaster's monitoring
  - Botnet construction
- Botnet robustness study
- Defences against the proposed botnet
- Discussions
- Summary

Page 3:

- Most current research focuses on existing botnets.
- Studying current botnets is important, but not enough: botmasters may upgrade their future botnets.
- It is necessary to conduct research on possible advanced future botnets.
  - How will botnets evolve?
  - How can we defend against future botnets?

Page 4:

- Phatbot utilizes Gnutella cache servers for the bootstrap process: easy to shut down or block.
- Sinit removes the bootstrap procedure and uses random probing to find other bots: poor connectivity.
- Slapper does not implement command encryption and authentication: easy to hijack.

Page 5:

- Proposed a hybrid P2P botnet with the following features:
  - Two classes of bots: servent and client
  - Command authentication and individualized encryption
  - Limited-sized peer lists
  - Dynamically changeable sensors for bot monitoring
  - No bootstrap procedure
  - Balanced and robust connectivity
- Analyzed several possible defences against this botnet

Page 6:

- Servent (server + client) bot: public static IP address
- Client bot: dynamic IP, private IP, behind firewalls, ...
- Only servents appear in the peer list. Servents act as C&C servers.
- Contains many more C&C servers than other botnets do.

Page 7:

- Command authentication: digital signature, prevents hijacking.
- Individualized command encryption key
  - Symmetric encryption is used instead.
  - Each bot keeps a list of tuples (IP_i, K_i, P_i) in its peer list.
  - Messages between bots and servent i are encrypted with the key K_i.

Page 8:

- Individualized service port
  - Each servent i picks a port P_i for communication.
  - The port can be randomly selected or chosen from standard encrypted-service ports such as SSH (22), HTTPS (443), IMAPS (993), etc.
- Benefits for botmasters
  - Prevents hijacking
  - No global exposure if some bots are captured
  - Dispersed network traffic, difficult to detect

Page 9:

- Botmasters need to know:
  - Bot ID (used to identify bots under NAT and DHCP)
  - Bot population, connectivity, bandwidth, diurnal dynamics, ...
  - IP address types (DHCP ones can be used for spam)
- Challenge: monitoring should be easy for botmasters but difficult for defenders.
- Monitor via dynamically changeable sensors
  - Each bot sends its information to one or some sensors after receiving the report command.
  - A botmaster can change the role of sensors each time she issues the report command.

Page 10:

- A botnet is networked by peer lists. There are some initial servent bots.
- New infection: bot A passes its peer list to B when infecting B. A and B may add each other to their lists.
- Reinfection (A infects B): B updates its list based on A's list. Reinfection improves connectivity. A cannot get B's list (prevents recursive infection).

Page 11:

- The updating procedure
  - It is triggered by the update command.
  - Every bot gets an updated peer list from a specified sensor.
- Benefits
  - Balances the connectivity
  - Reconnects broken botnets
- Risks
  - Exposes parts of the botnet to defenders

Page 12:

- 20,000 bots, including 5000 servents
- Peer list size = 20. The peer-list updating procedure runs once, when 1000 servents are infected.
- Connection degree
  - 300 ~ 500 for the first 1000 servents
  - 20 ~ 30 for the rest

Page 13:

Page 14:

Formula: C(p) = 1 - p^M

Page 15:

- Annihilation
  - Attack initial bots: quick detection is required for defenders.
  - Attack servents: it is easier to attack if the number of servents is small.
  - Use honeypot techniques: defenders can pretend to be servents and then shut down the botnet.
  - A large number of defenders is required, because the botnet can survive with 20% of servents left.
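Added worked example, not part of the slides or of the paper: it evaluates the robustness model C(p) = 1 - p^M from Page 14 and checks it against a Monte Carlo simulation, to quantify the Page 15 claim that the botnet survives with 20% of servents left. It assumes p is the fraction of servents taken down by defenders and that each bot's peer list holds M servents drawn uniformly at random (a constructed topology, not data from the paper).

```python
import random


def connectivity(p: float, m: int) -> float:
    """Fraction of bots that keep at least one live servent in their peer
    list when a fraction p of all servents is removed: C(p) = 1 - p^M.
    A bot is cut off only if all M entries of its list were removed."""
    return 1.0 - p ** m


def removal_needed(target_disconnected: float, m: int) -> float:
    """Fraction of servents defenders must remove so that at least
    `target_disconnected` of the bots lose every peer in their list.
    Inverts C(p): 1 - C(p) = p^M  =>  p = (1 - C)^(1/M)."""
    return target_disconnected ** (1.0 / m)


def simulate(num_servents: int, num_bots: int, m: int, p: float,
             seed: int = 1) -> float:
    """Monte Carlo check of C(p) on a constructed topology (assumption:
    peer lists are uniform random samples of the servents). Returns the
    fraction of bots with at least one surviving servent."""
    rng = random.Random(seed)
    removed = set(rng.sample(range(num_servents), int(p * num_servents)))
    still_connected = 0
    for _ in range(num_bots):
        peer_list = rng.sample(range(num_servents), m)
        if any(s not in removed for s in peer_list):
            still_connected += 1
    return still_connected / num_bots


if __name__ == "__main__":
    M = 20  # peer list size used on Page 12
    for p in (0.5, 0.8, 0.95, 0.99):
        print(f"remove {p:.0%} of servents -> C(p) = {connectivity(p, M):.4f}, "
              f"simulated {simulate(5000, 20000, M, p):.4f}")
    # Defender's view: how much of the servent population must be taken down
    # before even half of the bots lose contact with every C&C server.
    print(f"to disconnect 50% of bots: remove {removal_needed(0.5, M):.1%} "
          "of servents")
```

With M = 20, removing 80% of servents still leaves about 98.9% of bots connected, which is the Page 15 point that annihilation needs far more than a partial servent takedown.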

Page 16:

- Opportunities
  - Collect information as bots report themselves to sensors
  - Know the target in an attack command and try to prevent the attack
  - Get peer lists during peer-list updating

Page 17:

Page 18:

- I = 20000, # of bots
- K = 1000, # of servents before peer-list updating
- M = 20, peer list size
- n: # of honeypots

Figure (equation garbled in transcript): the expected number exposed to defenders, E[N_exposed], as a function of n, for the parameters above.

Page 19:

- K = 1000, # of servents used in peer-list updating
- M = 20, peer list size
- x: # of infection attempts

Figure (equation garbled in transcript): the expected number exposed to defenders, E[N'_exposed], as a function of x, for the parameters above.

Page 20:

- Detecting honeypots is important for botmasters.
- Shutting down a botnet is harder than monitoring it.
- The centralized sensor hosts are not as weak as the C&C servers in other botnets: connectivity maintenance and C&C communication are separated.

Page 21:

- It is important to be well prepared for such possible attacks in the future.
- A robust P2P botnet is proposed:
  - Two classes of bots
  - Command authentication and individualized encryption and service port
  - Botmaster's monitoring capability
  - Botnet construction
- The botnet robustness is studied.
- Honeypot-based defences are analyzed.