Botnet
Ping Wang, Sherri Sparks, Cliff C. Zou
School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL
{pwang, ssparks, czou}@cs.ucf.edu
Abstract— A “botnet” consists of a network of compromised computers controlled by an attacker (“botmaster”). Recently botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and defend against the botnets that have appeared in the past. More importantly, we should study advanced botnet designs that could be developed by botmasters in the near future. In this paper, we present the design of an advanced hybrid peer-to-peer botnet. Compared with current botnets, the proposed botnet is harder to be shut down, monitored, and hijacked. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. Possible defenses against this advanced botnet are suggested.
I. INTRODUCTION

In the last several years, Internet malware attacks have evolved into better organized and more profit-centered endeavors. Email spam, extortion through denial-of-service attacks [1], and click fraud [2] represent a few examples of this emerging trend. “Botnets” are a root cause of these problems [3], [4], [5]. A “botnet” consists of a network of compromised computers (“bots”) connected to the Internet that is controlled by a remote attacker (“botmaster”) [6], [5]. Since a botmaster could scatter attack tasks over hundreds or even tens of thousands of computers distributed across the Internet, the enormous cumulative bandwidth and large number of attack sources make botnet-based attacks extremely dangerous and hard to defend against.

Compared to other Internet malware, the unique feature of a botnet lies in its control communication network. Most botnets that have appeared until now have had a common centralized architecture. That is, bots in the botnet connect directly to some special hosts (called “command-and-control” servers, or “C&C” servers). These C&C servers receive commands from their botmaster and forward them to the other bots in the network. From now on we will call a botnet with such a control communication architecture a “C&C botnet”. Fig. 1 shows the basic control communication architecture for a typical C&C botnet (in reality, a C&C botnet usually has more than two C&C servers). Arrows represent the directions of network connections.

As botnet-based attacks become popular and dangerous, security researchers have studied how to detect, monitor, and defend against them [3], [6], [1], [4], [7], [5]. Most of the current research has focused upon the C&C botnets that have appeared in the past, especially Internet Relay Chat (IRC) based botnets. It is necessary to conduct such research in order to deal with the threat we are facing today. However, it is equally important to conduct research on advanced botnet designs that could be developed by attackers in the near future. Otherwise, we will remain susceptible to the next generation of Internet malware attacks.

From a botmaster’s perspective, the C&C servers are the fundamental weak points in current botnet architectures. First, a botmaster will lose control of his or her botnet once the limited number of C&C servers are shut down by defenders. Second, defenders could easily obtain the identities (e.g., IP addresses) of all C&C servers based on their service traffic to a large number of bots [7], or simply from one single captured bot (which contains the list of C&C servers). Third, an entire botnet may be exposed once a C&C server in the botnet is hijacked or captured by defenders [4].

As network security practitioners put more resources and effort into defending against botnet attacks, hackers will develop and deploy the next generation of botnets with a different control...
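The second weak point above, that a C&C server is identifiable from its service traffic to a large number of bots, is the basis of a simple network-side check. The following is an added illustration, not code from the paper or its authors: it runs fan-in and beacon-regularity analysis over constructed flow records (internal source, external destination, port, timestamp). The addresses, the port and the "C&C server" 203.0.113.7 are constructed sample values from documentation ranges; the thresholds `window`, `min_fan_in` and `max_cv` are assumed tuning knobs, not values from the paper.

```python
"""Fan-in and beacon-regularity check over constructed flow records.

A centralized C&C server is contacted by many distinct internal hosts,
usually at regular intervals. This added example counts distinct
sources per (destination, port) in fixed time windows and measures how
regular each client's contact interval is.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int       # epoch seconds
    src: str      # internal host that opened the connection
    dst: str      # external host
    dport: int    # destination port


def build_sample_flows() -> List[Flow]:
    """Constructed sample: 40 internal hosts reach 203.0.113.7:6667 every
    300 s (hypothetical C&C), plus a little ordinary HTTPS traffic."""
    flows: List[Flow] = []
    for i in range(1, 41):
        for k in range(3):
            flows.append(Flow(1000 + k * 300, f"10.0.0.{i}", "203.0.113.7", 6667))
    for i in range(1, 6):  # five hosts visiting two web servers once each
        flows.append(Flow(1050 + i, f"10.0.0.{i}", "198.51.100.10", 443))
        flows.append(Flow(1100 + i, f"10.0.0.{i}", "198.51.100.11", 443))
    return flows


def fan_in_by_window(flows: List[Flow], window: int = 900) -> Dict[Tuple[str, int], int]:
    """Peak number of distinct internal sources per (dst, dport) within
    any fixed `window`-second bucket (assumed window size)."""
    buckets: Dict[Tuple[int, str, int], Set[str]] = defaultdict(set)
    for f in flows:
        buckets[(f.ts // window, f.dst, f.dport)].add(f.src)
    peak: Dict[Tuple[str, int], int] = defaultdict(int)
    for (_, dst, dport), srcs in buckets.items():
        peak[(dst, dport)] = max(peak[(dst, dport)], len(srcs))
    return dict(peak)


def beacon_cv(flows: List[Flow]) -> Dict[Tuple[str, str, int], float]:
    """Coefficient of variation of inter-contact gaps per (src, dst, dport).
    Values near 0 mean a fixed contact period; pairs with fewer than two
    gaps are skipped because regularity is undefined for them."""
    times: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst, f.dport)].append(f.ts)
    out: Dict[Tuple[str, str, int], float] = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
        out[key] = (var ** 0.5) / mean
    return out


def candidate_servers(flows: List[Flow], window: int = 900, min_fan_in: int = 20,
                      max_cv: float = 0.2) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Return (dst, dport) pairs whose peak fan-in reaches `min_fan_in`,
    with the number of clients whose contact pattern is regular (cv <= max_cv)."""
    fan_in = fan_in_by_window(flows, window)
    cv = beacon_cv(flows)
    report: Dict[Tuple[str, int], Dict[str, int]] = {}
    for (dst, dport), n in fan_in.items():
        if n < min_fan_in:
            continue
        regular = sum(1 for (s, d, p), c in cv.items()
                      if d == dst and p == dport and c <= max_cv)
        report[(dst, dport)] = {"fan_in": n, "regular_clients": regular}
    return report


if __name__ == "__main__":
    for (dst, dport), info in candidate_servers(build_sample_flows()).items():
        print(f"{dst}:{dport} fan_in={info['fan_in']} regular_clients={info['regular_clients']}")
```

Fan-in alone also flags popular legitimate services, which is why the regularity measure is reported next to it: a software-update server is contacted by many hosts, but rarely on a fixed per-host period, whereas bots polling a C&C server usually are.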