Article

A multifaceted approach to understanding the botnet phenomenon

Authors:

Moheeb Abu Rajab,

Fabian Monrose,

Andreas TerzisAuthors Info & Claims

IMC '06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement

Pages 41 - 52

https://doi.org/10.1145/1177080.1177086

Published: 25 October 2006 Publication History

Abstract

The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic - 27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

References

[1]

Paul Baecher, Thorsten Holz, Markus Kötter, and Georg Wicherski. The Malware Collection Tool (mwcollect). Available at http://www.mwcollect.org/.

[2]

Paul Baecher, Markus Kötter, Thorsten Holz, Maximillian Dornseif, and Felix Freiling. The Nepenthes Platform: An Efficient Approach to Collect Malware. In Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2006.

Digital Library

[3]

Paul Barford and Vinod Yagneswaran. An Inside Look at Botnets. To appear in Series: Advances in Information Security, Springer, 2006.

[4]

Clam AntiVirus. Available at http://www.clamav.net/.

[5]

Evan Cooke, Farnam Jahanian, and Danny McPherson. The Zombie Roundup: Understanding, Detecting, and Disturbing Botnets. In Proceedings of the first Workshop on Steps to Reducing Unwanted Traffic on the Internet (STRUTI), pages 39--44, July 2005.

Digital Library

[6]

David Dagon, Cliff Zou, and Wenke Lee. Modeling Botnet Propagation Using Time Zones. In Proceedings of the 13th Network and Distributed System Security Symposium NDSS, February 2006.

[7]

Edward W. Felten and Michael A. Schneider. Timing attacks on web privacy. In CCS '00: Proceedings of the 7th ACM conference on Computer and communications security, pages 25--32, New York, NY, USA, 2000. ACM Press.

Digital Library

[8]

Felix Freiling, Thorsten Holz, and Georg Wicherski. Botnet Tracking: Exploring a root-cause methodology to prevent denial-of-service attaks. In Proceedings of 10th European Symposium on Research in Computer Security, ESORICS, pages 319--335, September 2005.

Digital Library

[9]

Luis Grangeia. DNS Cache Snooping or Snooping the Cache for Fun and Profit, Available at http:www.//sysvalue.com/papers/DNS-Cache-Snooping/files/DNS_Cache_Snooping_1.1.pdf, 2004.

[10]

Honeyd Virtual Honeypot Framework, http://www.honeyd.org/.

[11]

IP2LOCATION, Bringing Geography to the Internet. Available at http://www.ip2location.com/.

[12]

M. St. Johns. RFC 1413: Identification protocol, January 1993.

[13]

C. Kalt. Internet Relay Chat: Client Protocol. RFC 2812 (Informational), April 2000.

Digital Library

[14]

Dan Kaminsky. Welcome to Planet Sony, http://www.doxpara.com/.

[15]

Eddie Kohler, Robert Morris, Benjie Chen, John Jannotti, and M. Frans Kaashoek. The Click Modular Router. ACM Transactions on Computer Systems, 18(3):263--297, 2000.

Digital Library

[16]

Willaim Metcalf. Snort In-line. Available at http://snort-inline.sourceforge.net/.

[17]

Alexandros Ntoulas, Junghoo Cho, and Christopher Olston. What's New on the Web? The Evolution of the Web from a Search Engine Perspective. In Proceedings of the 13th International World Wide Web (WWW) Conference, pages 1--12, 2004.

Digital Library

[18]

Larry Peterson, Tom Anderson, David Culler, and Timothy Roscoe. A Blueprint for Introducing Disruptive Technology into the Internet. SIGCOMM Computer Communication Reviews, 33(1):59--64, 2003.

Digital Library

[19]

Honeynet Project and Research Alliance. Know your enemy: Tracking Botnets, March 2005. See http://www.honeynet.org/papers/bots/.

[20]

Niels Provos. A virtual honeypot framework. In Proceedings of the USENIX Security Symposium, pages 1--14, August 2004.

Digital Library

[21]

Jeremy Sugerman, Ganesh Venkitachalam, and Beng-Hong Lim. Virtualizing IO Devices on VMware Workstation's Hosted Virtual Machine Monitor. In USENIX Annual Technical Conference, 2001. Available at http://www.vmware.com/.

Digital Library

[22]

The UnrealIRC Team. Unrealircd. See http://www.unrealircd.com/.

[23]

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage. Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm. Proceedings of ACM SIGOPS Operating System Review, 39(5):148--162, 2005.

Digital Library

[24]

Nick Weaver Weidong Cui, Vern Paxson and Randy H. Katz. Protocol-Independent Adaptive Replay of Application Dialog. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb 2006.

