Modeling and Measuring Botnets
David Dagon, Wenke Lee (Georgia Institute of Technology)
Cliff C. Zou (Univ. of Central Florida)
Outline
Motivation
Diurnal modeling of botnet propagation
Botnet population estimation
Botnet threat assessment
Advanced botnet
Motivation
Botnets have become a serious threat, yet there is not much research on botnets so far.
Existing work: empirical analysis of captured botnets, mainly based on honeypot spying.
We need an understanding of the botnet as a network: botnet growth dynamics; botnet (on-line) population and threat level, ...
Be well prepared for the next generation of botnets.
Botnet Monitor: Gatech KarstNet
Many bots use a Dyn-DNS name (cc1.com in the figure) to find their C&C.
Detect cc1.com by its abnormal DNS queries.
KarstNet informs the DNS provider of cc1.com.
The DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack).
All/most bots then attempt to connect to the sinkhole instead of the attacker's C&C.
[Figure: bots, the attacker's C&C, and the KarstNet sinkhole]
Diurnal Pattern in Monitored Botnets
Diurnal pattern affects botnet propagation rate
Diurnal pattern affects botnet attack strength
Botnet Diurnal Propagation Model
Model botnet propagation via vulnerability exploit: the same as worm propagation, an extension of epidemic models.
Model the diurnal pattern: computers in one time zone share the same diurnal pattern. The "diurnal shaping function" α_i(t) of time zone i is the percentage of online hosts in time zone i, derived from the continuous connection attempts by bots in time zone i to Gatech KarstNet.
Modeling Propagation: Single Time Zone
: # of infected
: # of vulnerable
: # of online infected
: # of online vulnerable
Epidemic model
Diurnal pattern means:
Diurnal model
removal
Modeling Propagation: K Multiple Time Zones (Internet)
Limited ability to model non-uniform scanning.
Parameters: scan rate from zone j to zone i; IP space size of zone i.
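The single-zone and K-zone slides above give the model only in words and symbols, so here is an added, runnable illustration (not the authors' code or data): a forward-Euler simulation of a K-zone diurnal epidemic model. The exact dynamics are an assumption stated in the docstring (online infected hosts scan, only online vulnerable hosts can be hit, removal proportional to online infected), and the sinusoidal α_i(t) in toy_alpha is a constructed stand-in for the KarstNet-derived shaping function.

```python
import math

def toy_alpha(offset_hours):
    """Constructed diurnal shaping function alpha_i(t) for a zone at UTC+offset_hours:
    fraction of hosts online, lowest at night, peaking mid-afternoon.  The paper derives
    alpha_i(t) from KarstNet sinkhole data; this sinusoid is an assumption."""
    def alpha(t_min):
        local_hour = (t_min / 60.0 + offset_hours) % 24.0
        return 0.55 + 0.45 * math.cos((local_hour - 15.0) * 2.0 * math.pi / 24.0)
    return alpha

def simulate(zones, beta, gamma, t_end_min, dt=1.0):
    """Euler-integrate a K-zone diurnal epidemic model (assumed form, see lead-in).
    zones: dicts with N (vulnerable hosts), I0 (initially infected), alpha (callable).
    beta[j][i]: pairwise infection rate from zone j into zone i, absorbing the scan rate
    from j to i and the IP space size of zone i.  gamma: removal rate.
    New infections in zone i: sum_j beta[j][i]*alpha_j(t)*I_j * alpha_i(t)*(N_i - I_i);
    removal: gamma*alpha_i(t)*I_i.  Returns [(t, [I_1, ..., I_K]), ...]."""
    K = len(zones)
    I = [float(z["I0"]) for z in zones]
    history, t = [(0.0, list(I))], 0.0
    while t < t_end_min:
        a = [z["alpha"](t) for z in zones]
        new_I = []
        for i in range(K):
            online_vuln = a[i] * (zones[i]["N"] - I[i])
            infections = online_vuln * sum(beta[j][i] * a[j] * I[j] for j in range(K))
            removals = gamma * a[i] * I[i]
            # clamp so an Euler step can never leave [0, N_i]
            new_I.append(min(max(I[i] + dt * (infections - removals), 0.0), zones[i]["N"]))
        I, t = new_I, t + dt
        history.append((t, list(I)))
    return history

def infected_at(history, t_min):
    """Total infected hosts over all zones at the first sample with t >= t_min."""
    for t, I in history:
        if t >= t_min:
            return sum(I)
    return sum(history[-1][1])

if __name__ == "__main__":
    # constructed scenario: three zones, botnet seeded in the first at t=0 (00:00 UTC)
    zones = [dict(N=10000, I0=10, alpha=toy_alpha(off)) for off in (0, -8, 9)]
    beta = [[5e-6 if j == i else 2e-6 for i in range(3)] for j in range(3)]
    for t, I in simulate(zones, beta, gamma=0.0, t_end_min=2 * 1440)[::360]:
        print(f"t={t:5.0f} min  infected per zone = {[round(x) for x in I]}")
```

With alpha fixed at 1.0 and gamma = 0 the model collapses to the classic logistic (SI) curve, which is a handy sanity check before fitting real sinkhole data.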
Validation: Fitting model to botnet data
The diurnal model is more accurate than the traditional epidemic (SIR) model.
[Figure: number of infected hosts (x 10^4) versus time t (minutes); curves: botnet data, diurnal model, SIR model]
Applications of diurnal model
Predict future botnet growth from monitored botnets: a botnet that uses the same vulnerability has a similar α(t).
Improve response priority.
[Figure: number of infected hosts (x 10^5) versus time after release (hours), for the same botnet released at 00:00, 06:00 and 12:00]
Population estimation I: Capture-recapture
How to obtain two independent samples? KarstNet monitors two C&Cs of one botnet.
Need to verify independence with more data; study how to get a good estimate when the two samples are not independent.
KarstNet + honeypot spying: guaranteed independence?
Botnet population is estimated from the # of bots observed in each of the two samples and the # of bots observed in both samples.
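Added example, not the authors' code: the Lincoln-Petersen capture-recapture estimate (n_a * n_b / m, the formula the slide refers to by its three quantities, plus Chapman's bias-corrected variant) applied to two constructed samples of bot identifiers, together with a small simulation of why the slide insists on independent samples: two_monitors is a constructed model in which a second monitor is more likely to see bots the first one already saw, and the estimate then falls well below the true population.

```python
import random

def lincoln_petersen(sample_a, sample_b):
    """Capture-recapture estimate of the botnet population from two samples of bot
    identifiers: n_a * n_b / m, where m is the number of bots seen in both samples."""
    a, b = set(sample_a), set(sample_b)
    m = len(a & b)
    if m == 0:
        raise ValueError("samples do not overlap; the estimate is undefined")
    return len(a) * len(b) / m

def chapman(sample_a, sample_b):
    """Chapman's bias-corrected variant, defined even when the samples do not overlap."""
    a, b = set(sample_a), set(sample_b)
    return (len(a) + 1) * (len(b) + 1) / (len(a & b) + 1) - 1

def two_monitors(n_true, p_a, p_b, dependence, seed=1):
    """Constructed botnet of n_true bots (ids 0..n_true-1) watched by two monitors, e.g.
    two sinkholed C&C names.  Monitor A sees each bot with probability p_a.  Monitor B
    sees a bot with probability p_b, raised by `dependence` for bots A already saw;
    dependence=0.0 gives independent samples (assumed model, not the paper's data)."""
    rng = random.Random(seed)
    seen_a = {bot for bot in range(n_true) if rng.random() < p_a}
    seen_b = {bot for bot in range(n_true)
              if rng.random() < p_b + (dependence if bot in seen_a else 0.0)}
    return seen_a, seen_b

if __name__ == "__main__":
    N = 20000
    for dep in (0.0, 0.3):
        a, b = two_monitors(N, 0.3, 0.3, dep)
        print(f"dependence={dep}: |A|={len(a)} |B|={len(b)} both={len(a & b)} "
              f"LP={lincoln_petersen(a, b):.0f} Chapman={chapman(a, b):.0f}")
```

Positive dependence inflates the overlap m and therefore underestimates the population; a monitor pair that shares a vantage point (the same sinkhole, the same honeypot) should be suspected of exactly this.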
Population estimation II: DNS cache snooping
Estimate the # of bots in each domain via the DNS queries for the C&C name that bots send to their local DNS server. A non-recursive query will not change the DNS cache.
If the query inter-arrival time is exponentially distributed, then Ti follows the same exponential distribution (memoryless).
Parameters: cache TTL; query rate per bot.
[Figure: timeline of bot queries for the C&C name, with the cache TTL and Ti marked]
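Added, self-contained simulation (not the authors' code or measurements) of the estimator this slide sketches. It assumes Ti is the gap between one cached copy of the C&C record expiring and the next bot query that re-inserts it: with n bots each querying at exponential rate λ, the merged stream is Poisson with rate nλ, so by memorylessness Ti ~ Exp(nλ) and n ≈ 1 / (λ · mean(Ti)). The query log, TTL and per-bot rate are constructed values.

```python
import random

def bot_queries(n_bots, rate_per_min, horizon_min, seed=7):
    """Constructed query log: each of n_bots bots asks its local DNS server for the
    C&C name with exponential inter-arrival times at rate_per_min queries/minute."""
    rng = random.Random(seed)
    times = []
    for _ in range(n_bots):
        t = rng.expovariate(rate_per_min)
        while t < horizon_min:
            times.append(t)
            t += rng.expovariate(rate_per_min)
    return sorted(times)

def cache_insertions(query_times, ttl_min):
    """Replay the resolver cache: a bot query while the record is absent or expired
    triggers a recursive lookup and (re)inserts it with a fresh TTL; queries while it
    is cached are answered from cache.  Returns the insertion times."""
    inserts, expires = [], -1.0
    for t in query_times:
        if t >= expires:
            inserts.append(t)
            expires = t + ttl_min
    return inserts

def snoop(inserts, ttl_min, every_min):
    """Periodic non-recursive probes (RD bit clear) reveal only whether the record is
    cached and its remaining TTL r, and never refresh the cache.  A hit at time s means
    the record was inserted at s - (ttl - r).  Returns the distinct inferred insertion
    times; with every_min <= ttl_min no insertion is missed."""
    found, k, s = [], 0, 0.0
    while s <= inserts[-1] + ttl_min:
        while k + 1 < len(inserts) and inserts[k + 1] <= s:
            k += 1
        remaining = inserts[k] + ttl_min - s
        if inserts[k] <= s and remaining > 0:
            inferred = s - (ttl_min - remaining)
            if not found or abs(found[-1] - inferred) > 1e-9:
                found.append(inferred)
        s += every_min
    return found

def estimate_bots(inserts, ttl_min, rate_per_min):
    """T_i = gap from one cached copy expiring to the next insertion; T_i ~ Exp(n*rate),
    so n is estimated as 1 / (rate * mean(T_i))."""
    gaps = [inserts[k] - (inserts[k - 1] + ttl_min) for k in range(1, len(inserts))]
    return 1.0 / (rate_per_min * sum(gaps) / len(gaps))

if __name__ == "__main__":
    queries = bot_queries(n_bots=200, rate_per_min=1 / 60, horizon_min=30 * 1440)
    seen = snoop(cache_insertions(queries, ttl_min=30), ttl_min=30, every_min=10)
    print("estimated bots behind this resolver:", round(estimate_bots(seen, 30, 1 / 60)))
```

The estimate depends on the per-bot query rate being known (from a captured sample) and on the exponential assumption the slide makes; validating that Poisson arrival is listed under future work.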
Basic threat assessment
Botnet size (population estimation); active/online population at attack time (diurnal model).
IP addresses of bots in botnets: the basis for effective filtering/defense. KarstNet is a good monitor for this; honeypot spying is not.
Botnet control structure (easy to disrupt?): IPs and # of C&Cs for a botnet? P2P botnets?
Botnet attack bandwidth
Bot bandwidth follows a heavy-tailed distribution: filtering 32% of bots cuts off 70% of attack traffic.
Is bot bandwidth also heavy-tailed in terms of ASes? If so, contacting the top x% of ASes is enough for a victim to defend against a botnet DDoS attack.
[Figure: F(w) of bot bandwidth w (kbps) on log-log axes; curves: average, minimum, maximum]
Monitoring evasion by botmasters
Honeypot detection: honeypot defenders are liable for attacks sent out.
[Figure: C&C, bot and a secret sensor host; labels: malicious traffic, inform bot's IP, authorize]
C&C hijacking detection (e.g., of KarstNet): check whether C&C names map to their real IPs (the attacker knows which computers are used as C&Cs); check whether the C&C passes trivial commands on to bots.
Advanced hybrid P2P botnet
Why would attackers use P2P? To remove the control bottleneck (C&C): C&Cs are easy to monitor (one honeypot spy reveals all C&Cs; one captured/hijacked C&C reveals all bots) and easy to shut down (limited number).
Current P2P protocols will not work for botnets: the bootstrap process is vulnerable to blocking; the global view from each bot must be disabled (to prevent monitoring); DHCP, private IPs, firewalls, capture and removal must be considered.
Advanced botnet designs
Servent bots: static IP, no firewall blocking.
Peer-list based connection: a maximum number of servent bot IPs in each bot; limited view of the botnet.
Built as the botnet spreads: no bootstrap process; no reveal of the entire botnet.
Compared to C&C botnets: a large # of C&C bots interconnected with each other.
[Figure: servent bots and client bots]
Advanced botnet designs
Public key in bot code, private key held by the botmaster: ensures command authentication/integrity.
Individualized encryption and service port: defeats traffic-based detection; limited exposure when one bot is captured.
[Figure: peer list]
Advanced botnet designs
Easy monitoring by the botmaster: command all bots to report to a "sensor" host. Each bot reports its peer list, encryption key, service port, IP, diurnal property, IP property, link bandwidth, .... Different sensor hosts in each round of the report command prevent sensors from being blocked or captured.
Robust botnet construction by peer-list updating: with few re-infections, the initial servent bots are highly connected (each connecting to >60% of bots in a botnet). "Peer-list update" command: each bot goes to a "sensor" host to get its new peer list, randomly selected from previously reported servent bots.
Botnet robustness study
: remove the top p fraction of servent bots used in the "update" command
: connected ratio, i.e. how many of the remaining bots are still connected
Simulation settings: 20,000-size botnet, 5000 of which are servent bots (hundreds of re-infections); 1000 servent bots used in the update command.
Future work
Propagation modeling: diurnal model of email-based propagation; parameters: α(t), the other rate parameter, removal dynamics.
Population estimation: validate the independence of monitor samples; validate the Poisson arrival of C&C DNS queries.
Threat assessment: AS-level botnet bandwidth (heavy tailed?); bot access link speed: a better representation?
Monitoring and modeling of advanced botnets.
References
NSF Cyber Trust grant CNS-0627318, "Collaborative Research: CT-ISG: Modeling and Measuring Botnets". PIs: Cliff Zou, Wenke Lee.
David Dagon, Cliff C. Zou, and Wenke Lee. "Modeling Botnet Propagation Using Time Zones," in 13th Annual Network and Distributed System Security Symposium (NDSS), San Diego, Feb. 2006 (acceptance ratio: 17/127 = 13.4%).
Cliff C. Zou and Ryan Cunningham. "Honeypot-Aware Advanced Botnet Construction and Maintenance," in the International Conference on Dependable Systems and Networks (DSN), Philadelphia, Jun. 2006 (acceptance ratio: 34/187 = 18.2%).
Ping Wang, Sherri Sparks, and Cliff C. Zou. "An Advanced Hybrid Peer-to-Peer Botnet," in submission.
Cliff Zou homepage: http://www.cs.ucf.edu/~czou/