National Conference on Role of Cloud Computing Environment in Green Communication 2012


                             Sun College of Engineering and Technology

Abstract—A “botnet” consists of a network of         appeared until now have had a common
compromised computers controlled by an               centralized architecture. That is, bots in the
attacker (“botmaster”).botnets have become           botnet connect directly to some special hosts
the root cause of many Internet attacks. In          (called ―command-and-control‖ servers, or
our project we are going to monitor and              ―C&C‖ servers). These C&C servers receive
defend against the attacks that are occurring        commands from their botmaster and forward
in the systems. It is based on Network               them to the other bots in the network. l
security. This botnet works as master slave                      Most of the current research has
relationship. we should study advanced botnet        focused upon the C&C botnets that have
designs that could be developed by                   appeared in the past, especially Internet Relay
botmaster’s in the near future. in this project,     Chat (IRC)based botnets. It is necessary to
we present the design of an advanced hybrid          conduct such research in order to deal with the
peer to peer botnet. We are constructing a           threat we are facing today. However, it is equally
robust botnet and then detecting the attacks         important to conduct research on advanced
given to the bots by botmaster by using proxy        botnet designs that could be developed by
server technique and remove the botmaster            attackers in the near future. Otherwise, we will
from the botnet. Compared with current               remain susceptible to the next generation of
botnets, the proposed botnet is harder to be         internet malware attacks.
shut down, monitored, and hijacked. It                         From a botmaster’s perspective, the
provides robust network connectivity,                C&C servers are the fundamental weak points in
individualized encryption and control traffic        current botnet architectures. First, a botmaster
dispersion, limited botnet exposure by each          will lose control of his or her botnet once the
bot, and easy monitoring and recovery by its         limited number of C&C servers are shut down by
botmaster.                                           defenders. Second, defenders could easily obtain
                                                     the identities (e.g., IP addresses) of all C&C
        1.INTRODUCTION                               servers based on their service traffic to a large
                                                     number of bots , or simply from one single
          Internet malware attacks have evolved      captured bot (which contains the list of C&C
into better organized and more of it-centered        servers). Third, an entire botnet may be exposed
endeavors Email spam, extortion through denial-      once a C&C server in the botnet is hijacked or
of-service attacks, and click fraud represent a      captured by defenders. As network security
few examples of this emerging trend. ―Botnets‖       practitioners put more resources and effort into
are a root cause of these problems. A ―botnet‖       defending against botnet attacks, hackers will
consists of a network of compromised computers       develop and deploy the next generation of
(―bots‖) connected to the Internet that is           botnets with a different control architecture.
controlled by a remote attacker (―botmaster‖).
Since a botmaster could scatter attack tasks over             A.EXISTING SYSTEM
hundreds or even tens thousands of computers
distributed across the Internet, the enormous                 In the existing system of our project,
cumulative bandwidth and large number of             there is a C&C server ie, Command and Control
attack sources make botnet-based attacks             server. It act as intermediate between the bot
extremely dangerous and hard to defend against.      master and the bots. The C&C server gets the
Compared to other Internet malware, the unique       command from the bot master and then sends to
feature of a botnet lies in its control              its bots. Botnets have become the root cause of
communication network. Most botnets that have

Department of CSE, Sun College of Engineering and Technology
 National Conference on Role of Cloud Computing Environment in Green Communication 2012

