Towards Complete Node Enumeration in a Peer-to-Peer Botnet
REFERENCES

B. Kang, E. Chan-Tin, C. Lee, J. Tyra, H. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, and Y. Kim. Towards complete node enumeration in a peer-to-peer botnet. In ACM Symposium on Information, Computer & Communication Security (ASIACCS 2009), 2009.
INTRODUCTION

- PPM (Passive P2P Monitor): a collection of "routing only" nodes in the P2P network
- FWC (FireWall Checker): sends back two query packets, one from the sensor and one from another IP
- Storm Botnet: uses the Overnet protocol
- Crawler: sends look-up requests using the get-peerlist protocol
ARCHITECTURE: Expected Problems and Fixes

- PPM cannot identify a new node if the Storm botnet never sends a message to it
- PPM on its own has no source address spoofing detection
ARCHITECTURE: Implementation Details

1. A Storm node in the bot network sends a request to one of our PPM nodes
2. PPM replies to the request and sends another request to that Storm node
2'. At the same time, PPM also sends a message to FWC telling it to send a similar request to that Storm node
2''. Upon receiving this message, FWC sends a request to the same Storm node (the same request that PPM sent to that Storm node)
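The two-probe exchange above, as an added simulation that is not the authors' code. The classification of outcomes is an assumption: a host answering both probes is directly reachable, one answering only the PPM it contacted is behind a NAT/firewall, and one answering neither cannot be confirmed (for example because the source address seen by the PPM was spoofed). The IP addresses are constructed.

```python
"""Simulated PPM + FWC two-probe check (added example, assumed interpretation)."""
from dataclasses import dataclass, field

PPM_IP = "198.51.100.10"   # constructed sensor address
FWC_IP = "203.0.113.20"    # constructed second probe address used by the FWC


@dataclass
class Host:
    """The host owning the source IP seen by the PPM (hypothetical model)."""
    ip: str
    runs_storm: bool = True        # False: the IP belongs to no Storm node
    firewalled: bool = False       # NAT/firewall: answers only hosts it contacted
    contacted: set = field(default_factory=set)

    def answers(self, probe_src: str) -> bool:
        """Would this host reply to an Overnet request from probe_src?"""
        if not self.runs_storm:
            return False
        if self.firewalled and probe_src not in self.contacted:
            return False
        return True


def observe_request(host: Host, spoofed: bool = False) -> str:
    """Step 1: the PPM sees a request claiming to come from host.ip.
    Only a genuine request means the host really contacted the PPM."""
    if not spoofed:
        host.contacted.add(PPM_IP)
    return host.ip


def two_probe_check(host: Host, spoofed: bool = False) -> str:
    """Steps 2 and 2'': PPM and FWC each send the same request back."""
    observe_request(host, spoofed)
    ppm_ok = host.answers(PPM_IP)   # step 2: reply to the sensor's probe
    fwc_ok = host.answers(FWC_IP)   # step 2'': reply to the FWC's probe
    if ppm_ok and fwc_ok:
        return "reachable"          # directly reachable Storm node
    if ppm_ok:
        return "firewalled"         # answers only the peer it contacted
    return "unconfirmed"            # no Storm node confirmed at this address


def enumerate_hosts(observations) -> dict:
    """observations: iterable of (Host, spoofed_flag) pairs seen by the PPM."""
    return {h.ip: two_probe_check(h, spoofed) for h, spoofed in observations}
```

A PPM alone only sees `ppm_ok`; the FWC's second probe is what separates a firewalled node from a spoofed source.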
ANALYTICAL AND EXPERIMENTAL RESULTS: Experimental Settings

- PPM nodes, the FWC, and a P2P network crawler
- deployed 256 PPM nodes
- data collected over 20 days
- deployed 16 virtual machines and infected each of them with Storm
ANALYTICAL AND EXPERIMENTAL RESULTS: Probability of PPM receiving a random message

- Search is a message used in routing to find the replica roots
- GetSearchResult is a message sent to possible replica roots to get the actual result
- Publish is a message meant to publish binding information
CONCLUSION

- PPM is an efficient enumeration method for the Storm peer-to-peer botnet
- analyzed the differences in enumeration results between the PPM and a crawler