

[IEEE 2010 First International Conference on Pervasive Computing, Signal Processing and Applications (PCSPA 2010) - Harbin, China (2010.09.17-2010.09.19)]

An Improved Hybrid Peer-to-Peer Routing Algorithm

Yun Yang1, Guyu Hu3 Institute of Command Automation, PLAUST

Nanjing 210007. China. e-mail:[email protected]

Shize Guo2, Saisai Yu4 The Institute of North Electronic Equipment

Beijing 100083. China. e-mail: [email protected]

Abstract—Botnets have become a major threat to Internet security. To be prepared for future attacks it is not enough to study how to defend against the botnets that have already appeared; we should also study the advanced botnet designs that could be developed in the near future. In this paper we present an improved design of an advanced hybrid P2P routing algorithm. The first improvement treats servent bots and client bots differently: it introduces a connective table into the construction procedure of the P2P network and, combined with the concept of a Maximum Connective Degree (MCD), yields a self-adaptive routing algorithm that lets the P2P architecture reach well-balanced connectivity automatically. The second improvement uses a dual-channel mechanism to add a standby backdoor, which greatly enhances the robustness of the P2P network.

Keywords--botnet; MCD; routing table; sensor host; dual-channel; robustness;

I. INTRODUCTION

A botnet is a network of compromised computers (bots) connected to the Internet and controlled by a remote attacker (the botmaster) [1],[2]. The distinguishing feature of a botnet is its command and control mechanism [3]. Several botnets have reached populations of more than ten million bots: Mariposa (Spanish for "butterfly") was reported to control more than 14 million bots in 2008, and Conficker had at least 12 million bots in 2009. Botnets are thus a root cause of many network attack problems.

Classified by command and control mechanism, there are three main kinds of botnets. The first is the "C&C botnet" or "IRC botnet", in which bots connect directly to command and control servers (C&C or IRC servers). These servers receive commands from the botmaster and forward them to the other bots in the network. GT-Bot, Sdbot, Agobot and Spybot are typical IRC botnets [4]. The second is the HTTP botnet, which has the same functional architecture as the IRC botnet; the only difference is that the controller is built as a web server and bots use HTTP to register and communicate with it, which lets the traffic pass through firewalls more easily and makes it harder for an IDS to detect. Bobax, Rustock [5] and Clickbot [6] are typical HTTP botnets. Both IRC and HTTP botnets use a centralized control mechanism and therefore suffer from the single-node bottleneck problem: defenders can obtain the addresses of all servers by large-scale traffic analysis [7], or simply from a single captured bot.

The third type is the peer-to-peer botnet (P2P botnet), which uses a distributed architecture to maintain the whole botnet. Nodes in a P2P botnet are functionally symmetric and operate in a dynamic environment. Compared with IRC/HTTP botnets, P2P botnets are more fault-tolerant and self-healing. Typical P2P botnets include Slapper [8], Sinit, Phatbot and Nugache. They implement several kinds of advanced P2P control architectures, but each also has shortcomings as a robust botnet: Sinit uses a random-walk mechanism to find other bots, which generates extensive probing traffic; Phatbot uses the WASTE protocol, which scales poorly to large networks; Nugache relies excessively on a list of 22 seed nodes; and Slapper has neither encryption nor command authentication [9].

II. REVIEW OF AN ADVANCED HYBRID P2P BOTNET

An advanced hybrid P2P botnet is introduced in [9]. Based on the measurement results of Bhagwan et al. [10], its authors adopt the assumption that 50% of bots have dynamic addresses, 25% are not reachable from the Internet for other reasons, and 25% are reachable from the Internet.

On this assumption they divide bots into two groups. Nodes with static IP addresses that are reachable from the Internet are candidates for servent bots, which behave as both client and server. Nodes with DHCP-assigned or private IP addresses, or behind firewalls, that are not reachable from the Internet are client bots. In this model each bot has a peer list of fixed, limited size (called the "routing table" below) that contains only servents. Fig. 1 illustrates the command and control architecture of this hybrid P2P botnet. It has the following features:

A. Command control

The botmaster can inject commands, each carrying a unique ID, through any bot(s) in the botnet. It uses a report command to monitor the entire botnet and an update command to update the routing tables of all bots. Both client bots and servent bots actively contact the servent bots in their routing tables to retrieve commands. When a bot receives a command whose ID it has not seen before, it immediately forwards the command to all servent bots in its routing table.

B. Sensor host

A sensor host is a specific compromised machine that acts as a "delivery boy" between the botmaster and all bots in the botnet. For example, all bots report their state information to the sensor host when they receive a report command from the botmaster, and they also contact the sensor host to update their routing

2010 First International Conference on Pervasive Computing, Signal Processing and Applications

978-0-7695-4180-8/10 $26.00 © 2010 IEEE

DOI 10.1109/PCSPA.2010.281

112



tables when they receive an update command. The sensor host can be changed every time the botmaster injects a command.

Figure 1. Command and control architecture of hybrid P2P botnet.

C. Command authentication

With a standard public-key authentication process, the botmaster generates a key pair $\langle K^+, K^- \rangle$ and hard-codes the public key $K^+$ into the bot program before releasing it and building the botnet. Command messages sent by the botmaster are then digitally signed with $K^-$ to ensure their authenticity and integrity.

D. Individualized encryption key and service port

Each servent bot $i$ randomly generates its own symmetric encryption key $K_i$ and individualized service port $P_i$. Let the routing table of bot $A$ be $L_A$ and its routing-table space be $M$; [9] then constructs the routing table of $A$ as

$$L_A = \{(IP_{i_1}, K_{i_1}, P_{i_1}), (IP_{i_2}, K_{i_2}, P_{i_2}), \dots, (IP_{i_M}, K_{i_M}, P_{i_M})\} \quad (1)$$

where $(IP_{i_j}, K_{i_j}, P_{i_j})$ are the IP address, symmetric key and individualized listening port of bot $i_j$. With this expanded routing table the botnet strongly resists traffic-analysis systems [11] and hijacking attacks, since traffic to each servent uses a different key and a different port.

E. Botnet construction procedures

During botnet propagation, when a bot $A$ newly infects a bot $B$, $B$ receives a copy of $A$'s routing table; if $B$ is a servent bot, $A$ adds it to its own routing table, randomly replacing one entry if the table is full. In a reinfection scenario, bot $B$ replaces $R$ ($R \le M-1$) randomly selected entries in its routing table with $R$ entries from the routing table provided by $A$. Meanwhile, the botmaster uses the report and update commands to update the routing table of each bot; through this frequent operation the whole botnet reaches well-balanced connectivity, meaning that the degree distribution of all servent bots roughly follows a normal distribution.
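The construction rules just described, simulated as an added example (this is the editor's illustration, not code from [9] or from the authors): a botnet is grown with the new-infection and reinfection rules above, and the in-degree of each servent, the number of routing tables that list it, is counted. The 25% servent ratio and $M = 20$ with 21 initial servents are taken from the text; the value of $R$, the growth order (a uniformly random existing bot infects each new bot) and the number of reinfections are assumptions.

```python
import random

M = 20                # routing-table space, as in [9]
INITIAL = 21          # initial servent bots, as in [9]
SERVENT_RATIO = 0.25  # share of bots reachable from the Internet (Part II)
R = 5                 # entries replaced on reinfection, R <= M-1 (assumed value)


class Bot:
    def __init__(self, bot_id, servent):
        self.id = bot_id
        self.servent = servent
        self.table = []   # routing table: ids of servent bots only, at most M entries


def build_botnet(n_bots, n_reinfections, seed=1):
    """Grow a botnet with the new-infection and reinfection rules of [9].

    Assumption: each new bot is infected by an existing bot chosen uniformly at random."""
    rng = random.Random(seed)
    bots = [Bot(i, True) for i in range(INITIAL)]
    for b in bots:                                   # initial servents know each other
        b.table = [o.id for o in bots if o.id != b.id][:M]
    while len(bots) < n_bots:
        infector = rng.choice(bots)
        newbot = Bot(len(bots), rng.random() < SERVENT_RATIO)
        newbot.table = list(infector.table)          # new infection: B copies A's table
        if newbot.servent:                           # A learns the new servent B,
            if len(infector.table) >= M:             # replacing a random entry if full
                infector.table[rng.randrange(M)] = newbot.id
            else:
                infector.table.append(newbot.id)
        bots.append(newbot)
    for _ in range(n_reinfections):                  # reinfection: B takes R entries from A
        a, b = rng.sample(bots, 2)
        fresh = [e for e in a.table if e not in b.table and e != b.id]
        rng.shuffle(fresh)
        for slot, entry in zip(rng.sample(range(len(b.table)), min(R, len(fresh))), fresh):
            b.table[slot] = entry
    return bots


def in_degrees(bots):
    """Connective degree of each servent: how many routing tables list it."""
    deg = {b.id: 0 for b in bots if b.servent}
    for b in bots:
        for peer in set(b.table):
            deg[peer] += 1
    return deg


def degree_report(bots):
    """Summarize the degrees of the initial servents against all later ones."""
    deg = in_degrees(bots)
    initial = [deg[i] for i in range(INITIAL)]
    later = [d for i, d in deg.items() if i >= INITIAL]
    return {
        "bots": len(bots),
        "servents": len(deg),
        "initial_min": min(initial),
        "initial_max": max(initial),
        "later_max": max(later) if later else 0,
        "later_mean": sum(later) / len(later) if later else 0.0,
    }


if __name__ == "__main__":
    print(degree_report(build_botnet(2000, 500)))
```

Grown to two thousand bots, the 21 initial servents keep an in-degree close to the population size while every later servent stays far below them: copying an infector's table preserves the early servents' share of all table slots, and only the occasional random replacement erodes it. This is the imbalance that Section IV.C quotes from [9] for 20,000 bots.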

III. SOME SHORTCOMINGS OF THE FORMER P2P NETWORK

A. Risk of exposing the botnet topology through honey nodes

As described in [9], the botmaster frequently changes the routing tables of all bots to obtain better-balanced connectivity. This may expose the whole botnet topology: once defenders capture one or several bots with "honey" machines, they can collect the identities of all servent bots from the successive routing-table updates and thus learn the topology of the whole botnet.

B. Risk of detection at backbone nodes

The sensor host(s) used by the botmaster have distinctive traffic statistics: thousands of bots report their state information to the sensor host or fetch update information from it, creating a massive number of connections and a large volume of data on the Internet backbone. Although defenders cannot decrypt the packet contents, they can notice and analyse the many flows with similar behaviour, easily locate the IP addresses of all sensor hosts used by the botmaster, and use DNS redirection to interrupt communication or hijack the botnet temporarily.
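A defender-side check for the fan-in pattern described above, as an added example (not from the paper): flow records are aggregated per destination, and a destination contacted by many distinct sources with near-uniform flow sizes, as a sensor host receiving fixed-format state reports would be, is flagged, while a busy web server with widely varying response sizes is not. The record format, the addresses (from documentation ranges) and the thresholds are constructed here for illustration.

```python
import random
import re
import statistics
from collections import defaultdict

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


def parse_flows(lines):
    """Parse one flow record per line into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return flows


def find_fan_in_hubs(flows, min_sources=100, max_cv=0.1):
    """Flag (dst, dport) pairs contacted by at least min_sources distinct sources whose
    flow sizes are near-uniform (coefficient of variation <= max_cv): the shape a sensor
    host collecting fixed-format reports shows, unlike a web server serving varied pages."""
    sources = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        sources[(dst, dport)].add(src)
        sizes[(dst, dport)].append(nbytes)
    hubs = {}
    for key, srcs in sources.items():
        if len(srcs) < min_sources:
            continue
        mean = statistics.mean(sizes[key])
        cv = statistics.pstdev(sizes[key]) / mean if mean else 0.0
        if cv <= max_cv:
            hubs[key] = {"sources": len(srcs), "mean_bytes": round(mean), "cv": round(cv, 3)}
    return hubs


def constructed_flows(seed=7):
    """Constructed sample records (not real traffic); addresses from documentation ranges."""
    rng = random.Random(seed)
    lines = []
    for i in range(200):   # 200 distinct "bots" each posting a ~400-byte report
        lines.append(f"2010-09-17T10:00:{i % 60:02d} src=10.0.{i // 250}.{i % 250 + 1} "
                     f"dst=198.51.100.7 dport=8443 bytes={rng.randint(390, 410)}")
    for i in range(200):   # 200 visitors of an ordinary web server, varied response sizes
        lines.append(f"2010-09-17T10:00:{i % 60:02d} src=10.1.{i // 250}.{i % 250 + 1} "
                     f"dst=203.0.113.10 dport=80 bytes={rng.randint(200, 60000)}")
    for i in range(20):    # a small SSH fan-in, below the source threshold
        lines.append(f"2010-09-17T10:00:{i % 60:02d} src=10.2.0.{i + 1} "
                     f"dst=192.0.2.5 dport=22 bytes=512")
    return lines


if __name__ == "__main__":
    for key, info in find_fan_in_hubs(parse_flows(constructed_flows())).items():
        print(f"{key[0]}:{key[1]} {info}")
```

On real backbone data the two thresholds need tuning per link, and the size test should be complemented by timing (reports arrive in a burst after a report command) so that update mirrors and CDN nodes, which also show large fan-in, are not flagged.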

C. Risk of exposing the botmaster

Furthermore, once defenders obtain control of a sensor host by technical or non-technical means, or simply control an important node on the sensor host's routing path to the Internet, they can observe patiently for a few days; the botmaster may then be discovered from the security logs, the destination to which the massive data is transferred, and so on. That may mean the end of the botnet.

D. Traffic and balanced-connectivity problem

The improvement of balanced connectivity depends on the botmaster's diligent "update" work. Besides the traffic generated by this frequent operation, the connectivity does not improve noticeably as the botnet propagates, which remains a problem.

IV. IMPROVEMENTS ON THE ROUTING ALGORITHM

Considering the shortcomings of the P2P network discussed in Section III, we design a self-adaptive routing algorithm around the concept of a Maximum Connective Degree (MCD), which lets the P2P network architecture reach well-balanced connectivity automatically. The controller then need not adjust all bots' routing tables frequently during propagation, which also reduces redundant network traffic and greatly improves the confidentiality of the botnet.

A. New definitions

Define a new table $C_A$ to describe the connective state between a servent bot $A$ and the client bots that connect to it. $C_A$ differs from the routing table $L_A$ of (1), which describes the connective state between servent bot $A$ and the other servent bots it connects to. $C_A$ is designed for servent bots only, since client bots only report to servent bots



according to their $L_A$, so client bots have no $C_A$. Table $C_A$ records each client bot's IP address and the corresponding last access time, marked $T_{lastime}$; to hide the true identities of client bots, the IP addresses can be stored as hash values. (Note that an unkeyed hash of a 32-bit IPv4 address gives little protection, since the whole address space can be enumerated and hashed offline; a keyed hash with a secret known only to the servent is needed.) The space of $C_A$ is limited to $N$, which means that at most $N$ client bots can connect to one servent bot. $C_A$ is then constructed as

$$C_A = \{(Hash(IP_1), T^1_{lastime}), (Hash(IP_2), T^2_{lastime}), \dots, (Hash(IP_N), T^N_{lastime})\} \quad (2)$$

where $(Hash(IP_j), T^j_{lastime})$ are the hash value of the IP address and the last login time of client bot $j$.

Define the current Connective Degree $CD_i$ of bot $i$ as the number of connections from other bots to $i$ during the past period of time $T$. Obviously, every client bot has $CD_i$ equal to or smaller than the routing-table space $M$, while servent bots have a larger $CD_i$, because the hybrid P2P botnet relies on a core network built from the 25% of servent bots to control the 75% of client bots (these ratios are discussed in Part II).

Define the constant MCD as the Maximum Connective Degree of bot $A$; then $MCD = M + N$. From the definitions above we reach the following conclusion:

$$CD_A = |L_A| + |C_A| \le MCD = \begin{cases} M & \text{(client bots)} \\ M + N & \text{(servent bots)} \end{cases} \quad (3)$$

The routing table of bot $A$ from [9] is now improved as

$$L_A = \{(IP_{i_1}, K_{i_1}, P_{i_1}, CD_{i_1}), (IP_{i_2}, K_{i_2}, P_{i_2}, CD_{i_2}), \dots, (IP_{i_M}, K_{i_M}, P_{i_M}, CD_{i_M})\} \quad (4)$$

where $(IP_{i_j}, K_{i_j}, P_{i_j}, CD_{i_j})$ are the IP address, symmetric key, individualized listening port and current Connective Degree of bot $i_j$.

B. Construction procedure

The problem now is how to use the routing table, and especially the parameter $CD_{i_j}$, while constructing the botnet. We take an initial servent bot $A$ as the sample for analysis. At the beginning of propagation every initial bot has the same $CD$, equal to $M$, as designed by the botmaster. As the botnet propagates to a large scale, however, the bots in a routing table acquire different $CD$ values. So when bot $A$ receives a new connection from bot $B$, as described by the pseudocode in Fig. 2, bot $A$ operates as follows.

• First, bot $A$ checks $CD_A$, $L_A$ and $C_A$ separately and obtains some important parameters: a list of $R$ bots suitable to send to bot $B$, and the bot $H$ with the maximum $CD_H$ in $L_A$.

• Then bot $A$ sends the list of $R$ bots to bot $B$ in any case, and checks whether and how to insert bot $B$ into $L_A$.

• If $CD_A = MCD$, bot $A$ already has $N$ client bots. So if bot $B$ is a client bot, bot $A$ just tells $B$ to delete $A$ from $L_B$. If bot $B$ is a servent bot, $CD_B$ is compared with $CD_H$: if $CD_B > CD_H$, bot $A$ does nothing; if $CD_B < CD_H$, bot $A$ replaces bot $H$ with bot $B$, which reduces the load on bot $H$.

• If $CD_A < MCD$, $C_A$ is not full of client bots and bot $A$ still has capacity to accept new connections. So if bot $B$ is a client bot, bot $A$ accepts it and enrols its IP address and last login time in $C_A$. If bot $B$ is a servent bot, bot $A$ exchanges bot $B$ and bot $H$ in the same way as in the case $CD_A = MCD$.

Furthermore, if we consider all servent bots in $L_A$ together with the client bots they control as an autonomous domain, the domain has a capacity of $(M+N) \times M$ bots, so the exchange above reduces the overload and traffic within this domain and finally improves the global balance of the botnet.

Figure 2. The pseudocode describing how bot A deals with an incoming connection.
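The connection-handling rule of Section IV.B in working form, as an added example written for this page (it is not the pseudocode of Fig. 2, which is not reproduced here). $M = 25$ and $N = 175$ follow Section IV.C; the value of $R$, the window $T$ after which an idle client leaves $C_A$, the choice of the $R$ least-loaded servents as the list sent to $B$, the insertion of $B$ into a routing table that still has a free slot, and the keyed hash (HMAC with a per-servent secret, so that stored values cannot be recovered by enumerating the IPv4 space) are assumptions added here.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field

M = 25        # routing-table space, Section IV.C
N = 175       # client-table space, Section IV.C
MCD = M + N   # maximum connective degree of a servent, eq. (3)
R = 5         # number of entries handed to a connecting bot (assumed value)
T = 3600.0    # seconds after which an idle client leaves C_A (assumed window)


@dataclass
class Entry:
    ip: str
    key: bytes   # individualized symmetric key K_i
    port: int    # individualized service port P_i
    cd: int      # current connective degree CD_i, as advertised by that servent


@dataclass
class Servent:
    ip: str
    L: dict = field(default_factory=dict)   # L_A: ip -> Entry, servents only, eq. (4)
    C: dict = field(default_factory=dict)   # C_A: Hash(IP) -> T_lastime, eq. (2)
    secret: bytes = field(default_factory=lambda: os.urandom(16))  # key for hash_ip

    def cd(self):
        return len(self.L) + len(self.C)    # eq. (3): CD_A = |L_A| + |C_A| <= MCD


def hash_ip(a, ip):
    # Keyed hash (hardening added here): a plain hash of an IPv4 address could be
    # inverted by enumerating all 2^32 addresses.
    return hmac.new(a.secret, ip.encode(), hashlib.sha256).hexdigest()[:16]


def expire_clients(a, now):
    """Keep C_A to the last period T, so CD_A counts only recent connections."""
    for h, last in list(a.C.items()):
        if now - last > T:
            del a.C[h]


def handle_connection(a, b_ip, b_is_servent, b_cd, now, b_key=b"", b_port=0):
    """Apply the Section IV.B rule when bot B connects to servent A.

    Returns (action, offered), where offered is the list of R entries sent to B."""
    expire_clients(a, now)
    # Step 1: the R least-loaded servents of L_A (assumed choice) and the most loaded one, H
    offered = sorted(a.L.values(), key=lambda e: e.cd)[:R]
    h_ip = max(a.L, key=lambda ip: a.L[ip].cd) if a.L else None
    # Step 2: the list goes to B in any case; then decide whether and how to insert B
    if not b_is_servent:
        if len(a.C) >= N:            # CD_A = MCD once L_A is also full: A is saturated
            return "tell B to delete A from L_B", offered
        a.C[hash_ip(a, b_ip)] = now  # enrol hashed IP and last login time
        return "client accepted", offered
    if b_ip in a.L:                  # known servent: just refresh its advertised CD
        a.L[b_ip].cd = b_cd
        return "servent refreshed", offered
    entry = Entry(b_ip, b_key, b_port, b_cd)
    if len(a.L) < M:                 # free slot (case not covered by the text; assumed)
        a.L[b_ip] = entry
        return "servent inserted", offered
    if b_cd < a.L[h_ip].cd:          # B is less loaded than H: swap H out, unloading H
        del a.L[h_ip]
        a.L[b_ip] = entry
        return f"servent replaced {h_ip}", offered
    return "nothing", offered        # CD_B > CD_H: keep the table as it is


if __name__ == "__main__":
    a = Servent("192.0.2.1")
    for i in range(M):
        a.L[f"198.51.100.{i + 1}"] = Entry(f"198.51.100.{i + 1}", b"k", 8000 + i, 100 + i)
    for i in range(N):
        a.C[hash_ip(a, f"10.0.{i // 250}.{i % 250 + 1}")] = 1000.0
    print(a.cd() == MCD, handle_connection(a, "10.9.9.9", False, 3, now=1000.0)[0])
    print(handle_connection(a, "203.0.113.5", True, 50, now=1000.0)[0])
```

A saturated servent ($CD_A = MCD$) turns a client away and swaps in a servent only when it is less loaded than the heaviest entry $H$, so every accepted swap lowers the maximum degree seen from $A$; once idle clients age out of $C_A$, new clients are accepted again without any update command from the botmaster.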



C. Performance analysis

In [9] the authors assume a routing-table size $M = 20$ and a botnet that stops growing at 20,000 bots; each of the 21 initial servent bots then has a degree between 14,000 and 17,500. After their "peer-list updating" operation, the first 1,000 servent bots used in the update have balanced connection degrees ranging from 300 to 500, while the other 4,000 servent bots still have small degrees, so the botnet architecture as a whole is still unbalanced. Moreover, frequent use of the update command may generate massive redundant network traffic, which makes the botnet easier for defenders to detect.

Since we have no real Internet environment in which to test the accuracy of the improved routing algorithm, we select $M = 25$ and $N = 175$ for our analysis and build a local area network of 10 computers: one ordinary host with 2 Mbit/s bandwidth is designated to run an HTTP server listening on port 80, and the other 9 hosts act as client bots, each running a packet sender with 20 threads that send HTTP requests to the server every 2 seconds. We observed that the server handled the $9 \times 20 = 180$ parallel requests from the network without interruption and with ease.

We therefore infer that the improved botnet in our analysis scenario can work well. The autonomous domain around an initial servent bot $A$ holds 200 bots, and the larger domain around the routing table $L_A$ holds $(25 + 175) \times 25 = 5000$. Since MCD and $N$ are fixed, the capacity of a single domain is strictly limited to 5000 and each bot has at most 200 connections, which greatly reduces the risk of single-node problems caused by CPU and bandwidth overload and makes the whole P2P botnet tend toward a flat structure. In this way we greatly reduce the network traffic between bots and improve the balanced connectivity automatically.

V. DUAL-CHANNEL MECHANISM

Although the botnet in [9] uses a self-determined service port for incoming connections from other bots, e.g. DNS port 53 or SSH port 22, this does not provide good security. If the owner of the system notices attempts to reach an unexpected destination, the bot program can be detected simply with a firewall, and then, with the help of a redirecting gateway, the defender can find the hidden port listening on the computer.

We suggest a dual-channel mechanism that adds a standby backdoor: first open one common port and use it to communicate with other bots, then open another common port as a standby.

For bots that cannot be reached from the Internet, the second port does nothing but wait for commands from the botmaster unless the first port is detected by the defender. This method enhances the robustness of the botnet.

For bots with global IP addresses that can be reached from the Internet, this method can be used to initialize a "second backdoor": the botmaster stores the (IP, port) pairs in a database and uses a random-walk mechanism to probe these static backdoors and activate them immediately, which improves the concurrent attack efficiency of the botnet.

VI. CONCLUSION

Botnets are today the largest threat to Internet security, and more and more people are researching them and trying to deal with them. The P2P network architecture is the main factor affecting the robustness of a botnet. In this paper we compared the three types of botnet command and control mechanism, presented an improved design of an advanced hybrid P2P routing algorithm, and analysed its performance within the autonomous domain. Research on botnet detection, and on using this P2P architecture in public P2P services, may be a direction for future work.

ACKNOWLEDGMENT

We thank Dr. Guangyu Kang for his helpful comments, which improved this paper.

REFERENCES

[1] E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets," in Proceedings of SRUTI: Steps to Reducing Unwanted Traffic on the Internet, July 2005.

[2] A. Ramachandran, N. Feamster, and D. Dagon, “Revealing botnet membership using dnsbl counter-intelligence,” in USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06), June 2006.

[3] Rajab MA, Zarfoss J, Monrose F, Terzis A. A multifaceted approach to understanding the botnet phenomenon. In: Almeida JM, Almeida VAF, Barford P, eds. Proc. of the 6th ACM Internet Measurement Conf. (IMC 2006). Rio de Janeiro: ACM Press, 2006. 41-52.

[4] Barford P, Yegneswaran V. An inside look at botnets. In: Christodorescu M, Jha S, Maughan D, Song D, Wang C, eds. Advances in Information Security, Malware Detection, Vol. 27.Springer-Verlag, 2007.

[5] Chiang K, Lloyd L. A case study of the rustock rootkit and spam bot. In: Proc. of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots 2007). 2007.

[6] Daswani N, Stoppelman M, the Google Click Quality and Security Teams. The anatomy of Clickbot.A. In: Proc. of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots 2007). 2007.

[7] J. R. Binkley and S. Singh, “An algorithm for anomaly-based botnet detection,” in USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06), June 2006.

[8] Arce I, Levy E. An analysis of the slapper worm. IEEE Security & Privacy, 2003,1(1):82-87.

[9] Wang P, Sparks S, Zou CC. An advanced hybrid peer-to-peer botnet. In: Proc. of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots 2007). 2007.

[10] R. Bhagwan, S. Savage, and G. M. Voelker, "Understanding availability," in Proceedings of the 2nd International Workshop on Peer-to-Peer Systems (IPTPS), February 2003.

[11] Y. Chen. (2006) IRC-based botnet detection on high-speed routers. ARO/DARPA/DHS Special Workshop on Botnet.
