Improve DDoS Botnet Tracking With Honeypots

DDoS botnet tracking can be used to watch botnet-assisted attacks in real time, together with details such as the botnet families, C&C servers, attack types, and attack parameters. Such information helps us understand current DDoS attacks and improve existing detection and mitigation solutions. To achieve better tracking, we need to figure out: 1) what coverage the tracked attacks have of the real ones; 2) how many active DDoS bot families are still outside our telescope.
To answer those two questions, we need both the real attacks and a method to correlate them with the botnet families (or attack tools) used. Our studies show that DDoS bots differ from each other not only in their C&C protocols but also, in most cases, in their packet generating algorithms (PGAs for short), which the bots use to generate the enormous number of attack packets according to the commands they receive. Therefore, it is possible to boil the observed attacks down to bot families by analyzing their PGAs.
In this presentation, I will talk about how to use honeypots to collect real DDoS attacks with spoofed source IPs. The method for breaking down a PGA, as well as the techniques for profiling a PGA from the collected attack packets, will be introduced. In the final part, I will present some real examples we have found.
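To make the PGA-profiling idea concrete, here is an added example (not code from the talk or from Qihoo 360) that summarises how each header field behaves across a flood captured by a honeypot and matches that summary against per-family signatures. The sample flood, the field names and the two signatures are constructed for illustration; real signatures come from analysing each family's actual PGA.

```python
# Constructed sample flood (not real capture data): each tuple is one packet
# seen by the honeypot, as (spoofed src, ip_id, ttl, src port, tcp seq).
SAMPLE_FLOOD = [
    ("10.%d.%d.%d" % (i % 255, (i * 7) % 255, (i * 13) % 255),
     0x1234,             # IP ID never changes: a typical PGA tell
     64,                 # TTL fixed
     1024 + i,           # source port incremented per packet
     0)                  # TCP seq always zero
    for i in range(200)
]

def field_behaviour(values):
    """Classify how one header field behaves across the flood."""
    distinct = len(set(values))
    if distinct == 1:
        return "constant"
    diffs = {b - a for a, b in zip(values, values[1:])}
    if diffs == {1}:
        return "incrementing"
    if distinct >= 0.9 * len(values):
        return "random"
    return "mixed"

FIELDS = ("ip_id", "ttl", "sport", "seq")

def profile_pga(packets):
    """Summarise each header field's behaviour; the spoofed src is ignored."""
    columns = list(zip(*packets))[1:]
    return {name: field_behaviour(col) for name, col in zip(FIELDS, columns)}

# Hypothetical signatures for two made-up families.
SIGNATURES = {
    "family_A": {"ip_id": "constant", "ttl": "constant",
                 "sport": "incrementing", "seq": "constant"},
    "family_B": {"ip_id": "random", "ttl": "constant",
                 "sport": "random", "seq": "random"},
}

def attribute(profile, signatures=SIGNATURES):
    """Return (family, matched fields) for the best signature, else unknown."""
    best, best_score = "unknown", 0
    for family, sig in signatures.items():
        score = sum(profile.get(k) == v for k, v in sig.items())
        if score > best_score:
            best, best_score = family, score
    return best, best_score

if __name__ == "__main__":
    print(profile_pga(SAMPLE_FLOOD), attribute(profile_pga(SAMPLE_FLOOD)))
```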

Ya Liu
Malware analyst, botnet researcher @ Network Security Research Lab, Qihoo 360