Botnet Defense

Overview

A botnet is a network of compromised computers, called zombies. Zombies are controlled by a botmaster, who instructs them to carry out various malicious activities. Examples of such activities include launching distributed denial of service (DDoS) attacks, sending spam, conducting click fraud, and stealing personal information.

Botnets pose the most lethal threat to the stability and security of the Internet. The research community has proposed several counter-measures, but botnets have evolved significantly over the past decade, to the point where they resist disruption. Recent botnets use redundancy and decentralization to achieve resilience. For example, the Conficker botnet uses 50,000 web servers to issue commands, and the Nugache botnet uses peer-to-peer (P2P) techniques for command and control (C&C).

In our research effort, we continue the community's quest to find practical and deployable defense mechanisms against botnets, for the current and next-generation Internet. We address the problem from both a malicious and a non-malicious perspective. We have designed our own botnet to understand the design choices that a botmaster faces; this knowledge helps us explore different options for defense. In addition, we are conducting a botnet characterization study by operating a non-malicious botnet. This study helps us characterize human infection behavior and evaluate the strength of a moderately sized botnet. Based on our experience from these two projects, we are designing ISP-level botnet defense mechanisms.

Projects

Tsunami: Identifying a new class of botnets

In this project, we design our own malicious botnet to understand the design choices a botmaster faces. This approach helps us design new defense techniques and understand their limitations.

Today's botnets use redundancy and decentralization to avoid disruption. For example, the Conficker botnet uses 50,000 web servers for C&C, and Nugache uses 22 bootstrap nodes for its peer-to-peer (P2P) botnet. Both approaches require significant resources and effort (e.g. compromising 50,000 web servers). In addition, such botnets are still prone to partial disruption.

We design a new botnet, called Tsunami, that avoids maintaining a dedicated network and thus avoids special C&C nodes. Tsunami uses widely deployed application-level networks for C&C. Examples of such networks include Distributed Hash Tables (DHTs) and Online Social Networks (OSNs). Tsunami bots must disguise themselves as regular application participants and must use the application's own protocol for communication. As a result of this approach, no bot is more critical than any other, so a defender cannot disrupt the botnet by disrupting a few critical nodes.

Tsunami bots do not know each other's identity because they disguise themselves as benign hosts. As a result, if a single Tsunami bot is captured, it does not reveal the identity of other bots, adding extra stealth to the botnet. However, this approach also makes C&C challenging because traditional point-to-point links do not exist. Thus, the key challenge is to issue commands and receive responses without knowing bot identities. The details of Tsunami C&C are explained in the paper.

Team Members

Publications

  • Tsunami: Identifying a New Class of Botnets
    Ghulam Memon, Jun Li, Reza Rejaie
    IEEE Network Special Issue on Online Social Networks, Volume 24, Number 5, In Submission

Code and Data

Please contact Ghulam Memon for data and code.