Botnet Architecture


It is a proposed architecture by Ping Wang, Sherri Sparks, and Cliff C. Zou, Member, IEEE.

Published in: Technology


  1. MODELING BOTNET IN PEER TO PEER SYSTEMS
     Presented by J.P. Bhagath Singh, B.E, M.Tech (N/W), VIT University, Vellore
     Guided by Prof. ChandraMouliswaran S.

  2. INTRODUCTION
     In the last several years, Internet malware attacks have evolved into better-organized and more profit-centered endeavors.
     E-mail spam, extortion through denial-of-service attacks, and click fraud are a few examples of this emerging trend.
     "Botnets" are a root cause of these problems.
     A "botnet" consists of a network of compromised computers ("bots") connected to the Internet that is controlled by a remote attacker ("botmaster").

  3. Botnet
     A botnet is a large number of compromised computers that are used to create and send spam or viruses, or to flood a network with messages as a denial-of-service attack.
     The term is derived from the idea of bot networks. In its most basic form, a bot is simply an automated computer program, or robot.
     Bots refer to computers that can be controlled by one, or many, outside sources.
     An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access.

  4. Existing system
     Most botnets that have appeared until now have had a common centralized architecture. That is, bots in the botnet connect directly to some special hosts (called "command-and-control" servers, or "C&C" servers). These C&C servers receive commands from their botmaster and forward them to the bots.
     From a botmaster's perspective, the C&C servers are the fundamental weak points in current botnet architectures: a botmaster loses control of the botnet once the limited number of C&C servers are shut down by defenders, and an entire botnet may be exposed once a C&C server in the botnet is hijacked or captured by defenders.
  5. (figure slide; no text)

  6. Proposed Architecture

  7. The main aim of this proposed system is to design an advanced hybrid peer-to-peer botnet.
     Generation of a robust botnet capable of maintaining control of its remaining bots even after a substantial portion of the botnet population has been removed by defenders.
     The botmaster can easily monitor and obtain complete information about the botnet by issuing a report command.
     Preventing (or making it harder for) defenders from detecting bots via their communication traffic patterns.

  8. Bot Master Node
     This is the server node, or attacker node.
     This node sends instructions to any other node.
     A botmaster can monitor the other nodes and maintains the details about each bot.
     A botmaster issues a special command, called a report command, to the botnet.
     It instructs every bot to send its information to a specified machine that is compromised and controlled by the botmaster.

  9. Bot Master (flow)
     Select sensor host
     Command initiation
     Receive command
     Connection with sensor host
     Send acknowledgement
     Send command

  10. Servent Bot
     The servent group contains bots that have static, non-private IP addresses and are accessible from the global Internet.
     Bots in this first group are called servent bots since they behave as both clients and servers.
     Only servent bots are candidates in peer lists.

  11. Client Bot
     The client group contains the remaining bots, including bots with dynamically allocated IP addresses and bots with private IP addresses that connect out to the global Internet.
     This group of bots is called client bots since they will not accept incoming connections.
  12. Monitoring by Botmaster
     Another major challenge in botnet design is making sure that a botnet is difficult for defenders to monitor, but at the same time easily monitored by its botmaster.
     A botmaster could conduct attacks more effectively according to the bot population, distribution, on/off status, IP address types, etc., and keep tighter control over the botnet when facing various counterattacks from defenders.
     In this section, we present a simple but effective way for botmasters to monitor their botnets whenever they want.
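The report command described on slide 12 has a defender-side signature: every bot sends its information to one sensor host, so one destination suddenly receives connections from many distinct internal hosts in a short window. The following is an added example written for these notes (not code from the slides or from the Wang/Sparks/Zou paper) that scores connection records for exactly that fan-in. The record format "timestamp src dst port", the flow lines, the five-minute window and the ten-source threshold are all constructed assumptions.

```python
"""Flag report-command fan-in in connection records (added example).

Illustration code written for these notes, not part of the slides or of the
Wang/Sparks/Zou design. The record format, the sample flows, the window and
the threshold are constructed assumptions, not any real sensor's output.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records: ISO timestamp, source IP, destination IP, port.
SAMPLE_LINES = [
    # Ordinary traffic: three hosts reach a web server hours apart.
    "2011-03-01T08:00:00 10.0.0.2 198.51.100.20 443",
    "2011-03-01T09:30:00 10.0.0.3 198.51.100.20 443",
    "2011-03-01T11:15:00 10.0.0.4 198.51.100.20 443",
] + [
    # Report fan-in: twelve hosts all reach the same sensor host within a minute.
    f"2011-03-01T10:00:{5 * i:02d} 10.0.0.{i + 2} 203.0.113.7 8080"
    for i in range(12)
]


def parse_flows(lines):
    """Turn 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in lines:
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_fanin_targets(records, window=timedelta(minutes=5), min_sources=10):
    """Return {(dst, port): peak distinct sources} for every destination that
    was contacted by at least min_sources distinct sources inside one window."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in records:
        by_dst[(dst, port)].append((ts, src))

    suspicious = {}
    for key, events in by_dst.items():
        events.sort()
        active = Counter()  # source -> number of its flows inside the window
        left = 0
        peak = 0
        for ts, src in events:
            active[src] += 1
            # Slide the window forward: drop flows older than ts - window.
            while events[left][0] < ts - window:
                old_src = events[left][1]
                active[old_src] -= 1
                if active[old_src] == 0:
                    del active[old_src]
                left += 1
            peak = max(peak, len(active))
        if peak >= min_sources:
            suspicious[key] = peak
    return suspicious


if __name__ == "__main__":
    for (dst, port), n in find_fanin_targets(parse_flows(SAMPLE_LINES)).items():
        print(f"possible sensor host {dst}:{port}: {n} distinct sources in one window")
```

The sliding window counts distinct sources rather than raw connections, so a single chatty host cannot trigger it; the threshold has to be tuned against the normal fan-in of legitimate servers (mail relays, update servers) on the monitored network.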
  13. Data Flow diagram (labels)
     Bot Master
     Command preparation
     Command receive from the bot
     Send command
     Receive command
     Sensor selection
     Servent Bot
     Bot
     Bot
     Bot
     Monitoring without Honeypot
     Monitoring with Honeypot

  14. Botnet Monitoring
     In this module we concentrate on how defenders might defend against such an advanced botnet. Here we use two concepts to monitor the botnet:
     Botnet monitoring with Honeypot.
     Botnet monitoring without Honeypot.

  15. Botnet monitoring with Honeypot: Honeypot
     In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
     Generally it consists of a computer, data, or a network site that appears to be part of a network and seems to contain information or a resource of value to attackers.
     It will block the attack from the botmaster.

  16. Honeypot Block Diagram (labels)
     Honeypot
     Servent Bot
     Client Bot
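Slides 10 and 11 state that only servent bots, the ones with static, non-private addresses reachable from the global Internet, appear in peer lists, and slides 15 and 16 place the honeypot among the servent and client bots as the defender's observation point. Put together, every peer-list entry a honeypot receives is a candidate servent bot that defenders can report or block, and any entry in a non-routable range cannot be a servent at all. The following is an added example written for these notes (not code from the slides or from the Wang/Sparks/Zou paper) that triages a captured peer list on that basis. The "ip:port" capture format, the sample entries (documentation ranges standing in for public addresses) and the explicit non-routable list are constructed assumptions.

```python
"""Triage a peer list captured on a honeypot (added example).

Illustration code written for these notes, not part of the slides or of the
Wang/Sparks/Zou design. The capture format, the sample addresses and the
non-routable range list are constructed assumptions.
"""
import ipaddress

# Constructed capture: one "ip:port" entry per line, as a honeypot might log
# from a peer-list update. Includes a duplicate, private addresses, an IPv6
# entry and a malformed line, to exercise each branch.
CAPTURED_PEER_LIST = """
198.51.100.23:4521
203.0.113.88:4521
10.4.5.6:4521
192.168.1.20:4521
198.51.100.23:4521
not-an-ip:123
[2001:db8::1]:4521
"""

# Ranges that cannot host a servent bot (no inbound reachability from the
# global Internet). Kept explicit rather than relying on ip.is_global so the
# documentation addresses used above count as routable for the example.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_entry(line):
    """Parse 'ip:port' or '[ipv6]:port'; return (ip_address, port) or None."""
    host, sep, port_text = line.rpartition(":")
    if not sep or not port_text.isdigit():
        return None
    port = int(port_text)
    if not 1 <= port <= 65535:
        return None
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return ipaddress.ip_address(host), port
    except ValueError:
        return None


def is_routable(ip):
    """True unless the address falls in one of the non-routable ranges above."""
    return not any(ip in net for net in NON_ROUTABLE)


def classify_peer_list(text):
    """Split a captured peer list into servent candidates (routable, deduplicated),
    entries in non-routable ranges, and lines that did not parse."""
    result = {"servent_candidates": [], "non_routable": [], "malformed": []}
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_entry(line)
        if parsed is None:
            result["malformed"].append(line)
            continue
        ip, port = parsed
        entry = (str(ip), port)
        if entry in seen:
            continue  # a repeated entry carries no new information
        seen.add(entry)
        bucket = "servent_candidates" if is_routable(ip) else "non_routable"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    report = classify_peer_list(CAPTURED_PEER_LIST)
    for ip, port in report["servent_candidates"]:
        print(f"servent candidate to report or block: {ip}:{port}")
    for line in report["malformed"]:
        print(f"could not parse: {line!r}")
```

Malformed and non-routable entries are kept rather than silently dropped, since a peer list that contains them is itself worth noting: a correctly behaving servent list should contain only globally reachable addresses.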
  17. Botnet monitoring without Honeypot
     Here no honeypot is used, so the attack cannot be blocked.
     The whole system is monitored by scanning it.
     The scan can identify the temp file created by the attacker.
     From that temp file we can identify the source and be prepared for the next attack.
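Slide 17 describes monitoring without a honeypot as scanning the host for the temp file the attacker left behind. The following is an added example written for these notes (not code from the slides) of such a scan: it walks a directory, keeps regular files modified within a given window, and records size, executable bit and SHA-256 so a find can be matched against other hosts or reported. The directory, the window and the sample files are constructed; which paths and windows are worth scanning on a real host is an assumption left to the analyst.

```python
"""List recently written files under a temp directory for triage (added example).

Illustration code written for these notes, not part of the slides. The scanned
directory, the window and the sample files are constructed assumptions.
"""
import hashlib
import os
import stat
import tempfile
import time


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_recent_files(root, max_age_seconds, now=None):
    """Return regular files under root modified within max_age_seconds, newest first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink planted in temp
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            age = now - st.st_mtime
            if age > max_age_seconds:
                continue
            findings.append({
                "path": path,
                "size": st.st_size,
                "age_seconds": round(age, 1),
                "executable": bool(st.st_mode & stat.S_IXUSR),
                "sha256": sha256_file(path),
            })
    findings.sort(key=lambda f: f["age_seconds"])
    return findings


def demo():
    """Build a constructed temp directory holding one fresh file and one
    week-old file, then return (name, sha256) for what a one-hour scan flags."""
    with tempfile.TemporaryDirectory() as root:
        fresh = os.path.join(root, "upd.tmp")
        with open(fresh, "wb") as f:
            f.write(b"abc")  # constructed placeholder content
        old = os.path.join(root, "cache.dat")
        with open(old, "wb") as f:
            f.write(b"constructed old file\n")
        week_ago = time.time() - 7 * 24 * 3600
        os.utime(old, (week_ago, week_ago))  # age the second file out of the window
        hits = scan_recent_files(root, max_age_seconds=3600)
        return [(os.path.basename(h["path"]), h["sha256"]) for h in hits]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"recent file {name}: sha256 {digest}")
```

Modification time is only a first filter, since an attacker can reset it; the hash is the durable artifact, and the same scan run across several hosts lets the analyst see which temp files recur.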
  18. BOTMASTER (screenshot slide)

  19. (screenshot slide; no text)

  20. Selecting client side IP (screenshot slide)

  21. Monitoring with Honeypot (screenshot slide)

  22. (screenshot slide; no text)

  23. Monitoring without honeypot (screenshot slide)
  24. Conclusion
     To be well prepared for future botnet attacks, we should study advanced botnet attack techniques that could be developed by botmasters in the near future.
     In this project, we present the design of an advanced hybrid P2P botnet. Compared with current botnets, the proposed one is harder to monitor, and much harder to shut down.
     To defend against such an advanced botnet, we point out that honeypots may play an important role.
     We should, therefore, invest more research into determining how to deploy honeypots efficiently and avoid their exposure to botnets and botmasters.
  25. References
     1. S. Kandula, D. Katabi, M. Jacob, and A. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds," Proc. Second Symp. Networked Systems Design and Implementation (NSDI '05), May 2005.
     2. C.T. News, "Expert: Botnets No. 1 Emerging Internet Threat," http://, 2006.
     3. F. Freiling, T. Holz, and G. Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks," Technical Report AIB-2005-07, CS Dept., RWTH Aachen Univ., Apr. 2005.
     4. D. Dagon, C. Zou, and W. Lee, "Modeling Botnet Propagation Using Time Zones," Proc. 13th Ann. Network and Distributed System Security Symp. (NDSS '06), pp. 235-249, Feb. 2006.
  26. THANK YOU