My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging
MA Rajab, J Zarfoss, F Monrose, A Terzis - Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.
Reporter: 高嘉男, Advisor: Chin-Laung Lei, 2009/06/09
Outline
Introduction
◦ Botnet size?
Definitions & estimation techniques
Experiment
Hidden botnet connections
Conclusion
Introduction
How big are today's botnets?
◦ Botnet size is currently poorly defined
◦ Different metrics lead to widely different results
◦ Some issues increase the difficulty: cloning, temporary migration, hidden structures
Expecting a definitive answer is unreasonable
Definitions
Different definitions of botnet size
◦ Footprint: the overall size of the infected population at any point in its lifetime
◦ Live population: the number of live bots simultaneously present in the command and control channel
Estimation Techniques
Two broad categories
◦ Counting bots connecting to a particular server directly: botnet infiltration, DNS redirection
◦ Exploiting external information
Botnet Infiltration
Infiltrating the botnet by joining the command and control channel
An IRC tracker mimics the behavior of actual bots and joins many botnets
Recording any information observed on the command and control channel
Limitations
◦ Botmasters may suppress bot identities
◦ Counting can lead to different estimates
DNS Redirection
Manipulating the DNS entry associated with a botnet's IRC server and redirecting connections to a sinkhole
The sinkhole completed the three-way TCP handshake with bots attempting to connect to the (redirected) IRC server and recorded their IP addresses
Limitations
◦ It can only measure the botnet's footprint
◦ There is no way of knowing if the bots are connecting to the same command and control channel
◦ Botmasters can redirect their bots to another IRC server
Exploiting External Information
DNS cache snooping
◦ Bots normally make a DNS query to resolve the IP address of their IRC server
◦ A cache hit implies that at least one bot has queried its nameserver
◦ The total number of cache hits provides an indication of the botnet's DNS footprint
The DNS footprint provides (at best) only a lower bound on the botnet's actual footprint
Bot Cloning
Botmasters command bots to create copies of themselves and join a new channel on the same server
◦ Clone flooding
◦ Normal cloning
Hidden Botnet Connections
A d-dimensional structural feature vector $v_i = (x_1, x_2, \ldots, x_d)$
Features to represent a botnet's unique identity
◦ DNS name and/or IP address of IRC server
◦ IRC server or IRC network name (e.g., ToXiC.BoTnEt.Net)
◦ Server version (e.g., Unreal3.2.3)
◦ IRC channel name
◦ Botmaster ID
For a pair of vectors $v_i, v_j$ the pair-wise score $m_{i,j}$ is a weighted dot product of the two vectors
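The pair-wise scoring described above, as an added example that is not code from the paper or the presenter: each botnet record is compared feature by feature, the per-feature agreement indicators form the vector $(x_1, \ldots, x_d)$, and the score $m_{i,j}$ is their weighted sum. The feature weights, the equality-based encoding, and the sample botnet records are assumptions made for the example.

```python
# Pairwise similarity of botnet "structural feature vectors" (added example;
# not code from the Rajab et al. paper). Feature weights, the equality-based
# encoding of the dot product, and the sample botnet records are assumptions.
from itertools import combinations

# The d = 5 structural features listed on the slide, with assumed weights w_k.
FEATURES = ("server", "network_name", "server_version", "channel", "botmaster_id")
WEIGHTS = {"server": 3.0, "network_name": 2.0, "server_version": 0.5,
           "channel": 2.0, "botmaster_id": 2.5}
TOTAL_WEIGHT = sum(WEIGHTS.values())  # 10.0, used to normalise scores to [0, 1]


def feature_vector(a, b):
    """Indicator vector (x_1, ..., x_d): x_k = 1 when botnets a and b agree on
    feature k. Missing values (None) never count as a match, so an unknown
    botmaster ID cannot inflate the score."""
    return tuple(int(a.get(f) is not None and a.get(f) == b.get(f)) for f in FEATURES)


def score(a, b):
    """Pair-wise score m_{i,j}: weighted dot product of the indicator vector
    with the weights, normalised by the total weight."""
    x = feature_vector(a, b)
    return sum(WEIGHTS[f] * xk for f, xk in zip(FEATURES, x)) / TOTAL_WEIGHT


def link_botnets(botnets, threshold):
    """Return (name_i, name_j, m_ij) for every pair whose score reaches the
    threshold, i.e. botnets that look related despite using separate channels."""
    links = []
    for (ni, vi), (nj, vj) in combinations(sorted(botnets.items()), 2):
        m = score(vi, vj)
        if m >= threshold:
            links.append((ni, nj, round(m, 3)))
    return links


# Constructed sample records (the network name and server version strings are
# the examples quoted on the slide; the rest are placeholders).
SAMPLE = {
    "botnet-A": {"server": "irc.example-a.test", "network_name": "ToXiC.BoTnEt.Net",
                 "server_version": "Unreal3.2.3", "channel": "#a1", "botmaster_id": "bm-1"},
    "botnet-B": {"server": "irc.example-a.test", "network_name": "ToXiC.BoTnEt.Net",
                 "server_version": "Unreal3.2.3", "channel": "#b2", "botmaster_id": "bm-1"},
    "botnet-C": {"server": "irc.example-c.test", "network_name": "OtherNet",
                 "server_version": "Unreal3.2.3", "channel": "#c3", "botmaster_id": None},
}

if __name__ == "__main__":
    for link in link_botnets(SAMPLE, threshold=0.5):
        print(link)  # ('botnet-A', 'botnet-B', 0.8)
```

Two botnets on the same server under the same botmaster score high even though their channels differ, which is exactly the case where counting channels separately would overstate the number of distinct botnets.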
Conclusion
No single metric is sufficient for describing all aspects of a botnet's size
A prudent step towards providing more reliable size estimates is to synthesize the results from multiple concurrent and independent views of a botnet's behavior
References
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, "My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging," in Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon," in Proceedings of the ACM SIGCOMM/USENIX Internet Measurement Conference (IMC), pages 41–52, 2006.