Towards complete node enumeration in a peer-to-peer botnet
Source
ASIAN ACM Symposium on Information, Computer and Communications Security
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Sydney, Australia
SESSION: Network security-I
Pages 23-34
Year of Publication: 2009
ISBN: 978-1-60558-394-5
Authors
Brent ByungHoon Kang  University of North Carolina at Charlotte
Eric Chan-Tin  University of Minnesota
Christopher P. Lee  Georgia Institute of Technology
James Tyra  University of Minnesota
Hun Jeong Kang  University of Minnesota
Chris Nunnery  University of North Carolina at Charlotte
Zachariah Wadler  University of North Carolina at Charlotte
Greg Sinclair  University of North Carolina at Charlotte
Nicholas Hopper  University of Minnesota
David Dagon  Georgia Institute of Technology
Yongdae Kim  University of Minnesota
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1533057.1533064
ABSTRACT

Modern advanced botnets may employ a decentralized peer-to-peer overlay network to bootstrap and maintain their command and control channels, making them more resilient to traditional mitigation efforts such as server incapacitation. As an alternative strategy, the malware defense community has been trying to identify the bot-infected hosts and enumerate the IP addresses of the participating nodes, so that the list can be used by system administrators to identify local infections, block spam emails sent from bots, and configure firewalls to protect local users. Enumerating the infected hosts, however, has presented challenges. One cannot identify infected hosts behind firewalls or NAT devices by employing crawlers, a commonly used enumeration technique in which recursive get-peerlist lookup requests are sent to newly discovered IP addresses of infected hosts. As many bot-infected machines in homes or offices are behind firewall or NAT devices, these crawler-based enumeration methods would miss a large portion of botnet infections. In this paper, we present the Passive P2P Monitor (PPM), which can enumerate the infected hosts regardless of whether they are behind a firewall or NAT. As an empirical study, we examined the Storm botnet and enumerated its infected hosts using the PPM. We also improve our PPM design by incorporating a FireWall Checker (FWC) to identify nodes behind a firewall. Our experiment with the peer-to-peer Storm botnet shows that more than 40% of bots that contact the PPM are behind firewall or NAT devices, implying that crawler-based enumeration techniques would miss a significant portion of the botnet population. Finally, we show that the PPM's coverage follows a probability-based coverage model that we derived from empirical observation of the Storm botnet.


