1

My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging
MA Rajab, J Zarfoss, F Monrose, A Terzis - Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.

Reporter: 高嘉男
Advisor: Chin-Laung Lei
2009/06/09

2

Outline
Introduction
◦ Botnet size?
Definitions & estimation techniques
Experiment
Hidden botnet connections
Conclusion

3

Introduction
How big are today’s botnets?
◦ Botnet size is currently poorly defined
◦ Different metrics lead to widely different results
◦ Some issues increase the difficulty
  - Cloning
  - Temporary migration
  - Hidden structures
Expecting a definitive answer is unreasonable

4

Definitions
Different definitions of botnet size
◦ Footprint: the overall size of the infected population at any point in its lifetime
◦ Live population: the number of live bots simultaneously present in the command and control channel

5

Estimation Techniques
Two broad categories
◦ Counting bots connecting to a particular server directly
  - Botnet infiltration
  - DNS redirection
◦ Exploiting external information

6

Botnet Infiltration
Infiltrating the botnet by joining the command and control channel
An IRC tracker mimics the behavior of actual bots and joins many botnets
Recording any information observed on the command and control channel
Limitations
◦ Botmasters may suppress bot identities
◦ Counting can lead to different estimates

7

DNS Redirection
Manipulating the DNS entry associated with a botnet’s IRC server and redirecting connections to a sinkhole
The sinkhole completed the three-way TCP handshake with bots attempting to connect to the (redirected) IRC server and recorded their IP addresses
Limitations
◦ It can only measure the botnet’s footprint
◦ There is no way of knowing if the bots are connecting to the same command and control channel
◦ Botmasters can redirect their bots to another IRC server

8

Exploiting External Information
DNS cache snooping
◦ Bots normally make a DNS query to resolve the IP address of their IRC server
◦ A cache hit implies that at least one bot has queried its nameserver
◦ The total number of cache hits provides an indication of the botnet’s DNS footprint
DNS footprint provides (at best) only a lower bound of its actual footprint

9

Experiment

10

Result : Footprint & Live Population

11

Result : DNS Footprint

12

Temporary Bot Migration
Botmasters command bots to temporarily migrate from one botnet to another

13

Bot Cloning
Botmasters command bots to create copies of themselves and join a new channel on the same server
◦ Clone flooding
◦ Normal cloning

14

Hidden Botnet Connections
A d-dimensional structural feature vector $v_i = \langle x_1, x_2, \ldots, x_d \rangle$
Features to represent a botnet’s unique identity
◦ DNS name and/or IP address of IRC server
◦ IRC server or IRC network name (e.g., ToXiC.BoTnEt.Net)
◦ Server version (e.g., Unreal3.2.3)
◦ IRC channel name
◦ Botmaster ID
For a pair of vectors $(v_i, v_j)$ the pair-wise score $m_{i,j}$ is a weighted dot product of the two vectors
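As an added illustration (not code from the paper or these slides): one way to compute the pair-wise score $m_{i,j}$ over the structural features above and group botnets whose scores exceed a threshold. The per-feature equality matching, the weights and the connected-components clustering rule are assumptions of this example, not the paper's method; the botnet records are constructed sample data.

```python
from itertools import combinations

# Feature order mirrors the slide: d = 6 structural features per botnet.
FEATURES = ("dns_name", "server_ip", "irc_network", "server_version",
            "channel", "botmaster_id")
# Assumed weights (not from the paper): features that are hard to change
# casually, such as the server address or the botmaster's nick, count more.
WEIGHTS = {"dns_name": 3, "server_ip": 3, "irc_network": 2,
           "server_version": 1, "channel": 1, "botmaster_id": 3}

def pairwise_score(v_i, v_j):
    """Weighted dot product m_{i,j}: a coordinate contributes its weight when
    both botnets carry the same value there, 0 otherwise. An empty value
    never matches, so unknown features do not inflate the score."""
    return sum(WEIGHTS[f] for f in FEATURES
               if v_i.get(f) and v_i.get(f) == v_j.get(f))

def cluster_botnets(botnets, threshold):
    """Group botnets linked by any pair scoring >= threshold (union-find);
    the transitive-closure rule is an assumption, not the paper's method."""
    parent = {name: name for name in botnets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(botnets, 2):
        if pairwise_score(botnets[a], botnets[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = {}
    for name in botnets:
        clusters.setdefault(find(name), []).append(name)
    return sorted(sorted(c) for c in clusters.values())

# Constructed sample data: bn1 and bn2 use different DNS names and channels
# but the same server, network and botmaster, i.e. a hidden connection.
SAMPLE = {
    "bn1": {"dns_name": "irc.alpha.example", "server_ip": "192.0.2.10",
            "irc_network": "ToXiC.BoTnEt.Net", "server_version": "Unreal3.2.3",
            "channel": "#a1", "botmaster_id": "op1"},
    "bn2": {"dns_name": "irc.beta.example", "server_ip": "192.0.2.10",
            "irc_network": "ToXiC.BoTnEt.Net", "server_version": "Unreal3.2.3",
            "channel": "#b7", "botmaster_id": "op1"},
    "bn3": {"dns_name": "irc.gamma.example", "server_ip": "198.51.100.5",
            "irc_network": "OtherNet", "server_version": "Unreal3.2.3",
            "channel": "#c2", "botmaster_id": "op9"},
}
```

With a threshold of 5, `cluster_botnets(SAMPLE, 5)` places bn1 and bn2 in one cluster and bn3 on its own, which is the kind of affiliation the next slides count per cluster.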

15

Botnet Cluster

16

Number of Botnets Affiliated with Botnet Cluster

17

Conclusion
No single metric is sufficient for describing all aspects of a botnet’s size
A prudent step towards providing more reliable size estimates is to synthesize the results from multiple concurrent and independent views of a botnet’s behavior

18

References
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, “My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging,” in Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.

Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, “A Multifaceted Approach to Understanding the Botnet Phenomenon,” in Proceedings of the ACM SIGCOMM/USENIX Internet Measurement Conference (IMC), pages 41–52, 2006.