Cited By

S KSundararajan KVasudevan ISheela LThyagarajan S(2024)Detection and Categorization of Conflict Flows Within SDN Environments using Machine Learning Approach2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE)10.1109/ic-ETITE58242.2024.10493381(1-6)Online publication date: 22-Feb-2024
https://doi.org/10.1109/ic-ETITE58242.2024.10493381
Nguyen HSubramani KAcharya BPerdisci RVadrevu P(2024)C-Frame: Characterizing and measuring in-the-wild CAPTCHA attacks2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00200(277-295)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00200
Lyu MHabibi Gharakheili HSivaraman V(2024)A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack DetectionIEEE Access10.1109/ACCESS.2024.341906812(89363-89383)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3419068
Show More Cited By

Index Terms

A multifaceted approach to understanding the botnet phenomenon
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Honeypot detection in advanced botnet attacks

Botnets have become one of the major attacks in the internet today due to their illicit profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security ...
Analysis of a Botnet Takeover

Botnets, networks of malware-infected machines (bots) that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program ...
Your botnet is my botnet: analysis of a botnet takeover
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement

October 2006

356 pages

ISBN:1595935614

DOI:10.1145/1177080

General Chairs:
Jussara Almeida
Federal University of Minas Gerais, Brazil
,
Virgilio Almeida
Federal University of Minas Gerais, Brazil
,
Program Chair:
Paul Barford
University of Wisconsin -- Madison, USA

Copyright © 2006 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 October 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

IMC06

Sponsor:

IMC06: Internet Measurement Conference

October 25 - 27, 2006

Rio de Janeriro, Brazil

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

355
Total Citations
View Citations
4,524
Total Downloads

Downloads (Last 12 months)201
Downloads (Last 6 weeks)6

Reflects downloads up to 07 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

S KSundararajan KVasudevan ISheela LThyagarajan S(2024)Detection and Categorization of Conflict Flows Within SDN Environments using Machine Learning Approach2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE)10.1109/ic-ETITE58242.2024.10493381(1-6)Online publication date: 22-Feb-2024
https://doi.org/10.1109/ic-ETITE58242.2024.10493381
Nguyen HSubramani KAcharya BPerdisci RVadrevu P(2024)C-Frame: Characterizing and measuring in-the-wild CAPTCHA attacks2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00200(277-295)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00200
Lyu MHabibi Gharakheili HSivaraman V(2024)A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack DetectionIEEE Access10.1109/ACCESS.2024.341906812(89363-89383)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3419068
Carr LChavula J(2024)Deep Learning Classification for Encrypted Botnet Traffic: Optimising Model Performance and Resource UtilisationSouth African Computer Science and Information Systems Research Trends10.1007/978-3-031-64881-6_1(3-29)Online publication date: 8-Jul-2024
https://doi.org/10.1007/978-3-031-64881-6_1
ALASALI TDAKKAK O(2023)EXPLORING THE LANDSCAPE OF SDN-BASED DDOS DEFENSE: A HOLISTIC EXAMINATION OF DETECTION AND MITIGATION APPROACHES, RESEARCH GAPS AND PROMISING AVENUES FOR FUTURE EXPLORATIONInternational Journal of Advanced Natural Sciences and Engineering Researches10.59287/ijanser.7267:4(327-349)Online publication date: 22-May-2023
https://doi.org/10.59287/ijanser.726
Al lelah TTheodorakopoulos GReinecke PJaved AAnthi E(2023)Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature ReviewJournal of Cybersecurity and Privacy10.3390/jcp30300273:3(558-590)Online publication date: 1-Sep-2023
https://doi.org/10.3390/jcp3030027
Vanerio JGyörgyi CSchmid SRamos FShahbaz MGurevich VSignorello S(2023)Poster: P4DME: DNS Threat Mitigation with P4 In-Network Machine Learning OffloadProceedings of the 6th on European P4 Workshop10.1145/3630047.3630251(53-56)Online publication date: 8-Dec-2023
https://dl.acm.org/doi/10.1145/3630047.3630251
Ngo Q(2023)Towards Detecting Suspicious Features in IoT Botnet2023 7th International Conference on Trends in Electronics and Informatics (ICOEI)10.1109/ICOEI56765.2023.10125742(452-457)Online publication date: 11-Apr-2023
https://doi.org/10.1109/ICOEI56765.2023.10125742
Yadav BKushwaha VKumar MPathak N(2023)Detection of botnet in Machine Learning2023 International Conference on Disruptive Technologies (ICDT)10.1109/ICDT57929.2023.10151328(36-42)Online publication date: 11-May-2023
https://doi.org/10.1109/ICDT57929.2023.10151328
Trehan SHimanshu Nishad A(2023)Feature Engineering Strategies in Machine Learning for Distinguishing Legitimate Traffic from Application Layer DDoS Attacks2023 2nd International Conference on Automation, Computing and Renewable Systems (ICACRS)10.1109/ICACRS58579.2023.10404755(1687-1693)Online publication date: 11-Dec-2023
https://doi.org/10.1109/ICACRS58579.2023.10404755
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents