Study of the Honeypot-Aware Peer-to-Peer Botnet and Its Feasibility

The research objective of this project is to investigate one possible advanced botnet – honeypotaware peer-to-peer (P2P) botnet: verifying our analysis of the propagation of a honeypot-aware P2P botnet, and then showing the feasibility of developing a such botnet in terms of its propagation effectiveness. A “botnet” is a network composed of compromised computers (“bots”) on the Internet, that are under control of a remote attacker (“botmaster”). Botnets have become one of the most significant threats to today’s Internet. Most of the current botnets are centralized botnets, such as IRC-based botnets. All the bots are connecting to a central authority to get botmaster’s commands. However, in recent years, P2P botnets have emerged. They leverage existing P2P protocols and networks for either bootstrapping onto a hierarchical command and control (C&C) network or command and control directly. With the good feature of P2P networks, that is the resilience to “churn” (the network dynamics caused by node leaving and joining), P2P botnets are more robust than centralized botnets, because the losing a couple of bots will not bring much impact on a P2P botnets, while the C&C communication will be disrupted if a central server in a centralized botnet is captured and shutdown by defenders. Therefore P2P botnets have made the situation even worse. On the other hand, honeypots and honeynets are effective detection and defense techniques, and hence there has been much recent research in this area [20, 12, 15, 7, 24]. And in the meantime, attacker have started to develop anti-honeypot approaches, such as [17, 9]. It is highly possible that attackers would integrate honeypot detection techniques with P2P botnets, and come up with honeypot-aware P2P botnets, in order to prevent their botnets from being infiltrated and monitored. So to better prepare for the future, we propose a general hardwareand softwareindependent honeypot detection, and its implementation in P2P botnets. To show the feasibility of developing a such botnet, we model and analyze the botnet propagation time delay caused by honeypot detection, and compare it with a P2P botnet without the capbility of honeypot detection. Our conclusion drew from the numerical results is positive. But to be more convincing and further our research, we would like to perform simulation experiments on real machines in a distributed environment, which is exactly what PlanetLab [3] provides.