Advertisement

Next Generation P2P Botnets: Monitoring Under Adverse Conditions

  • Leon BöckEmail author
  • Emmanouil Vasilomanolakis
  • Max Mühlhäuser
  • Shankar Karuppayah
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)

Abstract

The effects of botnet attacks, over the years, have been devastating. From high volume Distributed Denial of Service (DDoS) attacks to ransomware attacks, it is evident that defensive measures need to be taken. Indeed, there has been a number of successful takedowns of botnets that exhibit a centralized architecture. However, this is not the case with distributed botnets that are more resilient and armed with countermeasures against monitoring. In this paper, we argue that monitoring countermeasures, applied by botmasters, will only become more sophisticated; to such an extent that monitoring, under these adverse conditions, may become infeasible. That said, we present the most detailed analysis, to date, of parameters that influence a P2P botnet’s resilience and monitoring resistance. Integral to our analysis, we introduce BotChurn (BC) a realistic and botnet-focused churn generator that can assist in the analysis of botnets. Our experimental results suggest that certain parameter combinations greatly limit intelligence gathering operations. Furthermore, our analysis highlights the need for extensive collaboration between defenders. For instance, we show that even the combined knowledge of 500 monitoring instances is insufficient to fully enumerate some of the examined botnets. In this context, we also raise the question of whether botnet monitoring will still be feasible in the near future.

Notes

Acknowledgement

This work was supported by the German Federal Ministry of Education and Research (BMBF) and by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP. The research leading to these results has also received funding from the European Union’s Horizon 2020 Research and Innovation Program, PROTECTIVE, under Grant Agreement No 700071 and the Universiti Sains Malaysia (USM) through Short Term Research Grant, No: 304/PNAV/6313332.