many internet attacks. A botmaster could scatter     Slapper each bot has a fixed and limited size
attack tasks over hundreds or ten thousands of       peer list and does not reveal its peer list to other
computers distributed across the internet, the       bots. In this way, when a bot is captured by
enormous cumulative bandwidth and large              defenders, only the limited number of bots in its
number of attack sources make botnet based           peer list are exposed.
attacks extremely dangerous and hard to defend                 • A botmaster could easily monitor the
against.                                             entire botnet by issuing a report command. This
                                                     to a specific compromised machine (which is
 The fundamental weak points                         called a sensor host) that is controlled by the
         1.A botmaster will lose control of her      botmaster. The IP address of the sensor host,
botnet once the limited number of C&C servers        which is specified in the report command, will
are shutdown by defenders.                           change every time a report command is issued to
        2.Defenders could easily obtain the          prevent defenders from capturing or blocking the
identities(e.g. IP address) through all C&C          sensor host beforehand.
servers based on their service traffic to a large            • After collecting information about the
number of bots, or simply from one captured          botnet through the above report command, a
bot(which contains the list of C&C servers).         botmaster, if she thinks necessary, could issue an
       3.An entire botnet may be exposed once a      update command to actively let all bots contact a
C&C server in the botnet is hijacked or captured     sensor host to update their peer lists. This
by defenders.                                        effectively reorganizes the botnet such that it has
                                                     a balanced and robust connectivity, and/or
         B.PROPOSED SYSTEM                           reconnects a broken botnet.
                                                             • Only bots with static global IP addresses
          Considering the problems encountered       that are accessible from the Internet are
by C&C botnets and previous P2P botnets, the         candidates for being in peer lists (they are called
design of an advanced botnet, from our               servants bots according to P2P terminologies
understanding, should consider the following         [12] since they behave with both client and
practical challenges faced by botmaster’s:           server features). This design ensures that the peer
 (1). How to generate a robust botnet capable of     list in
maintaining control of its remaining bots even       each bot has a long lifetime.
after a substantial portion of the botnet                    • Each servant bot listens on a self-
population has been removed by defenders?            determined      service port       for incoming
 (2). How to prevent significant exposure of the     connections from other bots and uses a self-
network topology when some bots are captured         generated symmetric encryption key for
by defenders?                                        incoming traffic. This individualized encryption
(3). How to easily monitor and obtain the            and individualized service port design makes it
complete information of a botnet by its              very hard for the botnet to be detected through
botmaster?                                           network flow analysis of the botnet
 (4). How to prevent (or make it harder)             communication traffic.
defenders from detecting bots via
their communication traffic patterns?
        In addition, the design should also                   II. RELATED WORK
consider many network related issues such as
dynamic or private IP addresses and the diurnal               Current research on botnets is mainly
online/offline property of bots. By considering      focused on monitoring and detection. presented
all the challenges listed above, in this paper, we   comprehensive studies on using honey pots to
present our research on the possible design of an    join botnets in order to monitor botnet activities
advanced hybrid P2P botnet. The proposed             in the Internet. With the help from Dynamic
hybrid P2P botnet has the                            DNS service providers, [4] presented a botnet
following features:                                  monitoring system by redirecting the DNS
         • The botnet requires no bootstrap
                                                     mapping of a C&C server to a botnet monitor.
procedure.                                           Ramachandran et al. presented how to passively
         • The botnet communicates via the peer      detect botnets by finding botmaster’s’ queries to
list contained in each bot. However, unlike          spam DNS-based black hole list servers

Department of CSE, Sun College of Engineering and Technology
 National Conference on Role of Cloud Computing Environment in Green Communication 2012

(DNSBL).Since most botnets nowadays use                become more important in the future as a larger
Internet Relay Chat (IRC) for their C&C servers,       proportion of computers will sit behind firewall,
many people have studied how to detect them by         or use DHCP or private IP addresses due to
detecting their IRC channels or traffic. Binkley       shortage of IP space.
and Singh attempted to detect them through                       A bot could easily determine the type of
abnormal IRC channels. Strayed used machine-           IP address used by its host machine. For
learning techniques to detect botnet IRC-based         example, on a Windows machine, a bot could
control traffic and tested the system on trace-        run the command ―ipconfig /all‖. Not all
driven network data. Chen presented a system to        bots with static global IP addresses are qualified
detect botnet IRC traffic on high-speed network        to be servant bots—some of them may stay
routers.                                               behind firewall, inaccessible, from the global
        In [21], the authors presented a ―super-       Internet. A botmaster could rely on the
botnet‖, which is a super-size botnet by inter-        collaboration between bots to determine such
connecting many small botnets together in a            bots. For example, a bot runs its server program
peer-to-peer fashion. However, [21] largely            and requests the servant bots in its peer list to
ignored two important practical issues that have       initiate connections to its service port. If the bot
been addressed in our work:                            could receive such test connections, it labels
         (1). The majority of compromised              itself as a servant bot. Otherwise, it labels itself
computers cannot be used as C&C servers since          as a client bot.
they are either behind firewall or have dynamic
IP addresses;                                          B. Botnet Command and Control Architecture
         (2). The robust botnet control topology                 The peer list size is 2 (i.e. each bots’
cannot be set up through re-infection mechanism,       peer list contains the IP addresses of 2 servant
if a botnet does not have substantive re-              bots). An arrow from bot A to bot B represents
infections during its built-up, which is the case      bot A initiating a connection to bot B. A
for most botnets in reality.                           botmaster injects his or her commands through
                                                       any botnet. Both client and servant bots actively
       III. PROPOSED HYBRID P2P                        and periodically connect to the servant bots in
BOTNET ARCHITECTURE                                    their peer lists in order to retrieve commands
                                                       issued by their botmaster. When a bot receives a
A. Two Classes of Bots                                 new command that it has never seen before (e.g.,
          The bots in the proposed P2P botnet are      each command has a unique ID), it immediately
classified into two groups. The first group            forwards the command to all servant bots in its
contains bots that have static, non-private IP         peer list. This description of command
addresses and are accessible from the global           communication means that, in terms of
Internet. Bots in the first group are called servant   command forwarding, the proposed botnet has
bots since they behave as both clients and             an undirected graph topology. If the size of the
servers1. The second group 1In a traditional           botnet peer list is denoted by M, then this design
peer-to-peer file sharing system, all hosts behave     makes sure that each bot has at least M venues to
both as clients and servers and are called             receive commands.
―servants‖ [22].contains the remaining bots,
including: (1). Bots with dynamically allocated                   IV. BOTNET COMMAND AND
IP addresses; (2). Bots with private IP addresses;     CONTROL
(3). Bots behind firewalls such that they cannot       The essential component of a botnet is its
be connected from the global Internet. The             command       and   control    communication.
second group of bots are called client bots since      Compared to a C&C botnet, the proposed botnet
they will not accept incoming connections.             has a more robust and complex communication
          Only servant bots are candidates in peer     architecture. The major design challenge is to
lists. All bots, including both client bots and        generate a botnet that is difficult to be shut
servant bots, actively contact the servant bots in     down, or monitored by defenders or other
their peer lists to retrieve commands. Because         attackers.
servant bots normally do not change their IP
addresses, this design increases the network           A. Command Authentication
stability of a botnet. This bot classification will

