Abstract
Botnets, in particular the Storm botnet, have been garnering much attention as vehicles for Internet crime. Storm uses a modified version of Overnet, a structured peer-to-peer (P2P) overlay network protocol, to build its command and control (C&C) infrastructure. In this study, we use simulation to determine whether there are any significant advantages or disadvantages to employing structured P2P overlay networks for botnet C&C, in comparison to using unstructured P2P networks or other complex network models. First, we identify some key measures to assess the C&C performance of such infrastructures, and employ these measures to evaluate Overnet, Gnutella (a popular, unstructured P2P overlay network), the Erdős-Rényi random graph model and the Barabási-Albert scale-free network model. Further, we consider the following three disinfection strategies: a) a random strategy that, with effort, can remove randomly selected bots and uses no knowledge of the C&C infrastructure; b) a tree-like strategy where local information obtained from a disinfected bot (e.g. its peer list) is used to more precisely disinfect new machines; and c) a global strategy where global information, such as the degree of connectivity of bots within the C&C infrastructure, is used to target bots whose disinfection will have maximum impact. Our study reveals that while Overnet is less robust to random node failures or disinfections than the other infrastructures modelled, it outperforms them in terms of resilience against the targeted disinfection strategies introduced above. In that sense, Storm designers seem to have made a prudent choice! This work underlines the need to better understand how P2P networks are used, and can be used, within the botnet context, since this domain is quite distinct from their more commonplace usages.
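The random-versus-targeted disinfection comparison described above, as an added example that is not code from the paper: it builds small Erdős-Rényi and Barabási-Albert graphs in pure Python, applies the three strategies and measures the fraction of bots left in the largest surviving C&C component. All function names, parameters and the use of initial (static) degree for the global strategy are my own assumptions.

```python
import random
from collections import deque

def erdos_renyi(n, p, seed=0):
    # Constructed Erdős-Rényi G(n, p): each pair is linked independently with prob. p
    rng, adj = random.Random(seed), {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p: adj[u].add(v); adj[v].add(u)
    return adj

def barabasi_albert(n, m, seed=0):
    # Constructed Barabási-Albert graph: new nodes link to m existing nodes picked in
    # proportion to degree (preferential attachment), so a few high-degree hubs emerge
    rng, adj = random.Random(seed), {v: set() for v in range(n)}
    pool = list(range(m))  # node ids repeated once per unit of degree
    for v in range(m, n):
        chosen = set()
        while len(chosen) < m: chosen.add(rng.choice(pool))
        for u in chosen: adj[u].add(v); adj[v].add(u)
        pool.extend(chosen); pool.extend([v] * m)
    return adj

def disinfect(adj, strategy, k, seed=0):
    # Pick k bots to clean. 'random': no C&C knowledge. 'tree': walk the peer lists of
    # bots already cleaned. 'global': highest-degree bots (by initial degree) first.
    rng, removed = random.Random(seed), set()
    if strategy == "random":
        removed.update(rng.sample(sorted(adj), k))
    elif strategy == "global":
        removed.update(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])
    elif strategy == "tree":
        queue = deque()
        while len(removed) < k:
            if not queue:  # peer lists exhausted: restart from a random live bot
                queue.append(rng.choice(sorted(set(adj) - removed)))
            v = queue.popleft()
            if v not in removed: removed.add(v); queue.extend(sorted(adj[v]))
    return removed

def largest_component_fraction(adj, removed):
    # Share of all bots still inside the largest surviving C&C component
    seen, best = set(removed), 0
    for s in adj:
        if s not in seen:
            comp, stack = {s}, [s]
            while stack:
                new = adj[stack.pop()] - seen - comp
                comp |= new; stack.extend(new)
            seen |= comp; best = max(best, len(comp))
    return best / len(adj)
```

Running the same k against both generators shows the scale-free graph collapsing under the global strategy while the random strategy barely dents it, which is the effect the paper's robustness measures are designed to capture.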
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Davis, C.R., Neville, S., Fernandez, J.M., Robert, JM., McHugh, J. (2008). Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures?. In: Jajodia, S., Lopez, J. (eds) Computer Security - ESORICS 2008. ESORICS 2008. Lecture Notes in Computer Science, vol 5283. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88313-5_30
DOI: https://doi.org/10.1007/978-3-540-88313-5_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88312-8
Online ISBN: 978-3-540-88313-5