Sybil attacks as a mitigation strategy against the Storm botnet
Authors: Carlton R. Davis, José M. Fernandez, Stephen Neville†, John McHugh
Presenter: Chia-Li Lin
Outline
Introduction
Storm botnet
  DHT
  k-buckets and lists
  Dynamic lists
  Four message types
Sybil attack
  Goals and parameters
  Simulation data
  Fail factor
Conclusion
Introduction
The Storm botnet is currently one of the most sophisticated botnet infrastructures.
IRC bots are easy to detect and disrupt once the C&C server is identified.
Peer-to-peer (P2P) bots are more resilient, since there is no single server to take down.
Storm Botnet
Storm uses a modified Overnet P2P protocol for its communication architecture.
The main difference between the Storm infrastructure and the regular Overnet P2P network is that Storm nodes XOR-encrypt their messages using a 40-bit encryption key.
Regular Overnet nodes do not encrypt their messages.
DHT
Overnet implements a distributed hash table algorithm called “Kademlia”
Each node participating in an Overnet network generates a 128-bit ID for itself when it first joins the network.
k-buckets and lists
Each node in an Overnet network stores contact information about some of the other nodes in the network, in order to route query messages appropriately. This information is organised in lists.
The lists hold (IP address, UDP port, ID) triplets.
A triplet is written as <ID>=<IP><port>00, where <ID> is the 128-bit node ID and <IP><port>00 is the IP address and UDP port in hexadecimal format.
Example: 008052D5853A3B3D2A9B84190975BAFD=53855152054A00
Dynamic k-bucket (lists)
When a node receives a message from a peer:
- If the peer is already in the recipient's k-bucket, move it to the tail of the k-bucket.
- Otherwise, if there is room left in the k-bucket, the peer's triplet is simply added to the tail of the k-bucket.
- If there is no room left, ping the head node:
  - If the head node does not respond, it is evicted from the k-bucket and the recipient adds the peer to the tail.
  - If all nodes respond, the peer's contact is discarded.
Four Message Types
The Kademlia protocol (which Overnet implements) provides the four message types outlined below:
PING: check whether a node is on-line
STORE: store a <key, value> pair
FIND_NODE: search for a node ID
FIND_VALUE: search for a <key, value> pair
Sybil Attack
Holz, Steiner, Dahl, Biersack, and Freiling presented "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm", showing how to use sybils to infiltrate the Storm botnet.
Their approach is able to create thousands of sybils on a single physical machine.
Simulation step
(a) Send PING, FIND_NODE, and FIND_VALUE messages to non-sybil nodes in an attempt to get the sybils' IDs into the peer lists of those nodes.
(b) Respond to FIND_NODE and FIND_VALUE queries with false information.
Three Goals
What effect does the Sybil growth rate have when it is: a) equal to the botnet growth rate, b) half the botnet growth rate, c) twice the botnet growth rate?
What effect does the time duration of the Sybil attack have on the degree of success in disrupting the botnet communication?
Do botnet design choices, such as the size of the peer list, have any bearing on the effectiveness of the Sybil attack?
R-Reachability
Used to assess the effectiveness of the Sybil attack in disrupting the botnet C&C infrastructure.
Insertion Ratio of Sybils
IR = SI / (N × l), where:
IR: insertion ratio of sybils in the peer lists
SI: total occurrences of sybils in the peer lists
N: the final number of nodes
l: the peer-list size
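As an added illustration (not code from the paper or from the presentation), the script below combines the k-bucket update rule from the "Dynamic k-bucket" slide with the insertion-ratio formula above: it shows why a sybil can only claim a slot that a silent bot has freed. The `is_alive` callback (standing in for a PING round-trip), the bot/sybil naming and the scenario in `simulate` are constructed assumptions.

```python
from collections import OrderedDict

class KBucket:
    """Peer list (k-bucket) updated by the Kademlia/Overnet rule on the slides.
    Peers are (ip, udp_port, node_id) triplets; head = least recently seen.
    `is_alive` is an assumed callback standing in for a real PING round-trip."""

    def __init__(self, size, is_alive):
        self.size, self.is_alive = size, is_alive
        self.peers = OrderedDict()          # keyed by node_id, insertion order

    def update(self, peer):
        node_id = peer[2]
        if node_id in self.peers:           # already known: move to tail
            self.peers.move_to_end(node_id)
            return "moved"
        if len(self.peers) < self.size:     # room left: append at tail
            self.peers[node_id] = peer
            return "added"
        head = next(iter(self.peers))
        if self.is_alive(self.peers[head]): # head answers the PING: keep it
            return "discarded"              # and drop the newcomer
        del self.peers[head]                # head silent: evict it, add newcomer
        self.peers[node_id] = peer
        return "evicted"

def insertion_ratio(peer_lists, is_sybil, l):
    """IR = SI / (N * l): sybil occurrences over all peer-list slots."""
    si = sum(1 for pl in peer_lists for p in pl.peers.values() if is_sybil(p))
    return si / (len(peer_lists) * l)

def is_sybil(peer):
    return peer[2].startswith("S")          # constructed naming convention

def simulate(l=4, n_nodes=3):
    """Constructed scenario: 4 bots (B0 is offline) fill every peer list of
    size l before 3 sybils start pinging; returns the resulting IR."""
    alive = {"B1", "B2", "B3", "S1", "S2", "S3"}
    lists = [KBucket(l, lambda p: p[2] in alive) for _ in range(n_nodes)]
    bots = [("10.0.0.%d" % i, 1354, "B%d" % i) for i in range(4)]
    sybils = [("192.0.2.%d" % i, 1354, "S%d" % i) for i in range(1, 4)]
    for pl in lists:
        for b in bots:
            pl.update(b)
        for s in sybils:                    # only the slot freed by dead B0
            pl.update(s)                    # can be taken: 1 sybil per list
    return insertion_ratio(lists, is_sybil, l)

if __name__ == "__main__":
    print("IR =", simulate())               # 3 / (3 * 4) = 0.25
```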
Parameters
Sybil birth rate (SBR) varies from 0 to 2 times the net botnet growth rate (BGR)
Peer-list sizes l ∈ {100, 200, 300}
Time-steps ∈ {10, 20, 30}
R-Reachability (r = 1 radius)
Simulation Data [1/2]

r = 1 radius, l = 200, time-step = 10
SBR/BGR  total sybils  insertion ratio (IR)  standard deviation
0.5      1000          4.22%                 0.5123%
1        2000          8.34%                 0.5293%
2        4000          15.43%                0.8730%

r = 1 radius, l = 200, time-step = 30
SBR/BGR  total sybils  insertion ratio (IR)  standard deviation
0.5      3000          10.53%                0.5422%
1        6000          18.67%                0.6922%
2        12000         30.94%                1.2172%

r = 1 radius, l = 200, time-step = 20
SBR/BGR  total sybils  insertion ratio (IR)  standard deviation
0.5      2000          7.88%                 0.6078%
1        4000          14.34%                0.6668%
2        8000          24.82%                1.0678%

r = 1 radius, l = 100, time-step = 20
SBR/BGR  total sybils  insertion ratio (IR)  standard deviation
0.5      2000          7.62%                 0.8577%
1        4000          13.94%                1.2987%
2        8000          24.74%                1.6265%

r = 1 radius, l = 300, time-step = 20
SBR/BGR  total sybils  insertion ratio (IR)  standard deviation
0.5      2000          7.88%                 0.6050%
1        4000          14.35%                0.9602%
2        8000          24.83%                0.7827%
Simulation Data [2/2]
Fail Factor
- Fault-tolerant voting schemes
- Fastest response path and time
- Detectable by the botnet operators
Fastest Response Path
Conclusion
The Sybil attack is not very efficient at mitigating the Storm worm peer-to-peer botnet.