Department of CSE, Sun College of Engineering and Technology
 National Conference on Role of Cloud Computing Environment in Green Communication 2012

      Compared with a C&C botnet, because bots          • Dispersed network traffic: Since service port
in the proposed botnet do not receive commands          is a critical parameter in classifying network
from predefined places, it is especially important      traffic, this individualized port design makes it
to implement a strong command authentication.           extremely hard for defenders to detect a botnet
A standard public-key authentication would be           based on monitored network traffic. When
sufficient. A botmaster generates a pair of             combined with the individualized encryption
public/private keys, K+,K−_, and hard codes the         design, a P2P botnet has a strong resistance
public key K+ into the bot program before               against most (if not all) network traffic flow
releasing and building the botnet. There is no          based detection systems, such as the ones
need for key distribution because the public key        introduced in [19], [18].
is hard-coded in bot program. Later, the                • Secret backdoor: The individualized port
command messages sent from the botmaster                design also ensures that servant bots in a P2P
could be digitally signed by the private key K− to      botnet keep their backdoors ―secret‖. Otherwise,
ensure their authentication and integrity.              defenders could scan the specific port used by a
    This public-key based authentication could          botnet to detect potential servant bots, or monitor
also be readily deployed by current C&C                 network traffic targeting this service port to
botnets. So botnet hijacking is not a major issue.      facilitate their botnet detection. A randomly-
B. Individualized Encryption Key                        generated service port may not always be good
     In the proposed botnet, each servant bot i         for botnets since network traffic going to a rarely
randomly generates its symmetric encryption key         used port is abnormal. To overcome this, a
Ki. Suppose the peer list on bot A is denoted by        botmaster can specify a set of service ports for
LA. It will not only contain the IP addresses of M      each bot to choose, preferably choosing from
servant bots, but also the symmetric keys used          those standard encrypted ports such as port 22
by these servant bots. Thus, the peer list on bot A     (SSH), port 443 (HTTPS), or port 993 (IMAPS).
is:                                                     Furthermore, a sophisticated botmaster could
LA = {(IPi1,Ki1 ), (IPi2,Ki2 ), · · · (IPiM,KiM)} (1)   even program bot code to mimic the protocol
where (IPij,Kij ) are the IP address and symmetric      format of the service port as what ―honeyed‖
key used by servant bot ij . With such a peer list      [23] does.
design, each servant bot uses its own symmetric
key for incoming connections from any other                      V. BOTNET MONITORING BY ITS
bot. This is applicable because if bot B connects       BOTMASTER
to a servant bot A, bot B must have (IPA,KA) in              Another major challenge in botnet design is
its peer list.                                          making sure that a botnet is difficult to be
    This individualized encryption guarantees that      monitored by defenders, but at the same time,
if defenders capture one bot, they only obtain          easily monitored by its botmaster. With detailed
keys used by M servant bots in the captured bots’       botnet information, a botmaster could (1).
peer list. Thus the encryption among the                Conduct attacks more effectively according to
remaining botnet will not be compromised.               the bot population, distribution, bandwidth,
                                                        on/off status, IP address types, etc; (2). Keep
C. Individualized Service Port                          tighter control over the botnet when facing
     The peer-list based architecture also enables      various counterattacks from defenders. In this
the proposed botnet to disperse its                     section, we present a simple but effective way
communication traffic in terms of service port.         for botmaster’s to monitor their botnets
Since a servant bot needs to accept connections         whenever they want, and at the same time, resist
from other bots, it must run a server process           being monitored by others.
listening on a service port. The service port
number on servant bot i, denoted by Pi, could be        A. Monitoring Via a Dynamically Changeable
randomly picked by the bot. Considering this, a         Sensor
peer list needs to contain the service port                 To monitor the proposed hybrid P2P botnet,
information as well. For example, the peer list on      a botmaster issues a special command, called a
bot A is:                                               report command, to the botnet thereby
LA = {(IPi1,Ki1, Pi1 ), · · · , (IPiM,KiM, PiM)} (2)    instructing every bot to send its information to a
The individualized service port design has two          specified machine that is compromised and
benefits for botmaster’s:

