Detection of Botnets Using Honeypots and P2P Botnets

Posted on StudyMode: April 22, 2013
Rajab Challoo & Raghavendra Kotapalli

Detection of Botnets Using Honeypots and P2P Botnets
Rajab Challoo
Dept. of Electrical Engineering & Computer Science, Texas A&M University Kingsville, Kingsville 78363-8202, USA

kfrc000@tamuk.edu

Raghavendra Kotapalli
Dept. of Electrical Engineering & Computer Science, Texas A&M University Kingsville, Kingsville 78363-8202, USA

raghavsan@gmail.com

Abstract
A “botnet” is a group of compromised computers connected to a network, which can be used for both recognition and illicit financial gain, and it is controlled by an attacker (bot-herder). One of the countermeasures proposed in recent developments is the “Honeypot”. An attacker who is aware of the Honeypot would take adequate steps to maintain the botnet and hence attack the Honeypot (Infected Honeypot). In this paper we propose a method to remove the infected Honeypot by constructing a peer-to-peer structured botnet which detects the uninfected Honeypot and uses it to detect the botnets originally used by the attacker. Our simulation results show that our method is very effective and can detect the botnets that are intended to malign the network.

Keywords: Peer-to-peer network, Botnet, Honeypot, Hijacking.

1. INTRODUCTION
The increase in Internet malware in recent attacks has attracted considerable attention to botnets. Their uses include email spamming, key logging, click fraud and traffic sniffing [1]. Recently detected dangerous botnets include Mariposa (2008), Oficla (2009) and TDSS (2010). Scattered attacks are carried out by bot controllers using a program called a bot, which communicates with other bots and receives commands from Command and Control servers [3]. Because traditional botnets are designed to operate from a central source (the bot-attacker's machine) that can be shut down once security agencies pinpoint it, botmasters resort to peer-to-peer (P2P) botnets, which have no centralized source and can grow at an alarming speed. For example, the botnet Oficla can spam up to 3.6 billion targets per day [4]. In this paper we show how a combination of Honeypots and a peer-to-peer botnet can be used to defend against attacks from other botnets. To defend more effectively against such malicious attacks, one needs to analyze botnets from the bot-attacker's perspective, which requires studying the basic structure of the botnet and its network. The antivirus approach of signature-based detection, removing one bot or virus at a time, works at the host level, but when bot-attackers use polymorphic methods to create new instances from the bot code, antivirus detection becomes much harder. Security experts monitor Command and Control (C&C) traffic to detect an entire infected network; identifying the C&C channel mitigates the botnet problem on a large scale [5]. Once defenders identify a C&C channel, the entire botnet can be captured [3]. After a botnet is captured, botmasters move on to more advanced techniques.

International Journal of Computer Science and Security (IJCSS), Volume (5) : Issue (5) : 2011


2. BACKGROUND
To mitigate the botnet problem, the command and control mechanism has been studied to determine the structure of C&C botnets, so that defenders can monitor, hijack and shut down the network. Defenders can then shut down the entire C&C channel and prevent the attack [5]. In P2P botnets there is no central point for controlling the bots. The servant bots act as both clients and servers [6], accepting both incoming and outgoing connections, whereas the client bots do not accept incoming connections. Only servant bots are added to the peer-lists. All bots, both client and servant, contact the servant bots to retrieve commands [4].

2.1 Types of Botnets
Bots are basically classified into three types based on botnet...
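The servant/client structure described in Section 2 has a consequence that matters to defenders: because only servant bots appear in peer-lists, and every bot polls the servants it knows to fetch commands, the servant bots are the P2P equivalent of the C&C channel. The following toy model, added here as an illustration and not code from the paper or its authors, builds a small P2P botnet graph with that structure and measures how many bots can still receive a command after a set of nodes is taken offline (for instance, sinkholed by defenders). All host names, peer-lists and the ranking heuristic are constructed for this example.

```python
"""Toy model of the P2P botnet structure described in Section 2.

Servant bots accept incoming connections and are the only hosts that appear in
peer-lists; client bots only make outgoing connections and pull commands from
the servant bots they know.  Every host name, peer-list and parameter below is
constructed for this example; nothing here is data from the paper.
"""
import random
from collections import deque


def build_botnet(n_servants, n_clients, peers_per_bot, seed=0):
    """Construct a synthetic botnet: every bot's peer-list holds only servants."""
    rng = random.Random(seed)
    servants = [f"servant-{i}" for i in range(n_servants)]
    clients = [f"client-{i}" for i in range(n_clients)]
    peer_lists = {}
    for bot in servants + clients:
        candidates = [s for s in servants if s != bot]
        peer_lists[bot] = rng.sample(candidates, min(peers_per_bot, len(candidates)))
    return servants, clients, peer_lists


def reachable_bots(peer_lists, seeds, removed=frozenset()):
    """Return the set of bots that can obtain a command injected at `seeds`.

    A command spreads from a servant to every bot that lists it as a peer
    (bots poll their peers for commands), so we walk the reverse peer graph.
    Bots in `removed` are offline: they neither relay nor receive anything.
    """
    listed_by = {}
    for bot, peers in peer_lists.items():
        for peer in peers:
            listed_by.setdefault(peer, set()).add(bot)
    seen = {s for s in seeds if s not in removed}
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        for bot in listed_by.get(current, ()):
            if bot not in removed and bot not in seen:
                seen.add(bot)
                queue.append(bot)
    return seen


def rank_servants_by_exposure(peer_lists):
    """Servants ordered by how many peer-lists contain them (most-listed first).

    A defender who has enumerated peer-lists (e.g. from captured bots) can use
    this count to prioritise which servants to sinkhole first.  Ties are broken
    by name so the result is deterministic.
    """
    counts = {}
    for peers in peer_lists.values():
        for peer in peers:
            counts[peer] = counts.get(peer, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


def takedown_fraction(peer_lists, seeds, removed):
    """Fraction of the remaining (not removed) bots still able to get commands."""
    remaining = [b for b in peer_lists if b not in removed]
    if not remaining:
        return 0.0
    still_reached = reachable_bots(peer_lists, seeds, frozenset(removed))
    return len(still_reached) / len(remaining)


if __name__ == "__main__":
    servants, clients, peer_lists = build_botnet(n_servants=6, n_clients=30,
                                                 peers_per_bot=2, seed=1)
    seeds = {servants[0]}  # the botmaster injects the command at one servant
    print("reach with nothing removed :",
          f"{takedown_fraction(peer_lists, seeds, set()):.2f}")
    top = rank_servants_by_exposure(peer_lists)[:3]
    print("reach after removing 3 most-listed servants:",
          f"{takedown_fraction(peer_lists, seeds, set(top)):.2f}")
    print("reach after removing 3 clients:",
          f"{takedown_fraction(peer_lists, seeds, set(clients[:3])):.2f}")
```

Removing client bots never cuts anyone else off, because clients are absent from every peer-list; removing servants, by contrast, isolates every client whose whole peer-list is gone and can partition the servants themselves. That asymmetry is the structural reason the paper's background treats the servant population as the place to monitor, hijack or shut down a P2P botnet.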