
Research On P2P-based Botnet And Key Technologies

Posted on: 2012-05-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Gao
GTID: 1228330374499593
Subject: Information security
Abstract/Summary:
A "botnet" is a network of compromised computers (bots) controlled by an attacker (the botmaster). Botnets are one of the most serious threats to today's Internet; they are the root cause of many current Internet attacks, such as email spam, distributed denial of service (DDoS) attacks, and click fraud. Early botnets mainly used a centralized command and control mechanism, building the command and control channel on the IRC protocol. This kind of botnet is relatively mature but has weak security. Botnet control technology is therefore gradually moving to P2P: distributed command and control over a P2P protocol avoids the single point of failure and increases robustness and concealment. We therefore systematically study peer-to-peer botnets along multiple dimensions: command and control mechanisms and communication protocols, a botnet evaluation model, and some ideas for defense. To deepen the understanding of P2P botnet performance, it is necessary to study the key technologies of P2P botnets, their evaluation model and their development trend. This paper investigates the key technologies of P2P botnets, and the main research results are as follows:

1. We study a dynamic model of a double-layer P2P botnet structure. By comparing and analyzing existing P2P botnets, we forecast and study the communication protocol and control framework of the double-layer P2P botnet structure, which provides important theoretical and technical support for defense work. For node selection, we propose a distance and degree strategy to help a super-node choose its neighbor list, and use the AHP algorithm for a common node to select its super-node, focusing on three attributes of the super-node: online time, round-trip time and hardware configuration. Simulation results show that the IP address similarity algorithm and the AHP assessment of super-nodes enhance the robustness and efficiency of the entire botnet.

2. We study the sample and network characteristics of botnets and present a comprehensive evaluation system, with corresponding evaluation indicators, for P2P botnets. Stealth includes the stealth of the bot on the host itself and the stealth of its communications after it is implanted on the terminal, and covers the following areas: capability against antivirus software, communication encryption mechanism, traffic caused by tasks, and maintenance traffic. Effectiveness is mainly used to evaluate the destructive power of a botnet; to a certain extent this index is equivalent to the botnet's size, that is, the number of hosts it controls. When evaluating effectiveness, we use the online time of each machine to estimate the total number of machines usable at a given time, and then assess effectiveness. Efficiency is mainly used to assess how quickly commands are executed in the botnet, that is, the time from the controller issuing a command to each bot receiving it; this indicator is closely related to the diameter of the botnet. Robustness mainly describes the stability of the botnet structure: the impact on the botnet when bots are destroyed and when bots go online or offline. It includes whether there are single-point-of-failure nodes and the impact on the botnet after some of its nodes are destroyed, either at random or by selection. Studies have shown that robustness is related, to some extent, to the average degree and the degree difference of nodes. In the course of this research, the important indicators of the evaluation model, the relevant formulas, and the proofs of the proposed indices are given. Existing P2P botnet communication mechanisms can be divided into two kinds of model; we evaluate and analyze the two models with the evaluation indices in order to study the relationship between the basic characteristics of a botnet and the evaluation indices.

3. The paper proposes a defense strategy for P2P botnets that use a proprietary protocol. Super-nodes play a very important role in a P2P botnet: they not only execute commands as common nodes do, but also take on the important task of forwarding and spreading tasks. The defense strategy studied in the paper focuses on the key nodes among the super-nodes of a P2P botnet, and proposes two feasible ways to detect the key nodes in the botnet. Experiments show that destroying key nodes can have a multiplier effect in defending against a P2P botnet.

4. Based on the dynamic model of the double-layer P2P botnet structure in the second chapter, a botnet is implemented. To strengthen the robustness and concealment of the botnet's command and control mechanism, the key techniques are designed in detail: the time synchronization mechanism, command issuing mechanism, encryption and authentication mechanism, botnet management, and the message types used in communication. The botnet's system structure, function modules and command and control mechanism are also designed in detail. A real environment is built for the botnet in order to test its traffic, robustness and efficiency, and to analyze the AHP-based selection algorithm and the IP address similarity-based algorithm proposed in the second chapter.
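The robustness indicator in result 2 (impact of random versus selected node removal) and the key-node claim in result 3 can be illustrated with a small takedown simulation. This is an added example, not code from the dissertation: the ring-with-chords topology, the use of largest connected component size as the robustness measure, and degree ranking as the key-node detector are all assumptions made for illustration.

```python
import random
from collections import deque

def build_two_layer(supers=10, leaves_per_super=9):
    """Constructed topology: super-nodes in a ring with chords, each serving common nodes."""
    adj = {}
    def link(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    for i in range(supers):
        link(("S", i), ("S", (i + 1) % supers))
        link(("S", i), ("S", (i + 2) % supers))
        for j in range(leaves_per_super):
            link(("S", i), ("C", i, j))
    return adj

def largest_component(adj, removed):
    """Size of the largest connected group of surviving nodes (BFS)."""
    seen, best = set(removed), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nb in adj[node]:
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        best = max(best, size)
    return best

def targeted_removal(adj, k):
    """Remove the k highest-degree nodes (assumed stand-in for key-node detection)."""
    ranked = sorted(adj, key=lambda n: (-len(adj[n]), n))
    return largest_component(adj, ranked[:k])

def random_removal(adj, k, trials=200, seed=1):
    """Average surviving component size when k nodes are removed at random."""
    rng = random.Random(seed)
    nodes = sorted(adj)
    total = sum(largest_component(adj, rng.sample(nodes, k)) for _ in range(trials))
    return total / trials

if __name__ == "__main__":
    adj = build_two_layer()
    print("targeted removal of 3 nodes:", targeted_removal(adj, 3))
    print("random removal of 3 nodes:  ", random_removal(adj, 3))
```

On this constructed 100-node graph, removing three ranked super-nodes cuts the connected population far more than removing three nodes at random, which is the multiplier effect the abstract describes.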
Keywords/Search Tags: Botnet, Peer to Peer, Evaluation, Model