A Survey of Bots Used for Distributed Denial of Service Attacks
In recent years, open-source bot-based Distributed Denial-of-Service (DDoS) attack tools have emerged; because their code is easy to extend, these attack tools have become steadily more powerful. Developing new techniques for detecting and responding to the latest DDoS attacks often entails using attack traces to derive attack signatures and to test the techniques. However, obtaining actual attack traces is difficult, because the high-profile organizations that are typically attacked will not release monitored data, as it may contain sensitive information. In this paper, we present a detailed study of the source code of the popular DDoS attack bots Agobot, SDBot, RBot and Spybot, to provide an in-depth understanding of the attacks and so facilitate the design of more effective and efficient detection and mitigation techniques.
Keywords: Mitigation Technique, Destination Port, Attack Trace, Attack Packet, Attack Tool