71 lines
2.5 KiB
TeX
% \section{Testeroo ma man}

% \OfficialLogoNormal

% \logoNormal

% \textcolor{Accent}{foo lol faculty colours}

% yo hi~\cite[121]{bib:persistentstruct}

% \Ac{html}

% \ac{html}

% \enquote{look ma, imma quote}~\ref{fig:some_figure}

% \begin{figure}[h]
% \OfficialLogoNormal
% \caption{OTH Logo}
% \label{fig:some_figure}
% \end{figure}

% asdft~\footfullcite[pre][post]{bib:persistentstruct}


% \textsc{Small Caps test section}

% \subsection{Sub 1}

% \subsection{Sub 2}

% \subsubsection{Subsub 1}

% I am a text with a footnote\footnote{lol I am a footnote}


\section{Introduction}


% TODO: what is a bot? Infected systems. Malware. DGA, examples, tree vs graph

A botnet is a network of infected computers together with some mechanism that lets an attacker control them.
In classic botnets, there are one or more central coordinating hosts called \acp{c2}.
These \acp{c2} could use anything from \ac{irc} and \ac{http} to Twitter to communicate with the infected systems.
The infected systems can be abused for a number of purposes, \eg{} \ac{ddos} attacks, stealing data from victims, acting as proxies to hide the attacker's identity, sending spam emails \dots{}

Analyzing and shutting down a centralized botnet is comparatively easy, since every bot knows the IP address, domain name, Twitter handle, \ac{irc} channel \dots{} the \acp{c2} are using.
% TODO: word for police
A targeted operation with help from TODO, hosting providers, domain registrars and platform providers could shut down or take over the operation by changing how requests are routed or simply by shutting down the controlling servers/accounts.

% TODO: too informal?
A number of botnet operations have been shut down like this, and as the defenders upped their game, so did the attackers --- the idea of \ac{p2p} botnets came up.
The idea is to build a decentralized network without the single points of failure that the \acp{c2} represent.
In a \ac{p2p} botnet, each node in the network knows a number of its neighbours and connects to those; each of these neighbours has a neighbour list of its own, and so on.

\subsection{Detection Techniques for \ac{p2p} Botnets}

\begin{itemize}

% TODO: BotGrep (in zhang_building_2014)
\item Large-scale network analysis (hard to distinguish from legitimate \ac{p2p} traffic such as BitTorrent, hard to obtain the data, and knowledge of some known bots is required)

% TODO: BotMiner
\item Heuristics: the same traffic patterns and the same malicious behaviour

\end{itemize}
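The centralized and \ac{p2p} topologies described in the introduction, together with the crawl from a few known bots that the network-analysis approach above relies on, as an added Python example that is not part of the thesis: it builds a constructed star and a constructed random overlay, walks the neighbour lists breadth-first from two known bots, and reports which fraction of the bots stays reachable after the \ac{c2} host, or the best-connected peers of the overlay, are shut down. Host names, node counts and degrees are made up.

```python
import random
from collections import deque

def make_centralized(n_bots):
    """Constructed star topology: every bot knows only the C2 host, and the
    C2 host keeps a list of every bot that has connected to it."""
    bots = [f"bot{i}" for i in range(n_bots)]
    peers = {"c2": set(bots)}
    peers.update({b: {"c2"} for b in bots})
    return peers

def make_p2p(n_bots, degree, seed=1):
    """Constructed P2P overlay: each bot puts `degree` random peers on its
    neighbour list; links are made symmetric so neighbours know each other."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    peers = {b: set() for b in bots}
    for b in bots:
        for p in rng.sample([x for x in bots if x != b], degree):
            peers[b].add(p)
            peers[p].add(b)
    return peers

def crawl(peers, known_bots):
    """Breadth-first walk over neighbour lists, starting from the bots an
    analyst already knows about; returns every node discovered that way."""
    seen, queue = set(known_bots), deque(known_bots)
    while queue:
        for nb in peers.get(queue.popleft(), ()):
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen

def reachable_after_takedown(peers, removed, known_bots):
    """Fraction of the surviving nodes that the known bots can still reach
    once the hosts in `removed` have been shut down."""
    survivors = {n: nbrs - removed for n, nbrs in peers.items() if n not in removed}
    seeds = [b for b in known_bots if b in survivors]
    return len(crawl(survivors, seeds)) / len(survivors)

def compare(n_bots=200, degree=4, n_removed=5):
    """Shut down the single C2 of the star versus the `n_removed` best-connected
    peers of the overlay, crawling from two known bots that survive either way."""
    star, overlay = make_centralized(n_bots), make_p2p(n_bots, degree)
    hubs = set(sorted(overlay, key=lambda n: -len(overlay[n]))[:n_removed])
    known = [b for b in overlay if b not in hubs][:2]
    return {"centralized": reachable_after_takedown(star, {"c2"}, known),
            "p2p": reachable_after_takedown(overlay, hubs, known)}
```

With the C2 gone, the star collapses to the two bots the analyst already knew; the overlay stays almost fully crawlable even after its five best-connected peers are removed.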


% vim: set filetype=tex ts=2 sw=2 tw=0 et spell :