Botnet Detection Methodology Using Honeypots Information Technology Essay

Published: November 30, 2015 Words: 2438

A botnet consists of a network of compromised computers controlled by an attacker or botmaster. The term botnet is derived from software robots, or bots [7]. These bots can be controlled remotely to perform large-scale Distributed Denial of Service (DDoS) attacks, send spam, deliver Trojans, send phishing emails, distribute copyrighted media or conduct other illegal activities [6]. The distinguishing feature of a botnet is its control communication network [3]. Most bots have a centralized architecture, i.e., they are connected to a command and control (C&C) server. In such an architecture, the C&C server is a central point of failure for the botnet: the entire botnet can be shut down if the defender captures the C&C server [5]. Botmasters are now shifting to different architectures to avoid this weakness. In a peer-to-peer (P2P) architecture a node can act as a client as well as a server, and there is no centralized point for command and control [2]. A P2P botnet requires little or no formal coordination, and even if a node is taken offline by the defender, the network remains under the control of the attacker. Thus P2P has become the architecture of choice for botmasters [4].

Botnets are constantly evolving, advancing towards more complex functionality and more destructive capabilities. Until recently, the term botnet generally referred to a collection of IRC trojans, but today it can mean any sophisticated network of malicious bots. P2P botnets are difficult to shut down because they do not have a single point of failure like centralized C&C botnets.

In the P2P setting, centralized structures do not exist. The structure, albeit varied, allows for some clustering, but there is still no central authority other than the botmaster. In most cases, P2P bots talk only to a subset of the network, their set of immediate peers. Discovery of the botnet is therefore limited to enumeration via a bot-by-bot approach, unless the bots participate in a global botnet activity. Each bot has a limited view of the botnet, by design (such as an upper limit on the number of peer addresses retained) or by limitation of the network (firewalling or NATing).

As a general technique, one must visit each bot, request the list of peers known to it, and build a prioritized queue to walk the entire set, removing duplicates. However, there is the issue of hidden bots, such as those behind NAT, whose presence is known only to certain bots. These hidden bots only initiate connections (acting as polling bots) and never receive them, which is an obstacle to an accurate count. The hidden bots may know of bots that act as a bridge to an otherwise completely disconnected part of the botnet. In some cases, this information exchange is encrypted. Passive observation of P2P traffic will therefore not easily yield information about the complete network, because peers only maintain knowledge of their immediate neighbors. Only the connection data, e.g. link analysis of who talks to whom, then provides partial network knowledge.
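The enumeration technique described above, and its blind spots, can be shown on a small model. The following Python is an added example and is not code from the essay; the peer lists, bot names, the set of NAT-hidden bots and the flow log are all constructed for illustration. It walks reachable bots breadth-first with a deduplicated queue, records peers that appear in lists but cannot be contacted, and then shows what passive link analysis of who-talks-to-whom adds on top of the crawl.

```python
# Added example (not from the essay): defender-side peer-list crawl of a P2P
# botnet, modelled over a constructed peer graph with NAT-hidden bots.
from collections import deque

# Constructed peer-list snapshot: bot -> peers it would report when asked.
# "nat-1" and "nat-2" never accept inbound connections, so a crawler can never
# ask them for their lists; "bot-e"/"bot-f" are known only to nat-1 (a bridge).
PEER_LISTS = {
    "bot-a": ["bot-b", "bot-c", "nat-1"],   # nat-1 learned from an inbound poll
    "bot-b": ["bot-a", "bot-d"],
    "bot-c": ["bot-a", "bot-d", "bot-b"],
    "bot-d": ["bot-b", "bot-c"],
    "nat-1": ["bot-a", "bot-e"],            # hidden: polls others, unreachable
    "nat-2": ["bot-d"],                     # hidden and in nobody's list
    "bot-e": ["bot-f"],
    "bot-f": ["bot-e"],
}
NAT_ONLY = {"nat-1", "nat-2"}   # constructed: bots that only initiate connections

# Constructed flow log of observed connections (initiator, responder).
OBSERVED_CONNECTIONS = [
    ("nat-1", "bot-a"), ("nat-2", "bot-d"), ("bot-b", "bot-a"), ("nat-1", "bot-e"),
]


def crawl(seed, peer_lists, nat_only):
    """Breadth-first walk: contact each reachable bot, request its peer list,
    queue unseen peers, and skip duplicates. Returns (bots enumerated, bots
    present in peer lists but not contactable)."""
    visited, unreachable = set(), set()
    queue, queued = deque([seed]), {seed}
    while queue:
        bot = queue.popleft()
        if bot in nat_only:          # connection attempt fails: hidden bot
            unreachable.add(bot)
            continue
        visited.add(bot)
        for peer in peer_lists.get(bot, []):
            if peer not in queued:   # dedupe before enqueueing
                queued.add(peer)
                queue.append(peer)
    return visited, unreachable


def link_analysis(connections):
    """Passive who-talks-to-whom view: (hosts seen initiating, all endpoints)."""
    initiators = {src for src, _ in connections}
    endpoints = initiators | {dst for _, dst in connections}
    return initiators, endpoints


def enumerate_botnet(seed):
    """Combine the active crawl with passive link analysis and report what each
    method reveals and what stays invisible."""
    active, hidden = crawl(seed, PEER_LISTS, NAT_ONLY)
    initiators, endpoints = link_analysis(OBSERVED_CONNECTIONS)
    return {
        "crawled": sorted(active),
        "hidden_in_peer_lists": sorted(hidden),
        "seen_only_by_initiating": sorted(initiators - active),
        "added_by_link_analysis": sorted(endpoints - active),
        "never_observed": sorted(set(PEER_LISTS) - active - endpoints),
    }


if __name__ == "__main__":
    for key, bots in enumerate_botnet("bot-a").items():
        print(f"{key}: {bots}")
```

Running it from "bot-a" enumerates only the four reachable bots; nat-1 shows up in a peer list but cannot be contacted, nat-2 is found only because it initiates a connection in the flow log, and bot-f, reachable only through the hidden bridge nat-1, is never observed by either method.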

A honeypot is a trap set to detect unauthorized use of information systems. It appears to be part of a network but is actually isolated and protected, and it seems to contain information or a resource of value to attackers. A honeypot is valuable as an early-warning tool, and honeypots are useful for understanding botnet characteristics and technology [25]. Honeypots can generally be divided into two categories, low-interaction and high-interaction. Low-interaction honeypots emulate services and can be used to collect autonomously spreading malware; examples are Honeyd, Mwcollect and Nepenthes. High-interaction honeypots like Argos offer a full operating system to the attacker; when the attacker tries to do something malicious, the honeypot shuts down and dumps memory and disk so that what the attacker was trying to do can be analysed [1]. An analysis of these honeypots is given in Table 1.

The rest of the paper is organized as follows. Section 2 introduces the research background and related studies; the architecture of our proposed P2P botnet is presented in Section 3; Section 4 presents an analysis of three different honeypots; finally, we discuss future directions and conclude in Section 5.

II. RELATED WORK

Botnets have been an active research topic in recent years. In 2002, Puri [16] presented an overview of bots and botnets, and McCarty [17] discussed how to use a honeynet to monitor botnets. Arce and Levy [13] presented a good analysis of how the Slapper worm built its P2P botnet. Barford and Yegneswaran [18] gave a detailed and systematic dissection of many well-known botnets that have appeared in the past. Current research on botnets is mainly focused on monitoring and detection. [11], [8], [20], [21] presented comprehensive studies on using honeypots to join botnets in order to monitor botnet activities on the Internet. With help from Dynamic DNS service providers, [9] presented a botnet monitoring system that redirects the DNS mapping of a C&C server to a botnet monitor. Ramachandran et al. [10] presented how to passively detect botnets by finding botmasters' queries to DNS-based blackhole list (DNSBL) servers.

Since most botnets nowadays use Internet Relay Chat (IRC) for their C&C servers, many researchers have studied how to detect them by detecting their IRC channels or traffic. Binkley and Singh [12] attempted to detect them through abnormal IRC channels. Strayer [21] used machine-learning techniques to detect IRC-based botnet control traffic and tested the system on trace-driven network data. Chen [22] presented a system to detect botnet IRC traffic on high-speed network routers.

Nevertheless, few people have studied how botmasters might improve their attack techniques. [13], [14], [15], [16] only introduced the attack techniques already implemented in several botnets that appeared in the past. Zou and Cunningham [23] studied how botmasters might improve their botnets to avoid being monitored by a honeypot. The research presented in this paper belongs to this category.

In [24], the authors presented a "super-botnet", a super-sized botnet formed by inter-connecting many small botnets in a peer-to-peer fashion. However, [24] largely ignored the practical issues addressed in our work: (1) the majority of compromised computers cannot be used as C&C servers, since they are either behind a firewall or have dynamic IP addresses.

III. PROPOSED P2P BOTNET ARCHITECTURE

In the proposed P2P botnet architecture shown in Fig. 1, two types of bots are present: root bots and leaf bots. All bots, both leaf bots and root bots, actively contact the root bots in their peer lists to retrieve commands. Because root bots normally do not change their IP addresses, this design enhances the network stability of the botnet. The root bots are static and have global IP addresses, so they are accessible from the global Internet; they behave as both clients and servers. Not all bots with static global IP addresses qualify as root bots, since some of them may sit behind a firewall, inaccessible from the global Internet.

The leaf bots are the opposite of the root bots: they have dynamically allocated or private IP addresses, cannot be connected to from the global Internet, and do not accept incoming connections. This classification of bots is necessary because a shortage of IP address space may occur in the near future. Only root bots are candidates for peer lists. A bot can easily determine the type of IP address used by its host machine, but a botmaster must rely on collaboration between bots to identify the bots that sit behind a firewall, inaccessible from the global Internet. For example, a bot runs its server program and requests the root bots in its peer list to initiate connections to its service port. If the bot receives such test connections, it labels itself a root bot; otherwise, it labels itself a leaf bot.

A botmaster's command can pass along the links shown in Fig. 1 in both directions. The illustrative botnet in Fig. 1 has 5 root bots and 5 leaf bots. An arrow from bot A to bot B represents bot A initiating a connection to bot B. A botmaster injects commands through any bot(s) in the botnet. Both leaf and root bots actively and periodically connect to the root bots in their peer lists to retrieve commands issued by their botmaster.

When a bot receives a new command that it has never seen before (each command carries a unique ID), it immediately forwards the command to all root bots in its peer list. In terms of command forwarding, therefore, the proposed botnet has an undirected graph topology.

To monitor the proposed P2P botnet, a botmaster issues a special command, called a send command, to the botnet thereby instructing every bot to send its information to a specified machine that is compromised and controlled by the botmaster. This data collection machine is called a collector host. The IP address (or domain name) of the centralized collector host is specified in the send command.

[Figure 1 (image not reproduced): the proposed P2P botnet. Labelled elements: a bot controller, root bots, leaf bots, and two honeypots attached to the P2P botnet.]

Figure 1. Architecture of the proposed P2P botnet

TABLE I. ANALYSIS OF THREE DIFFERENT HONEYPOTS AND TOOLS

Parameter             | Honeyd                                     | Mwcollect         | Argos
----------------------|--------------------------------------------|-------------------|-----------------------------
Origin                | Niels Provos of the University of Michigan | Nepenthes         | Georgios Portokalidis
Platform              | Unix and Windows                           | Windows           | Unix and Windows
Detection method      | Arpd tool                                  | Mwcollect daemon  | trace database via tcpdump
Supporting community  | Very small                                 | Big               | Very big
Extendibility         | Yes                                        | Yes               | Yes

Every round of send commands issued by a botmaster could use a different collector host. This prevents a honeypot from knowing the identity of the collector host before it sees the actual send command. After a send command has been sent out by a botmaster, a honeypot could quickly learn the identity of the collector host (e.g., by joining the botnet [3], [6]) and then either shut the collector host down or monitor it; this is where the honeypot's work begins. In Fig. 1 two separate honeypots are present. Attacks may come from root bots or from leaf bots, and the collector host may be of either type. As noted earlier, some bots are behind a firewall and are not connected to peers, i.e., they have no links. That is why two honeypots are installed: together they help find the attacker quickly. Although two honeypots are required, our system finds the attacker quickly and easily.
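The following Python is an added example, not code from the essay, that models the root/leaf topology of Section III from the defender's side: a honeypot that has joined the botnet as a leaf bot polls one root bot and reports, for each round, the collector host named in the send command and how many forwarding hops plus one poll it took for the command to reach it. Bot names, peer lists, the "send <host>" command format, the collector host names and the round list are all constructed assumptions. Unique command IDs are deduplicated per bot, so replaying an old ID spreads nothing, and an `offline` set shows that a honeypot whose root peer is cut off from the injection point never sees the command at all.

```python
# Added example (not from the essay): simulation of command dissemination in
# the root/leaf topology, observed from a honeypot joined as a leaf bot.
from collections import deque

# Constructed topology. Only root bots appear in peer lists; leaf bots
# (including the honeypot) just poll the root bots in their own lists.
ROOT_PEERS = {
    "root-1": ["root-2", "root-3"],
    "root-2": ["root-1", "root-4"],
    "root-3": ["root-1", "root-5"],
    "root-4": ["root-2"],
    "root-5": ["root-3"],
}
LEAF_PEERS = {
    "leaf-1": ["root-1"],
    "leaf-2": ["root-4"],
    "honeypot-leaf": ["root-5"],   # the defender's honeypot, joined as a leaf
}

# Constructed rounds: (unique command id, command text, bot it was injected
# at). Each round names a different collector host (placeholder names).
ROUNDS = [
    ("cmd-0001", "send collector-a.example", "root-1"),
    ("cmd-0002", "send collector-b.example", "root-4"),
]


def flood_command(injected_at, command_id, root_peers, seen_ids, offline=frozenset()):
    """Forward a command through the root bots. seen_ids maps bot -> set of
    command ids already seen; a bot forwards an id only the first time it sees
    it. Returns {root bot: hop count at which it received the command}."""
    if injected_at in offline:
        return {}
    known = seen_ids.setdefault(injected_at, set())
    if command_id in known:          # replayed id: nothing is forwarded
        return {}
    known.add(command_id)
    hops = {injected_at: 0}
    queue = deque([injected_at])
    while queue:                     # BFS, so hops are shortest forwarding paths
        bot = queue.popleft()
        for peer in root_peers.get(bot, []):
            if peer in offline:
                continue
            peer_known = seen_ids.setdefault(peer, set())
            if command_id in peer_known:
                continue
            peer_known.add(command_id)
            hops[peer] = hops[bot] + 1
            queue.append(peer)
    return hops


def parse_send_command(text):
    """Extract the collector host from a constructed 'send <host>' command."""
    parts = text.split()
    return parts[1] if len(parts) == 2 and parts[0] == "send" else None


def honeypot_view(rounds, honeypot="honeypot-leaf", offline=frozenset()):
    """For each round, report (command id, collector host the honeypot learned,
    forwarding hops + 1 poll). Both are None if the command never reached a
    root bot the honeypot polls."""
    seen_ids = {}
    report = []
    for command_id, text, injected_at in rounds:
        hops = flood_command(injected_at, command_id, ROOT_PEERS, seen_ids, offline)
        reached = [hops[r] for r in LEAF_PEERS[honeypot] if r in hops]
        hop = min(reached) + 1 if reached else None   # +1 for the leaf's poll
        collector = parse_send_command(text) if hop is not None else None
        report.append((command_id, collector, hop))
    return report


if __name__ == "__main__":
    print(honeypot_view(ROUNDS))
    print(honeypot_view(ROUNDS, offline=frozenset({"root-3"})))
```

With the topology above the honeypot learns collector-a.example three steps after injection at root-1 and collector-b.example five steps after injection at root-4; with root-3 offline, root-5 is cut off from both injection points and the honeypot learns neither, which is the disconnected case the text gives as the reason for deploying a second honeypot.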

IV. ANALYSIS OF HONEYPOTS

The honeypots we analyzed were Honeyd, Mwcollect, and Argos. Honeyd and Mwcollect are low-interaction honeypots, like Nepenthes; Argos is a high-interaction honeypot. A summary of these three honeypots according to the listed parameters is given in Table 1.

V. CONCLUSION

The first workshop on botnets was held in 2007, and since then many detection approaches have been proposed and some real bot detection systems have been implemented (e.g. BotHunter by Gu et al. [26]). Botnet detection is a challenging problem. In this paper we proposed a new P2P botnet detection methodology, based on our definition of two classes of bots in P2P botnets. We also presented a summary of three kinds of honeypots. In future work we will simulate the proposed scheme and compare our system with existing P2P botnet detection methods using honeypots.

REFERENCES

[1] Wikipedia, Honeypots, http://en.wikipedia.org/wiki/Honeypot %28 electronics%29

[2] David Dagon, Julian Grizzard, Vikram Sharma, Chris Nunnery, Brent Kang, "Peer-to-Peer Botnets: Overview and Case Study", http://www.usenix.org/events/hotbots07/tech/full_papers/grizzard/grizzard.pdf

[3] Ping Wang, Sherri Sparks, Cliff C. Zou, "An Advanced Hybrid Peer-to-Peer Botnet", http://www.usenix.org/events/hotbots07/tech/full_papers/wang/wang.pdf

[4] Elia Florio, Mircea Ciubotariu, Symantec Security Response, "Peerbot: Catch me if you can", http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf

[5] André Fucs, Augusto Paes de Barros, Victor Pereira, "New botnets trends and threats", http://www.blackhat.com/presentations/bh-europe-07/Fucs-Paes-de-Barros-Pereira/Whitepaper/bh-eu-07-barros-WP.pdf

[6] Anestis Karasaridis, Brian Rexroad, David Hoeflin, "Wide-scale Botnet Detection and Characterization", http://www.usenix.org/events/hotbots07/tech/full_papers/karasaridis/karasaridis.pdf

[7] http://en.wikipedia.org/wiki/Botnets

[8] F. Freiling, T. Holz, and G. Wicherski, "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks," CS Dept. of RWTH Aachen University, Tech. Rep. AIB-2005-07, April 2005.

[9] D. Dagon, C. Zou, and W. Lee, "Modeling botnet propagation using time zones," in Proceedings of the 13th ..., February 2007.

[10] A. Ramachandran, N. Feamster, and D. Dagon, "Revealing botnet membership using DNSBL counter-intelligence," in USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06), June 2006.

[11] E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," in Proceedings of SRUTI: Steps to Reducing Unwanted Traffic on the Internet, July 2005.

[12] J. R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06), June 2006.

[13] I. Arce and E. Levy, "An analysis of the Slapper worm," IEEE Security & Privacy Magazine, Jan.-Feb. 2003.

[14] Sinit P2P trojan analysis, http://www.lurhq.com/sinit.html.

[15] Phatbot trojan analysis, http://www.lurhq.com/phatbot.html.

[16] R. Puri, "Bots & botnet: An overview," 2003, http://www.sans.org/rr/whitepapers/malicious/1299.php.

[17] B. McCarty, "Botnets: Big and bigger," IEEE Security & Privacy Magazine, vol. 1, no. 4, July 2003.

[18] P. Barford and V. Yegneswaran, An Inside Look at Botnets, To appear in Series: Advances in Information Security. Springer, 2006.

[19] Honeynet Project, "Know your enemy: Tracking botnets," 2005, http://www.honeynet.org/papers/bots/.

[20] F. Monrose. (2006) Longitudinal analysis of botnet dynamics. ARO/DARPA/DHS Special Workshop on Botnet.

[21] T. Strayer. (2006) Detecting botnets with tight command and control. ARO/DARPA/DHS Special Workshop on Botnet.

[22] Y. Chen. (2006) IRC-based botnet detection on high-speed routers. ARO/DARPA/DHS Special Workshop on Botnet.

[23] C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance," in Proceedings of International Conference on Dependable Systems and Networks (DSN), June 2006.

[24] R. Vogt, J. Aycock, and M. Jacobson, "Army of botnets," in Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS), February 2006, pp. 235-249.

[25] Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf, Rabiah Bt Ahmad, Mazdak Zamani and Saman Shojae Chaeikar, "A Proposed Framework for P2P Botnet Detection", IACSIT International Journal of Engineering and Technology, Vol.2, No.2, April 2010, pp 161-168

[26] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, "BotHunter: Detecting malware infection through IDS-driven dialog correlation," in Proceedings of the 16th USENIX Security Symposium (Security'07), 2007.