A Taxonomy of Botnet Structures
Martin Lyckander
martily
08/04/2016
About the paper
● David Dagon, Guofei Gu, Christopher P. Lee, Wenke Lee
● Georgia Institute of Technology
● Published in 2007
What is a botnet?
● Hosts under the control of a third party
● Infection vectors vary
● Can be self-propagating
● Different means of communication in different botnets
● Various capabilities:
  ○ Spam
  ○ DDoS
  ○ Keylogging / data exfiltration
  ○ Scanning / brute force
  ○ Click fraud
● Two categories of reasons why a bot leaves the botnet:
  ○ Random failures
  ○ Targeted responses
● Botnet topology can be seen as a network graph
[Figure: “The botmaster”]
The need for a taxonomy
● Botnets are diverse
● Size may vary greatly
● The threat of a botnet is not only about the number of infected hosts
  ○ High-speed internet vs ADSL
  ○ Uptime of nodes in the botnet
● Determine the potential of the botnet analysed
Purpose of a taxonomy
● “(a) assist the defender in identifying possible types of botnets”
● “(b) describe key properties of botnet classes, so researchers may focus their efforts on beneficial response technologies.”
● One method to take down one type of botnet is not necessarily as effective on other types
Metrics
● Effectiveness
● Robustness
● Efficiency
Effectiveness
● Measure of overall utility to the botmaster
● Size (the “giant” component, S) and bandwidth
  ○ The “giant” component is the largest online/connected portion of bots reachable by the botmaster
  ○ In a DDoS: the largest number of bots that can receive and execute commands
● Botnets are diurnal - this affects available bandwidth
  ○ Often related to link speed
  ○ This is probably a lesser factor today in some parts of the world than when the paper was written
  ○ Home routers in botnets: http://www.securityweek.com/large-ddos-botnet-powered-routersinfected-”spike”-malware
  ○ In the future: IoT, cellphones
Effectiveness cont.
● Available average bandwidth from a bot: B
  ○ A complex problem for a single link - for botnets, even harder
● B is the average cumulative bandwidth available to the botmaster under ideal circumstances
● The paper classifies bots based on link speed
  ○ Modem (type 1)
  ○ DSL/cable (type 2)
  ○ High-speed internet (type 3)
  ○ The chance of a bot belonging to a group is P; M = max network bandwidth, A = network bandwidth, W = probability of a bot being online
Efficiency
● Communication in the botnet - C&C messages, updates or data exfiltration
● Network diameter
● The geodesic length between nodes
  ○ Degrees of separation
  ○ “Six degrees of separation” - l = 6
  ○ The inverse, l-inv, is used in the taxonomy
● Average length of the shortest path connecting two nodes
● If l-inv is small, the communication can be classified as slow
  ○ l-inv = 0: no connection
  ○ l-inv = 1: fully connected
d(v,w) = distance between nodes v and w
Efficiency cont.
● Distance is not the physical connection between the nodes
● One physical hop (LAN) between two hosts could be several hops in the botnet overlay
● Topology is defined by the botmaster
● The ideal network diameter is l-inv = 1
Robustness
● The network diameter (l-inv) is also relevant for robustness
● High connectivity between bots means high fault tolerance
● Bots are added to and removed from the botnet constantly
● Instead of only using the network diameter, local transitivity can be used to measure redundancy
  ○ Given three nodes u, w, v with the existing pairs {u, w} and {u, v}, local transitivity measures the likelihood of w and v also being connected
● Clustering coefficient (γ) - average degree of local transitivity; E_v is the number of edges around node v, K_v is the number of nodes around node v
Robustness cont.
● The three nodes u, v, w form a “triad”
● γ measures the number of triads divided by the maximal number of triads
● γ = 1 means that the botnet topology is a complete mesh
● Local transitivity is important for some types of botnets
  ○ “Warez”
  ○ Key/password cracking
  ○ Brute forcing
Botnet network models
Erdős–Rényi Random Graph Models
● Botnet structured as a random graph
● Each node connects to any of the other N-1 nodes with equal probability
  ○ Botmasters limit the maximum number of connections for their hosts
● Random graphs require some central logging of nodes in the network
  ○ This means that a bot must know the address of all other bots to potentially create an edge
  ○ Easy to discover infections for honeypot operators
● A challenge for botnets distributed through scanning/spam
  ○ The first bot in the infection chain does not get information about subsequent infections
  ○ Scanning for active bots is a possibility
Watts-Strogatz Small World Models
● The network is created as a ring
● Each node has a probability of being connected to nodes on the opposite side of the ring
● During spreading in a self-propagating botnet:
  ○ A new infection can receive a list of previously infected victims
  ○ When the infected host then passes the list of victims along to new infections, it appends its own address
  ○ Typically a limited number of addresses in the list, to hinder security researchers
Barabási-Albert Scale Free Model
● Highly connected central nodes, “hubs”
● Leaf nodes have fewer connections
● IRC-based botnets
● Very vulnerable to targeted responses by researchers
  ○ Taking down the central hubs, e.g. the IRC servers used
P2P models
● Structured and unstructured topologies
● The unstructured P2P botnets tend to have similar link distributions to the scale-free botnets
  ○ Some nodes have a much larger peer list than others
  ○ Kazaa/Gnutella
● Structured botnets are more similar to random networks, as each bot in the botnet is connected to approximately the same number of other bots
  ○ Distributed hash table (DHT)
Response strategies
● The response strategies proposed are based on previous research and an empirical study of two different botnets in January 2006
● Previously known: targeting C&C infrastructure is efficient!
Random graph and P2P models
● Empirical studies have shown a median node degree k = 5.5
● The network diameter increases logarithmically with k, but only for larger values of k; realistic values show linear growth
● Giant component (S): the number of hosts reachable by the botmaster
● Local transitivity (γ) is also logarithmically increasing, but not for realistic values of k
Random graph and P2P models - loss of nodes
● Targeted responses and random failures have the same effect
  ○ Low impact!
● P2P networks often have a k equal to log N, where N is the size of the botnet
  ○ Therefore slightly more resilient than a random graph
  ○ Loss of nodes has a constant effect on the three metrics
● Random graph and P2P botnets are very resilient
● Remediation techniques
  ○ Remove a large number of nodes at once
  ○ Targeted responses: address list poisoning, P2P index poisoning
Watts-Strogatz model
● Research shows some botnets using this model
● The average degree in a “small world model” is equal to the number of edges each vertex has
● Constant decay of all metrics as nodes are removed
  ○ Low utility to the botmaster
● Other advantages
  ○ Stealthy propagation
  ○ Anonymity
● In other domains researchers state that the “small world model” is essentially a random graph
Scale free and structured P2P models
[Figure: 5k botnet]
● Targeted responses are highly effective
● The core size, C, is the number of bots which function as hubs
  ○ Distributing commands
● Adding a large number of cores does not affect the network diameter
● γ measures the number of triads
  ○ The dip in the graph is caused by core nodes forming squares, while triads are measured locally
● Upon adding more cores, transitivity grows as core nodes also form triads
Transitivity loss in scale free
● The botmaster wishes to avoid transitivity
● A low number of core nodes makes the botnet vulnerable to takedowns
● By increasing the number of links for leaf nodes, the dip is lower
● A high link count makes bots vulnerable to anomaly detection (e.g. netflow analysis)
[Figure: changes in transitivity vs core size]
Scale free targeted responses and random loss
● Centralizing information makes the network vulnerable
● Targeted responses are highly effective
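The three metrics of the taxonomy (S, l-inv and γ from the Efficiency and Robustness slides) and the node-loss comparison from the last few slides, as an added worked example that is not code from the paper or from these slides. The definitions it uses are assumptions stated in the docstring: S is the size of the largest connected component, l-inv is the mean of 1/d(v,w) over ordered node pairs with unreachable pairs counted as 0, and γ is the mean Watts-Strogatz local clustering coefficient E_v / C(K_v, 2). The two graph generators are constructed toy models; the hub-and-leaf one reproduces the slides' claim that removing a handful of hubs collapses a scale-free botnet while a random graph shrugs off the same loss.

```python
"""Botnet-graph metrics (S, l-inv, gamma) and a node-loss simulation.

Added example; not code from the paper or the slides. Assumed definitions:
S = size of the largest connected component; l-inv = mean of 1/d(v,w) over
ordered node pairs, unreachable pairs counted as 0; gamma = mean local
clustering coefficient E_v / C(K_v, 2). Graph generators are constructed toys.
"""
import random
from collections import deque


def bfs_distances(adj, src):
    """Hop counts from src over the overlay graph (not physical network hops)."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return dist


def giant_component(adj):
    """S: number of bots in the largest connected component."""
    seen, best = set(), 0
    for v in adj:
        if v not in seen:
            comp = bfs_distances(adj, v)
            seen.update(comp)
            best = max(best, len(comp))
    return best


def inverse_geodesic(adj):
    """l-inv in [0, 1]: 0 = no connections at all, 1 = complete mesh."""
    n = len(adj)
    if n < 2:
        return 0.0
    total = sum(1.0 / d for v in adj
                for w, d in bfs_distances(adj, v).items() if w != v)
    return total / (n * (n - 1))


def clustering(adj):
    """gamma: average local transitivity (triads present / triads possible).
    A bot with fewer than two peers cannot close a triad and counts as 0."""
    if not adj:
        return 0.0
    total = 0.0
    for v, nbrs in adj.items():
        k = len(nbrs)
        if k >= 2:
            e = sum(1 for u in nbrs for w in nbrs if u < w and w in adj[u])
            total += e / (k * (k - 1) / 2)
    return total / len(adj)


def metrics(adj):
    return {"S": giant_component(adj),
            "l_inv": round(inverse_geodesic(adj), 3),
            "gamma": round(clustering(adj), 3)}


def _add_edge(adj, v, w):
    if v != w:
        adj[v].add(w)
        adj[w].add(v)


def random_graph(n, k, seed=0):
    """Constructed random-graph model: every bot peers with k random other bots."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for v in range(n):
        for w in rng.sample([u for u in range(n) if u != v], k):
            _add_edge(adj, v, w)
    return adj


def scale_free(n, cores, leaf_links, seed=0):
    """Constructed hub-and-leaf model: `cores` fully meshed hubs, and every
    leaf peering with `leaf_links` hubs (the leaf link count of the slides)."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for i in range(cores):
        for j in range(i + 1, cores):
            _add_edge(adj, i, j)
    for v in range(cores, n):
        for h in rng.sample(range(cores), min(leaf_links, cores)):
            _add_edge(adj, v, h)
    return adj


def simulate_loss(adj, fraction, targeted, seed=0):
    """Remove a fraction of bots, highest-degree first (targeted response) or
    uniformly at random (random failure); return the metrics of what is left."""
    m = int(len(adj) * fraction)
    if targeted:
        victims = set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:m])
    else:
        victims = set(random.Random(seed).sample(list(adj), m))
    rest = {v: {w for w in nbrs if w not in victims}
            for v, nbrs in adj.items() if v not in victims}
    return metrics(rest)


if __name__ == "__main__":
    for name, g in (("random graph, k=3", random_graph(200, 3)),
                    ("scale-free, 5 cores", scale_free(200, 5, 1))):
        print(name)
        print("  intact:      ", metrics(g))
        print("  10% random:  ", simulate_loss(g, 0.10, targeted=False))
        print("  10% targeted:", simulate_loss(g, 0.10, targeted=True))
```

Running the block prints the three metrics before and after a 10% loss for each toy graph. For the hub-and-leaf graph the targeted run removes the five cores first, after which every leaf is isolated (S drops to 1, l-inv and γ to 0), which is the "centralizing information makes the network vulnerable" point of the slide; the random graph keeps almost all of its giant component under either kind of loss. The overlay distances are hop counts in the bot graph, not physical hops, as the Efficiency cont. slide stresses.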
Case study: Nugache botnet
● Uses the WASTE file sharing protocol
● Hard-coded IP addresses to retrieve a list of initial peers
● Continues to connect to and discover new peers
● Spread through P2P; the resulting mesh is a scale-free network
● Low link count for each leaf node
[Figure: link count in Nugache leaf nodes]
Takedown of the ZeroAccess botnet
(Not covered in the paper)
● Click fraud, search hijacking
● P2P based
  ○ Unstructured
  ○ New peers were pushed to all bots using a broadcast mechanism
● Cost online advertisers $2.7 million each month
● More than 2 million infected hosts, 800k active each day
● Takedown in 2013 by Microsoft, Europol and the FBI
  ○ Sinkholed 18 IP addresses, 49 domains
  ○ Targeted the mechanism to broadcast new configurations/updates to newly infected bots
  ○ The P2P layer was still intact, botnet masters still making money
  ○ Botnet still alive today, but at limited capacity
http://www.darkreading.com/attacks-and-breaches/microsoft-fails-to-nuke-zeroaccess-botnet/d/d-id/1113008
https://news.microsoft.com/2013/12/05/microsoft-the-fbi-europol-and-industry-partners-disrupt-the-notorious-zeroaccess-botnet/#sm.0000a9ziod396dqxqk714erddbw47
Empirical study: Available bandwidth in botnets
● Botnet 1:
  ○ 50,000 unique members, sample size of 7,326
  ○ Measured in January 2005
● Botnet 2:
  ○ 48,000 unique members, sample size of 3,391
  ○ Measured in January 2006
Bandwidth in botnets cont.
- Taking diurnal activity into account, with [2, 4, 24] for each class of bots
- Botnet 1 has a DDoS capability of ~1 Gbps
- 2,000 fewer members in botnet 2, but only half the DDoS capability
- Could potentially be used to determine which botnet to target in takedowns
- Targeted responses against high-speed bots can be very impactful

                             Botnet 1   Botnet 2
Average available bandwidth  ~53 Kbps   ~39 Kbps
Accounted for diurnal        ~22 Kbps   ~14 Kbps
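The per-class bandwidth model from the Effectiveness cont. slide and the capacity figures from the empirical slides above, as an added worked example that is not code from the paper or from these slides. The weighting sum(P_i · A_i · W_i) is this example's reading of the variables the slides list (P, A, W) and is an assumption, as is reading [2, 4, 24] as hours online per day for the three link-speed classes; the class shares and link speeds are constructed. The last two lines reproduce the slides' own figures (50,000 members at ~22 Kbps, 48,000 at ~14 Kbps), which is where the "~1 Gbps" and "half the DDoS capability" statements come from.

```python
"""DDoS capacity from per-class link speed, class share and diurnal availability.

Added example; not code from the paper or the slides. The weighting
sum(P * A * W) is an assumed reading of the slide's variables, and reading
[2, 4, 24] as hours online per day per class is likewise an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkClass:
    name: str
    p: float             # P: share of bots in this class (shares sum to 1)
    a_kbps: float        # A: upstream bandwidth one bot of this class contributes
    hours_online: float  # diurnal factor: expected hours per day the bot is reachable

    @property
    def w(self) -> float:
        """W: probability that a bot of this class is online at a given moment."""
        return self.hours_online / 24.0


def check_shares(classes):
    total = sum(c.p for c in classes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"class shares must sum to 1, got {total}")


def mean_bandwidth_kbps(classes, diurnal=True):
    """Expected bandwidth per member: sum(P*A*W), or sum(P*A) ignoring diurnal."""
    check_shares(classes)
    return sum(c.p * c.a_kbps * (c.w if diurnal else 1.0) for c in classes)


def capacity_share(classes):
    """Fraction of the diurnal-weighted capacity each class contributes."""
    total = mean_bandwidth_kbps(classes)
    return {c.name: c.p * c.a_kbps * c.w / total for c in classes}


def ddos_capacity_gbps(members, mean_kbps):
    """Aggregate capacity: reachable members (S) times the per-member average."""
    return members * mean_kbps / 1e6


# Constructed class mix (assumption): shares and link speeds are illustrative;
# hours online per class follow the slides' [2, 4, 24].
CONSTRUCTED_CLASSES = (
    LinkClass("modem (type 1)", p=0.40, a_kbps=40.0, hours_online=2),
    LinkClass("DSL/cable (type 2)", p=0.50, a_kbps=50.0, hours_online=4),
    LinkClass("high-speed (type 3)", p=0.10, a_kbps=200.0, hours_online=24),
)

if __name__ == "__main__":
    raw = mean_bandwidth_kbps(CONSTRUCTED_CLASSES, diurnal=False)
    adj = mean_bandwidth_kbps(CONSTRUCTED_CLASSES)
    print(f"per-bot average: {raw:.1f} kbps raw, {adj:.1f} kbps diurnal-adjusted")
    for name, share in capacity_share(CONSTRUCTED_CLASSES).items():
        print(f"  {name}: {share:.0%} of usable capacity")
    # The slides' own figures: 50,000 members at ~22 kbps, 48,000 at ~14 kbps.
    print(f"botnet 1: ~{ddos_capacity_gbps(50_000, 22):.2f} Gbps")
    print(f"botnet 2: ~{ddos_capacity_gbps(48_000, 14):.2f} Gbps")
```

With the constructed mix, the 10% of bots on always-on high-speed links supply roughly three quarters of the diurnal-adjusted capacity even though they are the smallest class, which is the quantitative reason behind the slide's "targeted responses against high-speed bots can be very impactful": a responder who can only clean a few hosts gets the most capacity reduction by prioritising that class.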
Summary
● Proposed metrics to measure a botnet's utility to the botmaster
● Structured P2P botnets and random graph botnets are resilient to both targeted and random responses
● Targeted responses are effective on scale-free botnets
Questions?
Further reading
- Paper published in 2013 about the resilience of different P2P botnets
- P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets
  http://www.ieee-security.org/TC/SP2013/papers/4977a097.pdf