Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures?

  • Authors: Carlton R. Davis, Stephen Neville, José M. Fernandez, Jean-Marc Robert, John McHugh
  • Affiliations: École Polytechnique de Montréal; University of Victoria; École Polytechnique de Montréal; École de technologie supérieure; Dalhousie University
  • Venue: ESORICS '08, Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
  • Year: 2008


Abstract

Botnets, in particular the Storm botnet, have been garnering much attention as vehicles for Internet crime. Storm uses a modified version of Overnet, a structured peer-to-peer (P2P) overlay network protocol, to build its command and control (C&C) infrastructure. In this study, we use simulation to determine whether there are any significant advantages or disadvantages to employing structured P2P overlay networks for botnet C&C, in comparison to using unstructured P2P networks or other complex network models. First, we identify some key measures to assess the C&C performance of such infrastructures, and employ these measures to evaluate Overnet, Gnutella (a popular, unstructured P2P overlay network), the Erdős-Rényi random graph model and the Barabási-Albert scale-free network model. Further, we consider the following three disinfection strategies: a) a random strategy that, with effort, can remove randomly selected bots and uses no knowledge of the C&C infrastructure; b) a tree-like strategy where local information obtained from a disinfected bot (e.g. its peer list) is used to more precisely disinfect new machines; and c) a global strategy, where global information, such as the degree of connectivity of bots within the C&C infrastructure, is used to target bots whose disinfection will have maximum impact. Our study reveals that while Overnet is less robust to random node failures or disinfections than the other infrastructures modelled, it outperforms them in terms of resilience against the targeted disinfection strategies introduced above. In that sense, Storm designers seem to have made a prudent choice! This work underlines the need to better understand how P2P networks are used, and can be used, within the botnet context, with this domain being quite distinct from their more commonplace usages.
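As an added illustration, not code from the paper, the following Python simulation applies the three disinfection strategies above to the two random-graph models the abstract names (Overnet and Gnutella are not modelled here) and measures resilience as the share of bots left in the largest surviving connected component. The tree-like strategy is assumed to be a breadth-first crawl of peer lists outward from one disinfected bot, and the graph sizes and disinfection budget are constructed values.

```python
import random
from collections import deque

def erdos_renyi(n, m, rng):  # G(n, m): n nodes, m distinct edges placed uniformly at random
    adj, edges = {v: set() for v in range(n)}, 0
    while edges < m:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v); adj[v].add(u); edges += 1
    return adj

def barabasi_albert(n, k, rng):  # preferential attachment: new node links to k nodes chosen by degree
    adj = {v: {w for w in range(k + 1) if w != v} for v in range(k + 1)}  # seed clique
    targets = [v for v in adj for _ in adj[v]]  # one entry per degree unit, so choice() is degree-weighted
    for new in range(k + 1, n):
        chosen = set()
        while len(chosen) < k:
            chosen.add(rng.choice(targets))
        adj[new] = chosen
        for v in chosen:
            adj[v].add(new); targets.extend((v, new))
    return adj

def disinfect(adj, strategy, budget, rng):  # bots removed with a fixed effort of `budget` machines
    if strategy == "random":            # no knowledge of the C&C topology
        return set(rng.sample(list(adj), budget))
    if strategy == "global":            # full knowledge: highest-degree bots first
        return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:budget])
    removed, frontier = set(), deque([rng.choice(list(adj))])  # "tree": assumed BFS over peer lists
    while frontier and len(removed) < budget:
        v = frontier.popleft()
        if v not in removed:
            removed.add(v); frontier.extend(w for w in adj[v] if w not in removed)
    return removed

def largest_component_fraction(adj, removed):  # share of original bots in the largest surviving component
    seen, best = set(removed), 0
    for s in adj:
        if s in seen: continue
        seen.add(s); q, size = deque([s]), 0
        while q:
            v = q.popleft(); size += 1
            for w in adj[v]:
                if w not in seen: seen.add(w); q.append(w)
        best = max(best, size)
    return best / len(adj)

def compare(n=2000, k=2, budget=200, seed=1):  # constructed parameters: 2000 bots, 10% disinfected
    rng = random.Random(seed)
    graphs = {"erdos_renyi": erdos_renyi(n, n * k, rng), "barabasi_albert": barabasi_albert(n, k, rng)}
    return {name: {s: round(largest_component_fraction(g, disinfect(g, s, budget, rng)), 3)
                   for s in ("random", "tree", "global")} for name, g in graphs.items()}
```

Calling `compare()` returns, per model, the surviving largest-component fraction under each strategy; the scale-free model loses noticeably more connectivity to the degree-targeted global strategy than to random disinfection, which is the contrast the abstract draws.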