A Framework for Hybrid Structure P2P Botnet
Speakers: MA2G0207 bo rong, sue
Source: IEEE


Outline

1. INTRODUCTION
2. CURRENT BOTNETS
3. PROPOSED HYBRID STRUCTURE P2P BOTNET
4. BOTNET CONTROL
5. PERFORMANCE EVALUATION
6. CONCLUSIONS

1. INTRODUCTION

One of the most significant threats to the Internet today is botnets.

Botnets are networks of compromised computers controlled by remote attackers.

Attackers use botnets to scatter attack tasks over thousands of computers distributed all over the Internet.

A computer executing bot programs is called a bot. A collection of these bots connected to a network is called a botnet.

Botnets run autonomously and automatically.

Computers in botnets may be compromised via all kinds of attack techniques.

After being compromised, bots log into a command-and-control (C&C) server.

A botnet with this architecture is easy to construct and efficient at distributing the botmaster's commands.

2. CURRENT BOTNETS

At the beginning, botmasters used IRC servers as C&C servers. But once the IRC servers were shut down, the botnets would stop working.

As botmasters gradually realized the limitations of traditional botnets, they noticed the weakness inherent in the centralized architecture of C&C servers.

Researchers proposed an advanced hybrid P2P botnet. Bots that had static IP addresses and were accessible from the Internet were called servent bots. The others were called client bots.

If servent bots never change their IP addresses and never go offline, the botnet keeps working.

But in reality, 67 percent of hosts with static IP addresses will be offline within 72 hours.

Servent bots will become invalid within 3 days, and the botnet may stop working until the botmasters renew the servent bot lists.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET

Researchers proposed a hybrid structure P2P botnet based on Chord (Hsbotnet).

A. Botnet Architecture

◦The main part of the botnet is a Chord ring consisting of many virtual nodes.

◦Bots in the same virtual node may also come from the same or adjacent physical networks.

◦Bots in the Hsbotnet are classified into two groups.

◦The first group contains bots that have static IP addresses and have already been online for more than 12 hours. Bots in the first group are called super bots.

◦The second group contains the remaining bots, called peer bots.

◦Hsbotnet implements a consistent hash operation that maps the IP address of the first super bot in a virtual node to an m-bit sequence.

◦Hsbotnet uses Chord to assign each virtual node an identifier, with those m-bit sequences as the IDs.

◦This identifier space can be viewed as a circle, in which the highest identifier is followed by zero.

◦Each Hsbotnet contains 2^m virtual nodes at most, and there can be up to m-1 super bots in a virtual node.

B. Update Architecture

◦In order to maintain the integrity of this organization, each super bot in a virtual node maintains a successor list, called the finger table.

◦It contains the identities of m virtual nodes that follow the virtual node on the identifier circle: the k-th entry (k = 0 to m-1) points to the successor of (own ID + 2^k), as the G8 example below shows, so the first entries name the immediate successors and later entries jump further round the ring.

◦If a node's successor is not responsive, the node replaces it with the next entry in its successor list.

Finger table of virtual node G8 (m = 6: six entries, and up to m-1 = 5 super-bot IP addresses per successor node):

Start    Successor node   IP1      IP2      IP3      IP4      IP5
G8+1     G15              S15_1    S15_2    Null     Null     Null
G8+2     G15              S15_1    S15_2    Null     Null     Null
G8+4     G15              S15_1    S15_2    Null     Null     Null
G8+8     G16              S16_1    S16_2    S16_3    Null     Null
G8+16    G25              S25_1    Null     Null     Null     Null
G8+32    G48              S48_1    S48_2    S48_3    S48_4    Null

◦All the super bots in a virtual node keep the same finger table.

◦When a virtual node joins or quits the botnet, the finger tables are updated automatically by Chord.

◦The botnet communicates via the super file contained in each bot.

◦Every virtual node has its own super file; the IP addresses of the super bots in that node are the candidates listed in the super file.

◦All the bots in a virtual node, including both super bots and peer bots, keep the same super file.

◦Peer bots actively contact the super bots in their super files to retrieve commands.

[Figure: Super File]
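To make the ring and finger-table mechanics concrete, here is an added Python example (not code from the slides or from the paper they summarize) that hashes a first super bot's IP address into an m-bit identifier, builds the finger table of a virtual node and walks it for the first responsive successor. The ring contents (G8, G15, G16, G25, G48 and their super bots) are copied from the finger-table slide; the SHA-256 truncation used as the consistent hash and the collision handling in add_node are this example's own choices.

```python
import hashlib

M = 6              # identifier bits: at most 2**M virtual nodes, up to M-1 super-bot IPs per node
RING = 2 ** M


def node_id(first_super_bot_ip: str, m: int = M) -> int:
    """Consistent hash of the first super bot's IP into m bits (SHA-256 truncation is this example's choice)."""
    h = hashlib.sha256(first_super_bot_ip.encode()).digest()
    return int.from_bytes(h, "big") % (2 ** m)


def successor(ring: dict, key: int, m: int = M) -> int:
    """First virtual node ID >= key on the circle; past the highest ID the search wraps round to zero."""
    key %= 2 ** m
    ids = sorted(ring)
    return next((vid for vid in ids if vid >= key), ids[0])


def finger_table(own_id: int, ring: dict, m: int = M) -> list:
    """Row k holds start = own_id + 2**k, the successor node of that start, and that node's super-bot
    IPs padded with "Null" to m-1 slots, i.e. the successor's super file as in the G8 table."""
    rows = []
    for k in range(m):
        start = (own_id + 2 ** k) % (2 ** m)
        succ = successor(ring, start, m)
        ips = (ring[succ] + ["Null"] * (m - 1))[: m - 1]
        rows.append((start, succ, ips))
    return rows


def first_responsive(rows: list, reachable: set):
    """Failover: walk the table in order and return the first (node, ip) whose super bot answers."""
    for _, succ, ips in rows:
        for ip in ips:
            if ip != "Null" and ip in reachable:
                return succ, ip
    return None


def build_ring() -> dict:
    """Constructed ring reproducing the slide's example: virtual node ID -> super-bot IPs (m = 6)."""
    return {8: ["S8_1", "S8_2"], 15: ["S15_1", "S15_2"], 16: ["S16_1", "S16_2", "S16_3"],
            25: ["S25_1"], 48: ["S48_1", "S48_2", "S48_3", "S48_4"]}


def add_node(ring: dict, first_super_bot_ip: str, m: int = M) -> int:
    """Join: hash the first super bot's IP to an ID and insert the node. Refusing a taken ID is this
    example's simplification; the paper does not say how a collision is resolved."""
    vid = node_id(first_super_bot_ip, m)
    if vid in ring:
        raise ValueError(f"identifier {vid} already taken")
    ring[vid] = [first_super_bot_ip]
    return vid


if __name__ == "__main__":
    ring = build_ring()
    print("Start   Succ  IPs")
    for start, succ, ips in finger_table(8, ring):
        print(f"G8+{start - 8:<4} G{succ:<3} {' '.join(ips)}")
    alive = {"S16_1", "S25_1", "S48_1"}               # pretend node G15 went dark
    print("first responsive successor:", first_responsive(finger_table(8, ring), alive))
```

Note what the walk relies on: a successor node counts as responsive if any one of its listed super bots answers, so a node with a single super bot (G25 in the table) is a single point of failure for every finger that points at it.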

◦The botmaster generates a public/private key pair, K+ and K-, and compiles K+ into the bot program.

◦Commands are digitally signed with the private key K- to ensure their authenticity and integrity.

◦The update process of Hsbotnet is briefly explained as follows, taking virtual node G8 as an example.

1. Super bot S8_1 begins a countdown; when it expires, S8_1 updates its local finger table via Chord.

2. Once the finger table has been updated, S8_1 actively contacts the IP addresses in it to retrieve the super files saved on the successor nodes.

3. If S8_1 finds a new command in those super files, it copies the command into its local super file.

4. S8_1 sends messages to the other super bots in G8, requiring them to retrieve the finger table and super file saved on S8_1.

◦When another super bot in G8, such as S8_2, receives the message, it checks the sender's IP address.

◦If the IP address is contained in its local super file, S8_2 retrieves the files and replaces its local finger table and super file.

◦After doing this, S8_2 adds a random time to its local countdown.

◦However, if the message comes from a strange IP address, S8_2 discards it and requires the sender to join the botnet as a new host.

◦Every 5 minutes, peer bots randomly choose a super bot contained in their local super file to contact.

◦Peer bots retrieve the super files stored at the super bots and replace their local file.

C. Botnet Propagation

◦ On being compromised, a new bot receives a super file from the spreaders.

◦ Then the new bot sends a join request to a super bot contained in the super file.

◦ The super bot tests the performance of the new bot and decides whether to make it a peer bot or a super bot.

◦ New bots that have static IP addresses, are accessible from the global Internet, and have already been online for more than 12 hours become super bots; the others become peer bots.

◦ If new bot N can be a super bot, the following process is executed by the super bot S that tested N, to decide which virtual node N will join.

1. S retrieves the super file stored at N; if it is the same as S's local file, S fills it with "Null".

2. If there are already m-1 IP addresses in N's super file, S creates a new virtual node and makes N the first super bot in the new node. Go to (8).

3. If there are already m-1 IP addresses in S's local super file, go to (6).

4. S tests the Internet delay Td between itself and N; if Td > 3000 ms, go to (6).

5. S adds the IP address of N into its local super file, then sends messages to the other super bots in the current node, requiring them to retrieve the super file stored at S. Go to (8).

6. S adds its own IP address into N's super file.

7. S randomly chooses an IP address from its local finger table; N is sent there and tested again. Go to (1).

8. The process is complete.

◦This process ensures that the new super bot N is tested m-1 times at most, since every super bot that refuses N records its own IP address in N's super file.

◦If no suitable virtual node is found, a new virtual node is created and N becomes the first super bot in it.

D. Promotion and Movement of Peer Bots

◦When a peer bot has already been powered on for 12 hours, it sends a request for promotion to a super bot.

◦Then the super bot tests it just like a new bot.

◦If the peer bot cannot be promoted to super bot, it may send the request again 12 hours later.

◦In the proposed botnet, peer bots can move from the current virtual node to another just by changing their super files.

◦The moving process of peer bot P is briefly explained as follows.

1. If P has already stayed in the current node for T minutes, it tests the average Internet delay Td between itself and all the super bots in its local super file.

2. If Td > 3000 ms, P sends a message to a super bot, requesting a random IP address contained in that super bot's finger table. Go to (4).

3. Double T. Go to (1).

4. P connects to the IP address provided by the super bot, retrieves the super file and replaces its local file. Set T to 5. Go to (1).

◦A peer bot moves from one virtual node to another until it finds a node with low delay.
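The super-bot placement procedure (steps 1 to 8 in part C) and the peer-bot movement procedure (steps 1 to 4 above), as one added Python example that is not code from the slides or the paper. The ring, the two "regions" and the delay model (50 ms inside a region, 4000 ms across regions, and a bot N2 that is slow to everyone) are constructed so that both procedures take the branches the steps describe; the SHA-256 hash and linear probing in new_node_id and the hand-set finger lists are this example's choices.

```python
import hashlib
import random

M = 6                  # identifier bits
MAX_SUPER = M - 1      # super bots per virtual node
DELAY_LIMIT_MS = 3000  # Td threshold shared by placement and movement


class VirtualNode:
    def __init__(self, vid, super_bots, fingers=()):
        self.vid = vid
        self.super_file = list(super_bots)  # IPs of this node's super bots ("Null" slots left out)
        self.fingers = list(fingers)        # IDs of the finger-table nodes (set by hand in this example)


def new_node_id(ip, taken):
    """Consistent hash of the new node's first super bot; SHA-256 truncation and linear probing
    on a collision are this example's choices, not the paper's."""
    vid = int.from_bytes(hashlib.sha256(ip.encode()).digest(), "big") % (2 ** M)
    while vid in taken:
        vid = (vid + 1) % (2 ** M)
    return vid


def place_super_bot(n_ip, n_file, s_ip, nodes, node_of, delay, rng):
    """Steps 1-8 run by tester S for new super bot N. n_file is the super file N got from its
    spreader; delay(a, b) returns the measured delay in ms. Returns (node ID, testers visited)."""
    tests = 0
    while True:
        home = nodes[node_of[s_ip]]
        if n_file == home.super_file:            # (1) N only carries a copy of S's own file: clear it
            n_file = []
        if len(n_file) >= MAX_SUPER:             # (2) refused by m-1 testers: N founds a new node
            vid = new_node_id(n_ip, nodes)
            nodes[vid] = VirtualNode(vid, [n_ip], fingers=[home.vid])
            node_of[n_ip] = vid
            return vid, tests                    # (8)
        tests += 1                               # (3) node full or (4) too far away -> (6)
        if len(home.super_file) < MAX_SUPER and delay(s_ip, n_ip) <= DELAY_LIMIT_MS:
            home.super_file.append(n_ip)         # (5) accept; node-mates re-fetch the super file
            node_of[n_ip] = home.vid
            return home.vid, tests               # (8)
        n_file.append(s_ip)                      # (6) tester records itself in N's super file
        s_ip = rng.choice(nodes[rng.choice(home.fingers)].super_file)  # (7) forward N to a finger node


def move_peer(p_ip, vid, nodes, delay, rng, checks=6):
    """Peer-bot movement: after T minutes in a node, average the delay to its super bots; above the
    limit move to a random finger-table node and reset T to 5, otherwise double T.
    Returns a trace of (minute, node, next T, Td)."""
    T, clock, trace = 5, 0, []
    for _ in range(checks):
        clock += T                                  # (1) stayed T minutes in the current node
        supers = nodes[vid].super_file
        td = sum(delay(p_ip, ip) for ip in supers) / len(supers)
        if td > DELAY_LIMIT_MS:                     # (2) ask a super bot for a random finger entry
            vid, T = rng.choice(nodes[vid].fingers), 5   # (4) fetch that node's super file, T = 5
        else:
            T *= 2                                  # (3) content here: check less often
        trace.append((clock, vid, T, round(td)))
    return trace


REGION = {ip: "A" for ip in ("S8_1", "S8_2", "S15_1", "S15_2")}
REGION.update({ip: "B" for ip in ("S16_1", "S16_2", "S16_3", "S25_1",
                                   "S48_1", "S48_2", "S48_3", "S48_4", "N1", "P1")})


def delay_ms(a, b):
    """Constructed delay model: 50 ms inside a region, 4000 ms across regions; N2 is slow to everyone."""
    if "N2" in (a, b):
        return 4000
    return 50 if REGION[a] == REGION[b] else 4000


def build_ring():
    """Constructed ring from the slide's G8 example; fingers are node IDs rather than full tables."""
    files = {8: ["S8_1", "S8_2"], 15: ["S15_1", "S15_2"], 16: ["S16_1", "S16_2", "S16_3"],
             25: ["S25_1"], 48: ["S48_1", "S48_2", "S48_3", "S48_4"]}
    fingers = {8: [15, 16], 15: [16, 25], 16: [25, 48], 25: [48, 8], 48: [8, 15]}
    nodes = {vid: VirtualNode(vid, ips, fingers[vid]) for vid, ips in files.items()}
    node_of = {ip: vid for vid, ips in files.items() for ip in ips}
    return nodes, node_of


if __name__ == "__main__":
    nodes, node_of = build_ring()
    rng = random.Random(7)
    print("N1 placed:", place_super_bot("N1", list(nodes[8].super_file), "S8_1", nodes, node_of, delay_ms, rng))
    print("N2 placed:", place_super_bot("N2", [], "S8_1", nodes, node_of, delay_ms, rng))
    for row in move_peer("P1", 8, nodes, delay_ms, rng):
        print("t=%4d min  node G%-2d  next T=%-3d  Td=%d ms" % row)
```

N1 lives in region B but first contacts S8_1 in region A, so it is refused once or twice and ends up in G16 or G25; N2 is refused by m-1 = 5 testers and founds a node of its own; P1 leaves G8 after its first check and then doubles T every 5, 10, 20 ... minutes once it sits in a low-delay node.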

4. BOTNET CONTROL

The essential component of a botnet is its command and control. Compared with the original botnet, the proposed botnet has a more robust and complex self-control architecture.

The major design challenge is to build a botnet that is difficult to shut down.

A. Offline Detection

◦Every 5 minutes, a super bot tries to connect to the IP addresses contained in its super file.

◦If an IP address cannot be connected to, it is replaced with "Null" in the file, which means that super bot is offline.

◦When the super file has been edited, the super bot sends messages to the other super bots in the current node, requiring them to retrieve the super file saved on the local host.

◦Then all the super bots in the node delete the IP address of the super bot that is offline.

◦When that super bot comes online again, it is a stranger and is required to join the botnet as a new bot.

◦Peer bots going offline does not affect the operation of the proposed botnet.

◦When they are powered on again, they connect to the IP addresses contained in their super files and rejoin the botnet.
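As an added example (not code from the slides or the paper) covering the update process of section 3B and the offline detection of section 4A, the following Python code models super bots that pull super files from their finger entries, push the change to node-mates that accept only senders listed in their own super file, and peer bots that pull every 5 minutes. The four-node topology, the IP labels and the command text are constructed; the signature check of section 4B is left out of this model.

```python
import random


class SuperBot:
    def __init__(self, ip, super_file, fingers):
        self.ip = ip
        self.super_file = list(super_file)  # super-bot IPs of own node; "Null" marks an empty slot
        self.fingers = list(fingers)        # super-bot IPs of the finger table's successor nodes
        self.command = None                 # (seq, text) of the newest command held
        self.countdown = 0                  # minutes until the next finger-table refresh
        self.log = []


class PeerBot:
    def __init__(self, ip, super_file):
        self.ip, self.super_file, self.command = ip, list(super_file), None


def pull(src):
    """What a bot retrieves from a super bot: a copy of its super file and the command stored with it."""
    return list(src.super_file), src.command


def is_newer(old, new):
    return new is not None and (old is None or new[0] > old[0])


def receive_update(recv, sender, rng):
    """A super bot honours 'come and fetch my files' only from IPs in its own super file; anything
    else is discarded and the sender would be told to join as a new host."""
    if sender.ip not in recv.super_file:
        recv.log.append(f"discarded update from stranger {sender.ip}")
        return False
    recv.super_file, recv.command = pull(sender)
    recv.countdown += rng.randint(1, 10)    # random extra time so node-mates do not all refresh at once
    return True


def push_to_node(s, bots, rng):
    """Step 4: tell the other super bots of the node to retrieve finger table and super file from s."""
    return [receive_update(bots[ip], s, rng) for ip in s.super_file
            if ip not in ("Null", s.ip) and ip in bots]


def super_bot_tick(s, bots, rng):
    """Steps 1-4: countdown expires, pull the super files of the finger entries, adopt a command
    newer than the local one, then push the change to node-mates."""
    s.countdown = 0
    found = False
    for ip in s.fingers:
        if ip in bots:
            _, cmd = pull(bots[ip])
            if is_newer(s.command, cmd):
                s.command, found = cmd, True
    if found:
        push_to_node(s, bots, rng)
    return found


def peer_tick(p, bots, rng):
    """Every 5 minutes a peer bot pulls from a random super bot listed in its super file."""
    live = [ip for ip in p.super_file if ip != "Null" and ip in bots]
    if not live:
        return False
    p.super_file, p.command = pull(bots[rng.choice(live)])
    return True


def offline_check(s, bots, reachable, rng):
    """Section 4A: probe the IPs in the super file; an unreachable super bot becomes "Null" and the
    edited file is pushed to the rest of the node. Returns the IPs dropped."""
    dropped = [ip for ip in s.super_file if ip not in ("Null", s.ip) and ip not in reachable]
    if dropped:
        s.super_file = ["Null" if ip in dropped else ip for ip in s.super_file]
        push_to_node(s, bots, rng)
    return dropped


def build_botnet():
    """Constructed topology: G8->{G15,G16}, G15->{G16,G48}, G16->{G48}, G48->{G8}; two peers on G8."""
    files = {8: ["S8_1", "S8_2", "S8_3"], 15: ["S15_1", "S15_2"], 16: ["S16_1"], 48: ["S48_1"]}
    fingers = {8: [15, 16], 15: [16, 48], 16: [48], 48: [8]}
    bots = {}
    for vid, ips in files.items():
        finger_ips = [ip for f in fingers[vid] for ip in files[f]]
        for ip in ips:
            bots[ip] = SuperBot(ip, ips, finger_ips)
    return bots, [PeerBot("P8_a", files[8]), PeerBot("P8_b", files[8])]


def propagate(bots, peers, rng, rounds=5):
    """Inject a command at S48_1 and run 5-minute rounds; return the round in which each bot first held it."""
    bots["S48_1"].command = (1, "send UDP to 10.0.0.9")   # constructed command text
    arrived = {}
    for r in range(1, rounds + 1):
        for s in list(bots.values()):
            super_bot_tick(s, bots, rng)
        for p in peers:
            peer_tick(p, bots, rng)
        for b in list(bots.values()) + peers:
            if b.command and b.ip not in arrived:
                arrived[b.ip] = r
    return arrived
```

Two things the model makes visible: the command travels against the finger direction (G16 and G15 pull it from G48 before G8 pulls it from them), and the only guard on the intra-node push is the sender's IP being in the super file, while the finger-table pull accepts whatever the successor node holds. Both are why the design depends on the K- signature over the command rather than on who delivered it.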

B. Command Authentication

◦When a new super bot emerges, it sends an e-mail to the botmaster's mailbox.

◦Each e-mail contains the IP address of a super bot.

◦When the botmaster wants to send commands, he can find a super bot via the e-mails.

◦Then he injects a command message, digitally signed with his private key K-, into the super file saved on that super bot.

◦Because the super file has been edited, the super bot sends messages to the other super bots in the current node; it is just the same process as an update.

◦The botmaster's command can thus be sent to every bot via the update process.
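To show what signing a command with K- and checking it with the embedded K+ buys, here is an added Python example (not from the slides or the paper). It uses a textbook RSA key pair built from two Mersenne primes so that it runs with the standard library alone; this raw hash-then-exponentiate scheme has no padding and is for illustration only, and a real implementation would use RSA-PSS or Ed25519 from a proper library. The command fields and the sequence-number replay check are this example's additions.

```python
import hashlib
import json

# Toy textbook-RSA key pair for illustration only: p = 2**89-1 and q = 2**107-1 are Mersenne primes,
# chosen so the numbers are reproducible without a prime generator. No padding, no side-channel care.
P = 2 ** 89 - 1
Q = 2 ** 107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K_PUBLIC = (N, E)          # K+: compiled into every bot
K_PRIVATE = (N, D)         # K-: held only by the botmaster


def digest(command: dict) -> int:
    """Canonical JSON of the command, SHA-256, reduced into Z_N (the reduction is part of the toy)."""
    data = json.dumps(command, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_command(command: dict, k_private=K_PRIVATE) -> dict:
    """Botmaster side: signature = H(cmd)^d mod n. The command carries a sequence number so that
    an old signed command cannot be re-injected (an addition of this example)."""
    n, d = k_private
    return {"cmd": command, "sig": pow(digest(command), d, n)}


def verify_command(msg: dict, last_seq: int, k_public=K_PUBLIC) -> bool:
    """Bot side: accept only if sig^e mod n equals H(cmd) and the sequence number moves forward."""
    n, e = k_public
    cmd, sig = msg.get("cmd"), msg.get("sig")
    if not isinstance(cmd, dict) or not isinstance(sig, int):
        return False
    if cmd.get("seq", -1) <= last_seq:
        return False
    return pow(sig, e, n) == digest(cmd)


def accept_into_super_file(super_file: dict, msg: dict) -> bool:
    """What a bot does when a pulled super file carries a command: keep it only if it verifies."""
    if verify_command(msg, super_file.get("seq", -1)):
        super_file["command"] = msg
        super_file["seq"] = msg["cmd"]["seq"]
        return True
    return False


if __name__ == "__main__":
    command = {"seq": 1, "action": "udp", "target": "10.0.0.9", "port": 53}   # constructed command
    signed = sign_command(command)
    local_super_file = {"candidates": ["S8_1", "S8_2", "Null", "Null", "Null"]}
    print("genuine accepted:", accept_into_super_file(local_super_file, signed))
    tampered = {"cmd": dict(command, seq=2, target="10.0.0.10"), "sig": signed["sig"]}
    print("tampered accepted:", accept_into_super_file(local_super_file, tampered))
    print("replay accepted:", accept_into_super_file(local_super_file, signed))
```

The point of the K+/K- split is that every bot can verify but none can sign: taking over a super bot, or spoofing the sender IP that the update step checks, lets an attacker deliver bytes but not a command the other bots will run. Without the sequence number a defender who captured one genuine signed command could replay it indefinitely, which is why the example tracks the last accepted seq.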

5. PERFORMANCE EVALUATION

Simulation tests were run to evaluate the proposed botnet.

Two performance criteria were used for comparison: the command transmission speed and the botnet robustness.

A. Simulation Parameters

◦ Researchers used Network Simulator 2.34 under Ubuntu 9.10 to simulate a network with 8000 nodes, 500 of which could be super bots.

◦ Time in the simulated network moved 60 times faster than normal.

◦ The open-source P2P bot program Phatbot was used for comparison with the proposed botnet.

B. Command Transmission Speed

◦ In order to test the command transmission speeds of the proposed botnet and the botnet of Phatbot (Phatbotnet), the same command was injected into both botnets.

◦ The command was to send a UDP packet to a designated IP address.

◦Because the peer bots start attacking when they receive the command, the command transmission speed can be obtained by analyzing the relationship between time and the number of UDP packets that the target host received.

◦However, the command transmission speed in the proposed botnet is a little slower than in the Phatbotnet.

C. Botnet Robustness

◦ In order to test the robustness of the proposed botnet and the Phatbotnet, the number of super bots was reduced and the command was sent again.

◦ 50 super bots were removed each time, and the command to send UDP packets was injected again.

◦So the botnet robustness can be obtained by analyzing the relationship between the number of removed super bots and the number of UDP packets that the target host received.

◦The result shows the strong resistance of the proposed botnet against defense.

◦It is much stronger than the Phatbotnet.

D. Robustness Mathematical Analysis

◦ Assume that each virtual node contains m super bots.

◦ A virtual node is disconnected from the others when all the super bots in it have been removed.

◦ Because of the random removal, each super bot has the same probability p of being removed.

◦Thus, the probability that a virtual node is disconnected is p^m.

◦Therefore, every virtual node has the same probability 1 - p^m of staying connected.

◦Those virtual nodes provide a robust botnet.
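As an added example (not from the slides or the paper), this Python snippet repeats the removal experiment of section 5C on a constructed population of 100 virtual nodes with 5 super bots each (500 super bots, as in the simulation) and sets the observed disconnected fraction beside the analytical p^m. It also evaluates the case the analysis glosses over: virtual nodes with fewer than m super bots, such as G25 in the finger-table slide, which disconnect with probability p^size rather than p^m. The population, batch size and seed are this example's choices.

```python
import random


def disconnect_probability(p: float, m: int) -> float:
    """Analytical: a node with m super bots is cut off only if all m are removed, probability p**m."""
    return p ** m


def expected_disconnected(sizes: list, p: float) -> float:
    """Caveat the analysis skips: nodes do not all hold m super bots. For node sizes such as the G8
    table's successors [2, 3, 1, 4] the expected disconnected fraction is the mean of p**size,
    dominated by the one-bot node (p**1)."""
    return sum(p ** s for s in sizes) / len(sizes)


def build_population(num_nodes: int, m: int) -> list:
    """Constructed botnet: num_nodes virtual nodes with exactly m super bots each (the analysis's assumption)."""
    return [[f"S{v}_{i}" for i in range(1, m + 1)] for v in range(num_nodes)]


def disconnected_fraction(nodes: list, removed: set) -> float:
    """Fraction of virtual nodes whose super bots have all been removed."""
    return sum(all(ip in removed for ip in node) for node in nodes) / len(nodes)


def removal_experiment(nodes: list, step: int, rng: random.Random) -> list:
    """Mimic the robustness test: remove `step` random super bots at a time and, after each batch,
    compare the observed disconnected fraction with p**m for p = removed/total.
    Returns [(removed, p**m, observed)]."""
    m = len(nodes[0])
    order = [ip for node in nodes for ip in node]
    rng.shuffle(order)
    rows = []
    for k in range(step, len(order) + 1, step):
        p = k / len(order)
        rows.append((k, disconnect_probability(p, m), disconnected_fraction(nodes, set(order[:k]))))
    return rows


if __name__ == "__main__":
    population = build_population(100, 5)            # 500 super bots, as in the simulation
    for k, analytic, observed in removal_experiment(population, 50, random.Random(2015)):
        print(f"removed {k:3d}  p^m = {analytic:.4f}  observed = {observed:.2f}")
    print("uneven sizes [2, 3, 1, 4] at p = 0.5:", expected_disconnected([2, 3, 1, 4], 0.5))
```

Removing exactly k bots without replacement is not quite independent removal with probability p, but for 500 bots the difference is negligible. The uneven-size case matters more in practice: at p = 0.5 the uniform analysis predicts about 3 percent of nodes lost, while the mixed sizes from the slide's table lose about 23 percent, almost all of it from the single-bot node.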

6. CONCLUSION

◦Researching the evolution of botnets, as well as possible botnet construction methods, can deepen our understanding of the details of botnets and guide us in botnet defense research.

◦In this paper, we present the design of a hybrid structure P2P botnet based on Chord.

◦Simulation results show that, compared with current botnets, the proposed one is much harder to shut down.

◦It provides robust network connectivity and individualized encryption.

◦Therefore, we should invest more research into defending against such new botnets.

Q&A

Thank you for watching