An Advanced Hybrid Peer-to-Peer Botnet
Ping Wang, Sherri Sparks, Cliff C. Zou
School of Electrical Engineering & Computer Science, University of Central Florida, Florida

Motivation
- Most research targets current botnets only: it relies on current botnets' architecture, infection methods, and control network
- Studying current botnets is important, but not enough: the results may not hold if botmasters upgrade their future botnets
- We must study one step ahead: How will botnets evolve? How can future botnets be defended against?

Current Botnet Control Architecture
[Diagram: the botmaster issues commands through C&C servers, to which the bots connect]

Peer-to-Peer (P2P) based Control Architecture?
- Moving from C&C to P2P control is a natural evolution: a P2P-based botnet is much harder to shut down
- But the P2P upgrade is not so simple; current P2P protocols are not suitable:
  - Easy exposure of botnet members
  - Excess traffic susceptible to detection
  - Bootstrap process works against the design goal
- Botmasters need easy control/monitoring of their botnets

Proposed Hybrid P2P Botnet
- Servent bots: static IPs, able to receive connections; the static IP requirement ensures a stable, long-lifetime control topology
- Each bot connects to its "peer list"; only servent bot IPs are in peer lists
[Diagram: the botmaster reaches the botnet through servent bots, which take the C&C role; client bots connect to the servent bots in their peer lists]
- Dramatically increases the number of C&C servers

Botnet Command and Control
- Individualized encryption key: servent bot i generates its own symmetric key Ki; any bot connecting to bot i uses Ki; a bot must have (IPi, Ki) in its peer list to connect to bot i
- Individualized service port: servent bot i chooses its own port Pi to accept connections; a bot must have (IPi, Ki, Pi) in its peer list to connect to bot i
- Benefits to botmasters:
  - No global exposure if some bots are captured
  - Dispersed network traffic
  - Goes through some firewalls (e.g., HTTP, SMTP, SSH holes)

Botnet Monitor by Botmaster
- Botmasters need to know their weapons: botnet size; bot IPs and types (e.g., DHCP ones used for spam); distribution, bandwidth, diurnal …
- Monitor via a dynamic sensor: the sensor IP is given in the monitor command; one sensor, one shot, then destroy it; use the sensor's current service to blend in the incoming bot traffic

P2P Botnet Construction
- Botnet networked by peer lists
- Basic procedures: on a new infection, pass on the peer list; on reinfection, mix the two peer lists
- Ensure balanced connectivity

P2P Botnet Construction
- OK? No! A real botnet is small compared to the vulnerable population; most current botnets' size: 20,000; reinfection happens rarely
- The topology is not balanced via new infection only
- Simulation setup: 500,000 vulnerable population; the botnet stops infecting after reaching 20,000; peer list = 20, 21 initial servent bots, 5000 bots are servent bots
- Results: < 1000 reinfection events; initial servent bots: > 14,000 in-degree; 80% of servent bots: < 30 in-degree

P2P Botnet Construction
- Peer-list updating procedure: obtain the current servent bots' information; ask every bot to connect to the sensor to obtain a new peer list
- Result: all bots have balanced connectivity to the servent bots used in this procedure; using it once is enough for a robust botnet; it can also be used to reconnect a broken botnet

Botnet Robustness Study
- 500,000 vulnerable population, botnet = 20,000
- Peer list = 20, 5000 bots are servent bots
- Run peer-list updating once when having 1000 servent bots

Botnet Robustness Analysis
$C(p) = 1 - p^{M}$
M: peer list size
[Figure: plot of C(p); axis ticks 5, 25, 50, 75, 100]

Defense Against the Botnet
- Shut down the botnet before the first peer-list updating procedure: the initial servent bots are the weak points at the beginning
- Honeypot-based defense: poison control by posing as servent bots
  - But the botnet can survive with 20% of servent bots left
  - Clone a large set of "servent" bots
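The robustness bound $C(p) = 1 - p^{M}$ from the analysis slide and the defense slide's observation that the botnet survives with 20% of servent bots left, worked through as an added example (not code from the slides or the authors), from the takedown-sizing angle: how large a fraction of servent bots must be removed to push connectivity below a target. It assumes that p is the fraction of servent bots removed and that each bot's peer list holds M distinct servent bots drawn uniformly at random (the balanced state the peer-list updating procedure aims for); the topology is constructed in the code, not taken from the paper's simulation.

```python
import random


def connectivity(p: float, m: int) -> float:
    """Analytical bound from the slides: a bot whose peer list holds M servent
    bots loses all reachability only if every one of its M peers is gone, so
    with a fraction p of servent bots removed, C(p) = 1 - p^M."""
    return 1.0 - p ** m


def removal_fraction_for(target_connectivity: float, m: int) -> float:
    """Invert C(p): the fraction of servent bots a takedown must remove so that
    at most target_connectivity of the bots still reach a live servent bot."""
    return (1.0 - target_connectivity) ** (1.0 / m)


def simulate_connectivity(num_servents: int, num_bots: int, m: int,
                          p: float, seed: int = 1) -> float:
    """Monte Carlo check of C(p) on a constructed topology (assumption: every
    bot samples M distinct servent bots uniformly at random as its peer list).
    A random fraction p of servent bots is removed; returns the fraction of
    bots that still have at least one surviving peer."""
    rng = random.Random(seed)
    servents = list(range(num_servents))
    peer_lists = [rng.sample(servents, m) for _ in range(num_bots)]
    removed = set(rng.sample(servents, round(p * num_servents)))
    alive = sum(1 for pl in peer_lists if any(s not in removed for s in pl))
    return alive / num_bots


if __name__ == "__main__":
    # Peer list size M = 20 and 5000 servent bots, as in the slides' setup.
    for p in (0.5, 0.8, 0.9, 0.95):
        print(f"p={p:.2f}  analytic C(p)={connectivity(p, 20):.4f}  "
              f"simulated={simulate_connectivity(5000, 2000, 20, p):.4f}")
    # With 20% of servent bots left (p = 0.8) almost every bot stays connected,
    # which is the defense slide's point; the inverse shows what a takedown
    # would have to remove to leave only half of the bots connected.
    print("removal fraction for <= 50% connectivity, M=20:",
          round(removal_fraction_for(0.5, 20), 4))
```

The larger the peer list M, the closer to 100% the removal fraction has to be, which is why the honeypot-based defense on this slide aims at occupying peer lists rather than at removing servent bots one by one.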

Monitor Against the Botnet
- Forensic analysis of the botmaster's sensor: could obtain the IPs of all reported bots
  - Challenge: logging of an unknown port service and IP beforehand; distinguishing normal clients from reporting bots
- Honeypot-based monitoring: obtain peer lists from incoming infections; obtain many copies of new peer lists during the peer-list updating procedure

Summary
- P2P-based botnets are much harder to defend against
- Proposed a hybrid P2P botnet: two classes of bots; individualized encryption and service port; limited exposure by each bot; botmaster's monitoring capability; peer-list updating procedure

Discussion
- Any other effective ways to monitor/defend against botnets besides honeypots?
- Is there a way to solve the dilemma of no exposure of a large part of the botnet versus easy botmaster monitoring and botnet construction without a centralized sensor?
- How soon will botmasters really upgrade the current C&C-based architecture?
- How soon will botmasters care about the honeypot threat?

Points to Add
- Peer-list updating can be used to change the topology of the current botnet
- Study how honeypot monitoring changes as more and more honeypots act as servent bots; could have an analytical model

Weaknesses of Current Botnets
- Control structure is one layer of C&C servers: a bottleneck in control; susceptible to monitoring/interception of the C&C servers
- Most rely on IRC-based C&C servers: susceptible to IRC-traffic-based monitoring/detection
- Other issues: most have no or only simple encryption and authentication; no honeypot detection feature

Botnet Command and Control
- Command authentication: the botmaster's private key is used to sign commands; each bot carries the public key in its bot code
- Can be done in current botnets; not the focus of this paper