My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging
MA Rajab, J Zarfoss, F Monrose, A Terzis. Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.
Reporter: 高高高 Advisor: Chin-Laung Lei 2009/06/09
◦ Different metrics lead to widely different results
◦ Some issues increase the difficulty:
  Cloning
  Temporary migration
  Hidden structures
◦ Expecting a definitive answer is unreasonable
Definitions
Different definitions of botnet size
◦ Footprint: the overall size of the infected population at any point in its lifetime
◦ Live population: the number of live bots simultaneously present in the command and control channel
Estimation Techniques
Two broad categories
◦ Counting bots connecting to a particular server directly:
  Botnet infiltration
  DNS redirection
◦ Exploiting external information
Botnet Infiltration
Infiltrating the botnet by joining the command and control channel
An IRC tracker mimics the behavior of actual bots and joins many botnets
Recording any information observed on the command and control channel
Limitations
◦ Botmasters may suppress bot identities (e.g., hide hostnames on the IRC server)
◦ Counting can lead to different estimates depending on what is counted (e.g., IRC nicks vs. hosts)
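The two size definitions above and the infiltration slide's counting caveat, as an added example (not code from the paper or the slides): a Python script that replays a constructed IRC channel trace of the kind an IRC tracker records, and computes the footprint and the live population once keyed by IRC nick and once by host address. The trace, nicks and addresses are made up; one host holds two connections under different nicks, which is exactly the situation in which the two keys disagree.

```python
"""Footprint vs. live population from an IRC tracker's channel log.

Added example, not code from the paper or the slides.  The trace format
(time, event, nick, host) is a constructed approximation of what a tracker
sitting in a C&C channel observes; nicks and addresses are made up.
"""

# Constructed trace: (time, event, nick, host).  Events are JOIN and QUIT.
# 10.0.0.5 runs two connections under different nicks (as a cloned bot would).
TRACE = [
    (0, "JOIN", "USA|12345", "10.0.0.1"),
    (1, "JOIN", "DEU|23456", "10.0.0.2"),
    (2, "JOIN", "USA|34567", "10.0.0.5"),
    (3, "JOIN", "USA|45678", "10.0.0.5"),
    (4, "QUIT", "USA|12345", "10.0.0.1"),
    (5, "JOIN", "FRA|56789", "10.0.0.3"),
    (6, "QUIT", "DEU|23456", "10.0.0.2"),
    (7, "JOIN", "GBR|67890", "10.0.0.4"),
    (8, "QUIT", "USA|34567", "10.0.0.5"),
    (9, "QUIT", "USA|45678", "10.0.0.5"),
]

_KEY_INDEX = {"nick": 2, "host": 3}


def footprint(trace, key="host"):
    """Overall infected population: every distinct identity ever seen joining."""
    idx = _KEY_INDEX[key]
    return len({event[idx] for event in trace if event[1] == "JOIN"})


def live_population(trace, key="host"):
    """Identities simultaneously present after each event, as (time, count)."""
    idx = _KEY_INDEX[key]
    open_conns = {}  # identity -> number of open connections for that identity
    series = []
    for time, ev, *_ in trace:
        ident = trace[len(series)][idx]
        if ev == "JOIN":
            open_conns[ident] = open_conns.get(ident, 0) + 1
        elif ev == "QUIT" and ident in open_conns:
            open_conns[ident] -= 1
            if open_conns[ident] == 0:
                del open_conns[ident]
        series.append((time, len(open_conns)))
    return series


def peak_live(trace, key="host"):
    """Largest live population reached anywhere in the trace."""
    return max(count for _, count in live_population(trace, key))


if __name__ == "__main__":
    for key in ("nick", "host"):
        print(f"by {key}: footprint={footprint(TRACE, key)} "
              f"peak live population={peak_live(TRACE, key)}")
```

With host information available the trace gives a footprint of 5 hosts and a peak live population of 3; counting nicks, which is all a tracker can do when the botmaster hides hostnames, gives 6 and 4. Both numbers are legitimate answers to "how big is this botnet", which is the slide's point.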
DNS Redirection
Manipulating the DNS entry associated with a botnet's IRC server and redirecting connections to a sinkhole
The sinkhole completes the three-way TCP handshake with bots attempting to connect to the (redirected) IRC server and records their IP addresses
Limitations
◦ It can only measure the botnet's footprint
◦ There is no way of knowing whether the bots are connecting to the same command and control channel
◦ Botmasters can redirect their bots to another IRC server
Exploiting External Information
DNS cache snooping
◦ Bots normally make a DNS query to resolve the IP address of their IRC server
◦ A cache hit on a non-recursive query to a nameserver implies that at least one host using that nameserver has queried the IRC server's name
◦ The total number of cache hits provides an indication of the botnet's DNS footprint
The DNS footprint provides (at best) only a lower bound on the actual footprint
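DNS cache snooping as described on this slide, as an added example (not code from the paper or the slides): the probe builds a DNS query with the RD bit cleared, so a resolver answers only from its cache, then parses the reply and classifies it as a cache hit, a miss, or a refusal. The name irc.example.net, the addresses and the TTLs are constructed and nothing is sent on the network; a real probe would send the bytes from build_query over UDP port 53 to each resolver and feed the reply to parse_response. The remaining TTL in a hit also tells you roughly how long ago a client first caused the name to be cached, if you know the authoritative TTL.

```python
"""DNS cache snooping: non-recursive queries and hit/miss classification.

Added example, not code from the paper or the slides.  Builds the query a
prober sends (RD=0), parses a reply, and decides hit vs. miss.  All names,
addresses and TTLs are constructed; no packets are sent.
"""
import struct

RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid, qtype=1, recursive=False):
    """Snooping query: RD cleared so a miss is not resolved on our behalf."""
    flags = RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, a_records, rcode=0):
    """Constructed resolver reply to `query`; a_records = [(ip, ttl), ...]."""
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, QR | RA | (flags & RD) | rcode,
                         1, len(a_records), 0, 0)
    rrs = b""
    for ip, ttl in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C: compression pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Header flags plus the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                            # qtype, qclass
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & RA),
            "aa": bool(flags & AA), "answers": answers}


def snoop_verdict(reply, authoritative_ttl=None):
    """Returns (verdict, seconds_since_cached).  'refused': the resolver does
    not answer non-recursive queries; 'miss': nothing cached; 'hit': a client
    of this resolver looked the name up.  An authoritative answer is not a
    cache hit, because it proves nothing about client queries."""
    if reply["rcode"] == 5:
        return "refused", None
    if reply["aa"] or not reply["answers"]:
        return "miss", None
    age = None
    if authoritative_ttl is not None:
        age = authoritative_ttl - min(ttl for _, _, ttl in reply["answers"])
    return "hit", age


if __name__ == "__main__":
    q = build_query("irc.example.net", txid=0x1234)
    cached = parse_response(build_response(q, [("203.0.113.7", 1723)]))
    print(snoop_verdict(cached, authoritative_ttl=3600))
    print(snoop_verdict(parse_response(build_response(q, []))))
```

Every resolver that answers "refused", and every bot whose resolver you never probe, is invisible to this method, which is why the count of hits is only a lower bound on the footprint.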
Experiment
Result: Footprint & Live Population
Result: DNS Footprint
Temporary Bot Migration
Botmasters command bots to temporarily migrate from one botnet to another
Bot Cloning
Botmasters command bots to create copies of themselves and join a new channel on the same server
◦ Clone flooding
◦ Normal cloning
Hidden Botnet Connections
A d-dimensional structural feature vector
Features to represent a botnet's unique identity
◦ DNS name and/or IP address of IRC server
◦ IRC server or IRC network name (e.g., ToXiC.BoTnEt.Net)
◦ Server version (e.g., Unreal3.2.3)
◦ IRC channel name
◦ Botmaster ID
For a pair of vectors the pair-wise score is a weighted dot product of the two vectors:
$v_i = (x_1, x_2, \ldots, x_d)$
$m_{i,j} = \langle v_i, v_j \rangle = \sum_{k=1}^{d} w_k \, x_{i,k} \, x_{j,k}$, where $w_k$ is the weight of feature $k$
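The feature-vector score on this slide, as an added example (not the paper's code): each botnet observed by a tracker is described by the five features listed above, the pair-wise score is the weighted sum over features that match, and botnets whose score reaches a threshold are linked into one cluster. The weights, the threshold and the four botnet records are constructed assumptions, and comparing categorical features by equality (a match indicator per feature) is this example's reading of "weighted dot product".

```python
"""Structural feature vectors and pair-wise scores for linking botnets.

Added example, not the paper's code.  Feature names follow the slide; the
weights, threshold and botnet records are constructed assumptions.
"""

FEATURES = ["server", "network", "version", "channel", "botmaster"]

# Assumed weights (sum to 100): features that are unlikely to coincide by
# chance, such as the server address or the botmaster's identity, count more
# than a common server version.
WEIGHTS = {"server": 35, "network": 15, "version": 5, "channel": 15,
           "botmaster": 30}
THRESHOLD = 50  # assumed: pairs scoring at least this much are linked

# Constructed records as an IRC tracker would collect them.
BOTNETS = {
    "B1": {"server": "203.0.113.10", "network": "ToXiC.BoTnEt.Net",
           "version": "Unreal3.2.3", "channel": "#x1", "botmaster": "dr3ad"},
    "B2": {"server": "203.0.113.10", "network": "ToXiC.BoTnEt.Net",
           "version": "Unreal3.2.3", "channel": "#x2", "botmaster": "dr3ad"},
    "B3": {"server": "198.51.100.5", "network": "ToXiC.BoTnEt.Net",
           "version": "Unreal3.2.3", "channel": "#x1", "botmaster": "dr3ad"},
    "B4": {"server": "192.0.2.77", "network": "irc.example.org",
           "version": "Unreal3.2.3", "channel": "#help", "botmaster": "nobody"},
}


def feature_vector(record):
    """v_i = (x_1, ..., x_d) in the fixed feature order."""
    return [record[f] for f in FEATURES]


def pair_score(v_i, v_j, weights=WEIGHTS):
    """m_ij = sum_k w_k * [x_ik == x_jk]: weighted dot product of match indicators."""
    return sum(weights[f] for f, a, b in zip(FEATURES, v_i, v_j) if a == b)


def clusters(botnets, threshold=THRESHOLD):
    """Union-find over every pair whose score reaches the threshold."""
    parent = {name: name for name in botnets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    names = sorted(botnets)
    vectors = {n: feature_vector(botnets[n]) for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pair_score(vectors[a], vectors[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(groups.values())


if __name__ == "__main__":
    for group in clusters(BOTNETS):
        print("cluster:", ", ".join(group))
```

B2 and B3 share only the network name, server version and botmaster (score 50) and would not be linked on their own at a stricter threshold, but both link to B1, so the transitive closure puts the three in one cluster and leaves B4 alone. The threshold is the knob that decides whether such weak links count, and it has no single right value.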
Botnet Cluster
Number of Botnets Affiliated with Botnet Cluster
Conclusion
No single metric is sufficient for describing all aspects of a botnet's size
A prudent step towards providing more reliable size estimates is to synthesize the results from multiple concurrent and independent views of a botnet's behavior
References
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, "My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging," in Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon," in Proceedings of the ACM SIGCOMM/USENIX Internet Measurement Conference (IMC), pages 41–52, 2006.