An integrated experimental environment for distributed systems and networks
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
The design principles of PlanetLab
ACM SIGOPS Operating Systems Review
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
An advanced hybrid peer-to-peer botnet
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
The heisenbot uncertainty problem: challenges in separating bots from chaff
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
QEST '08 Proceedings of the 2008 Fifth International Conference on Quantitative Evaluation of Systems
Spamalytics: an empirical analysis of spam marketing conversion
Proceedings of the 15th ACM conference on Computer and communications security
Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures?
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
SLINGbot: A System for Live Investigation of Next Generation Botnets
CATCH '09 Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
BotGraph: large scale spamming botnet detection
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Walowdac - Analysis of a Peer-to-Peer Botnet
EC2ND '09 Proceedings of the 2009 European Conference on Computer Network Defense
Isolated virtualised clusters: testbeds for high-risk security experimentation and training
CSET'10 Proceedings of the 3rd international conference on Cyber security experimentation and test
Beyond simulation: large-scale distributed emulation of P2P protocols
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
GQ: practical containment for measuring modern malware systems
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Dissecting SpyEye - Understanding the design of third generation botnets
Computer Networks: The International Journal of Computer and Telecommunications Networking
| Hi-index | 0.00 |
Botnets constitute a serious security problem. A lot of effort has been invested towards understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods are integral parts of the development cycle of any such botnet mitigation schemes. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are "in-the-wild" botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing "in the lab" experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a 3000-node, fully-featured version of the Waledac botnet, complete with an emulated command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and design decisions made by its creators. Furthermore, we conducted experiments with sybil attacks launched against it and verified their viability. However, we were able to determine that mounting such attacks is not so simple: high resource consumption can cause havoc and partially neutralise them. Finally, we were able to repeat the attacks with varying parameters, in an attempt to optimise them. The merits of this experimental approach is underlined since by the fact that it would have been difficult to obtain these results by other methods.