In this paper the authors outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. They then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and explain that a more comprehensive approach is required. They conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.
The paper starts by trying to quantify the problem of botnets, simply by giving an account of the numbers involved. According to the statistics provided, the number of new bots observed each day rose from less than 2,000 to more than 30,000 over the first six months of 2004. The total number of bot infected systems has been measured to be between 800,000 to 900,000 and CERT has described botnets with more than 100,000 members.
In this paper the authors have tried to emphasize on the quickly evolving nature and gravity of the botnet problem. They investigate the methods of stopping botnets, and identify the following three ways:
1. Prevent systems from being infected: There are a range of existing techniques, including anti-virus software, firewalls, and automatic patching.
2. Directly detect command and control communication among bots and
between bots and controllers:
3. Detect the secondary features of a bot infection such as propagation or attacks.
The focus in this paper is on the second and third methods. It goes on to explain IRC based communication and detection of the command and control mechanisms. Detection is difficult due to the presence of multiple types of command and control models, which include the following:
1. Centralized: With a central controller controlling all other bots. ie. Snowflake model.
2. P2P: A Peer to Peer topology.
3. Random: No single bot knows about more than one other bot. Such systems have very simple design, however the message latency would be high with no guarantee of delivery.
The paper concludes by mentioning that the botnet problem requires collaboration
among researchers to devise hybrid data analysis techniques and collaboration between network operators to more quickly and automatically act on threats. Botnets are a global problem that affects the entire Internet community and requires a community effort to stop them.
GLOSSARY:
1. IRC: Internet Relay Chat
2. CERT: Carnegie Mellon University's Computer Emergency Response Team