Department of CSE, Sun College of Engineering and Technology
 National Conference on Role of Cloud Computing Environment in Green Communication 2012

controlled by the botmaster. This data collection     • New infection: Bot A passes its peer list to a
machine is called a sensor.                           vulnerable host B when compromising it. If B is
     The IP address (or domain name) of the           a servant bot, A adds B into its peer list (by
centralized sensor host is specified in the report    randomly replacing one bot if its peer list is full).
command. Every round of report command                Similarly, if A is a servant bot, B adds A into its
issued by a botmaster could potentially utilize a     peer list in the same way.
different sensor host. This would prevent             • Re-infection: If re-infection is possible and bot
defenders from knowing the identity of the            A re-infects bot B, bot B will then replace R (R
sensor host before seeing the actual report           ≤ M−1) randomly selected bots in its peer list
command. After a report command has been sent         with R bots from the peer list provided by A.
out by a botmaster, it is possible that defenders     Again, bo t A and B will add each other into
could quickly know the identity of the sensor         their respective peer lists if the other one is a
host (e.g., through honey pot joining the botnet      servant bot.
[3], [6]), and then either shut it down or monitor
the sensor host. To deal with this threat, a
botmaster may implement any of the following                    VII.     BOTNET         ROBUSTNESS
procedures:                                           STUDY
• Use a popular Internet service, such as HTTP or           Next, we study the robustness property of a
Email, for report to a sensor. The sensor is          constructed hybrid P2P botnet. Two factors
chosen such that it normally provides such a          affect the connectivity of a botnet: (1). Some
service to avoid exhibiting abnormal network          bots are removed by defenders; and (2). Some
traffic.                                              bots are off-line (for example, due to the diurnal
• Use several sensor machines instead of a single     phenomenon [4]). These two factors, even
sensor.                                               though completely different, have the same
• Select sensor hosts that are harder to be shut      impact on botnet connectivity when the botnet is
down or monitored, for example, compromised           used by its botmaster at a specific time. For this
machines in other countries with minimum              reason, we do not distinguish them in the
Internet security and International collaboration.    following study. Since servant bots, especially
• Manually verify the selected sensor machines        the servant bots used in peer list updating
are not honey pots (see further discussion in         procedure, are the backbone connecting a botnet
Section IX).                                          together, we study botnet connectivity when a
• Wipe out the hard drive on a sensor host            certain fraction of peer-list updating servant bots
immediately after retrieving the report data.         are removed (that is to say, either removed by
• Specify expiration time in report command to        defenders or off-line).Let C(p) denote the
prevent any bot exposing itself after that time.      connected ratio and D(p) denote the degree ratio
• Issue another command to the botnet to cancel       after removing top p fraction of mostly-
the previous report command once the botmaster        connected bots among those peer-list updating
knows that the sensor host has been captured by       servant bots—this is the most efficient and
defenders.                                            aggressive defense that could be done when
                                                      defenders have the complete knowledge
         VI. BOTNET CONSTRUCTION                      (topology, bot IP addresses ...) of the botnet.
                                                      C(p) and D(p) are defined as:
A. Basic construction procedures                      C(p) =# of bots in the largest connected graph
      Botnet connectivity is solely determined by     # of remaining bots
the peer list in each bot. A natural way to build     D(p) =Average degree of the largest connected
peer lists is to construct them during                graph Average degree of the original botnet.
propagation. To make sure that a constructed
botnet is connected, the initial set of bots should   A. Monitoring
contain some servant bots whose IP addresses               In this area, defenders hold a better position
are in the peer list on every initial bot. Suppose    with the help from honey pots. If they utilize a
the size of peer list in each bot is configured to    honey pot on a large IP space, they may be able
be M. As a bot program propagates, the peer list      to trap a large number of botnet infection
in each bot is constructed according to the           attempts. If the bot program cannot detect the
following procedures:                                 honey pot and passes its peer list in each

