The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

Abstract: Botnets constitute a serious security problem. A lot of effort has been invested towards understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods is an integral part of the development cycle of any such botnet mitigation scheme. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are “in-the-wild” botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing “in-the-lab” experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a close to 3000-node, fully-featured version of the Waledac botnet, complete with a reproduced command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and the design decisions made by its creators. Furthermore, we conducted experiments where we launched sybil attacks against the botnet. We were able to verify that such an attack is, in the case of Waledac, viable. However, we were also able to determine that mounting such an attack is not so simple: high resource consumption can cause havoc and partially neutralise the attack. Finally, we were able to repeat the attack with varying parameters, in an attempt to optimise it.
The merits of this experimental approach are underlined by the fact that it is very difficult to obtain these results by employing other methods.
Document type: Conference paper
Annual Computer Security Applications Conference, Dec 2010, Austin, Texas, United States. 2010

https://hal.inria.fr/inria-00536706
Contributor: Joan Calvet
Submitted on: Thursday, 18 November 2010 - 13:38:12
Last modified on: Thursday, 11 January 2018 - 06:21:25
Document(s) archived on: Saturday, 19 February 2011 - 02:48:17

File

article_acsac04v3.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: inria-00536706, version 1

Citation

Joan Calvet, Carlton R. Davis, José M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, et al. The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet. Annual Computer Security Applications Conference, Dec 2010, Austin, Texas, United States. 2010. 〈inria-00536706〉
