Army Rations Wiki

A Survey on Botnets with Cryptography

Abstract.

As network technology has developed, networks of bots (botnets) have become a major concern in the computer science community. Botnets are the cause of many threats to network security. They are commonly controlled through a C&C server using IRC or HTTP-based protocols [1], and more recently botnets have been built on P2P connections; the capabilities and activities of the bots differ with the structure of the botnet. Much research exists on the subject, so it is useful to categorize and classify the defense mechanisms against bots. Bot activity results in many negative effects, such as DDoS (Distributed Denial of Service) attacks and spamming. The detection and prevention mechanisms that have been proposed can be categorized into C&C-based bot detection and P2P-based bot detection. An important aspect of a botnet is managing the authenticity and integrity of its commands. Asymmetric cryptography offers a simple but effective way to do this, and that methodology is discussed here.

Keywords: botnet, bot detection, P2P bot, C&C bot, cryptography

1. INTRODUCTION

The untraceable nature of coordinated attacks is exactly what hackers and attackers want when they compromise a computer or a network for illegal purposes. Once a group of hosts in different locations is controlled by a malicious person or entity to launch an attack, the origins can hardly be traced because of the complexity of the Internet. For this reason, the growth of incidents and threats against legitimate Internet activity, such as information leakage, click fraud, Denial of Service (DoS) attacks and e-mail spam, is a very serious problem today [1]. The victims, coordinated and controlled by the attacker as zombies, are called bots, a term derived from "robot". A bot is usually a software application that performs automated functions over the Internet [2]. Under a Command and Control (C2 or C&C) infrastructure, a group of bots forms a self-propagating, self-organizing and autonomous framework called a botnet [3]. In general, the botnet master (also called the perpetrator or herder) installs bots on a number of systems by compromising them remotely, using worms, Trojan horses or backdoors [3]. The majority of the victims run the Microsoft Windows operating system [3]. The process of stealing host resources to run a botnet is called "scrumping" [3].

Botnets can be classified into two broad categories based on their topology [4]. The typical and most common form is the Internet Relay Chat (IRC) based botnet. Because of its centralized architecture, researchers have developed feasible countermeasures to detect and destroy such botnets [5, 6]. Consequently, newer and more sophisticated attackers have begun to use Peer-to-Peer (P2P) technologies in their botnets [4, 7]. P2P botnets are distributed and have no central point of failure. Compared with IRC-based botnets they are more difficult to identify and take down [4]. Furthermore, most existing studies of them are still in the analysis phase [4, 7].

The paper is organized as follows. Section 2 gives a classification of botnets. Section 3 describes the relevant attacks. Section 4 covers detection and tracking mechanisms. Preventive measures are given in Section 5. The conclusion and future challenges are presented in Section 6.

2. CLASSIFICATION

Botnets are a new threat, with billions of infected hosts worldwide. Bots can infect thousands of computers at very high speed, like worms. Unlike worms, bots are able to act together as a botnet for a common malicious purpose. For this reason botnets play a very important role in today's Internet malware epidemic [16]. In [19], W. T. Strayer et al. proposed some flow-analysis metrics for detecting botnets. After filtering IRC sessions out of the traffic, flow-based methods were applied to discriminate malicious from benign IRC channels. The methods of [20] and [21] combine application-layer and network-layer analysis. E. Cooke et al. [22] correlated IRC activity at the application level with information gained from monitoring network activity. Some authors have introduced machine learning methods into botnet detection [23], since they sought a better way to characterize botnets. Currently, honeynets and Intrusion Detection Systems (IDS) are the two important techniques for preventing botnet attacks. Honeynets can be used [9] in both distributed and local contexts. They are suitable for gathering information about botnet attacks, but cannot say in detail how a victim came to be infected with a particular worm [9]. An IDS uses signatures or the known behavior of existing botnets to identify signs of a possible attack. The properties summarized here are therefore significant for securing a network against botnets. To the best of our knowledge, we have found no other work on anomaly-based detection of botnets.

2.1 Formation and utilization

To illustrate formation and utilization, we take a spamming botnet as an example. A typical botnet formation can be described in the following steps [3]:

1) The perpetrator sends botnet worms or viruses to victim machines; their payload is the bot.

2) The bots on the infected computers log into an IRC server or another communication medium to form a botnet.

3) A spammer pays the owner of the botnet to gain access rights.

4) The spammer sends commands to the botnet ordering the bots to send spam.

5) The infected computers send spam messages to different mail servers on the Internet.

2.2 IRC-based bot

IRC is a protocol for text-based instant messaging between people connected to the Internet. It is based on the client/server (C/S) model but is also suited to distributed environments [18]. Typical IRC servers are connected to each other and pass messages from one to another [18]. Hundreds of clients can connect through multiple servers. One widely used client is mIRC, through which communication between clients and servers is pushed to everyone connected to a channel. The functions of IRC-based bots include managing access lists, moving files, sharing clients, sharing information about channels and so on [18].

• Bot: usually an executable file triggered by a specific command from the IRC channel. Once a bot is installed on a victim host, it makes a copy of itself in a configurable directory and arranges for the malicious program to start together with the operating system. In general, the payload of worms or bots only opens the way for a back door [18].

• Control channel: an IRC channel set up by the attacker to manage all bots.

• IRC server: can be a compromised machine or even a legitimate public service provider.

• Attacker: the one who controls the IRC bots for attack.

The attacker's operations have four phases [16]:

1) Creation stage, where the attacker may add malicious code or simply modify one of the many highly customizable bots available on the Internet [16].

2) Configuration stage, where the IRC server and channel information is collected [16]. Once the bot is installed on the victim, it will automatically connect to the selected host [16]. Then the attacker restricts access and secures the channel to the bots for business or other purposes [16]. For example, the attacker is in a position to offer a list of bots to authorized users, who adapt the bots and utilize them for their own purposes.

3) Infection stage, where bots are propagated by several direct and indirect means [16]. As the name suggests, direct techniques exploit vulnerabilities of services or operating systems and are usually associated with the use of viruses [16]. Once vulnerable systems are compromised, they continue the infection process, saving the attacker's time and adding more victims [16]. The most vulnerable systems are Windows 2000 and XP SP1, where the attacker can easily find unpatched or unsecured (i.e. no firewall) hosts [16]. By contrast, indirect approaches use other programs as a proxy to spread bots, for example malware distributed by DCC (Direct Client-to-Client) file exchange via IRC or via P2P networks, in order to exploit the vulnerabilities of the target machine [16].

4) Control stage, where the attacker sends instructions to a group of bots via the IRC channel to perform some malicious tasks.

2.3 P2P-based bot

Few studies have focused on P2P-based bots so far [4, 24-29, 46]. It remains a challenging issue. In fact, using a P2P network for ad hoc control of victim hosts is not a novel technique [26]. P2P communication is much harder to disrupt, which means that the compromise of a single bot does not necessarily mean the loss of the entire botnet. But the design of P2P systems is complex, and there are usually no guarantees for message delivery and latency. A worm operating in P2P fashion, named Slapper [27], infected Linux systems for DoS attacks in 2002. It used hypothetical clients to send commands to compromised hosts and to receive answers from them [27]. This kept its network location anonymous and difficult to monitor [27]. One year later another P2P-based bot, dubbed Sinit, was released [28]. It uses public key cryptography to authenticate updates. Later, in 2004, Phatbot [29] was created to send commands to other vulnerable hosts through a P2P system. Currently the Storm Worm [24] is the most widely spread P2P bot on the Internet. T. Wood et al. analyzed it by binary analysis and network tracing [24]. They also suggested some techniques to disrupt the communication of a P2P-based botnet, such as eclipsing the binary content and polluting the file.

Nevertheless, the above P2P-based bots are not mature and have many weaknesses. Many P2P networks have a central server or a seed list of peers that can be contacted when a new peer joins. This process, called bootstrapping, is a single point of failure for a P2P-based botnet [25]. For this reason, the authors of [25] presented a hybrid P2P botnet to overcome this problem.

2.4 Types of bots

Many types of bots in the network have already been discovered and studied [9, 16, 17]. Table I lists the most widespread and well-known bots along with their basic functions.

TABLE I: Types of bots and their features

Types: Agobot, Phatbot, Forbot, Xtrembot
Features: They are so widespread that there are over 500 versions on the Internet today. Agobot is the only bot that can be controlled over protocols other than IRC [9]. It offers different approaches to hiding the bot on the compromised computer, including NTFS Alternate Data Streams, a polymorphic encryptor engine and an antivirus killer [16].

Types: SDBot, Rbot, UrBot, UrXBot
Features: SDBot is the basis of the three other bots and probably many more [9]. Unlike Agobot, its code is unclear and has only limited functions. Nevertheless, this group of bots is still widely used on the Internet [16].

Types: SpyBot, NetBIOS, Kuang, NetDevil, KaZaa
Features: There are hundreds of versions of SpyBot today [17]. Most of their C2 framework seems to be shared with or developed from SDBot [17]. But the codebase makes no attempt to hide its malicious purposes [17].

Types: mIRC-based GT-bots
Features: GT (Global Threat) bots are mIRC-based. They run a mIRC chat client together with a set of binaries (mainly DLLs) and scripts [16]. Often the application hides its window on the compromised host to make mIRC invisible to the user [9].

Types: DSNX bots
Features: DSNX (Data Network Spy X) offers a convenient plug-in interface for adding new functions [16]. Although the standard version does not come with spreaders, plugins can address this gap [9].

Types: Q8 Bots
Features: Developed for Unix/Linux OS with the common features of a bot, such as dynamic update via HTTP, various DDoS attacks, execution of arbitrary code, etc. [9].

Types: Kaiten
Features: Quite similar to Q8 bots, being based on the same runtime environment and likewise lacking spreaders. Kaiten has a simple remote shell, so it is useful for checking further vulnerabilities via IRC [9].

Types: Perl-based Bots
Features: Many versions are written in Perl today [9]. They are so small that the bot consists of only a few hundred lines of code [9]. So only limited basic commands for attacks are available, especially for DDoS attacks from Unix-based systems [9].

3. BOTNET ATTACKS

Botnets can be used for both legitimate and illegitimate purposes [6]. A legitimate aim is to support the operation of IRC channels, for example by granting administrator rights to certain people. Nevertheless, such objectives do not describe the vast majority of the bots we have seen. Based on the wealth of data from honeypots [9], the ways in which botnets are used for criminal or destructive purposes can be categorized as follows.

3.1 DDoS Attacks

Botnets are often used for DDoS attacks [9], in which the network services of a victim system are disabled by the botnet's extensive reach. For example, a perpetrator may first connect the botnet to a victim's IRC channel, and then flood that target with thousands of service requests from the botnet. In this type of DDoS attack the victim is cut off from the IRC network. Evidence shows that the attacks most frequently performed by botnets are TCP SYN and UDP flooding attacks [30].

General countermeasures against DDoS attacks require either (a) control over the large number of compromised machines or (b) disabling the remote control mechanism [30]. Still, we need more efficient ways to avoid this type of attack. F. C. Freiling et al. [30] presented an approach to preventing DDoS attacks by exploring the hidden bots with honeypots.

3.2 Spamming and spreading malware

About 70% to 90% of global spam is now caused by botnets, which is the most widely experienced problem in the Internet security industry [47, 49]. Studies report that when a SOCKS v4/v5 proxy (TCP/IP RFC 1928) is opened on compromised hosts by some bots, the machines can be used for nefarious tasks such as spamming. Moreover, some bots are able to collect e-mail addresses for specific tasks [9]. Therefore attackers use such botnets to send massive amounts of spam [31]. Researchers in [32] proposed a distributed, content-independent spam classification system called Trinity against spam from botnets. The designers assume that spam bots will send a mass of e-mails within a short time. Therefore any mail from such an address can be treated as spam.

To observe the aggregate behaviour of spam botnets and benefit their detection in the future, Y. Xie et al. [33] developed a spam signature generation framework called AutoRE. They also found several characteristics of spam botnets: (1) spammers often add random and legitimate URLs to the mail to escape detection [33]; (2) botnet IP addresses are usually spread over many ASes (Autonomous Systems), with only a few participating machines in each AS on average [33]; (3) although the content of the spam may be similar, the recipient addresses differ [33]. Using these features to capture and avoid spam botnets is worthwhile future research. Botnets can also be used to spread malware [9]. For example, the Witty worm could be started by a botnet through the ICQ protocol against victim systems running Internet Security Systems (ISS) services [9].

3.3 Information Leakage

Since some bots can sniff not only the traffic passing through the compromised machines but also the command data on the victim, perpetrators can easily obtain sensitive information such as usernames and passwords from botnets [9]. Evidence shows that botnets are quickly becoming more sophisticated at scanning hosts for key corporate and financial data [47]. Since bots rarely have an impact on the performance of the infected systems, they often stay out of view and are hard to catch. Keylogging is the solution for an internal attack [9, 16]. Such a bot listens for keyboard activity and, after filtering out meaningless input, reports the useful information to its master. This allows the attacker to steal private information and login data from thousands of victims [16].

3.4 Click fraud

With the help of a botnet, perpetrators are able to install advertising add-ons and browser helper objects (BHOs) for business purposes [9]. Just as with Google's AdSense program, in the interest of obtaining a higher click-through rate (CTR), the offender may from time to time use botnets to click on certain hyperlinks and thus raise the CTR artificially [9]. This is also effective against surveys or online games [9]. As each victim host has a unique IP address, scattered around the world, each click is considered a valid action by a legitimate person.

3.5 Identity Fraud

Identity fraud, also known as identity theft, is a fast-growing crime on the Internet [9]. Phishing mail is a typical case. It typically includes legitimate-looking URLs and asks the recipient to enter personal or confidential information. Such messages are generated and sent by a botnet's spamming mechanisms [9]. In a further step, botnets can also host multiple fake websites posing as official business websites to harvest victims' information. Once one fake site is closed down by its owner, another may emerge, until the computer is shut down.

4. DETECTION AND TRACING

Meanwhile, different approaches to identifying and tracking botnets have been proposed or tried. The first and most common is the use of honeypots, where a subnet pretends to be compromised by a trojan but actually observes the behaviour of attackers, so that the controlling hosts can be identified [22]. In a relevant case, Freiling et al. [30] introduced a feasible way to detect certain types of DDoS attacks launched by botnets. First, they actively use honeypots to gather bot binaries. Then they run the captured bots on the honeypot, which joins the botnet as if it were a compromised machine, and allow them to access the IRC server. In the end the botnet is infiltrated by a "silent drone" that collects information which may be useful for dismantling the botnet. A further, frequently used method is for insiders to use the information to track an IRC-based botnet [11]. The third, but not least common, approach is probing DNS caches on the network to resolve the IP addresses of the botnet's target servers [11].

4.1 Honeypot and Honeynet

Honeypots are valuable because of their strong ability to recognize threats, gather malware and help understand the behaviour and motivations of perpetrators. A honeynet, for monitoring a large and diverse network, consists of more than one honeypot in a network. Most researchers focus on Linux-based honeynets, for the obvious reason that more free honeynet tools are available on Linux than on any other platform [6]. As a result, only a few tools support honeypots on Windows, and intruders are beginning to proactively remove honeypots.

Some researchers aim to design a reactive firewall or related resources to prevent repeated compromises of honeypots [6]. When a compromised port is detected, such a firewall can block incoming attacks on it [6]. This process should run covertly to avoid arousing the attacker's suspicion. Evidence tells us that we should focus less on protecting honeypots against multiple compromises by worms, since worms are what we use to detect their presence [6]. Because many intruders download toolkits to a victim immediately, we should block traffic selectively. These toolkits are important samples for future analysis. So, to some extent, the attacker's access to the honeypots should not be prevented too thoroughly [6].

As honeypots become more and more popular and are incorporated into defence systems, intruders will begin to search for ways to evade honeypot traps [34]. Several feasible techniques exist for identifying honeypots, for example detecting VMware and other virtual machine emulators [35, 36], or detecting a honeypot by the program's reactions to errors [37]. In [38], Bethencourt et al. successfully identified honeypots with intelligent probing of public reporting statistics. Krawetz [39] also presented a commercial anti-honeypot tool for spam operations, called "Send-Safe Honeypot Hunter". By checking the response of a remote proxy, spammers are able to recognize open-proxy honeypots [39]. However, this instrument cannot effectively identify honeypots other than open-proxy ones. Recently C. C. Zou et al. [34] proposed a different method for detecting honeypots, based on independent software and hardware. In their paper they also introduced an approach to effectively locate and remove infected honeypots with the help of a structured P2P botnet [34]. All the above evidence shows that the relevant research must improve in order to keep honeypots invisible to botnets.

4.2 IRC-based detection

IRC-based botnets have been widely studied, and therefore several features for recognizing them have been discovered. One easy way to recognize this type of botnet is to sniff the traffic on the common IRC ports (TCP port 6667) and then examine whether the payloads match the strings in our knowledge database [22]. Nevertheless, botnets have begun to communicate on random ports. Therefore another approach looks for the behaviour of bots. S. Racine [40] found that IRC-based bots are often idle and respond only upon receiving a specific instruction. Thus connections with such features can be marked as potential enemies. Nevertheless, this still has a high false positive rate.

There are also other methods for IRC-based botnet detection. Barford et al. [17] proposed some approaches based on source-code analysis. Rajab et al. [11] built a modified IRC client called the IRC tracker, which is able to connect to an IRC server and answer queries automatically. Given a template and the relevant fingerprint, the IRC tracker can instantiate a new session on the IRC server [11]. In case the botmaster tries to discover the true identity of the tracker, it appears as a fully responsive bot and answers any malicious command with the responses the attacker expects [11]. In what follows we introduce some detection methods for IRC-based botnets.

4.2.1 Detection Based on Traffic Analysis

Signature technology is often used in anomaly detection. The basic idea is to extract feature information from the packets and match it against the patterns of known bots registered in a knowledge base. Apparently it is easy to carry out, by simply comparing every byte in the packet, but it also has a number of drawbacks [45]. First, it cannot identify unknown bots [45]. Second, the knowledge base must always be updated with new signatures, which increases administration costs and reduces performance [45]. Third, new bots launch attacks before they are added to the knowledge base [45].

Some other techniques discover botnets based on the properties of IRC. Basically, two types of actions are involved in normal IRC communication: one is interactive commands and the other is exchanging messages [45]. If we can identify IRC operations performed by a particular program, it is possible to recognize a botnet attack [45]. For example, if private information is copied elsewhere by some IRC commands, we claim that the system is under attack, as normal chat behaviour would never do that [45]. On the other hand, the traffic can be encrypted or hidden in noise on the network [21]. Either situation makes the bots invisible.

In [45], the authors observed real traffic on the IRC communication port range 6666-6669. They found some IRC clients repeatedly sending login information while the server refused the connection [45]. Based on the experimental result, they claimed that bots repeat these actions at specific intervals after the IRC server rejects them, and that the intervals differ from bot to bot [45]. However, they did not consider a true IRC-based botnet attack in their experiment. Expanding their method is possible future work.
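The observation from [45] above, turned into detection logic as an added example (not code or data from the cited work): clients that keep retrying a rejected login on the IRC port range at a near-constant interval are flagged. The log format, the constructed sample lines, the minimum retry count and the regularity threshold are all assumptions of this example.

```python
"""Flag IRC clients that retry a rejected login at regular intervals.

Added example for the observation from [45]. The log format, sample
lines and thresholds are constructed for this illustration and are not
from the cited work.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: "timestamp client_ip server_port outcome".
# 10.0.0.9 retries every 60 s after each rejection (bot-like behaviour);
# 10.0.0.3 is a person retrying a few times at irregular intervals.
SAMPLE_LOG = """\
100 10.0.0.9 6667 REJECT
160 10.0.0.9 6667 REJECT
220 10.0.0.9 6667 REJECT
280 10.0.0.9 6667 REJECT
340 10.0.0.9 6667 REJECT
105 10.0.0.3 6667 REJECT
131 10.0.0.3 6667 REJECT
402 10.0.0.3 6667 REJECT
410 10.0.0.3 6667 ACCEPT
"""

IRC_PORTS = range(6666, 6670)  # the 6666-6669 range observed in [45]


def parse_log(text):
    """Return a list of (timestamp, client, port, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, port, outcome = line.split()
        records.append((int(ts), client, int(port), outcome))
    return records


def reject_intervals(records):
    """Map each client to the gaps (seconds) between its rejected IRC logins."""
    times = defaultdict(list)
    for ts, client, port, outcome in records:
        if port in IRC_PORTS and outcome == "REJECT":
            times[client].append(ts)
    gaps = {}
    for client, stamps in times.items():
        stamps.sort()
        gaps[client] = [b - a for a, b in zip(stamps, stamps[1:])]
    return gaps


def regularity(gaps):
    """Coefficient of variation of the gaps: 0.0 means perfectly periodic."""
    if len(gaps) < 2:
        return None  # one gap says nothing about periodicity
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def suspicious_clients(records, min_rejects=3, max_cv=0.2):
    """Clients rejected at least min_rejects times with near-constant spacing.

    Returns {client: retry period in seconds}.
    """
    flagged = {}
    for client, gaps in reject_intervals(records).items():
        if len(gaps) + 1 < min_rejects:
            continue
        cv = regularity(gaps)
        if cv is not None and cv <= max_cv:
            flagged[client] = round(mean(gaps), 1)
    return flagged


if __name__ == "__main__":
    print(suspicious_clients(parse_log(SAMPLE_LOG)))
```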

In [49], P. Sroufe et al. proposed a different method for botnet detection. Their approach efficiently and automatically identifies spam or bots. The main idea is to extract the shape of the e-mail (the number of lines and the number of characters in each line) by applying a Gaussian kernel density estimator [49]. E-mails with similar shapes are suspected. However, the authors could not show how to identify the botnet itself using this method. That may be another future work worth studying.

4.2.2 Detection Based on Activity Anomalies

In [21] the authors proposed an algorithm for anomaly-based botnet detection. It combines an IRC mesh detection component with a TCP-based anomaly detection module. First, a large number of TCP packets relating to the IRC hosts are observed and recorded. Based on the ratio of the number of TCP control packets (e.g. SYN, SYN-ACK, FIN and RST) to the total number of TCP packets, it is able to detect some anomalous activities [21]. They called this ratio the TCP work weight and claimed that a high value implies a possible attack by a scanner or worm [21]. However, this mechanism does not work if the IRC commands are encoded, as discussed in [21].
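The TCP work weight from [21] computed over a small packet trace, as an added example (not the cited authors' code): control packets (SYN, SYN-ACK, FIN, RST) divided by all TCP packets per host, optionally per time slot so that a short scanning burst is not diluted by a long quiet session. The record format, the flag spelling, the constructed packets and the alert threshold are assumptions of this example.

```python
"""TCP work weight per host, the ratio used by the detector of [21].

Added example. The packet log format, sample packets and the alert
threshold are constructed for this illustration.
"""
from collections import defaultdict

# Control packets counted in the numerator: SYN, SYN-ACK, FIN and RST.
CONTROL_FLAGS = {"S", "SA", "F", "R"}

# Constructed packet records: "timestamp source_ip tcp_flags", with
# tcpdump-style flag letters (S=SYN, A=ACK, P=PSH, F=FIN, R=RST).
# 10.0.0.5 sprays SYNs and gets resets like a scanner; 10.0.0.7 holds
# one ordinary IRC session carrying payload in PSH/ACK packets.
SAMPLE_PACKETS = """\
1 10.0.0.5 S
1 10.0.0.5 S
1 10.0.0.5 S
2 10.0.0.5 R
2 10.0.0.5 S
2 10.0.0.5 S
3 10.0.0.5 R
3 10.0.0.5 S
4 10.0.0.5 F
4 10.0.0.5 PA
1 10.0.0.7 S
1 10.0.0.7 A
2 10.0.0.7 PA
2 10.0.0.7 A
3 10.0.0.7 PA
3 10.0.0.7 A
4 10.0.0.7 PA
5 10.0.0.7 A
6 10.0.0.7 PA
7 10.0.0.7 F
"""


def parse_packets(text):
    """Return (timestamp, source, flags) tuples from the constructed log."""
    packets = []
    for line in text.splitlines():
        if line.strip():
            ts, src, flags = line.split()
            packets.append((int(ts), src, flags))
    return packets


def work_weights(packets, window=None):
    """Work weight = control packets / all TCP packets.

    With window=None the whole trace is one interval and keys are hosts;
    otherwise keys are (host, slot) with slot = timestamp // window.
    Returns {key: (control_count, total_count, weight)}.
    """
    counts = defaultdict(lambda: [0, 0])
    for ts, src, flags in packets:
        key = src if window is None else (src, ts // window)
        counts[key][1] += 1
        if flags in CONTROL_FLAGS:
            counts[key][0] += 1
    return {k: (c, t, c / t) for k, (c, t) in counts.items()}


def suspicious_hosts(packets, threshold=0.5, min_packets=5):
    """Hosts whose whole-trace work weight exceeds the threshold.

    min_packets avoids flagging a host seen only for a handshake, where a
    handful of SYN/FIN packets would dominate the ratio.
    """
    result = []
    for host, (ctrl, total, weight) in work_weights(packets).items():
        if total >= min_packets and weight > threshold:
            result.append((host, round(weight, 2)))
    return sorted(result)


if __name__ == "__main__":
    print(suspicious_hosts(parse_packets(SAMPLE_PACKETS)))
```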

4.3 DNS Tracking

Because bots usually send DNS queries to reach the C2 server, if we can discover their domain name, botnet traffic can be intercepted and blocked by blacklisting the domain name [41, 42]. Actually this is also an important secondary avenue for taking down botnets, by disabling their ability to spread [11]. H. Choi et al. [41] discussed the properties of botnet DNS. According to their analysis, botnet DNS queries can be easily distinguished from legitimate ones [41]. First, only bots send DNS queries to the domain of the C2 server; legitimate users never do [41]. Second, botnet members act together and move at the same time, as do their DNS queries [41], while legitimate queries occur continuously, which differs from a botnet [41]. Third, legitimate hosts do not use DDNS very often, whereas botnets usually use DDNS servers for C2 [41]. Based on the above features they developed an algorithm for identifying botnet DNS queries [41]. Its basic idea is to calculate a similarity for group activities and then distinguish the botnets on the basis of this value. The similarity value is defined as 0.5 × (C/A + C/B), where A and B are the sizes of two lists of IP addresses that requested the same domain name, and C is the number of IP addresses common to both lists [41]. If the value is approximately zero, such a domain may be suspected [41].
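The group-activity similarity of [41] computed from a DNS query log, as an added example (not the cited authors' code): for each domain, the set of clients that queried it in one observation window is compared with the set from a second window using 0.5 × (C/A + C/B), which is 1.0 when exactly the same hosts queried the domain in both windows and 0.0 when the sets are disjoint. The log format, the window length and the constructed queries are assumptions of this example.

```python
"""Group-activity similarity of DNS requesters, after the method of [41].

Added example. The log format, the two observation windows and the
sample queries are constructed for this illustration; the formula
0.5 * (C/A + C/B) is the one stated in the text.
"""
from collections import defaultdict

# Constructed DNS query log: "timestamp client_ip queried_domain".
# Window 0 covers timestamps 0-99, window 1 covers 100-199.
# The same four clients look up ctrl.example in both windows within a
# second of each other; news.example is looked up by whoever browses.
SAMPLE_QUERIES = """\
10 10.0.0.11 ctrl.example
10 10.0.0.12 ctrl.example
11 10.0.0.13 ctrl.example
11 10.0.0.14 ctrl.example
130 10.0.0.11 ctrl.example
130 10.0.0.12 ctrl.example
131 10.0.0.13 ctrl.example
131 10.0.0.14 ctrl.example
5 10.0.0.21 news.example
40 10.0.0.22 news.example
80 10.0.0.23 news.example
120 10.0.0.23 news.example
150 10.0.0.24 news.example
170 10.0.0.25 news.example
190 10.0.0.26 news.example
20 10.0.0.31 once.example
"""


def parse_queries(text):
    """Return (timestamp, client, domain) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, domain = line.split()
            out.append((int(ts), client, domain))
    return out


def requesters_per_window(queries, window_len):
    """Map domain -> {window_index: set of client IPs seen in that window}."""
    table = defaultdict(lambda: defaultdict(set))
    for ts, client, domain in queries:
        table[domain][ts // window_len].add(client)
    return table


def similarity(list_a, list_b):
    """0.5 * (C/A + C/B) with A, B the list sizes and C the common entries.

    A domain seen in only one window has an empty list on the other side;
    that is reported as 0.0 rather than dividing by zero.
    """
    a, b = len(list_a), len(list_b)
    if a == 0 or b == 0:
        return 0.0
    c = len(set(list_a) & set(list_b))
    return 0.5 * (c / a + c / b)


def domain_similarities(queries, window_len=100, first=0, second=1):
    """Similarity between two observation windows for every queried domain."""
    table = requesters_per_window(queries, window_len)
    return {domain: similarity(wins.get(first, set()), wins.get(second, set()))
            for domain, wins in table.items()}


if __name__ == "__main__":
    for domain, score in sorted(domain_similarities(parse_queries(SAMPLE_QUERIES)).items()):
        print(f"{domain:15s} {score:.3f}")
```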

There are also some other approaches. Dagon et al. [42] presented a method that examines the query rates of DDNS domains. Abnormally high rates, or rates concentrated in time, are suspicious, because attackers change their C2 servers frequently [44]. It uses both the Mahalanobis distance and Chebyshev's inequality to quantify how anomalous the rate is [44]. Schonewille et al. [43] found that once C2 servers have been taken down, DDNS responses often carry a name error message. Hosts repeating such queries can therefore be assumed to be infected [43]. In [44] the authors evaluated the above two methods through experiments on real-world data. They claimed that Dagon's approach was not as effective, since some C2 domain servers with short TTL are misclassified, while Schonewille's method was comparatively effective because the suspicious name queries came from independent individuals [44]. In [48], X. Hu et al. proposed a botnet detection system called RB-Seeker (Redirection Botnet Seeker). It is able to automatically detect botnets of any structure. RB-Seeker collects information about the bots' redirection activities (e.g. temporal and spatial characteristics) from two subsystems. Then it uses statistical methodology and a DNS query probing technique to distinguish malicious from legitimate domains. Experimental results show that RB-Seeker is an efficient instrument for recognizing both "aggressive" and "stealth" botnets.

5. STRONG CRYPTOGRAPHY

5.1 Tamper-proof command and control update

An important aspect of a botnet is managing the authenticity and integrity of commands. A bot should accept only commands issued by the botmaster. In current botnets, botmasters commonly use only a very weak form of authentication, e.g. a simple password scheme before sending the actual command. Even if botnets use stronger authentication schemes, these can usually be broken; e.g. the Storm Worm uses a 64-bit RSA implementation that can be overcome. In centralized IRC botnets this lack of authenticity could be overcome, for example, by patching the IRC servers so that only the botmaster can send messages in the designated channel. But when dealing with a decentralized network of equal peers, a botmaster needs to ensure that no hostile parties, such as defenders or other groups, can poison the botnet by injecting malicious commands.

Asymmetric cryptography offers a simple but effective way to do this: before releasing a bot into the wild, the botmaster creates a public/private cryptographic key pair, of which the public key is hard-coded into the bot binary. This enables the botmaster to sign all commands or files with his private key. All peers in the botnet are able to check the commands using the hard-coded public key, but given a reasonable key length (e.g. 2048 bits for RSA), no defender is able to forge the signature.

5.2 Rent a botnet

With the help of asymmetric cryptography, a botmaster takes on the role of a trusted certification authority, which is an efficient way to rent the botnet to others, in parts or as a whole, for a variable amount of time and for certain purposes, while still protecting it. To guard against malicious tenants it is recommended to implement a blacklist of invalid public keys. The blacklist is stored on each bot, and only the botmaster can add or remove public keys, by signing the order with its private key. Thus all certificates that an attacker obtains can be revoked.

However, such a blacklist is of little use against attacks that need only a short period to succeed. For example, a malicious tenant could buy a botnet certificate for the dissemination of spam and abuse it by ordering all bots to send an e-mail containing their IP address or other sensitive data to a specific address. In this way an attacker could easily obtain valuable information about the size of a botnet and its overall structure. Therefore, renting a botnet should be considered an option to be used with caution by a botmaster.

6. PREVENTIVE MEASURES

It takes only a few hours for a conventional worm to circle the globe once it is released from a single host. If a botnet worm appears, with several hosts infected worldwide at the same time, it is able to reach the majority of vulnerable hosts within a few minutes [7]. Some botnets have been discussed in the previous sections. However, many of them are still unknown to us. How to minimize the risk posed by botnets in the future is the topic we discuss in this section.

6.1 Countermeasures botnet attacks

Unfortunately, there are only a few solutions so far for protecting a host against a botnet DoS attack [3]. Although it is difficult to find the pattern of malicious hosts, network administrators continue to identify botnet attacks using passive OS fingerprinting extracted from the latest firewall equipment [3]. The life cycle of a botnet tells us that bots often use free DNS hosting services to point a subdomain at an inaccessible IP address. So removing these services may disable a botnet [3]. Currently many security companies focus on offerings to stop botnets [3]. Some of them protect consumers, while most others are designed for ISPs or companies [3]. The various products offered try to identify bot behaviour by means of anti-virus software. The enterprise products have identified nothing better than null-routing DNS entries or shutting down the IRC and other key servers of a botnet attack [3].

6.2 Countermeasures for the public

Personal or corporate security necessarily depends on one's communication partners [7]. Building a good relationship with these partners is essential. First, one should continually request security packages from the service provider, such as a firewall, an anti-virus toolkit, an intrusion detection utility, etc. [7]. If something goes wrong, there should be a phone number to call [7]. Secondly, one should pay close attention to traffic reports and report to the ISP when attacked by a DDoS attack; the ISP can help block the malicious IP addresses [7]. Thirdly, one should establish better accountability on one's systems, together with a law enforcement agency [7]. More specifically, academia and industry have proposed strategies for both home users and system administrators to prevent, detect and react to botnet attacks [16, 18]. Here we adopt their suggestions.

6.2.1 Home users

TABLE II: Rules for prevention by home users [18]

Type                 Strategies
Personal habits      Be cautious when downloading
                     Do not install unnecessary software
                     Read carefully before you click
Routine              Use anti-virus/anti-trojan utilities
                     Update the system often
                     Shut down the PC when you leave
Optional operations  Back up all systems regularly
                     Keep all software up to date
                     Install a personal firewall

6.2.2 System administrators

Likewise, there are rules for system administrators to prevent, detect and react to botnet attacks [16, 18]. As prevention methods, the administrator should follow the vendors' guidelines for updating the system and applications [18]. Also, keep up with current vulnerabilities, use access control, and maintain log files to achieve accountability [18]. As shown in Table III, these measures can help the system administrator minimize the botnets' ability to attack.

TABLE III: Rules for detection by system administrators [18]

Rule                          Notes
Monitor logs regularly        Analyze Internet traffic for anomalies
Use a network packet sniffer  Identify malicious traffic in the intranet;
                              isolate the malicious subnet
Check IRC activity on hosts
Scan individual machines      They may contain malware

Once an attack is detected, the system administrator should isolate the compromised computers and notify the home users [16]. Then collect the data on the infected hosts, including the log files [16]. Also identify the number of victims using sniffer tools [16]. Finally, report the infection to a security consultant [16].
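The rules in Table III and the response steps above (identify the malicious traffic, count the victims, isolate the affected machines) can be run as a check over connection logs. The Go program below is an added example written for this page, not code from the paper or from [16, 18]. It reads constructed flow records in a made-up "timestamp src dst dport" format (my invention, not any product's log format), flags internal hosts that open IRC connections (ports 6667 and 6697) to outside addresses, and goes a step beyond the table by also flagging periodic connections to a single external endpoint, a generic traffic-anomaly check; the set of flagged hosts is the victim list the administrator then isolates.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample log in a made-up "timestamp src dst dport" format (not a real product's format).
const sampleLog = `1200 10.0.1.20 203.0.113.9 6667
1260 10.0.1.20 203.0.113.9 6667
1320 10.0.1.20 203.0.113.9 6667
1205 10.0.1.21 203.0.113.9 6667
1265 10.0.1.21 203.0.113.9 6667
1325 10.0.1.21 203.0.113.9 6667
1210 10.0.2.5 198.51.100.7 443
1500 10.0.2.5 198.51.100.7 443
1230 10.0.3.8 203.0.113.9 6667`

// Plain and TLS IRC ports; the check is the "IRC activity" rule of Table III.
var ircPorts = map[int]bool{6667: true, 6697: true}

// beaconPeriod reports whether three or more connection times are spaced at a
// near-constant interval (all gaps within tol seconds of each other); the
// median gap is returned as the period.
func beaconPeriod(ts []int64, tol int64) (int64, bool) {
	if len(ts) < 3 {
		return 0, false
	}
	sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
	gaps := make([]int64, 0, len(ts)-1)
	for i := 1; i < len(ts); i++ {
		gaps = append(gaps, ts[i]-ts[i-1])
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
	return gaps[len(gaps)/2], gaps[len(gaps)-1]-gaps[0] <= tol
}

// Analyze returns, per internal host, why it was flagged: IRC to an outside
// address, or periodic connections to a single external endpoint.
func Analyze(log, internalCIDR string) (map[string][]string, error) {
	_, internal, err := net.ParseCIDR(internalCIDR)
	if err != nil {
		return nil, err
	}
	findings := map[string][]string{}
	conns := map[string][]int64{} // "src dst dport" -> connection timestamps
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", n+1, len(f))
		}
		ts, err1 := strconv.ParseInt(f[0], 10, 64)
		port, err2 := strconv.Atoi(f[3])
		src, dst := net.ParseIP(f[1]), net.ParseIP(f[2])
		if err1 != nil || err2 != nil || src == nil || dst == nil {
			return nil, fmt.Errorf("line %d: malformed record %q", n+1, line) // reject, never skip
		}
		if !internal.Contains(src) || internal.Contains(dst) {
			continue // only inside-to-outside traffic is examined
		}
		key := f[1] + " " + f[2] + " " + f[3]
		if _, seen := conns[key]; !seen && ircPorts[port] {
			findings[f[1]] = append(findings[f[1]], "irc "+f[2]+":"+f[3])
		}
		conns[key] = append(conns[key], ts)
	}
	keys := make([]string, 0, len(conns))
	for k := range conns {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order of findings
	for _, k := range keys {
		if period, ok := beaconPeriod(conns[k], 5); ok {
			p := strings.Fields(k)
			findings[p[0]] = append(findings[p[0]], fmt.Sprintf("beacon every %ds to %s:%s", period, p[1], p[2]))
		}
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(sampleLog, "10.0.0.0/8")
	if err != nil {
		panic(err)
	}
	for host, why := range findings {
		fmt.Printf("%s: %s\n", host, strings.Join(why, "; "))
	}
	fmt.Printf("%d hosts to isolate\n", len(findings))
}
```

Malformed lines are rejected rather than skipped, so a truncated or damaged log cannot silently hide a host. The 5-second tolerance and the three-connection minimum for beacon detection are assumptions tuned to the sample; real thresholds depend on the traffic baseline. A host that only talks on 443 at irregular times (10.0.2.5 in the sample) is correctly left alone.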

7. CONCLUSION AND FUTURE CHALLENGES

Finally, for a better understanding of botnets and how to stop their attacks, we have offered a survey of existing studies on botnets. The content discussed includes botnet formation and exploitation, and two typical topologies.

From the discussion in Section 2, we have some ideas about the different topologies. For IRC-based botnets, the thorny problem is that we do not have the source code of most bots; hence in-depth analysis of bots' network-level and system-level behaviours is rarely carried out. For P2P-based botnets, the following practical challenges deserve further consideration: (1) keeping the rest of the botnet alive when some bots have been taken over by defenders, (2) hiding the botnet topology when some bots are captured by defenders, (3) managing the botnet more easily, and (4) changing traffic patterns more frequently to make detection more difficult.

As we can see, detecting and prosecuting compromised computers in a botnet will continue to be a challenging task. Traffic fingerprinting is useful for identifying botnets. However, just like the signature techniques discussed in Section 3, its disadvantages are obvious: we would need an up-to-date knowledge base of all bots released in the world, which seems an impossible mission. Anomaly detection is another possible approach. However, if infected hosts do not behave unusually, it is not able to recognize such a potential threat. Since current detection technology depends on an attack taking place, there is no guarantee that we can find every vulnerable host. An interesting aspect of anomaly detection is the timing of its effectiveness. If an attack has taken place and we can grasp the anomaly early and resolve the related problems before it is used for malicious purposes, then anomaly detection is timely. We need to focus on time efficiency in future work.

In the wireless context, especially for ad hoc networks, we have not yet come across related research on either offense or defense. There are many open questions: (1) how to find the shortest route to the attack target, (2) how to prevent compromised hosts from being detected in the wireless network, and (3) how to propagate bots in the wireless network, especially starting from a couple of compromised hosts.

There are also some other interesting open issues to be considered. To the best of our knowledge, we currently cannot avoid DDoS attacks originating from botnets. Once an attack has been detected, there is no effective way to trace it and fight back. Instead, we simply shut down the compromised hosts or disconnect them from the network and await further remediation such as virus scanning or formatting the operating system. In fact, what we really need is to prevent the planting of bots in the first place. Perhaps the only effective way to eliminate botnets is to deploy new protocols on routers worldwide, but that is a huge project beyond reality. Then why not consider installing such protection locally on a gateway? Imagine if the gateway could block communication between bots across multiple domains; the attacker would then be unable to manage the compromised hosts worldwide. Meanwhile, the gateway could provide us with information about where the malicious command came from. Based on the abundant evidence in the network, it would be possible to trace the initial attack. Nevertheless, such an idea is very difficult to implement for the following reasons: (1) it is hard to distinguish the adverse data packets from the traffic flow, (2) cooperation between domains is not easy, and the situation in which some gateways are themselves compromised must be considered, and (3) how to trace the potential attack, and who should be identified for further analysis, must be investigated.

REFERENCES

[1] K. Ono, I. Kawaishi and T. Kamon, "Trend of botnet activity," 41st Annual IEEE International Carnahan Conference on Security Technology, Ottawa, Canada, Oct. 2007, pp. 243-249.

[2] Wikipedia, "Internet bot" [Online]. Available: http://en.wikipedia.org/wiki/Internet_bot.

[3] Wikipedia, "Botnet" [Online]. Available: http://en.wikipedia.org/wiki/Botnet.

[4] B. Thuraisingham, "Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic," IEEE International Conference on Intelligence and Security Informatics (ISI 2008), Taipei, Taiwan, June 2008, pp. xxix-xxx.

[5] C. Mazzariello, "IRC traffic analysis for botnet detection," Fourth International Conference on Information Assurance and Security, Naples, Italy, Sept. 2008, pp. 318-323.

[6] B. McCarty, "Botnets: Big and bigger," IEEE Security & Privacy, vol. 1, no. 4, pp. 87-90, Jul. 2003.

[7] G. P. Schaffer, "Worms and viruses and botnets, oh my!: Rational responses to emerging Internet threats," IEEE Security & Privacy, vol. 4, no. 3, pp. 52-58, May 2006.

[8] J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the source," ICNP'02: Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, Nov. 2002, pp. 312-321.

[9] P. Bacher, T. Holz, M. Kotter and G. Wicherski, "Know your enemy: Tracking botnets" [Online]. Available: http://www.honeynet.org/papers/bots/.

[10] T. Holz, P. Marechal and F. Raynal, "New threats and attacks on the World Wide Web," IEEE Security & Privacy, vol. 4, no. 2, pp. 72-75, Mar./Apr. 2006.

[11] M. A. Rajab, J. Zarfoss, F. Monrose and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil, Oct. 2006, pp. 41-52.

[12] E. Levy, "The making of a spam zombie army: Dissecting the Sobig worms," IEEE Security & Privacy, vol. 1, no. 4, pp. 58-59, Jul. 2003.

[13] D. Cook, J. Hartnett, K. Manderson and J. Scanlan, "Catching spam before it arrives: Domain specific dynamic blacklists," Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, Hobart, Australia, Jan. 2006, pp. 193-202.

[14] J. Jung and E. Sit, "An empirical study of spam traffic and the use of DNS black lists," IMC '04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Taormina, Italy, Oct. 2004, pp. 370-375.

[15] A. Ramachandran, N. Feamster and D. Dagon, "Revealing botnet membership using DNSBL counter-intelligence," Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, Volume 2, San Jose, USA, 2006, pp. 8-8.

[16] J. Govil, "Examining the criminology of bot zoo," 6th International Conference on Information, Communications & Signal Processing, Singapore, Dec. 2007, pp. 1-6.

[17] P. Barford and V. Yegneswaran, "An inside look at botnets," in Advances in Information Security, Springer, 2006.

[18] R. Puri, "Bots & botnet: An overview," Technical report, SANS Institute, 2003.

[19] W. T. Strayer, R. Walsh, C. Livadas and D. Lapsley, "Detecting botnets with tight command and control," Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, Nov. 2006, pp. 195-202.

[20] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi and S. Yamaguchi, "A proposal of metrics for botnet detection based on their cooperative behavior," Proceedings of the 2007 International Symposium on Applications and the Internet Workshops, Washington DC, USA, Jan. 2007, pp. 82-82.

[21] J. R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, San Jose, USA, 2006, pp. 7-7.

[22] E. Cooke, F. Jahanian and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop, Cambridge, USA, 2005, pp. 6-6.

[23] C. Livadas, R. Walsh, D. Lapsley and W. T. Strayer, "Using machine learning techniques to identify botnet traffic," Proceedings of the 31st IEEE Conference on Local Computer Networks, Tampa, USA, Nov. 2006, pp. 967-974.

[24] T. Holz, M. Steiner, F. Dahl, E. W. Biersack and F. Freiling, "Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm," Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, USA, Apr. 2008, pp. 1-9.

[25] S. Wang, S. Sparks and C. C. Zou, "An advanced hybrid peer-to-peer botnet," Proceedings of the First Workshop on Hot Topics in Understanding Botnets, Cambridge, USA, Jul. 2008, pp. 2-2.

[26] R. Lemos, "Bot software looks to improve peerage" [Online]. Available: http://www.securityfocus.com/news/11390.

[27] I. Arce and E. Levy, "An analysis of the Slapper worm," IEEE Security & Privacy Magazine, vol. 1, no. 1, pp. 82-87, Jan. 2003.

[28] J. Stewart, "Sinit P2P trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/sinit/.

[29] J. Stewart, "Phatbot trojan analysis" [Online]. Available: http://www.secureworks.com/research/threats/phatbot.

[30] F. C. Freiling, T. Holz and G. Wicherski, "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks," Lecture Notes in Computer Science, vol. 3679, Springer-Verlag, Germany, 2005, pp. 319-335.

[31] K. Chiang and L. Lloyd, "A case study of the Rustock rootkit and spam bot," Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, USA, 2007, pp. 10-10.

[32] A. Brodsky and D. Brodsky, "A distributed content independent method for spam detection," Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, USA, 2007, pp. 3-3.

[33] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten and I. Osipkov, "Spamming botnets: Signatures and characteristics," Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, Seattle, USA, Aug. 2008, pp. 171-182.

[34] C. C. Zou and R. Cunningham, "Honeypot-aware advanced botnet construction and maintenance," 2006 International Conference on Dependable Systems and Networks, Philadelphia, USA, Jun. 2006, pp. 199-208.

[35] J. Corey, "Advanced honey pot identification and exploitation" [Online]. Available: http://www.phrack.org/fakes/p63/p63-0x09.txt, 2004.

[36] K. Seifried, "Honeypotting with VMware basics" [Online]. Available: http://www.seifried.org/security/index.php/Honeypotting_With_VMWare_Basics, 2002.

[37] Honeyd Security Advisory 2004-001, "Remote detection via simple probe packet" [Online]. Available: http://www.honeyd.org/adv.2004-01.asc, 2004.

[38] J. Bethencourt, J. Franklin and M. Vernon, "Mapping Internet sensors with probe response attacks," Proceedings of the 14th USENIX Security Symposium, Baltimore, USA, Aug. 2005, pp. 193-208.

[39] N. Krawetz, "Anti-honeypot technology," IEEE Security & Privacy Magazine, vol. 2, no. 1, pp. 76-79, Jan. 2004.

[40] S. Racine, "Analysis of Internet Relay Chat usage by DDoS zombies," Master's thesis, Swiss Federal Institute of Technology Zurich, Apr. 2004.

[41] H. Choi, H. Lee, H. Lee and H. Kim, "Botnet detection by monitoring group activities in DNS traffic," Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Washington DC, USA, Oct. 2007, pp. 715-720.

[42] D. Dagon, "Botnet detection and response: The network is the infection" [Online]. Available: http://www.caida.org/workshops/dns-oarc/200507/slides/oarc0507-Dagon.pdf, 2005.

[43] A. Schonewille and D. J. van Helmond, "The Domain Name Service as an IDS," Master's project, University of Amsterdam, Netherlands, Feb. 2006. Available: http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf.

[44] R. Villamarin-Salomon and J. C. Brustoloni, "Identifying botnets using anomaly detection techniques applied to DNS traffic," Proceedings of the 5th IEEE Consumer Communications and Networking Conference, Las Vegas, USA, Jan. 2008, pp. 476-481.

[45] Y. Kugisaki, Y. Kasahara, Y. Hori and K. Sakurai, "Bot detection based on traffic analysis," Proceedings of the 2007 International Conference on Intelligent Pervasive Computing, Washington DC, USA, Oct. 2007, pp. 303-306.

[46] C. Langin, H. Zhou and S. Rahimi, "A model to use denied Internet traffic to indirectly discover internal network security problems," submitted to WIDA08.

[47] K. Pappas, "Back to basics to fight botnets," Communications News, vol. 45, no. 5, p. 12, May 2008.

[48] X. Hu, M. Knysz and K. G. Shin, "RB-Seeker: Auto-detection of redirection botnets," Proceedings of the 16th Annual Network & Distributed System Security Symposium (NDSS'09), Feb. 2009.

[49] P. Sroufe, S. Phithakkitnukoon, R. Dantu and J. Cangussu, "Email shape analysis for botnet spam detection," Consumer Communications and Networking Conference (CCNC 2009), Jan. 2009, pp. 1-2.

About the Authors

1. G. Satyavathy, Lecturer, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.
2. Dr. M. Punithavalli, Director and Head, Department of Computer Science, Sri Ramakrishna College of Arts and Science for Women, Coimbatore-641 044.

