Understanding HTTP Botnets

Botnets pose a significant threat to online ecosystems, being used for illegal activities such as DDoS attacks, spam, and identity theft. They employ various control architectures, with traditional centralized systems being vulnerable to detection, while newer peer-to-peer and HTTP botnets offer improved resilience and stealth. The evolution of botnet architecture continues to focus on enhancing anonymity and evading detection methods, making them a persistent challenge in cybersecurity.


1 Botnet Phenomenon

Botnets are emerging as the most significant threat facing online ecosystems and computing
assets. Malicious botnets are distributed computing platforms predominantly used for illegal
activities such as launching Denial of Service or Distributed Denial of Service (DoS/DDoS)
attacks, sending spam, trojan and phishing emails, illegally distributing pirated media and
software, force distribution, stealing information and computing resources, business
extortion, performing click fraud, and identity theft [5].
The key value of botnets to their operators is the anonymity provided by a multi-tier
command and control (C&C) architecture. Moreover, the individual bots are not physically
owned by the botmaster and may be located in several locations spanning the globe. Differences
in time zones, languages, and laws make it difficult to track malicious botnet activities across
international boundaries. This characteristic makes botnets an attractive tool for
cybercriminals and, in fact, poses a great threat to cybersecurity [5].

1.1 Botnet Control & Communication Architecture


The botmaster choreographs the issuance of commands to the entire botnet using the control and
communication infrastructure. The control and communication architecture of botnets is a major
area of interest to both botnet creators and security researchers trying to detect and disable
botnets [6]. A good understanding of the architectural approach used by a particular botnet can
lead to developing an effective detection mechanism for an entire genre of botnets and their
mutations.

1.1.1 Traditional Botnet Architecture

Fig 1: Command and control architecture of Botnet


Figure 1 shows the centralized command and control architecture used in the majority of existing
and traditional botnets. In such a network all the bots are directly connected to a few
specialized hosts called command and control servers.
The botmaster communicates with the entire botnet exclusively through these few command and
control servers. Though this traditional architecture of centralized command and control servers
is very efficient in terms of scalability and the ease with which the botmaster can issue
commands to his entire network of infected computers, it has a major limitation. Detection or
failure of a few of these command and control servers can result in the botmaster losing control of
all the computers connected through those servers. Once a bot is captured, the identities (IP
addresses) of these limited command and control servers are revealed. Hence the command and
control servers in this architecture act as a single point of failure. The P2P architectural approach
taken by newer botnet strains tries to mitigate some of the problems with the centralized
command and control architecture.

1.1.2 Peer To Peer Botnets


As the limitations of the centralized command and control architecture became apparent,
attackers began experimenting with a new kind of architecture which would allow them to avoid
detection and continue their attacks from distributed locations. These new architectures utilize
peer-to-peer communication protocols and are now the most common among the newer kinds of
botnets.

Fig 2: Command and control architecture of the P2P botnet


Figure 2 shows the command and control architecture of the newer kinds of hybrid peer-to-peer
botnets. The problem of a single point of failure is solved by creating redundancy among the
command and control servers. These servers can work completely
independently of each other, so even if one of the servers is detected and brought down there is
very little effect on the overall functionality of the botnet. In this design not even the servers are
aware of all the computers in the botnet; each server is aware of only a subset of the total number
of infected computers, which adds to the stealth of the botnet (Usenix, 2007).
Though the botnets using these newer approaches have succeeded in removing the single point of
failure to a large extent, they are plagued with newer problems such as scalability and a large amount
of network traffic. The peer-to-peer nature of these newer kinds of botnets results in a large
amount of network traffic, making them susceptible to monitoring via network flow analysis
(Usenix, 2007).
Simply making a botnet use P2P protocols is not enough to make it more robust and resistant to
detection, hence botnet creators have been experimenting with new techniques such as making
use of sensor hosts. A sensor host is a host which the botmaster utilizes to receive status
information from all the bots in the botnet [6]. The IP address of the sensor host changes each
time a status report instruction is sent out by the botmaster. This IP address is generally specified
in the report instruction itself. The hosts classified as servant bots in this architecture are the ones
which have static IP addresses. The sensor bots behave both as servers and as clients [6].
In addition to adopting P2P protocols to increase the resilience of botnets against a single point of
failure, botmasters have also been trying their hand at making super botnets by combining several
smaller botnets, and this seems to be the trend towards which botnet architecture is moving
[7].
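The text notes that the peer-to-peer traffic of these botnets is what exposes them to network flow analysis. The following is an added example, not part of the original document, of the kind of defender-side check that idea leads to: given flow records, it profiles each internal host by the number of distinct external peers it talks to and flags hosts whose fan-out is far above the median of the population, reporting the port that carries most of those peer connections. The flow records, the `10.` internal prefix, the port number and the `factor`/`min_peers` thresholds are all constructed or hypothetical values for illustration.

```python
"""Peer fan-out check over flow records.

Added example, not from the document. A host participating in a P2P
command and control overlay tends to keep contact with many distinct
external peers, frequently on a single port, which stands out against
ordinary client hosts in flow data.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: "src_ip dst_ip dst_port bytes".
# Hosts .5 and .7 are ordinary clients; host .9 talks to 40 distinct peers
# on one port (a constructed, hypothetical port number).
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.10 443 52000
10.0.0.5 198.51.100.11 443 3100
10.0.0.5 203.0.113.4 80 9800
10.0.0.7 198.51.100.12 443 1200
""" + "\n".join(f"10.0.0.9 192.0.2.{i} 20000 310" for i in range(1, 41)) + "\n"


def peer_profile(text, internal_prefix="10."):
    """Per internal source host: the set of external peers it contacted,
    and the same peers broken down by destination port."""
    peers = defaultdict(set)
    by_port = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        src, dst, port, _nbytes = line.split()
        if not src.startswith(internal_prefix):
            continue  # only profile hosts we are responsible for
        peers[src].add(dst)
        by_port[src][int(port)].add(dst)
    return peers, by_port


def high_fanout_hosts(text, factor=5, min_peers=20):
    """Flag internal hosts whose distinct-peer count is both above an
    absolute floor and far above the median for all internal hosts.
    Thresholds are hypothetical tuning values."""
    peers, by_port = peer_profile(text)
    counts = {src: len(p) for src, p in peers.items()}
    baseline = median(counts.values())
    result = []
    for src, n in counts.items():
        if n >= min_peers and n > factor * baseline:
            # Port with the largest number of distinct peers behind it.
            port, port_peers = max(by_port[src].items(),
                                   key=lambda kv: len(kv[1]))
            result.append({"host": src, "peers": n, "top_port": port,
                           "peers_on_top_port": len(port_peers)})
    return result


if __name__ == "__main__":
    for hit in high_fanout_hosts(SAMPLE_FLOWS):
        print(hit)
```

Comparing against the median rather than a fixed number keeps the check meaningful on networks where every host legitimately has a higher baseline, while `min_peers` prevents tiny populations from producing flags on noise.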

1.1.3 HTTP Botnets


The most recent botnet type to date is the HTTP botnet. It works by exchanging web requests over
port 80.
Instead of remaining in connected mode, the HTTP bots periodically visit certain web servers to
get updates or new commands. This model is called the PULL style and repeats at a regular
interval that is defined by the botmaster. Botmasters use the HTTP protocol to hide their activities
among normal web flows and easily avoid current detection methods such as firewalls.
It is therefore no surprise that 6 of the 9 most dangerous botnets of 2012 were HTTP
botnets [8].

Fig 3: Command and control architecture of an HTTP botnet


Because of the wide range of HTTP services in use, it is not easy to block this protocol, unlike
IRC and P2P. Moreover, this protocol is commonly used by normal applications and services on the
Internet. Some normal applications and services, such as a Gmail session (which periodically
checks for new emails), auto-updaters, HTTP-based download managers, self-refreshing pages and
some browser toolbars, can generate the same periodic pattern and increase false positive rates
in the detection results [8].
Examples of such botnets include Festi and Grum. Festi, also known as the king of spam, has been one
of the most powerful spam and DDoS botnets since 2009, and Grum, with more than
840,000 infected hosts all around the world, is known as the second largest spam botnet in
the world [8].

References
[1] Taxonomy of Botnet Threats. A Trend Micro White Paper, November 2006.
[2] Collins, P., Shimeall, T., Faber, S., & Janies, J. (2007). Using uncleanliness to predict future
botnet addresses.
[3] R. A. Rodríguez-Gómez, G. Maciá-Fernández and P. García-Teodoro. Analysis of Botnets
Through Life-Cycle.
[4] A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis (2006). "A multifaceted approach to
understanding the Botnet phenomenon". In Proceedings of the 6th ACM SIGCOMM
Conference on Internet Measurement, page 52. ACM, 2006.
[5] Xiaonan Zang, Athichart Tangpong, George Kesidis and David J. Miller (2011). "Botnet
Detection Through Fine Flow Classification". This material is based upon work supported
by the National Science Foundation under Grant No. 0915552 and a Cisco Systems URP
gift.
[6] Wang, P., Sparks, S. & Zou, C. C. (2007). An advanced hybrid peer-to-peer botnet. Retrieved
01/28, 2008, from [Link]
[7] Ryan V. (2006). In Jhon A. (Ed.), Attack of the 50 foot botnet. Alberta, Canada:
searchnetworking. (2007). Edge [Link] 11/17, 2008, from
[Link]
[8] Pierluigi Paganini (2013). HTTP-Botnets: The Dark Side of a Standard Protocol, from
[Link]
[9] Puri, R. (2003). Bots & botnet: An [Link] 01/21, 2008, from
[Link]
