Abstract
Paper Title
StormTrap: Undetectable Mitigation of P2P Botnet

Author(s)
Chanho Ryu (Korea), Director, Incidents Analysis Team, KISC, KISA.
Sangwook Seo (Korea), Researcher, Incidents Analysis Team, KISC, KISA.
Sungbae Ji (Korea), Researcher, Incidents Analysis Team, KISC, KISA.

Time
11 December, Thursday, 10:55 - 11:35.
The Storm botnet is a novel form of botnet, unlike conventional centralized botnets that use HTTP, IRC, or other instant messaging (IM) protocols as command and control (C&C) channels. While a conventional botnet has a single point of failure and is easy to take down by shutting down its C&C servers or null-routing (redirecting) its DNS entries, the Storm botnet is difficult to render inoperable as a whole. Because Storm bots communicate with each other over a peer-to-peer (P2P) protocol, it is not even simple to figure out who the real botnet herder is. Storm has instead been quite successful at compromising new machines and expanding the botnet through social engineering techniques. Currently, the Storm botnet is segmented for sale and used in a variety of criminal activities such as DDoS attacks and the spamming business.

In recent studies, botnet defenders have been attempting to attack Storm botnets: they actively track the botnet and apply attack methodologies originally proposed against P2P systems. However, Storm has figured out these approaches and launched DDoS attacks on the defenders in retaliation. When defenders do not account for the state-transition anomalies caused by crawling, index poisoning, and routing-table poisoning attacks, the Storm botnet can detect these attacks and kick the defenders out.

In this paper, we propose StormTrap, which mitigates the Storm botnet in an undetectable manner. StormTrap consists of multiple virtual machines (VMs) infected by the Storm worm and a StormProxy that monitors Storm-generated packets. Each VM can be run with a different version of Storm or as a member of one of the segmented botnets, and the differences in node IDs allow the VMs to cover the whole botnet. StormProxy drops, replays, or manipulates only those packets predefined as undetectable attack vectors. Distributed StormTraps can obtain more accurate results and disarm the Storm botnet effectively. The monitoring results can be applied to a Storm-aware IPS or firewall.