Böck, Leon (2024)
On IP-Based Botnet Measurements.
Technische Universität Darmstadt
doi: 10.26083/tuprints-00024761
Dissertation, first publication, publisher's version
Abstract
Botnets allow cybercriminals to conduct crippling Distributed Denial of Service (DDoS) attacks, distribute ransomware, and perform many other attacks. To mitigate the damage from botnet attacks, defenders observe and record botnet traffic in a process called botnet tracking. Defenders use the gathered information to take down the botnet itself or defend against attacks originating from the botnet. Botnet tracking measurements typically rely on IP addresses as identifiers of infected devices. This reliance on IP addresses is problematic, as Internet Service Providers (ISPs) frequently reassign IP addresses to different users. Furthermore, multiple devices may share a single public IP address due to the shortage of IP addresses. The lack of unique and long-term identifiers plagues botnet measurements with uncertainty. Furthermore, IP addresses are commonly considered Personally Identifiable Information (PII), raising privacy-related concerns about the lawfulness of collecting and processing botnet tracking data. In this thesis, we make four contributions that allow us to conduct more accurate botnet measurements based on IP addresses and improve our understanding of the quality and limitations of these measurements. First, we introduce a novel approach for estimating a botnet’s size, called Considering Address Reassignment Duration when Counting (CARDCount). State-of-the-art approaches rely on counting unique IP addresses, leading to inaccurate estimates due to bots being assigned multiple IP addresses over time. The idea of CARDCount is to use statistical distributions of IP address assignments to account for multiple IP address assignments. We show that CARDCount provides substantially more accurate estimates than the state-of-the-art in several real-world evaluations. Second, we describe a measurement study that we conducted to analyze modern IoT botnets’ (dis-)similarities. 
For that, we implemented a novel system to uniformly and collaboratively measure multiple botnets. In an eight-month measurement study, we found that modern IoT botnets strongly deviate in their characteristics. We used the IP addresses to group bots based on their AS and country to identify possible reasons for the deviations. This grouping allowed us to identify the influence of demographics on a bot’s lifetime, churn, and response behavior. These findings show that modern IoT botnets evolved from the once canonical IoT botnet Mirai. Furthermore, the differences in demographics highlight that not all bots provide the same utility, e.g., the availability to conduct DDoS attacks. Therefore, in addition to size, one should consider a botnet’s demographics and the resulting impact on bot lifetime, availability, and responsiveness. Third, we conducted simulations to investigate the recent development of anti-tracking mechanisms and their impact on botnet tracking operations. We assumed a worst-case scenario where botmasters could detect any deviation from regular bot behavior. For our evaluation, we developed a purpose-built botnet simulation framework to simulate thousands of possible scenarios and configurations. We found that anti-tracking mechanisms can require a hundredfold increase in available IP addresses to track a botnet successfully. However, developing distributed and collaborative tracking mechanisms could reduce the resource requirements of defenders. Fourth, we address the interdisciplinary question of the lawfulness of botnet tracking under the GDPR. We established that the GDPR does apply to botnet tracking. Furthermore, we identified legal grounds for botnet tracking conducted by industry, ISPs, and research in the public interest. We found that research in the public interest is most flexible, while ISPs are most restricted concerning the techniques used to conduct, and the data collected during, botnet tracking.
Furthermore, we provided practical guidelines for each party to minimize the possible impact on the privacy of an infected device’s owner. Overall, this thesis makes several contributions that improve our understanding of botnet measurements based on IP addresses and our capabilities to perform more accurate measurements. While in parts of our work we focused on current threats (the Hajime, Mirai, and Mozi botnets), we consistently aimed to make our contributions as general as possible so that they remain applicable to future botnets. Ultimately, the tools and insights presented in this thesis provide defenders with an edge in the fight against botnets now and in the future.
| Field | Value |
|---|---|
| Entry type | Dissertation |
| Published | 2024 |
| Author(s) | Böck, Leon |
| Kind of entry | First publication |
| Title | On IP-Based Botnet Measurements |
| Language | English |
| Referees | Mühlhäuser, Prof. Dr. Max; Levin, Prof. Dr. Dave |
| Date of publication | 11 January 2024 |
| Place | Darmstadt |
| Collation | xix, 249 pages |
| Date of oral examination | 26 October 2023 |
| DOI | 10.26083/tuprints-00024761 |
| URL / URN | https://tuprints.ulb.tu-darmstadt.de/24761 |
| Status | Publisher's version |
| URN | urn:nbn:de:tuda-tuprints-247617 |
| Dewey Decimal Classification (DDC) subject group | 000 General, computer science, information science > 004 Computer science |
| Department(s)/division(s) | 20 Department of Computer Science > Telecooperation; Profile Areas > Cybersecurity (CYSEC) |
| Date deposited | 11 Jan 2024 13:03 |
| Last modified | 18 Jan 2024 12:41 |