Abstract
Despite the growing botnet threat, research on botmaster traceback is limited. The four main obstacles are 1) the low-traffic nature of the bot-to-botmaster link; 2) chains of "stepping stones"; 3) the use of encryption along these chains; and 4) mixing with traffic from other bots. Most existing traceback approaches address one or two of these issues, but no single approach overcomes all of them. We present a novel flow watermarking technique that addresses all four obstacles simultaneously. Our approach allows us to uniquely identify and trace any IRC-based botnet flow even if 1) it is encrypted (e.g., via SSL/TLS); 2) it passes through multiple intermediate stepping stones (e.g., an IRC server or a SOCKS proxy); and 3) it is mixed with other botnet traffic. Our watermarking scheme relies on adding padding characters to outgoing botnet C&C messages at the application layer. This produces specific differences in length between randomly chosen pairs of messages in a network flow. As a result, our watermarking technique can be used to trace any interactive botnet C&C traffic, and it requires only a few dozen packets to be effective. To the best of our knowledge, this is the first approach with the potential to allow real-time botmaster traceback across the Internet.
We have empirically validated the effectiveness of our botnet flow watermarking approach with live experiments on PlanetLab nodes and public IRC servers on different continents. We achieved a detection rate of virtually 100% for watermarked (encrypted and unencrypted) IRC traffic with a false positive rate on the order of 10^-5. Because IRC servers queue and throttle messages, mixing chaff with the watermarked flow does not significantly impact the effectiveness of our watermarking approach.
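The following is an illustrative implementation of the length-difference watermark the abstract describes, added here as an example; it is not the paper's code, and the pairing rule (seeded shuffle into disjoint pairs), the bucket quantization of the length difference, the use of trailing spaces as padding, the constructed C&C messages and the simulated IRC relay prefix are all assumptions made for the example. The encoder only lengthens messages, so the C&C content is never altered; the decoder needs nothing but the observed per-message lengths, the shared seed and the bucket size, which is what makes the mark survive a stepping stone that rewrites each line with a constant prefix.

```python
import math
import random

# Constructed sample botmaster -> bot C&C messages (not taken from the paper).
SAMPLE_MESSAGES = [
    ".scan 10.0.0.0/8 445",
    ".ddos syn 192.0.2.10 80 600",
    ".update http://example.invalid/b.exe",
    ".login s3cret",
    ".keylog start",
    ".stop",
    ".dns example.invalid",
    ".spam run list1",
    ".join #ops",
    ".quit",
    ".sysinfo",
    ".clone 5",
]


def select_pairs(num_messages, num_bits, seed):
    """Pseudo-randomly choose num_bits disjoint (i, j) message index pairs.
    The seed is the secret shared by the watermark encoder and decoder
    (pairing rule assumed for this example)."""
    if 2 * num_bits > num_messages:
        raise ValueError("not enough messages to carry the watermark")
    rng = random.Random(seed)
    idx = list(range(num_messages))
    rng.shuffle(idx)
    return [(idx[2 * k], idx[2 * k + 1]) for k in range(num_bits)]


def embed(messages, watermark, seed, bucket, pad_char=" "):
    """Return a padded copy of messages carrying the watermark bits.
    Bit k lives in the parity of floor((len(m_j) - len(m_i)) / bucket) for pair k.
    Only padding is appended, never removed, so every command stays intact."""
    out = list(messages)
    for (i, j), bit in zip(select_pairs(len(out), len(watermark), seed), watermark):
        d = len(out[j]) - len(out[i])
        q = d // bucket                          # bucket index of the current difference
        if q % 2 != bit:
            q += 1                               # next bucket up: parity flips, d only grows
        target = q * bucket + bucket // 2        # aim for the middle of the chosen bucket
        if target >= d:
            out[j] = out[j] + pad_char * (target - d)   # lengthen m_j to raise d
        else:
            out[i] = out[i] + pad_char * (d - target)   # lengthen m_i to lower d
    return out


def extract(lengths, num_bits, seed, bucket):
    """Recover the watermark bits from observed message lengths (e.g. payload sizes),
    using only the shared seed and bucket size."""
    return [((lengths[j] - lengths[i]) // bucket) % 2
            for (i, j) in select_pairs(len(lengths), num_bits, seed)]


def detect(lengths, watermark, seed, bucket, max_errors):
    """True when the extracted bits match the watermark within max_errors bit flips."""
    got = extract(lengths, len(watermark), seed, bucket)
    errors = sum(a != b for a, b in zip(got, watermark))
    return errors <= max_errors


def false_positive_rate(num_bits, max_errors):
    """Probability that an unwatermarked flow (extracted bits ~ uniform random)
    passes detect(): the binomial tail with p = 1/2."""
    return sum(math.comb(num_bits, k) for k in range(max_errors + 1)) / 2 ** num_bits


def relay_through_irc(messages, prefix=":botmaster!u@h PRIVMSG #c :"):
    """Simulate an IRC server (stepping stone) rewriting each line with a
    constant-length prefix (assumed format): absolute lengths change, pairwise
    differences do not, so the watermark survives."""
    return [prefix + m for m in messages]


def demo():
    watermark = [1, 0, 1, 1, 0, 0]
    seed, bucket = 0xC0FFEE, 8
    marked = embed(SAMPLE_MESSAGES, watermark, seed, bucket)
    observed = [len(m) for m in relay_through_irc(marked)]
    return {
        "extracted": extract(observed, len(watermark), seed, bucket),
        "detected": detect(observed, watermark, seed, bucket, max_errors=1),
        "fpr_32_bits": false_positive_rate(32, 2),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points the example makes visible. First, the false positive rate is set entirely by the watermark length and the error tolerance: 32 bits with up to 2 tolerated errors gives about 1.2e-7, so a mark of a few dozen messages is enough for a rate in the 10^-5 range the abstract reports. Second, when the flow is encrypted the observer sees ciphertext record lengths rather than plaintext lengths; a fixed per-record overhead cancels in the pairwise differences, but a block cipher in a padding mode rounds lengths up to the block size, so the bucket size has to be chosen larger than that block size for the parity to survive (an assumption of this example, not a claim from the paper).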
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Ramsbrock, D., Wang, X., Jiang, X. (2008). A First Step towards Live Botmaster Traceback. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_4
DOI: https://doi.org/10.1007/978-3-540-87403-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4