Giant Portion

"largest connected (or online) portion of the graph"


How many bots can participate in an attack

B = \displaystyle\sum_{i=1}^{3}(M_i - A_i)P_iW_i

  • B: average bandwidth
  • i: index over the series of all groups
  • M_i: average maximum bandwidth of group i
  • A_i: average normal bandwidth use of group i
  • P_i: probability of a bot being in group i
  • W_i: average online hours per day for group i

  • Network diameter l
  • Since a botnet with more interconnections has more short paths, it passes messages quickly, and provides fewer detection opportunities

Botnet Efficiency

Botnet response strategies

  • Random targeting can be effective in random networks
  • Random targeting is ineffective for scale free networks
  • Responses to scale free networks are more effective
  • With scale free, targeting high speed nodes is more likely to increase the diameter of the network, increasing message distribution time
  • Keeping watch of effectiveness (available bandwidth) helps with monitoring the success rate of a response

Methodology

  • Nugache
    • used for spam email
    • data collection
    • distributed via LimeWire
    • Made by a 19 year old!
  • Used an emulator infected with Nugache
  • Forced a unique IP on every node they controlled
  • Observed connections to computers in the wild
  • Observed mostly > 6 links, but up to 30 links in some cases
  • This indicated scale free
  • Cleaning highly connected nodes can have a high impact.

Bandwidth as a metric

  • Tested on two botnets, focus on DDoS
  • Probed bandwidth on random nodes
  • Used to find an average, method described in the metric for estimating bandwidth
  • Botnet size of 50k = 1Gbps total bandwidth
  • Botnet 1: 53.3004 Kbps, Botnet 2: 34.8164 Kbps
  • Not adjusted for diurnal = roughly the same available bandwidth
  • Adjusted for diurnal = Botnet 2 has 50% capacity of botnet 1
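The bandwidth metric from the formula section, B = Σ (M_i − A_i) P_i W_i, applied to the two-botnet comparison above, as an added example that is not part of the original deck or the underlying paper. The group values are constructed, and the treatment of W_i as a fraction of the day (W_i / 24) is an assumption made so that the "not adjusted for diurnal" figure can be reproduced by dropping the weight.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Group:
    """One bandwidth class of bots, the metric's group i (values constructed)."""
    m_kbps: float   # M_i: average maximum link bandwidth of bots in the group
    a_kbps: float   # A_i: average bandwidth the host's own traffic already uses
    p: float        # P_i: probability that a bot belongs to this group
    w_hours: float  # W_i: average hours per day a bot in the group is online


def per_bot_bandwidth_kbps(groups: List[Group], diurnal: bool = True) -> float:
    """Expected available bandwidth per bot: B = sum_i (M_i - A_i) P_i W_i.

    Assumption: W_i is applied as the fraction of the day the bot is online
    (W_i / 24). With diurnal=False every bot is treated as always online,
    which corresponds to the 'not adjusted for diurnal' figure in the notes.
    """
    total = 0.0
    for g in groups:
        spare = max(g.m_kbps - g.a_kbps, 0.0)   # a saturated host contributes nothing
        weight = g.w_hours / 24.0 if diurnal else 1.0
        total += spare * g.p * weight
    return total


def botnet_bandwidth_gbps(groups: List[Group], size: int, diurnal: bool = True) -> float:
    """Total attack bandwidth the botnet can bring to bear, in Gbps."""
    return per_bot_bandwidth_kbps(groups, diurnal) * size / 1e6


def capacity_ratio(a: List[Group], b: List[Group], diurnal: bool = True) -> float:
    """Capacity of botnet b relative to botnet a (1.0 means equal capacity)."""
    return per_bot_bandwidth_kbps(b, diurnal) / per_bot_bandwidth_kbps(a, diurnal)


# Constructed botnets: identical link/usage/probability profile, but botnet 2's
# bots are online half the day, as in the deck's adjusted-vs-unadjusted comparison.
BOTNET_1 = [Group(64, 32, 0.6, 24), Group(256, 128, 0.3, 24), Group(1024, 768, 0.1, 24)]
BOTNET_2 = [Group(64, 32, 0.6, 12), Group(256, 128, 0.3, 12), Group(1024, 768, 0.1, 12)]

if __name__ == "__main__":
    print("unadjusted ratio:", capacity_ratio(BOTNET_1, BOTNET_2, diurnal=False))  # 1.0
    print("adjusted ratio:  ", capacity_ratio(BOTNET_1, BOTNET_2))                 # 0.5
    print("botnet 1 at 50k bots:", botnet_bandwidth_gbps(BOTNET_1, 50_000), "Gbps")
```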

By Erlend Westbye
