Giant Portion
"largest connected (or online) portion of the graph"
How many bots can participate in an attack
B = \displaystyle\sum_{i=1}^{3}(M_i - A_i)P_iW_i
- B: average bandwidth
- i: the series of all groups i
- M_i: average maximum bandwidth
- A_i: average normal bandwidth use
- P_i: probability of bot being in group i
- W_i: average online hours per day
- Network diameter l
- Since a botnet with more interconnections has more short paths, it passes messages quickly, and provides fewer detection opportunities
Botnet Efficiency
Botnet response strategies
- Random targeting can be effective in random networks
- Random targeting is ineffective for scale free networks
- Responses to scale free networks are more effective
- With scale free, targeting high speed nodes is more likely to increase the diameter of the network, increasing message distribution time
- Keeping watch on effectiveness (available bandwidth) helps with monitoring success rate
Methodology
- Nugache
- used for spam email
- data collection
- distributed via LimeWire
- Made by a 19 year old!
- Used emulator infected with Nugache
- Forced unique IP on every node they controlled
- observed connections to computer in the wild
- Observed mostly > 6 links, but up to 30 links in some cases
- This indicated scale free
- Cleaning highly connected nodes can have a high impact.
Bandwidth as a metric
- Tested on two botnets, focus on DDoS
- Probed bandwidth on random nodes
- Used to find an average, method described in metric for estimating bandwidth
- Botnet size of 50k = 1Gbps total bandwidth
- Botnet 1: 53.3004 Kbps, Botnet 2: 34.8164 Kbps
- Not adjusted for diurnal = roughly the same available bandwidth
- Adjusted for diurnal = Botnet 2 has 50% capacity of botnet 1
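Added example (not from the original slides or the paper they summarize): it evaluates the slide's metric B = sum over groups of (M_i - A_i) P_i W_i on two constructed bot populations, once treating every bot as always online and once with the diurnal weight, to reproduce the effect noted above where the adjusted figures diverge although the unadjusted ones match. The group values, and the assumption that W_i enters as online hours divided by 24, are mine, not the slide's.

```python
# Added example, not from the original slides: evaluates the slide's
# available-bandwidth metric  B = sum_i (M_i - A_i) * P_i * W_i  over
# constructed bot populations, with and without the diurnal weight W_i.
from dataclasses import dataclass
from typing import List

HOURS_PER_DAY = 24.0


@dataclass
class BotGroup:
    name: str
    max_kbps: float      # M_i: average maximum bandwidth of hosts in the group
    normal_kbps: float   # A_i: average bandwidth those hosts already use
    share: float         # P_i: probability that a bot belongs to group i
    online_hours: float  # W_i: average hours per day the group is online


def available_bandwidth(groups: List[BotGroup], adjust_diurnal: bool = True) -> float:
    """Return B, the expected spare bandwidth per bot in Kbps.

    Assumption (not stated on the slide): W_i is applied as the fraction of the
    day the group is online (online_hours / 24); with adjust_diurnal=False every
    bot is treated as always online (W_i = 1).
    """
    total = 0.0
    for g in groups:
        spare = max(g.max_kbps - g.normal_kbps, 0.0)  # a saturated host adds nothing
        weight = g.online_hours / HOURS_PER_DAY if adjust_diurnal else 1.0
        total += spare * g.share * weight
    return total


def attack_capacity_gbps(per_bot_kbps: float, bot_count: int) -> float:
    """Aggregate DDoS capacity in Gbps (1 Gbps = 1e6 Kbps), for defence planning."""
    return per_bot_kbps * bot_count / 1e6


# Constructed populations: identical access-link mix, but botnet 2's hosts
# are online for fewer hours per day.
BOTNET_1 = [BotGroup("dial-up", 56, 6, 0.2, 12),
            BotGroup("dsl", 384, 84, 0.6, 24),
            BotGroup("cable", 1000, 200, 0.2, 18)]
BOTNET_2 = [BotGroup("dial-up", 56, 6, 0.2, 6),
            BotGroup("dsl", 384, 84, 0.6, 8),
            BotGroup("cable", 1000, 200, 0.2, 13.5)]

if __name__ == "__main__":
    for label, net in (("botnet 1", BOTNET_1), ("botnet 2", BOTNET_2)):
        raw, adj = available_bandwidth(net, False), available_bandwidth(net)
        print(f"{label}: {raw:.1f} Kbps/bot unadjusted, {adj:.1f} Kbps/bot adjusted")
    print(f"50k bots at 20 Kbps each: {attack_capacity_gbps(20, 50_000):.1f} Gbps")
```

Unadjusted, both constructed populations come out at 350 Kbps per bot; with the diurnal weight, botnet 2 drops to exactly half of botnet 1 (152.5 vs 305 Kbps), which is the kind of gap the slide describes.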
By Erlend Westbye