
A First Step towards Live Botmaster Traceback

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2008)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5230))


Abstract

Despite the increasing botnet threat, research in the area of botmaster traceback is limited. The four main obstacles are 1) the low-traffic nature of the bot-to-botmaster link; 2) chains of "stepping stones"; 3) the use of encryption along these chains; and 4) mixing with traffic from other bots. Most existing traceback approaches can address one or two of these issues, but no single approach can overcome all of them. We present a novel flow watermarking technique to address all four obstacles simultaneously. Our approach allows us to uniquely identify and trace any IRC-based botnet flow even if 1) it is encrypted (e.g., via SSL/TLS); 2) it passes through multiple intermediate stepping stones (e.g., IRC servers, SOCKS proxies); and 3) it is mixed with other botnet traffic. Our watermarking scheme relies on adding padding characters to outgoing botnet C&C messages at the application layer. This produces specific differences in length between randomly chosen pairs of messages in a network flow. As a result, our watermarking technique can be used to trace any interactive botnet C&C traffic, and it only requires a few dozen packets to be effective. To the best of our knowledge, this is the first approach that has the potential to allow real-time botmaster traceback across the Internet.

We have empirically validated the effectiveness of our botnet flow watermarking approach with live experiments on PlanetLab nodes and public IRC servers on different continents. We achieved a detection rate of virtually 100% for watermarked (encrypted and unencrypted) IRC traffic with a false positive rate on the order of 10⁻⁵. Because IRC servers queue and throttle messages, mixing chaff with the watermarked flow does not significantly impact the effectiveness of our watermarking approach.
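As an added worked example (not code from the paper), the Python below shows the mechanics the abstract outlines: a key shared by the tracer and the sensor drives a pseudorandom choice of message pairs, the embedder pads the second message of each pair so that the quantized length difference carries one watermark bit, and a detector that sees nothing but message sizes recovers the bits and applies a threshold. The quantization step S = 8, the 32-bit mark, the 28-of-32 decision threshold, the keyed-PRNG pair selection and the IRC command lines are all assumptions made for this illustration, not the paper's published parameters; the false-positive figure is the binomial tail under a p = 1/2 model for unmarked flows.

```python
# Added example (not the paper's code): a length-difference flow watermark in the
# spirit of the scheme the abstract describes. Pair selection, the step S, the
# 32-bit mark, the threshold and the IRC lines are illustrative assumptions.
import hashlib
import hmac
import math
import random

S = 8                                                       # quantization step in bytes
PAD = " "                                                   # trailing spaces are harmless in IRC text
WATERMARK = [int(c) for c in format(0xC0FFEE42, "032b")]    # 32-bit mark
THRESHOLD = 28                                              # matching bits needed out of 32


def select_pairs(key, n_msgs, n_bits, nonce=b"flow-0"):
    """Derive n_bits disjoint (i, j) index pairs from a keyed PRNG.

    Embedder and detector share `key`; without it an observer cannot tell which
    messages carry the mark. Both sides must see the same message boundaries
    (one IRC line per TLS record is assumed here).
    """
    if 2 * n_bits > n_msgs:
        raise ValueError("too few messages to carry the watermark")
    seed = hmac.new(key, nonce, hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    order = list(range(n_msgs))
    rng.shuffle(order)
    return [(order[2 * k], order[2 * k + 1]) for k in range(n_bits)]


def bucket(diff):
    """Quantize a length difference to a bucket of width S (floor keeps negatives sane)."""
    return diff // S


def embed(messages, key, bits=WATERMARK):
    """Pad m_j of each selected pair so bucket(len(m_j) - len(m_i)) has parity bits[k].

    Padding can only lengthen a message, so the target is the centre of the
    nearest bucket at or above the current difference with the right parity.
    Sitting at a centre tolerates per-message length jitter of up to S//2 - 1
    bytes before a bit flips. Worst-case padding is 2*S - 1 bytes.
    """
    out = list(messages)
    for (i, j), b in zip(select_pairs(key, len(out), len(bits)), bits):
        diff = len(out[j]) - len(out[i])
        q = bucket(diff)
        centre = q * S + S // 2
        if q % 2 == b and diff <= centre:
            target = centre
        elif q % 2 == b:
            target = (q + 2) * S + S // 2       # next bucket with the same parity
        else:
            target = (q + 1) * S + S // 2
        out[j] = out[j] + PAD * (target - diff)
    return out


def observed_lengths(messages, overhead=0, jitter=None):
    """Sizes a passive observer sees after the IRC relay and TLS.

    `overhead` models a constant per-record addition (TLS header and MAC with a
    stream cipher, or the ':nick!user@host ' prefix the IRC server prepends for
    one sender); it cancels in every pairwise difference. `jitter` models small
    per-message variation such as block-cipher padding.
    """
    jitter = jitter or [0] * len(messages)
    return [len(m) + overhead + j for m, j in zip(messages, jitter)]


def extract(lengths, key, n_bits=len(WATERMARK)):
    """Recover the mark from lengths alone; no plaintext is needed."""
    pairs = select_pairs(key, len(lengths), n_bits)
    return [bucket(lengths[j] - lengths[i]) % 2 for (i, j) in pairs]


def detect(lengths, key, bits=WATERMARK, threshold=THRESHOLD):
    """Return (matching_bits, decision). An unmarked flow matches each bit with p = 1/2."""
    matches = sum(g == b for g, b in zip(extract(lengths, key, len(bits)), bits))
    return matches, matches >= threshold


def false_positive_rate(n_bits=len(WATERMARK), threshold=THRESHOLD):
    """P[an unmarked flow reaches the threshold]: binomial tail at p = 1/2."""
    return sum(math.comb(n_bits, k) for k in range(threshold, n_bits + 1)) / 2 ** n_bits


def sample_cnc_messages(n=64, seed=1):
    """Constructed botmaster-to-channel IRC lines (not captured traffic)."""
    rng = random.Random(seed)
    templates = [".login hunter2", ".scan {a}.{b}.0.0/16 445", ".ddos.syn 203.0.113.{c} 80 300",
                 ".download http://192.0.2.{c}/u.exe", ".keylog on", ".update", ".sysinfo"]
    return ["PRIVMSG #bots :" + rng.choice(templates).format(
                a=rng.randrange(1, 223), b=rng.randrange(256), c=rng.randrange(256))
            for _ in range(n)]


if __name__ == "__main__":
    key = b"shared-secret-between-tracer-and-sensor"
    clean = sample_cnc_messages()
    marked = embed(clean, key)
    print("marked flow seen through relay + TLS (+40 B/record):", detect(observed_lengths(marked, 40), key))
    print("unmarked flow:", detect(observed_lengths(clean, 40), key))
    print("false positive rate at %d/32 bits: %.1e" % (THRESHOLD, false_positive_rate()))
```

Run as a script, the marked flow is recovered at 32/32 bits even though every observed record carries a constant 40-byte overhead, while the unmarked flow's match count is whatever chance gives; at 28 of 32 bits the binomial tail is about 1e-5, the same order as the abstract's reported false positive rate. Two caveats the approach depends on: lengths must survive the path (an IRC server relays the text verbatim and prepends a fixed sender prefix; TLS with a stream cipher adds a constant per record), and a block cipher in CBC mode adds up to 15 bytes of padding per record, so a deployment behind one would need S larger than the cipher block size, at the cost of more padding per message.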




Editor information

Richard Lippmann Engin Kirda Ari Trachtenberg


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ramsbrock, D., Wang, X., Jiang, X. (2008). A First Step towards Live Botmaster Traceback. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_4


  • DOI: https://doi.org/10.1007/978-3-540-87403-4_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4