References

  1. 1.
    Adrian, D., Durumeric, Z., Singh, G., Halderman, J.A.: Zippier zmap: internet-wide scanning at 10 gbps. In: WOOT (2014)Google Scholar
  2. 2.
    Andriesse, D., Rossow, C., Bos, H.: Reliable recon in adversarial peer-to-peer botnets. In: Internet Measurement Conference. ACM (2015)Google Scholar
  3. 3.
    Andriesse, D., Rossow, C., Stone-Gross, B., Plohmann, D., Bos, H.: Highly resilient peer-to-peer botnets are here: an analysis of gameover zeus. In: International Conference on Malicious and Unwanted Software (2013)Google Scholar
  4. 4.
    Baumgart, I., Heep, B., Krause, S.: Oversim: a scalable and flexible overlay framework for simulation and real network applications. In: Peer-to-Peer Computing, pp. 87–88. IEEE (2009)Google Scholar
  5. 5.
    Böck, L., Karuppayah, S., Grube, T., Mühlhäuser, M., Fischer, M.: Hide and seek: detecting sensors in P2P botnets. In: Communications and Network Security, pp. 731–732. IEEE (2015)Google Scholar
  6. 6.
    Falliere, N.: Sality: story of a peer-to-peer viral network. Technical report, Symantec Corporation (2011)Google Scholar
  7. 7.
    Greengard, S.: The war against botnets. Commun. ACM 55(2), 16 (2012).  https://doi.org/10.1145/2076450.2076456CrossRefGoogle Scholar
  8. 8.
    Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: Botminer: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: USENIX Security Symposium, vol. 5, pp. 139–154 (2008)Google Scholar
  9. 9.
    Haas, S., Karuppayah, S., Manickam, S., Mühlhäuser, M., Fischer, M.: On the resilience of P2P-based botnet graphs. In: Communications and Network Security (CNS), pp. 225–233. IEEE (2016)Google Scholar
  10. 10.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: LEET (2008)Google Scholar
  11. 11.
    Karuppayah, S.: Advanced monitoring in P2P botnets. Ph.D. thesis, Technische Universität Darmstadt (2016)Google Scholar
  12. 12.
    Karuppayah, S., Fischer, M., Rossow, C., Muhlhauser, M.: On advanced monitoring in resilient and unstructured P2P botnets. In: International Conference on Communications. IEEE (2014).  https://doi.org/10.1109/ICC.2014.6883429
  13. 13.
    Karuppayah, S., Roos, S., Rossow, C., Mühlhäuser, M., Fischer, M.: ZeusMilker: circumventing the P2P zeus neighbor list restriction mechanism. In: International Conference on Distributed Computing Systems, pp. 619–629. IEEE (2015)Google Scholar
  14. 14.
    Karuppayah, S., Vasilomanolakis, E., Haas, S., Muhlhauser, M., Fischer, M.: BoobyTrap: on autonomously detecting and characterizing crawlers in P2P botnets. In: 2016 IEEE International Conference on Communications, ICC 2016 (2016).  https://doi.org/10.1109/ICC.2016.7510885
  15. 15.
    Kleissner, P.: Me Puppet Master: Behind the scenes of crawling P2P botnets (2014). http://blog.kleissner.org/?p=455
  16. 16.
    Maymounkov, P., Mazières, D.: Kademlia: a peer-to-peer information system based on the XOR metric. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 53–65. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45748-8_5CrossRefzbMATHGoogle Scholar
  17. 17.
    Narang, P., Ray, S., Hota, C., Venkatakrishnan, V.: Peershark: detecting peer-to-peer botnets by tracking conversations. In: 2014 IEEE Security and Privacy Workshops (SPW), pp. 108–115. IEEE (2014)Google Scholar
  18. 18.
    Neville, A., Gibb, R.: ZeroAccess Indepth. Technical report (2013)Google Scholar
  19. 19.
    Page, L., Brin, S., Motwani, R., Winograd, T.: The PageRank citation ranking: bringing order to the web (1999)Google Scholar
  20. 20.
    Rossow, C., et al.: P2PWNED: modeling and evaluating the resilience of peer-to-peer botnets. In: Symposium on Security & Privacy. IEEE (2013)Google Scholar
  21. 21.
    Salah, H., Strufe, T.: Capturing connectivity graphs of a large-scale P2P overlay network. In: 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops (ICDCSW) (2013)Google Scholar
  22. 22.
    Stingl, D., Gross, C., Rückert, J., Nobach, L., Kovacevic, A., Steinmetz, R.: Peerfactsim.kom: a simulation framework for peer-to-peer systems. In: High Performance Computing and Simulation (HPCS), pp. 577–584. IEEE (2011)Google Scholar
  23. 23.
    Stutzbach, D., Rejaie, R.: Understanding churn in peer-to-peer networks. In: ACM SIGCOMM Conference on Internet Measurement, pp. 189–201 (2006)Google Scholar
  24. 24.
    Surati, S., Jinwala, D.C., Garg, S.: A survey of simulators for P2P overlay networks with a case study of the P2P tree overlay using an event-driven simulator. Eng. Sci. Technol. Int. J. 20, 705–720 (2017)CrossRefGoogle Scholar
  25. 25.
    Vasilomanolakis, E., Wolf, J.H., Böck, L., Karuppayah, S., Mühlhäuser, M.: I trust my zombies: a trust-enabled botnet. arXiv preprint arXiv:1712.03713 (2017)
  26. 26.
    Wyke, J.: The zeroaccess botnet - mining and fraud for massive financial gain. Technical report, September, Sophos (2012)Google Scholar
  27. 27.
    Yan, J., et al.: Revisiting node injection of P2P botnet. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 124–137. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11698-3_10CrossRefGoogle Scholar
  28. 28.
    Yao, Z., Leonard, D., Wang, X., Loguinov, D.: Modeling heterogeneous user churn and local resilience of unstructured P2P networks. In: International Conference on Network Protocols (ICNP), pp. 32–41. IEEE (2006)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Leon Böck
    • 1
    Email author
  • Emmanouil Vasilomanolakis
    • 1
  • Max Mühlhäuser
    • 1
  • Shankar Karuppayah
    • 2
  1. 1.Telecooperation LabTechnische Universität DarmstadtDarmstadtGermany
  2. 2.National Advanced IPv6 CentreUniversiti Sains Malaysia (USM)GelugorMalaysia

Personalised recommendations