Department of CSE, Sun College of Engineering and Technology
 National Conference on Role of Cloud Computing Environment in Green Communication 2012

infection attempt, the defenders could get many     Symposium on Networked Systems Design and
copies of peer lists, obtaining the important       Implementation (NSDI), May 2005.
information (IP addresses, encryption key,          [2] C. T. News, ―Expert: Botnets no. 1 emerging
service port) of many servant bots in a botnet.     internet               threat,‖             2006,
Second, based on honey pot bots, defenders may
be able to obtain the plain text of commands        furst/.
issued by a botmaster. Once the meaning of the      [3] F. Freiling, T. Holz, and G. Wicherski,
commands is understood, defenders are able to:      ―Botnet tracking: Exploring a root-cause
(1). Quickly find the sensor machines used by a     methodology to prevent distributed denial-of-
botmaster in report commands. If a sensor           service attacks,‖ CS Dept. of RWTH Aachen
machine can be captured by defenders before the     University, Tech. Rep. AIB-2005-07, April
collected information on it is erased by its        2005.
botmaster, they might be able to obtain detailed    [4] D. Dagon, C. Zou, and W. Lee, ―Modeling
information of the entire botnet; (2). Know the     botnet propagation using time zones,‖ in
target in an attack command so that they could      Proceedings of 13th Annual Network and
implement      corresponding    countermeasures     Distributed System Security Symposium (NDSS),
quickly right before (or as soon as) the actual     Feburary 2006, pp. 235–249.
attack begins. Another honey pot-based              [5] A. Ramachandran, N. Feamster, and D.
monitoring opportunity happens during peer-list     Dagon, ―Revealing botnet membership using
updating procedure. First, defenders could let      dnsbl counter-intelligence,‖ in USENIX 2nd
their honey pot bots claim to be servant bots in    Workshop on Steps to Reducing Unwanted
peer-list updating. By doing this, these honey      Traffic on the Internet (SRUTI 06), June 2006.
pots will be connected by many bots in the          [6] E. Cooke, F. Jahanian, and D. McPherson,
botnet. Second, during peer-list updating, each     ―The zombie roundup: Understanding, detecting,
honey pot bot could get a fresh peer list, which    and disrupting botnets,‖ in Proceedings of
means the number of bots revealed to each honey     SRUTI: Steps to Reducing Unwanted Traffic on
pot could be doubled.                               the Internet, July 2005.
                                                    [7] J. R. Binkley and S. Singh, ―An algorithm for
         VIII . CONCLUSION                          anomaly-based botnet detection,‖ in USENIX
                                                    2nd Workshop on Steps to Reducing Unwanted
      To be well prepared for future botnet         Traffic on the Internet (SRUTI 06), June 2006.
attacks, we should study advanced botnet attack     [8] I. Arce and E. Levy, ―An analysis of the
techniques that could be developed by               slapper worm,‖ IEEE Security & Privacy
botmaster’s in the near future. In this paper, we   Magazine, Jan.-Feb. 2003.
present the design of an advanced hybrid peer-to-
peer botnet. Compared with current botnets, the
proposed one is much harder to be shut down or
monitored. It provides robust network
connectivity, individualized encryption and
control traffic dispersion, limited botnet
exposure by each captured bot, and easy
monitoring and recovery by its botmaster. To
defend against such an advanced botnet, we
point out that honey pot may play an important
role. We should, therefore, invest more research
into determining how to deploy honey pots
efficiently and avoid their exposure to botnets
and botmaster’s.


[1] S. Kandula, D. Katabi, M. Jacob, and A.
Berger, ―Botz-4-sale: Surviving organized ddos
attacks that mimic flash crowds,‖ in 2nd

Department of CSE, Sun College of Engineering and Technology

To top