92 lines
5.2 KiB
TeX
%{{{ introduction
\section{Introduction}

The internet has become an irreplaceable part of our day-to-day lives.
We are always connected via numerous \enquote{smart} and \ac{iot} devices.
We use the internet to communicate, shop, handle financial transactions and much more.
Many personal and professional workflows are so dependent on the internet that they no longer work offline.

%{{{ motivation
\subsection{Motivation}

% TODO: fast consumer internet connections 100 Mbit/s ++
The number of connected \ac{iot} devices is around 10 billion in 2021 and is expected to keep growing over the next years, reaching 25 billion in 2030~\cite{statista_iot_2020}.
Many of these devices run outdated software, do not receive any updates and do not follow general security best practices.
While in 2016 only 77\% of German households had a broadband connection with a bandwidth of 50 Mbit/s or more, by 2020 it was already 95\% with more than 50 Mbit/s and 59\% with at least 1000 Mbit/s~\cite{statista_broadband_2021}.
This makes them an attractive target for botmasters: they are easy to infect, always online and sit behind internet connections that keep getting faster, and since they are small devices that usually operate without any direct user interaction, an infection can go unnoticed for a long time.
In recent years, \ac{iot} botnets have been responsible for some of the biggest \ac{ddos} attacks ever recorded, generating up to 1 Tbit/s of traffic~\cite{ars_ddos_2016}.

% TODO: what is a bot? Infected systems. Malware. DGA, examples, tree vs graph

A botnet is a network of infected computers together with some means for the attacker to control them.
In classic botnets, there are one or more central coordinating hosts called \acp{c2}.
These \acp{c2} can use anything from \ac{irc} and \ac{http} to Twitter to communicate with the infected systems.
The infected systems can be abused for a number of purposes, \eg{} \ac{ddos} attacks, stealing data from victims, acting as proxies to hide the attacker's identity, sending spam emails \dots{}

Analyzing and shutting down a centralized botnet is comparatively easy since every bot knows the IP address, domain name, Twitter handle, \ac{irc} channel \dots{} the \acp{c2} are using.

A targeted operation with help from law enforcement, hosting providers, domain registrars and platform providers can shut down or take over the operation by changing how requests are routed or simply shutting down the controlling servers/accounts.

% TODO: too informal?
A number of botnet operations were shut down like this and as the defenders upped their game, so did the attackers --- the idea of \ac{p2p} botnets came up.
The idea is to build a decentralized network without the single points of failure that the \acp{c2} represent.
In a \ac{p2p} botnet, each node knows a number of its neighbours and connects to those; each of these neighbours in turn has its own list of neighbours, and so on.

This lack of a \ac{spof} makes \ac{p2p} botnets more resilient to take-down attempts since the communication is not stopped and botmasters can easily rejoin the network and send commands.

%}}} motivation

%{{{ detection techniques
\subsection{Detection Techniques for \Acs*{p2p} Botnets}

There are two distinct methods to map and get an overview of the network topology of a \ac{p2p} botnet:

%{{{ passive detection
\subsubsection{Passive Detection}

For passive detection, traffic flows are analyzed in large amounts of collected network traffic (\eg{} from \acp{isp}).
This has the advantage that botmasters cannot detect or prevent this kind of data collection, but it is not trivial to distinguish legitimate \ac{p2p} application traffic (\eg{} BitTorrent, Skype, cryptocurrencies, \ldots) from \ac{p2p} bot traffic.
\citeauthor{zhang_building_2014} propose a system based on statistical analysis to solve some of these problems in~\cite{zhang_building_2014}.
Also, access to the required datasets may not be available to everyone.

%}}} passive detection

%{{{ active detection
\subsubsection{Active Detection}

In this case, a subset of the botnet protocol is reimplemented to place pseudo-bots or sensors in the network, which only communicate with other nodes but do not accept or execute commands to perform malicious actions.
The differences in behaviour between these sensors and the reference implementation, as well as conspicuous graph properties (\eg{} high $\deg_{\text{in}}$ vs.\ low $\deg_{\text{out}}$), allow botmasters to detect and block the sensor nodes.

%}}} active detection
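As an added example (not code from this thesis draft) of the $\deg_{\text{in}}$ vs.\ $\deg_{\text{out}}$ property: a monitoring operator can run the same degree check over its own crawl data to see how much a sensor stands out from ordinary peers. The node names, the sensor's empty neighbour list and the flagging thresholds are assumptions.

```python
from collections import defaultdict

# Constructed crawl result: node -> neighbours it announced to the crawler.
# "S1" is a hypothetical sensor: every bot lists it, but it announces nobody.
# All node names are made up for this example.
NEIGHBOUR_LISTS = {
    "A": ["B", "C", "S1"],
    "B": ["A", "D", "S1"],
    "C": ["A", "B", "S1"],
    "D": ["B", "C", "S1"],
    "E": ["A", "D", "S1"],
    "S1": [],   # accepts connections, hands out an empty neighbour list
}

def degrees(neighbour_lists):
    """Return {node: (deg_in, deg_out)} for the directed graph in which an
    edge u -> v exists when u lists v as a neighbour."""
    deg_in, deg_out = defaultdict(int), defaultdict(int)
    for node, neighbours in neighbour_lists.items():
        deg_out[node] += len(neighbours)
        for n in neighbours:
            deg_in[n] += 1
    nodes = set(neighbour_lists) | set(deg_in)
    return {v: (deg_in[v], deg_out[v]) for v in nodes}

def conspicuous_nodes(neighbour_lists, ratio=3.0, min_in=3):
    """Nodes with at least `min_in` incoming edges whose in-degree is at least
    `ratio` times their out-degree. Ordinary peers both list and are listed by
    roughly as many neighbours; a sensor that never announces neighbours does
    not. The thresholds are assumptions, not values from the text."""
    flagged = []
    for v, (din, dout) in sorted(degrees(neighbour_lists).items()):
        # deg_out of 0 is treated as 1 so the ratio stays defined
        if din >= min_in and din >= ratio * max(dout, 1):
            flagged.append(v)
    return flagged

if __name__ == "__main__":
    for v, (din, dout) in sorted(degrees(NEIGHBOUR_LISTS).items()):
        print(f"{v}: deg_in={din} deg_out={dout}")
    print("conspicuous:", conspicuous_nodes(NEIGHBOUR_LISTS))
```

A sensor that answers with a realistic neighbour list would lower its ratio, which is why the text calls this a property the reference implementation must be matched on.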

%}}} detection techniques

\begin{itemize}

% TODO: BotGrep (in zhang_building_2014)
\item Large-scale network analysis (hard to differentiate from legitimate \ac{p2p} traffic (\eg{} BitTorrent), hard to obtain data, knowledge of some known bots required)~\cite{zhang_building_2014}

% TODO: BotMiner (in zhang_building_2014)
\item Heuristics: same traffic patterns, same malicious behaviour

\end{itemize}

%{{{ detection criteria
\subsection{Detection Criteria}

\begin{itemize}

\item \ac{p2p} online time vs.\ host online time

\item neighbourhood lists

\item no/few \ac{dns} lookups; instead direct lookups from routing tables

\end{itemize}
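As an added illustration (not part of this thesis draft), the three criteria above applied to per-host summaries of the kind passive detection would derive from flow data; the record fields, all values and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class HostRecord:
    """Per-host summary derived from passively collected flow data.
    Field names and all values below are constructed for this example."""
    host: str
    host_online_s: int        # seconds the host was observed online at all
    p2p_online_s: int         # seconds it maintained P2P-style peer connections
    dns_lookups: int          # DNS queries seen from the host
    direct_peers: int         # distinct peers contacted without a prior DNS lookup
    neighbours: frozenset = field(default_factory=frozenset)  # its neighbourhood list

def jaccard(a, b):
    """Overlap of two neighbourhood lists; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def score_hosts(records, p2p_ratio=0.8, dns_per_peer=0.2, overlap=0.5):
    """Count, per host, how many of the three criteria it fulfils:
    P2P online time close to total online time; peers reached directly with
    few DNS lookups (routing-table lookups); a neighbourhood list that largely
    overlaps with another host's. The thresholds are assumptions."""
    scores = {}
    for r in records:
        s = 0
        if r.host_online_s and r.p2p_online_s / r.host_online_s >= p2p_ratio:
            s += 1
        if r.direct_peers >= 5 and r.dns_lookups <= dns_per_peer * r.direct_peers:
            s += 1
        if any(jaccard(r.neighbours, o.neighbours) >= overlap
               for o in records if o is not r):
            s += 1
        scores[r.host] = s
    return scores

def likely_bots(records, min_score=2):
    return sorted(h for h, s in score_hosts(records).items() if s >= min_score)

# Constructed records: a normal client, a legitimate BitTorrent host and two bots.
RECORDS = [
    HostRecord("web-client", 36000, 0, 120, 0),
    HostRecord("torrent-box", 36000, 20000, 40, 30, frozenset({"t1", "t2", "t3"})),
    HostRecord("bot-1", 36000, 35000, 2, 12, frozenset({"n1", "n2", "n3", "n4", "n5", "n6"})),
    HostRecord("bot-2", 30000, 29000, 1, 10, frozenset({"n2", "n3", "n4", "n5", "n6", "n7"})),
]

if __name__ == "__main__":
    print(score_hosts(RECORDS))
    print(likely_bots(RECORDS))
```

The BitTorrent host scores low only because its peers change and it resolves trackers via DNS; with different thresholds it would be a false positive, which is the difficulty the passive detection section describes.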

%}}} detection criteria

%}}} introduction

% vim: set filetype=tex ts=2 sw=2 tw=0 et spell :