
Challenges in Botnet Size Estimation

This article examines the challenges in estimating the size of botnets and discusses various techniques used for estimation. It highlights the limitations of different methods and emphasizes the need for multiple concurrent views to provide more reliable size estimates.

turnerjames

Presentation Transcript


  1. My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging. M. A. Rajab, J. Zarfoss, F. Monrose, A. Terzis, Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007. Reporter: 高嘉男. Advisor: Chin-Laung Lei. 2009/06/09

  2. Outline
  • Introduction
  • Botnet size?
  • Definitions & estimation techniques
  • Experiment
  • Hidden botnet connections
  • Conclusion

  3. Introduction
  • How big are today’s botnets?
  • Botnet size is currently poorly defined
  • Different metrics lead to widely different results
  • Some issues increase the difficulty
    • Cloning
    • Temporary migration
    • Hidden structures
  • Expecting a definitive answer is unreasonable

  4. Definitions
  • Different definitions of botnet size
    • Footprint: the overall size of the infected population at any point in its lifetime
    • Live population: the number of live bots simultaneously present in the command and control channel

  5. Estimation Techniques
  • Two broad categories
    • Counting bots connecting to a particular server directly
      • Botnet infiltration
      • DNS redirection
    • Exploiting external information

  6. Botnet Infiltration
  • Infiltrating the botnet by joining the command and control channel
    • An IRC tracker mimics the behavior of actual bots and joins many botnets
    • Recording any information observed on the command and control channel
  • Limitations
    • Botmasters may suppress bot identities
    • Counting can lead to different estimates

  7. DNS Redirection
  • Manipulating the DNS entry associated with a botnet’s IRC server and redirecting connections to a sinkhole
    • The sinkhole completed the three-way TCP handshake with bots attempting to connect to the (redirected) IRC server and recorded their IP addresses
  • Limitations
    • It can only measure the botnet’s footprint
    • There is no way of knowing if the bots are connecting to the same command and control channel
    • Botmasters can redirect their bots to another IRC server

  8. Exploiting External Information
  • DNS cache snooping
    • Bots normally make a DNS query to resolve the IP address of their IRC server
    • A cache hit implies that at least one bot has queried its nameserver
    • The total number of cache hits provides an indication of the botnet’s DNS footprint
    • The DNS footprint provides (at best) only a lower bound of the actual footprint

  9. Experiment

  10. Result : Footprint & Live Population

  11. Result : DNS Footprint

  12. Temporary Bot Migration • Botmasters command bots to temporarily migrate from one botnet to another

  13. Bot Cloning
  • Botmasters command bots to create copies of themselves and join a new channel on the same server
    • Clone flooding
    • Normal cloning

  14. Hidden Botnet Connections
  • A d-dimensional structural feature vector
    • Features to represent a botnet’s unique identity
      • DNS name and/or IP address of IRC server
      • IRC server or IRC network name (e.g., ToXiC.BoTnEt.Net)
      • Server version (e.g., Unreal3.2.3)
      • IRC channel name
      • Botmaster ID
  • For a pair of vectors, the pair-wise score is a weighted dot product of the two vectors
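The pair-wise score and clustering described on slides 14–16, as an added example (not code from the paper or the presentation): each botnet is a record of the five identity features, a pair's feature vector marks which features match, the score is the weighted dot product normalised by total weight, and pairs above a threshold are merged into a cluster. The weights, the threshold and the sample records are assumptions.

```python
"""Structural similarity between botnets (added example; weights, threshold
and the sample records are assumptions, not values from the paper)."""
from collections import defaultdict

# Feature dimensions from slide 14; the weights are assumed, not the paper's.
FEATURES = ("dns_name", "ip", "server_name", "version", "channel", "botmaster")
WEIGHTS = {"dns_name": 3.0, "ip": 3.0, "server_name": 2.0,
           "version": 0.5, "channel": 1.0, "botmaster": 2.0}

def feature_vector(a, b):
    """Binary d-dimensional vector: 1 where botnets a and b share a feature."""
    return [int(a.get(f) is not None and a.get(f) == b.get(f)) for f in FEATURES]

def pairwise_score(a, b):
    """Weighted dot product of the shared-feature vector with the weight
    vector, normalised to [0, 1] by the total weight."""
    vec = feature_vector(a, b)
    total = sum(WEIGHTS[f] for f in FEATURES)
    return sum(v * WEIGHTS[f] for v, f in zip(vec, FEATURES)) / total

def cluster(botnets, threshold):
    """Union-find: botnets whose pair-wise score >= threshold join a cluster.
    Returns sorted lists of record indices, one list per cluster."""
    parent = list(range(len(botnets)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i in range(len(botnets)):
        for j in range(i + 1, len(botnets)):
            if pairwise_score(botnets[i], botnets[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i in range(len(botnets)):
        groups[find(i)].append(i)
    return sorted(groups.values())

# Constructed sample records (made-up values, not real indicators).
SAMPLE = [
    {"dns_name": "irc.example-a.test", "ip": "192.0.2.10", "server_name": "ToXiC.BoTnEt.Net",
     "version": "Unreal3.2.3", "channel": "#a", "botmaster": "op1"},
    {"dns_name": "irc.example-b.test", "ip": "192.0.2.10", "server_name": "ToXiC.BoTnEt.Net",
     "version": "Unreal3.2.3", "channel": "#b", "botmaster": "op1"},
    {"dns_name": "irc.example-c.test", "ip": "198.51.100.7", "server_name": "other.irc.test",
     "version": "Unreal3.2.3", "channel": "#c", "botmaster": "op9"},
]

if __name__ == "__main__":
    print(cluster(SAMPLE, threshold=0.5))  # [[0, 1], [2]]
```

Records 0 and 1 share the server IP, server name, version and botmaster, so they land in one cluster even though their DNS names and channels differ, which is the kind of hidden connection the feature vector is meant to surface.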

  15. Botnet Cluster

  16. Number of Botnets Affiliated with Botnet Cluster

  17. Conclusion
  • No single metric is sufficient for describing all aspects of a botnet’s size
  • A prudent step towards providing more reliable size estimates is to synthesize the results from multiple concurrent and independent views of a botnet’s behavior

  18. References
  • Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, “My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging,” in Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.
  • Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, “A Multifaceted Approach to Understanding the Botnet Phenomenon,” in Proceedings of the ACM SIGCOMM/USENIX Internet Measurement Conference (IMC), pages 41–52, 2006.
