Botnet Tracking, Minute by Minute
by Jose Nazario
We’ve been tracking botnets for some time now; it’s a great way to directly monitor malicious activity. The graph above relates to a botnet I’m currently tracking. It’s seeing a lot of churn - something on the order of thousands of new IP addresses every day. But that’s not quite accurate; it’s hosts leaving and re-joining. As such, you have to count the joins as an addition and the leaves as a subtraction, so that’s what I did. This gives an accurate snapshot per minute of the botnet’s size. This activity profile reminds me of the paper “Modeling Botnet Propagation Using Time Zones”, by David Dagon, Cliff Zou, and Wenke Lee.
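The counting rule described above, as an added worked example (this is not the tool used for the post, and the log format it parses is an assumption: one event per line, "date time JOIN|PART|QUIT nick ip", roughly what a client logging a C&C channel would write). The sample events are constructed, and deliberately include a host that leaves and re-joins and a host that parts without a logged join, so the three numbers it reports differ: raw joins, distinct joining addresses, and the actual concurrent size per minute.

```python
"""Per-minute botnet size from join/leave events.

Added illustration, not the tracking tool from the post. Assumed log format:
"<date> <time> <JOIN|PART|QUIT> <nick> <ip>", one event per line.
"""
from datetime import datetime, timedelta

# Constructed sample data, not a real capture. 10.0.0.1 leaves and re-joins;
# 10.0.0.99 parts without a recorded join (it was already in the channel
# when logging started).
SAMPLE_LOG = """\
2006-05-01 10:00:05 JOIN bot-a1 10.0.0.1
2006-05-01 10:00:41 JOIN bot-b2 10.0.0.2
2006-05-01 10:01:10 JOIN bot-c3 10.0.0.3
2006-05-01 10:01:55 PART bot-a1 10.0.0.1
2006-05-01 10:02:03 JOIN bot-a1 10.0.0.1
2006-05-01 10:02:30 QUIT bot-b2 10.0.0.2
2006-05-01 10:03:12 PART bot-zz 10.0.0.99
2006-05-01 10:04:00 JOIN bot-d4 10.0.0.4
2006-05-01 10:06:20 PART bot-c3 10.0.0.3
"""

LEAVE = {"PART", "QUIT"}


def parse_events(text):
    """Return a time-sorted list of (timestamp, action, ip) tuples."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        date, clock, action, _nick, ip = fields
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, action.upper(), ip))
    events.sort()
    return events


def join_count(events):
    """The naive number: every JOIN counted as a new bot."""
    return sum(1 for _, action, _ in events if action == "JOIN")


def distinct_joiners(events):
    """Distinct addresses seen joining; re-joins collapse to one."""
    return len({ip for _, action, ip in events if action == "JOIN"})


def _walk(events):
    """Yield (timestamp, size) after applying each event to the active set."""
    active = set()
    for ts, action, ip in events:
        if action == "JOIN":
            active.add(ip)
        elif action in LEAVE:
            # discard(), not remove(): a leave for a host whose join predates
            # the log is ignored instead of raising or driving a counter negative
            active.discard(ip)
        yield ts, len(active)


def peak_size(events):
    """Largest number of hosts present at once at any event."""
    return max((size for _, size in _walk(events)), default=0)


def timeline(events):
    """Size of the channel at the end of each minute, as (minute, size).

    Minutes with no events carry the previous size forward, giving one
    sample per minute, which is the series you would plot.
    """
    if not events:
        return []
    end_of_minute = {}
    for ts, size in _walk(events):
        end_of_minute[ts.replace(second=0, microsecond=0)] = size  # last event in the minute wins
    first = events[0][0].replace(second=0, microsecond=0)
    last = events[-1][0].replace(second=0, microsecond=0)
    series, size, minute = [], 0, first
    while minute <= last:
        size = end_of_minute.get(minute, size)
        series.append((minute.strftime("%Y-%m-%d %H:%M"), size))
        minute += timedelta(minutes=1)
    return series


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("joins counted:", join_count(evs))          # 5
    print("distinct joiners:", distinct_joiners(evs))  # 4
    print("peak concurrent:", peak_size(evs))          # 3
    for minute, size in timeline(evs):
        print(minute, size)
```

Tracking membership as a set keyed by address, rather than a bare +1/-1 counter, is what makes the snapshot robust to the two things that bite in practice: a host that re-joins without a logged leave (a reconnect after a timeout) does not get counted twice, and a leave for a host that joined before logging started cannot push the count below zero.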
As an aside, we’ll be presenting much of our botnet research at a number of places this year. Just last month we submitted a paper idea to the Virus Bulletin 2006 Conference, and we’re proud to say it’s been accepted. Here’s the submitted abstract:
Title: Botnet Tracking Techniques & Tools
Authors: Jose Nazario & Jeremy Linden
Botnets have quickly become one of the chief dangers to large-scale Internet security, threatening nearly every Internet user and even the very infrastructure itself. Unlike traditional malware such as viruses and worms, the structure of a botnet creates the opportunity to perform direct measurements and observation. The common tools to do this measurement are usually quickly written and may or may not work for long periods of time, especially if the botnet owner is vigilant about checking for lurking hosts. Furthermore, most botnet studies published thus far have focused on studying captured malware samples outside of the network or have been carried out using honeypot hosts. Neither of these techniques provides a full picture of the botnet landscape. To study larger amounts of information about the botnet community, we have developed simple tools and techniques to infiltrate large numbers of botnets for long periods of time. Our findings reveal how botnet operators manage their networks, what they are doing with the infected hosts, and the skill levels required to create such botnets. The results of this illustrate how lucrative the botnet community is, how easy it is to get started, and how dangerous it can be for the Internet community at large.
We’re currently working on the paper, and we have an overflow of material, so you will see more of it in the coming months elsewhere. Watch for some of the data to appear here, as well.