Botnets - UCY


Botnets

What is a BotNet?

A BotNet is a collection of compromised ordinary machines (bots) controlled by an attacker (the Bot Master).

It can be rented for all sorts of malicious activities:

• Click fraud
• SPAM
• Facebook/Twitter Likes or Retweets
• Distributed Denial of Service (DDoS) attacks

Centralized BotNet: the bot master controls the BotNet through a hidden command and control channel (C&C). Bots periodically check this channel to receive new commands. The command payload is encrypted.

P2P Botnet: the botmaster can connect to any P2P bot in the network and operate it as the C&C server. A P2P botnet can realize a highly scalable and extensible network structure which is resilient to firewall sanctions and node/path failures.


Your Botnet is My Botnet: Analysis of a Botnet Takeover

Describes the experience of actively seizing control of a BotNet called Torpig and performing a comprehensive analysis of its operations for a period of ten days.

What’s special about the Torpig BotNet?

• Torpig is a centralized malware program, designed to harvest sensitive information.
• It’s large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims.
• It’s possible to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted the authors’ command and control server. (details later)

Approaches to study BotNets

Passive analysis:

Analysing secondary effects that are caused by the activity of compromised machines, such as:

• Spam mails that were likely sent by bots
• Measurements on DNS queries or DNS blacklist queries performed by bot-infected machines
• Analysing network traffic at the tier 1 ISP level for cues that are characteristic of certain botnets

While this analysis provides interesting insights into botnet-related behaviours, one can typically only monitor a small portion of the Internet.

Active analysis (infiltration of the BotNet):

• Use an actual malware sample or a client simulating a bot to join a botnet and perform an inside analysis:
  o By obtaining a copy of a malware sample (e.g. from spam traps)
  o Executing the sample in a controlled environment
• Observe the traffic that is exchanged between the bot and its C&C server.

Hijacking the entire botnet:

In the case of centralized IRC and HTTP botnets, one can attempt to hijack the entire botnet, typically by taking control of the C&C channel.

• One way to achieve this is to directly seize the physical machines that host the C&C.
• Alternatively, one can tamper with the domain name service (DNS), as bots typically resolve domain names to connect to their command and control infrastructure.

Several botnets, including Torpig, use domain flux to locate active C&C servers. With domain flux:

1. Each bot periodically (and independently) generates a list of domains that it contacts.
2. The bot then proceeds to contact them one after another.
3. The first host that sends a reply that identifies it as a valid C&C server is considered genuine, until the next period of domain generation is started.

By reverse engineering the domain generation algorithm:

• It is possible to pre-register domains that bots will contact at some future point, thus denying access to the Botmaster.
• Bot requests can be redirected to a server under one’s own control.

This way the authors took over control of the BotNet.

Torpig Analysis:

• Torpig bots transmit unique identifiers, which aided in:
  o Distinguishing individual infections.
  o Precisely estimating the botnet size by counting the unique IDs.
• Torpig is a data-harvesting bot that targets a wide variety of applications and extracts a wealth of information from the infected victims. Information sent by more than 180 thousand infected machines was obtained.

Background

Torpig has been distributed to its victims as part of Mebroot. Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most antivirus tools.

Victims are infected through drive-by-download attacks. Web pages on legitimate but vulnerable websites:

1. Are modified with the inclusion of HTML tags.
2. These tags cause the victim’s browser to request JavaScript code.
3. This JavaScript code launches several exploits against the browser or its components (plugins).
4. If any exploit is successful, an executable installer for Mebroot is downloaded from the drive-by-download server to the victim machine, and it is executed.
  a. The installer injects a DLL into the file manager, loads a kernel driver to get raw disk access and then overwrites the MBR of the machine with Mebroot.
5. Mebroot contacts its C&C server periodically, in two-hour intervals, to report its current configuration and to potentially receive updates (obtain malicious modules).
  a. Mebroot injects these modules into several applications, e.g. web browsers, email clients, instant messengers and system programs (cmd.exe). After the injection, Torpig retrieves pieces of information, e.g. credentials.
6. Periodically the Torpig C&C server is contacted to upload the data stolen since the previous reporting time.
7. Torpig uses phishing attacks to actively elicit additional sensitive information from its victims:
  a. Via an injection server mapped to one of the domains specified in the config file, which launches a trigger page.
  b. When the user visits the trigger page, Torpig requests the injection URL from the injection server and injects the returned content into the user’s browser. This content typically consists of an HTML form that asks the user for sensitive information (e.g. credit card numbers).
  c. The injected content carefully reproduces the style and look-and-feel of the target web site.

DOMAIN FLUX

Each bot uses a domain generation algorithm (DGA) to compute a list of domain names. This list is computed independently by each bot and is regenerated periodically. Then the bot attempts to contact the hosts in the domain list in order until one succeeds, i.e., the domain resolves to an IP address and the corresponding server provides a response that is valid in the botnet’s protocol. If a domain is blocked, the bot simply rolls over to the following domain in the list.

In Torpig, the DGA is seeded with the current date and a numerical parameter.

1. The algorithm computes a “weekly” domain name, dw, that depends on the current week and year.
2. Then the bot appends a few TLDs to the domain name, e.g. dw.com, dw.net, dw.biz.
3. Then it resolves each domain and attempts to connect to its C&C server.
4. If all three connections fail, Torpig computes a “daily” domain, say dd, which in addition depends on the current day.
  a. If the “daily” domains also fail, it tries to contact the domains hardcoded in its configuration.


The DGA used in Torpig is completely deterministic; i.e., once the current date is determined, all bots generate the same list of domains, in the same order.
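As an added illustration of the domain-flux procedure above (not code from the paper or from Torpig; the label function is a hypothetical stand-in for the reverse-engineered DGA, and TLDS, HARDCODED_FALLBACK and SEED_PARAM are constructed values), the following reproduces the contact order, weekly names over the TLDs, then daily names, then the hardcoded fallback, and the defender-side consequence of determinism: the weekly names that must be held to be contacted before the botmaster’s own domain can be computed for a whole date range in advance.

```python
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "biz"]                  # order in which each label is tried (constructed)
HARDCODED_FALLBACK = ["fallback-a.invalid", "fallback-b.invalid"]  # stand-ins for config domains
SEED_PARAM = 7                                # stands in for the numerical seed parameter


def _label(*parts) -> str:
    """Hypothetical DGA core: a stable pseudo-random label derived from the seed parts.
    This is NOT the Torpig algorithm; it only shares its inputs and its determinism."""
    digest = hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()
    return "x" + digest[:10]


def weekly_label(day: date) -> str:
    """dw: depends only on the current ISO week and year."""
    year, week, _ = day.isocalendar()
    return _label("w", year, week, SEED_PARAM)


def daily_label(day: date) -> str:
    """dd: additionally depends on the current day."""
    year, week, _ = day.isocalendar()
    return _label("d", year, week, day.day, SEED_PARAM)


def contact_order(day: date) -> list:
    """Ordered list a bot works through on `day`: weekly names over the TLDs,
    then daily names over the TLDs, then the hardcoded fallback domains."""
    dw, dd = weekly_label(day), daily_label(day)
    return ([f"{dw}.{t}" for t in TLDS]
            + [f"{dd}.{t}" for t in TLDS]
            + list(HARDCODED_FALLBACK))


def first_valid(order, responders):
    """Simulate the bot's roll-over: `responders` maps a domain to whoever answers
    with a protocol-valid C&C response; the first hit is trusted until the next period."""
    for name in order:
        if name in responders:
            return name, responders[name]
    return None, None


def names_to_hold(start: date, days: int, tlds=("com", "net")) -> list:
    """Defender view: because every bot computes the same list, the weekly names
    that precede the botmaster's domain can be pre-computed for a whole date range."""
    names = []
    for i in range(days):
        dw = weekly_label(start + timedelta(days=i))
        for t in tlds:
            n = f"{dw}.{t}"
            if n not in names:
                names.append(n)
    return names


def parse_day(iso: str) -> date:
    """Convenience for callers working with ISO date strings (e.g. from a log)."""
    return date.fromisoformat(iso)


if __name__ == "__main__":
    day = parse_day("2024-03-04")             # constructed example date
    order = contact_order(day)
    # Constructed scenario: the botmaster holds only the .biz weekly name, while the
    # defender registered .com and .net in advance, so the bot is redirected first.
    responders = {order[0]: "defender", order[1]: "defender", order[2]: "botmaster"}
    print(order)
    print(first_valid(order, responders))
    print(names_to_hold(day, 10))
```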

There are two requirements that the botmasters must satisfy to maintain their grip on the botnet:

• They must control at least one of the domains that will be contacted by the bots.
• They must use mechanisms to prevent other groups from seizing domains that will be contacted by bots before the domains under their control.
  o Torpig controllers did not register all the weekly domains in advance, which was a critical factor in enabling the hijacking.

The use of domain flux in botnets has important consequences in the arms race between botmasters and defenders:

• Attacker: if the current domain is taken down, the botmasters simply must register the next domain in the domain list to regain control of their botnet.
• Defender: domain flux opens the possibility of hijacking a botnet, by registering an available domain that is generated by the botnet’s DGA and returning an answer that is a valid C&C response.
  o The feasibility of hijacking doesn’t depend only on reverse engineering the botnet protocol and forging a valid C&C server’s response.
  o It also depends on the cost of registering enough domains to make the hijacking effective. Domain registration comes at a price.
    ▪ Active countermeasure: forcing defenders to register a disproportionate number of names.

The security community should build a stronger relationship with registrars. Registrars, in fact, are the entity best positioned to mitigate malware that relies on DNS.

Taking Control of the BotNet

The authors carried out the hijacking by registering the .com and .net domains that were to be used by the botnet before the botmasters did.

The botmasters regained control after 10 days by distributing a new Torpig binary that updated the domain algorithm.

BotNet Analysis

Almost 70GB of data was collected over a period of ten days.

Data Collection and Format

All bots communicate with the Torpig C&C through HTTP POST requests.


• The request contains the hexadecimal representation of the bot identifier and a submission header.
• The body of the request contains the data stolen from the victim’s machine.
• The bot identifier (a token computed from HW & SW characteristics of the infected machine) is used as the symmetric key.

The (decrypted) submission header has key-value pairs that provide basic information about the bot. It contains:

• The time stamp when the configuration file was last updated (ts)
• The IP address of the bot
• The port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine
• The OS version and locale (os, cn)
• The bot identifier (nid)
• The build and version number of Torpig (bld, ver)

The request body consists of zero or more data items of different types, depending on the information that was stolen, such as configuration data and credentials. Table 1 shows the different data types.

5.2 Botnet Size

The size of the Torpig botnet is defined by two parameters:

• The botnet’s footprint, which indicates the aggregated total number of machines that have been compromised over time.
• The botnet’s live population, which denotes the number of compromised hosts that are simultaneously communicating with the C&C server.


Torpig generates and transmits unique and persistent IDs that make for good identifiers of infected machines.

Counting Bots by nid

The nid is an 8-byte value constructed by hashing the model and serial number of the primary hard disk of each bot. If that failed, the nid was the concatenation of a hardcoded value (0xBAD1D222) with the Windows volume serial number.

Validating whether the nid is unique by correlating it with the other information provided in the submission header (os, cn, …) found 2,079 nids that did not meet the criteria, so counting by nid alone was not satisfactory.

Counting Bots by Submission Header Fields

The combination of the nid, os, cn, bld, and ver values from the submission header provided more reliable results.

• Count the tuples from the Torpig headers consisting of (nid, os, cn, …).
• Exclude machines that likely belonged to researchers, such as VMs (VMs have virtual devices with a fixed serial number), and machines sending invalid requests to the C&C server.

After subtracting these bots, the final estimate of the botnet’s footprint is 182,800 hosts.

Botnet Size vs. IP Count

Because of network effects such as DHCP churn and NAT, counting the number of infected bots by counting the unique IP addresses that connect to the botnet’s C&C server is problematic.

During the ten days of monitoring, 182,800 bots were observed. In contrast, during the same time, 1,247,642 unique IP addresses contacted the server.

The difference between the IP count and the actual bot count can be attributed to:

• DHCP and NAT effects, where an IP address is allocated to a connecting client from a pool of available IPs (allocation is often dynamic).
  o Short leases (the length of time for which the allocation is valid) magnify the effect, e.g. a single host changed IP addresses 694 times in 10 days.
• The same host was associated with different IP addresses on the same autonomous system but in different class B /16 subnets, because ISPs recycle IP addresses frequently.
• The impact of NAT (used to enable shared Internet access for an entire private network through a single public address). This technique reduces the number of IPs observed at the C&C server.

Approximately 50k new infections occurred during the 10-day period of the hijacking, estimated using the timestamp of the most recently received configuration file. The speculation for the days with the highest infection counts was that a popular website had been compromised.
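As an added example (not the paper’s code or data; the header rows are constructed, and the key names ip, hport and sport are assumed since the notes give no key for those fields), the following parses decrypted submission headers and contrasts the three counts discussed above: unique IPs, unique nids, and unique (nid, os, cn, bld, ver) tuples after excluding a VM’s fixed-serial nid and invalid requests. It also reports per-host IP churn, the DHCP effect that inflates the IP count.

```python
from collections import defaultdict

# Constructed stand-in for the nid a VM with a fixed virtual-disk serial would produce.
VM_FIXED_NID = "0xBAD1D222deadbeef"
# Fields the notes list for a valid submission header.
REQUIRED = ("ts", "os", "cn", "nid", "bld", "ver")

# Constructed sample headers (not real Torpig data). One host (0x1111) churns through
# three DHCP addresses, two hosts share one NAT address, one nid (0x4444) shows up
# with two different os/cn combinations, two VMs share the fixed-serial nid, and the
# last line is an invalid request missing most fields.
SAMPLE_HEADERS = """\
ts=100;ip=203.0.113.10;hport=8080;sport=1080;os=winxp;cn=en-US;nid=0x1111;bld=b1;ver=1
ts=100;ip=203.0.113.11;hport=8080;sport=1080;os=winxp;cn=en-US;nid=0x1111;bld=b1;ver=1
ts=100;ip=203.0.113.12;hport=8080;sport=1080;os=winxp;cn=en-US;nid=0x1111;bld=b1;ver=1
ts=100;ip=198.51.100.5;hport=8080;sport=1080;os=winxp;cn=de-DE;nid=0x2222;bld=b1;ver=1
ts=100;ip=198.51.100.5;hport=8080;sport=1080;os=win2k;cn=de-DE;nid=0x3333;bld=b1;ver=1
ts=100;ip=192.0.2.7;hport=8080;sport=1080;os=winxp;cn=it-IT;nid=0x4444;bld=b1;ver=1
ts=100;ip=192.0.2.8;hport=8080;sport=1080;os=winvista;cn=fr-FR;nid=0x4444;bld=b1;ver=1
ts=100;ip=192.0.2.99;hport=8080;sport=1080;os=winxp;cn=en-US;nid=0xBAD1D222deadbeef;bld=b1;ver=1
ts=100;ip=192.0.2.100;hport=8080;sport=1080;os=winxp;cn=en-GB;nid=0xBAD1D222deadbeef;bld=b1;ver=1
ip=192.0.2.200;nid=0x5555
"""


def parse_header(line: str) -> dict:
    """Split one 'key=value;key=value' header into a dict (assumed layout)."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def parse_all(text: str) -> list:
    return [parse_header(line) for line in text.splitlines() if line.strip()]


def is_valid(h: dict) -> bool:
    """A request lacking the basic header fields is not counted as a bot."""
    return all(k in h for k in REQUIRED)


def unique_ips(headers) -> int:
    """The naive count: every address that contacted the C&C, valid or not."""
    return len({h["ip"] for h in headers if "ip" in h})


def count_by_nid(headers) -> int:
    return len({h["nid"] for h in headers if is_valid(h)})


def bot_tuple(h: dict) -> tuple:
    return (h["nid"], h["os"], h["cn"], h["bld"], h["ver"])


def conflicting_nids(headers) -> set:
    """nids seen with more than one (os, cn, bld, ver) combination: nid alone
    does not identify a single machine for these."""
    seen = defaultdict(set)
    for h in headers:
        if is_valid(h):
            seen[h["nid"]].add(bot_tuple(h))
    return {nid for nid, tuples in seen.items() if len(tuples) > 1}


def footprint(headers, exclude_nids=frozenset()) -> int:
    """Footprint estimate: distinct header tuples, minus excluded (e.g. VM) nids."""
    return len({bot_tuple(h) for h in headers
                if is_valid(h) and h["nid"] not in exclude_nids})


def ip_churn(headers) -> dict:
    """Distinct addresses per bot: how much DHCP churn inflates the IP count."""
    ips = defaultdict(set)
    for h in headers:
        if is_valid(h) and "ip" in h:
            ips[h["nid"]].add(h["ip"])
    return {nid: len(s) for nid, s in ips.items()}


if __name__ == "__main__":
    hs = parse_all(SAMPLE_HEADERS)
    print("unique IPs:", unique_ips(hs))
    print("unique nids:", count_by_nid(hs), "conflicting:", conflicting_nids(hs))
    print("footprint (VMs excluded):", footprint(hs, {VM_FIXED_NID}))
    print("max IP churn per host:", max(ip_churn(hs).values()))
```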


Threats and Data Analysis

Financial Data Stealing

Torpig is crafted to obtain information that can be readily monetized in the underground market (bank accounts, credit card numbers).

• The Torpig configuration file lists roughly 300 domains belonging to banks and other financial institutions that are the target of the “man-in-the-browser” phishing attacks.
• In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions and 1,660 unique credit/debit card numbers.
• It’s interesting that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session.

According to Symantec, the price of credit cards is between $0.10–$25 and bank accounts from $10–$1,000. Therefore, the Torpig controllers may have profited anywhere between $83K and $8.3M in 10 days.

Spamming via Proxies

Torpig opens two ports on the local machine, one to be used as a SOCKS proxy, the other as an HTTP proxy.

• 20.2% of the machines observed were publicly accessible. Their proxies could easily be leveraged by miscreants to, for example, send spam or navigate anonymously.
• Torpig has the potential to drag its victims into a variety of malicious activities.

Denial-of-Service

• By mapping the IP addresses to their network speed, it was determined that cable and DSL lines account for 65% of the infected hosts (at 435kbps each, an aggregate of 17Gbps).
• The same network speed (435kbps) is assumed for the unknown IP addresses.
• Corporate networks typically have significantly larger upstream connections.

Considering that there were more than 70,000 active hosts at peak intervals, a botnet of this size could cause a massive distributed denial-of-service (DDoS) attack.


Password Analysis

Torpig bots stole 297,962 unique credentials (username and password pairs), sent by 52,540 different Torpig-infected machines, over the period of 10 days.

The analysis found that almost 28% of the victims reused their credentials for accessing 368,501 web sites.

CONCLUSIONS

Controlling hundreds of thousands of hosts that were volunteering gigabytes of sensitive information provided a unique opportunity to understand both the characteristics of the botnet victims and the potential for profit and malicious activity of the botnet creators.

• A naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.
• The victims of botnets are often users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites.
  o Even though people understand concepts such as physical security well, they do not understand the consequences of irresponsible behaviour when using a computer.

Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate Internet citizens so that the number of potential victims is reduced.


SoK: P2PWNED — Modelling and Evaluating the Resilience of Peer-to-Peer Botnets

• The most common type of architecture for botnets is a central Command-and-Control server.
  o Compromising the C&C takes down the entire botnet.
  o Consequently, these C&C servers have received an increasing amount of attention from security researchers and law enforcement for takedown attempts.
• Botmasters have designed and implemented new architectures to make their botnets more resilient:
  o Fast-Flux DNS
  o Domain Generation Algorithms (DGA) to generate domain names
    ▪ Seed values such as the current date/time and Twitter trends
• A more radical and increasingly popular way to increase botnet resilience is to organize the botnet as a Peer-to-Peer (P2P) network.
  o In a P2P botnet, bots connect to other bots to exchange C&C traffic.
    ▪ As a result, P2P botnets cannot be disrupted using the traditional approach of attacking critical centralized infrastructure.
  o It is difficult to estimate a P2P botnet’s size, for several reasons:
    ▪ P2P botnets often use custom protocols, so researchers must first reverse engineer the protocol and encryption before they can track the botnet’s population.
    ▪ Approximations based on IP addresses alone have been shown to be inaccurate unless care is taken to account for IP address churn [24].
    ▪ Another significant problem is that there is currently no systematic way to analyse the resilience of P2P botnets against takedown attempts.

This paper presents a graph-theoretical model of P2P botnets that aids in analysing the resilience of some botnets and evaluates the accuracy of two P2P botnet enumeration techniques, namely crawling and sensor injection.

This model highlights two resilience aspects:

• Intelligence gathering resilience: modelling and evaluation on current P2P botnets.
  o Evaluation of the extent to which P2P botnets:
    ▪ Deter malware analysts from enumerating the bots in the network
    ▪ Are susceptible to attacks like command injection
• Disruption resilience.
  o Formalization of attacks that can be used to disrupt P2P botnets, such as sinkholing and partitioning, and testing on real-world P2P botnets.
    ▪ In sinkholing, all bots are redirected to an attacker-controlled machine called a sinkhole; partitioning aims to split a botnet into unusable sub-networks.


II. OVERVIEW OF P2P BOTNETS

Terminology:

• Botnet family: a specific strain of botnet.
• Botnet variant: a variant within a botnet family.
• Botnet: a coherent collection of hosts infected with a specific botnet variant. Some botnet variants contain several disjoint botnets.

A. P2P Botnet Characteristics

Figure 1 shows four botnet families with their variants and corresponding botnets that were active in November 2012.

Table I: Overview of P2P botnet families showing their protocol, message propagation method, communication direction, C&C architecture, and purpose. The main purpose is highlighted in bold. C = Click Fraud, D = DDoS, M = Bitcoin Mining, N = Network Services, P = Pay-Per-Install, S = Spam, T = Credential Theft.

• A gossip protocol is a procedure or process of computer-to-computer communication that is based on the way social networks disseminate information.
• A hybrid architecture means the botnet incorporates centralized servers, for instance to collect stolen data.
  o Shutting down these centralized components usually has a minimal effect, as the P2P layer can easily be used to redirect bots to alternative servers.


III. A FORMAL MODEL FOR P2P BOTNETS

This section presents a formal model to capture the fundamental characteristics of all previously described P2P botnets.

• A non-routable peer cannot be reached by other peers, but can contact one or more peers.
• A routable peer is a peer that can also be contacted by other peers.
• An unreachable peer cannot be reached by any peer nor contact other peers (e.g. it is offline), but is still known to one or more peers.

Definition 1: A peer-to-peer (P2P) botnet is a directed graph G := (V, E), where V is a set of peers and E ⊆ V × V is a set of edges (u, v) with u, v ∈ V. The set of peers V := Vr ∪ Vn ∪ Vu is the disjoint union of routable peers Vr, non-routable peers Vn and unreachable peers Vu.

All P2P botnets implement the concept of peer lists to keep track of neighbouring peers. These lists can be highly dynamic and do not necessarily have to be stored explicitly.

Definition 2: Let G = (V, E) denote a P2P botnet. The set of edges Ev := {(v, u) ∈ E} for a peer v ∈ V is called the peer list of v.

Definition 3: The out-degree of v is defined as deg+(v) := |Ev|. The in-degree of v is defined as deg−(v) := |{(u, v) ∈ E}|.

Several operations can be expressed based on this formal model:

Delete: deleting an edge (u, v) from the graph is represented by a transformation D : G → G’ with G’ := (V, E’) and E’ := E \ {(u, v)}.

Insert: inserting an edge (u, v) into the graph is represented by a transformation I : G → G’ with G’ := (V’, E’), where V’ := V ∪ {v} and E’ := E ∪ {(u, v)}. I∗ is the composition of multiple inserts.

Update: updating an edge cannot be expressed directly. The operation U := I ∘ D is defined as an edge deletion followed by an edge insertion. U∗ denotes multiple subsequent updates.

The insert, update and delete operations on a P2P botnet graph provide the primitives necessary to describe the reconnaissance and mitigation strategies.

IV. ATTACKS AGAINST P2P BOTNETS

This section presents generic attack methods (Intelligence Gathering, Disruption and Destruction), which can be applied to any P2P botnet that is compliant with the model. The attacks are based on the following two observations:

1. For a P2P botnet to be functional, participating peers must be cooperative, i.e., they must communicate with other peers.
2. Peers cannot be authenticated, as a secure authentication scheme conflicts with the dynamic, self-organizing nature of P2P networks.

In summary, P2P botnets rely on the cooperation of untrusted parties; these are two weaknesses that can be exploited.

Basic attacks are represented by the Insert, Update, and Delete primitives (e.g. deleting an edge from a P2P graph results in reduced overall connectivity and potentially influences the speed at which information propagates).

1) Graph Search: Many attacks rely on knowledge about the P2P topology of a botnet. One approach is to explore the peer lists of all routable peers (crawling).
  a. In practice, most P2P botnet topologies are so dynamic that they change during the graph search, or some peers may not be explorable. This leads to inaccurate results.

Algorithm 1 describes a generic P2P botnet graph search algorithm.

In line 1, it is initialized with a set of seed peers, which can be obtained through reverse engineering bot samples or dynamic analysis. Peers that reply to peer list requests are added to the set of cached routable peers in line 5. Next, their neighbouring peers are added to the peer cache. The list of edges is updated in line 7. Another parameter is the peer selection strategy (line 9).

2) Peer Injection: Most attacks against P2P botnets are based on changes to the graph topology by manipulating the set of edges or the set of vertices. A newly added peer cannot affect the topology if it is unknown to other peers. To affect the topology, manipulations of E are mandatory.

3) Peer List Destruction: Describes “corrupting changes” to a peer’s peer list. The context here is an individual peer, not the entire P2P graph. To destroy a peer list, entries can either be deleted or replaced with invalid (unreachable or non-routable) entries, i.e., peers from V \ Vr.

B. Class I: Intelligence Gathering

Attacks against P2P botnets are often preceded by attempts to enumerate the infected hosts and collect information about them. Two complementary approaches are crawling and sensor nodes.


1. Crawling: crawl as many peers as possible and collect information about them.
  a. The collected information can be anything that is accessible to other peers, which depends on the specific communication protocol.
  b. This approach depends heavily on the P2P protocol details (e.g. if only routable peers are included in local peer lists, the crawler’s view is very limited).
2. Sensor Nodes: P2P botnet peers are periodically contacted by their neighbouring peers, e.g., during regular peer list verification cycles.
  a. Introducing a sensor can be achieved through peer injection.
  b. Sensors can also be contacted by non-routable peers, which potentially overcomes some of the shortcomings of crawling.

C. Class II: Disruption and Destruction

Disruption and destruction can be achieved via the following methods:

1. Partitioning: the distribution of information is prohibited by partitioning the graph, i.e., trying to isolate specific nodes by eliminating all edges to other peers. To invalidate an edge, it can be deleted or replaced by applying the peer list destruction method.
  a. Partitioning requires knowledge about the graph topology, i.e., the edges to eliminate. Such knowledge can be obtained by crawling.
  b. The more edges are eliminated, the harder it becomes to crawl the network. Injecting a sensor node can help alleviate this problem.
  c. A more general destructive transformation decreases the popularity of nodes by deleting certain edges from the P2P graph, resulting in slower information propagation.
2. Sinkholing: all edges are either invalidated or replaced with edges pointing to special nodes, the sinkholes.
  a. This attack type transforms the infrastructure into a centralized network, with the set of sinkholes being the central component for all P2P communication.
  b. One strategy is to announce the sinkholes’ existence in the botnet. Due to their popularity, many peers then contact the sinkhole on a regular basis.
3. Communication Layer Poisoning: describes a class of attacks where specially crafted information is injected into a botnet. This requires access to the P2P infrastructure, which can be achieved by peer injection.
  a. The range of poisoning attacks is huge: depending on a botnet’s command protocol, one could distribute commands to other bots or transmit invalid messages that put recipients in a non-functional state.
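As an added example covering Definitions 1–3 and the Insert/Delete/Update primitives from Section III together with the crawling, sensor and sinkholing methods above (not code from the paper; the toy topology in build_sample is constructed), the following implements the graph model in Python and shows why a crawler misses non-routable peers, why an injected sensor sees them, and how sinkholing as repeated updates (U∗) collapses the graph into a star around the sinkhole.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class P2PBotnet:
    """Definition 1: G = (V, E) with V = Vr ∪ Vn ∪ Vu (disjoint) and E ⊆ V × V."""
    routable: set = field(default_factory=set)       # Vr: can be contacted by others
    non_routable: set = field(default_factory=set)   # Vn: can only initiate contact
    unreachable: set = field(default_factory=set)    # Vu: offline but still listed
    edges: set = field(default_factory=set)          # E: (u, v) means u lists v

    @property
    def peers(self) -> set:
        return self.routable | self.non_routable | self.unreachable

    def peer_list(self, v) -> set:
        """Definition 2: Ev, the edges leaving v."""
        return {(a, b) for (a, b) in self.edges if a == v}

    def out_degree(self, v) -> int:           # Definition 3: deg+(v) = |Ev|
        return len(self.peer_list(v))

    def in_degree(self, v) -> int:            # Definition 3: deg-(v) = |{(u, v) in E}|
        return sum(1 for (_, b) in self.edges if b == v)

    def delete(self, u, v):                   # D: E' = E \ {(u, v)}
        self.edges.discard((u, v))

    def insert(self, u, v, kind="routable"):  # I: V' = V ∪ {v}, E' = E ∪ {(u, v)}
        if v not in self.peers:
            getattr(self, kind).add(v)
        self.edges.add((u, v))

    def update(self, u, old, new, kind="routable"):  # U = I ∘ D
        self.delete(u, old)
        self.insert(u, new, kind)


def crawl(g: P2PBotnet, seeds) -> tuple:
    """Class I crawling, in the spirit of Algorithm 1: start from seed peers, ask each
    for its peer list and queue the neighbours (FIFO peer selection strategy). Only
    routable peers can answer a request, so Vn and Vu are never enumerated."""
    queue, found, edges = deque(seeds), set(), set()
    while queue:
        v = queue.popleft()
        if v in found or v not in g.routable:
            continue
        found.add(v)                           # replied: cache as a routable peer
        for (_, u) in g.peer_list(v):
            edges.add((v, u))
            if u not in found:
                queue.append(u)
    return found, edges


def inject_sensor(g: P2PBotnet, sensor, announce_to):
    """Peer injection: the sensor only affects the topology once bots list it."""
    for b in announce_to:
        g.insert(b, sensor, kind="routable")


def sensor_view(g: P2PBotnet, sensor) -> set:
    """Class I sensor: every live peer that lists the sensor contacts it during its
    verification cycle, including non-routable peers behind NAT."""
    live = g.routable | g.non_routable
    return {a for (a, b) in g.edges if b == sensor and a in live}


def sinkhole(g: P2PBotnet, sinks, victims):
    """Class II sinkholing as repeated updates (U*): every peer-list entry of each
    victim is replaced by a sinkhole, turning the P2P layer into a star."""
    for i, v in enumerate(sorted(victims)):
        for (_, u) in list(g.peer_list(v)):
            g.update(v, u, sinks[i % len(sinks)])


def is_sinkholed(g: P2PBotnet, sinks) -> bool:
    """True when no bot-to-bot edge is left: all edges from non-sinks point to a sink."""
    return all(b in sinks for (a, b) in g.edges if a not in sinks)


def build_sample() -> P2PBotnet:
    """Constructed toy botnet: three routable bots in a ring, one stale entry to an
    offline peer, and two NATed bots that know the ring but are listed by nobody."""
    g = P2PBotnet(routable={"r1", "r2", "r3"}, non_routable={"n1", "n2"},
                  unreachable={"u1"})
    g.edges |= {("r1", "r2"), ("r2", "r3"), ("r3", "r1"), ("r1", "u1"),
                ("n1", "r1"), ("n2", "r2")}
    return g


if __name__ == "__main__":
    g = build_sample()
    print("crawl from r1:", sorted(crawl(g, {"r1"})[0]))        # misses n1, n2
    inject_sensor(g, "S", {"r1", "r2", "r3", "n1", "n2"})
    print("sensor sees:", sorted(sensor_view(g, "S")))          # includes n1, n2
    sinkhole(g, ["S"], {"r1", "r2", "r3", "n1", "n2"})
    print("sinkholed:", is_sinkholed(g, {"S"}), "deg-(S) =", g.in_degree("S"))
```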


V. P2P BOTNET INTELLIGENCE GATHERING EVALUATION

A P2P botnet topology offers unique possibilities to gather intelligence about the bots.

A. Resilience Against Peer Enumeration

By reverse engineering the communication protocols, an initial analysis was performed of how botnets are protected against peer enumeration.

• A vital aspect for peer enumeration is the ability to uniquely identify peers.
• The lack of unique IDs can skew enumeration results considerably.
  o If a bot changes its IP address during a crawl, the number of counted bots will be too high.
  o If multiple bots share an Internet-facing IP address (a common NAT gateway), the number of infections is underestimated.
• The number of peers shared with other peers also influences peer enumeration.
• The peer selection strategy influences enumeration results as well.

B. Peer Enumeration Real-World Observations

Due to the nature of connectionless protocols, UDP-based botnets can generally be crawled faster, resulting in greater coverage. Similarly, peer injection is more efficient for UDP. Thus, the deployment of sensor nodes happened only on UDP-based botnets.

A sensor may have the opportunity to perform additional validity checks for peers in Vn. By sending packets to the sensor, a peer behind a NAT establishes a punched hole which the sensor can use to send requests to the peer to check if it responds in a protocol-conformant way.

In comparison to sensors, crawling can generally only provide a limited view of the overall botnet population.

• Crawlers actively enumerate peers, while sensors are reactive in that they wait to be contacted by peers.
• For ideal enumeration, one may need to combine crawling and sensor injection.


C. Convergence Analysis

Infected machines may have dynamic IP addresses that change regularly (so peers may be counted multiple times). Both IP addresses and peer IDs were counted in the experiments, where possible, to show the discrepancy.

Figure 3 also shows the crawling, sensor node and IP address counts of the Zeus botnet and their development over time.

Figure 4 compares the IP address count convergence over 24 hours for all the active P2P botnets. Figure 5 shows that enumerations via sensor nodes converge at a similar pace. In all cases, though, the sensors enumerate peers faster than the crawlers, and the sensors find many more peers than the crawlers.

D. Dynamics of Botnet Populations

Apart from IP address churn, machines joining and leaving the network also cause a steady churn of peers.


Zeus P2P: this variant appears to be designed to withstand the attacks routinely executed against traditional (centralized) Zeus botnets. It uses an unstructured push/pull based P2P network to relay commands, stolen data, and configuration/binary updates.

Some botnets do implement simple countermeasures against crawling, like rate limiting of peer list exchanges and automated blacklisting of hard hitters.

VI. P2P BOTNET DISRUPTION AND DESTRUCTION EVALUATION

A. Communication Layer Poisoning Resilience

• It’s possible to poison a P2P botnet using its own commands, or to disrupt the C&C channel to prevent legitimate commands from spreading.
  o If commands are not properly authenticated to originate from the botnet operators (e.g., through digital signatures)
    ▪ activities.

Table IV summarizes the most important security aspects of the P2P botnets.


B. Sinkholing Resilience

Sinkholing a P2P botnet involves manipulation of the peer lists for all bots in the botnet such that the bots’ peer list entries no longer point to other bots, but instead to sinkholes.

A sinkholing attack is divided into the following general steps:

1. Sinkhole announcement to as many peers as possible.
2. Node isolation by eliminating all edges in the P2P graph that do not point to a sinkhole.
3. Fallback prevention: some P2P botnets can use other C&C mechanisms to recover, so the attack must avoid activating backup C&C channels or must disable the botnet’s backup channel.

C. Partitioning Resilience

• Partitioning and sinkholing are closely related attacks.
• Partitioning may have advantages over sinkholing.
  o The injected sinkholes are generally easily identified, as they stand out against other bots due to their popularity. Thus, botnet operators may start counter attacks.
  o Partitioning attacks do not expose such attack surfaces.
    ▪ Once a botnet has been partitioned, it is next to impossible to regain control.
    ▪ A partitioning attack may not be successful unless it affects the whole P2P network by aggressively eliminating edges until all nodes are isolated.

IX. CONCLUSION

• This paper presents a model which formalizes reconnaissance and disruption attacks to support mitigation efforts against P2P botnets.
• The model is used to analyse several live real-world P2P botnets, e.g. the population size of P2P botnets is estimated using crawlers and sensor nodes.
• Sensor nodes reveal large numbers of bots which cannot be found using crawlers.
  o Combining crawlers and sensor nodes can provide a much more accurate population estimate.
• The disruption resilience of four P2P botnet families was evaluated.
  o This has shown weaknesses which could be used to disrupt botnets.