Sybil attacks as a mitigation strategy against the Storm botnet

1. Sybil attacks as a mitigation strategy against the Storm botnet Authors:Carlton R. Davis, Jos´e M. Fernandez, Stephen Neville†, John McHugh Presenter: Chia-Li Lin

2. Outline • Introduction • Storm botnet • DHT • k-buckets && lists • Dynamic lists • Four message types • Sybil attack • Goalsand parameter • Simulation Data • Fail Factor • Conclution

3. Introduction The Storm botnet is currently one of the most sophisticated botnet infrastructures. • IRC bot • easy to detect and disrupt once the server is identified • peer-to-peer (P2P) bot • more resilient

4. Storm Botnet • Storm uses a modified Overnet P2P protocol for its communication architecture. • The main difference between the Storm and overnet P2P infrastructure • Overnet P2P network is that Storm nodes XOR encrypts their messages using a 40-bit encryption key • The regular Overnet nodes do not encrypt their messages

5. DHT • Overnet implements a distributed hash table algorithm called “Kademlia” • Each node participating in an Overnet network generates a 128-bit ID for itself when it first joins the network.

6. k-buckets and lists • Each node in an Overnet network stores contact informationabout some of the other nodes in the network, in orderto appropriately route query messages. This information isorganised in lists • Lists of (IP address, UDP port, ID) triplets • The triplets are in the form <ID>=<IP><port>00 • <ID> is the 128-bit node ID • <IP><port>00 is the IP address and UDP port in hexadecimal format format:008052D5853A3B3D2A9B84190975BAFD=53855152054A00

7. Dynamic k-bucket (lists) • If a peer is already in the recipient k-bucket • Move it to the tail of the k-bucket. • Otherwise • If there are rooms left in the k-bucket, the peer’s triplet is simply added to the tail of the k-bucket. • If there is no room left, ping the head node • If a node does not respond, it is evicted from the k-bucket and the recipient adds the peer to the tail. • If all nodes respond, the peer contact is discarded.

8. Four Message Types The Kademlia protocol (which Overnet implements) provides the four message types outlined below: • PING: if it is on-line • STORE: store a <key, value> pair • FIND_NODE: search for a node ID • FIND_VALUE: search for a <key, value> pair

9. Sybil Attack • Holz, Steiner, Dahl, Biersack, and Freiling presented “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm” showing how to use sybils to infiltrate the Storm botnet. • That is able to create thousands of sybils on one single physical machine

10. Simulation step (a) Send PING, FIND_NODE, and FIND_VALUE messages to non-sybil nodes in attempt to get their IDs in the peerlist of the nodes (b) Respond to FIND_NODE and FIND_VALUE queries with false information

11. Three Goals • What effects do Sybil growth rate is : • equal to the botnet growth rate • half the botnet growth rate • twice the botnet growth rate • What effects do time duration of Sybil attacks have on the degree of success in disrupting the botnet communication • Do botnet design choices, such as the size of the peerlist, have any bearing on the effectiveness of the Sybil attacks

12. R-Reachability • To assess the effectiveness of the Sybil attack in disrupting the botnet C&C infrastructure

13. Insertion Ratio of Sybils • (IR) : insertion ratio of sybils in the peer-lists • (SI) : the total occurrences of sybils in the peer-lists • (N) : the product of the final number of nodes • (l) : the peer-list size

14. Parameter • Sybil birth rate (SBR) varies • from 0 to 2 times the net botnet growth rate (BGR) • Peer list sizes l {100, 200, 300} • Time-steps {10, 20, 30} • R-Reachability (r = 1 radius)

15. Simulation Data[1/2]

16. Simulation Data[2/2]

17. Fail Factor • Fault tolerant voting schemes • Fastest response pathand time • Detectable by the botnet operators

18. Fastest Response Path

19. Conclution • Sybil atack is not very efficientto mitigate Storm worm peer-to-peer botnet.