1. Introduction

2. What Are Botnet Attacks?

2.1. Toolkit of a Botnet Lifecycle

• “Bot – ‘Zombified’/Infected machine that waits for commands from the Botmaster.
• Botnet – A network/web of bots under control of the Botmaster and used for individual or group purposes, they are essentially a ‘horde’ of zombie computers.
• C&C – Command and Control channel which the Botmaster uses to contact the bots under their control.
• IRC – Internet Relay Chat, used commonly on the internet and provides one to one/one to many instant messaging, with different channels for each network over a varying set of subjects.” [10,12] (1)

Figure 1. Steps taken to ‘infect’ other Computers and create new Botnets [13].

Figure 1. Steps taken to ‘infect’ other Computers and create new Botnets [13].

2.3. Evaluation of a Recent Botnet Attack

Now let’s take a look at one of the best examples of botnet ‘invasions’ from recent years with the newly acquired understanding. One of the most well-known botnet attacks was the ‘Mirai’ botnet, which overwhelmed the internet from September 2016 and onwards. [6] The Mirai Botnet has been described as a ‘outbreak’, calling back to the multiple times botnet is described as a zombification of computers, when looking at the statistics of the time, it can be seen that the botnet infected approximately 65,000 IoT devices in the first 20 hours of its ‘invasion’. Overwhelming the servers and creating irreparable damage. [6]

From what we’ve learned so far, how did they manage to do this? By attaching malware to their network of bots, the Mirai botnet was successful with DDoS attacks, they were able to target “DNS provider Dyn and Lonestar Cell, a Liberian telecom.” [5] This was because they were being fed information through a unique set of code with a network telescope, giving them eyes to see hundreds of thousands of lines. Tracking their hosts from afar. “On average, the network telescope received 1.1 million packets from 269,000 IP addresses per minute during this period.” [6,16].

Calling back again to a previous statement, we see now how they got their information, when they were collecting it from the ‘network telescope’, Mirai Botnets were sifting through a network known as Merit Network over a seven-month period. Lasting from July 18, 2016, to February 28, 2017 [6] Knowing this, it is plain to see just how they found their hosts, the botnets lied in wait for the perfect moment to strike from months of preparation from the attacker’s/hosts, before being sent out to properly commence orders by the bot herders/ bot masters [18]. Infiltrating an entire company from malware expansion, all high profile. They were able to control and a good chunk of information. From this, we can deduct that bots are harmful on their own, and even doubly so when given tools. I.E ‘network telescope’.

Figure 3. Mirai Operation visualised. [6].

Figure 3. Mirai Operation visualised. [6].

Taking some time to look at the diagram (3) we can see it follows a similar hierarchy to the ones previously spoken of when we compare back. However, there is small changes that show their bots worked during the initial incursions.

Mirai bots scan for the IPv4 server, and use a hardcoded dictionary of IoT credentials stolen from other compromised computers, when successfully logged in, it ‘reports’ back and sends for a loader(malware) to infect the device, creating another bot. [6] The only way it lacks difference is when calling back to what we previously established, there was no prime directive, but here within the Mirai Botnets we can see there is a motive. They had pre-planned and adjusted the bots for invasion.

3. Botnet Detection Avoidance

4. How Can We Defend Against Botnets

4.1. Defending against the Mirai Botnet

There are many different ways to defend against Botnets, and different uses of 3^rd party approved software guaranteed to protect your computer from being compromised by the ‘horde’ of bots. First, let’s look back at the set of problems we first faced and analyzed in section II subject C.

Mirai exploited open ports with hard-coded credentials stolen via other bots within their botnet network, the bots probing unsuspecting computers and files for information it can get for finding ways into previously secured companies. [5] This caused 65k IoT devices to become rampant and useless, another zombified computer/machine. [5] How do we combat this system of unique scanning and fastworking ai? Block-chains.

Within [5,10] there is a proposal to use block-chains to retaliate against Mirai based botnet code, after it became open source and was available to all attackers and hosts willing to use it for their own measures. The Block-chain is used to continuously exchange information once banks are full, swapping them back and forth to create a fluidity within the autonomous system, refreshing consistently so that Bots do not have the chance to take the information they want, and only that which is swapped. Who is to say, however, that the bots would get to that stage? There are two other processes used in this system to ensure that bots would not have the chance to access the block-chain and its consecutively changing information [21].

Secondly, Hosts are integral to the newly proposed system. We have two types of hosts: Normal Hosts and IoT Hosts, within the system, they will use exclusively IoT Hosts, due to the fact that they can be remotely monitored and controlled [5] and are less liable to compromise unlike your normal standard computer when put near a botnet, IoT Hosts are better by one advantage: You can monitor them during a botnet attack. Finally, we have the Autonomous System (AS), used in both Block-Chain and IoT technologically, however it will be responsible for storing a list of IP addresses, communicating who has been compromised, who will be compromised, who hasn’t, and who could be. [5] The best detection against Botnets is to know who is dangerous, and who isn’t, which is exactly what the Autonomous Systems do naturally.

Figure 4. Flow Chart of the proposed approach [5].

Figure 4. Flow Chart of the proposed approach [5].

5. Are There Flaws to This Defense

5.2. Honeypot vs Reconaissance Worm

The dubbed ‘two-stage reconnaissance worm’ [3] has two parts to play, the first being to decide once a computer is compromised, whether it is a honeypot or not. The second part is “allowing the infected host to join the P2P botnet” [3]. On paper this sounds intriguing, great even when you connotate it with the fact that the spearhead forces the host to decide, however without the stages and the sudden ‘spearhead’ movement, the botmaster could predict that it is not a true ‘other’ bot, and not authorize it mingling with the rest of the bots. This poses a problem for the net since the hosts A would thereon be inaccessible with the other hosts.

Figure 6. [3] Reconnaissance Worm Illustrated.

Figure 6. [3] Reconnaissance Worm Illustrated.

5.3. Honeypot vs Advanced Reconaissance Worm

Presenting the dual-honeypot worm, or two-stage honeypot worm, it is a direct upgrade from the previous one we covered and is immensely useful. However, it again has drawbacks that can’t be relied upon concurrently and must be considered that it is a risk and may alert the botmaster that there are fake bots trying to access their host domain [23]. The spearhead must decide on its own whether the host is remote or not. Its complexity does not make it unique, as botmasters have been renowned for making anti-detection against this specific technique, being aware of its effectiveness has made it only used once [3,9].

Figure 7. [3] Reconnaissance Worm Illustrated attacking a dual honeypot bot.

Figure 7. [3] Reconnaissance Worm Illustrated attacking a dual honeypot bot.

6. Conclusion

References

1. The most recent Botnet Attacks: The 2022 Edition The Most Recent Botnet Attacks: 2022 Edition (clickguard.com).
2. Liu, J., Xiao, Y., Ghaboosi, K., Deng, H. and Zhang, J., 2009. Botnet: classification, attacks, detection, tracing, and preventive measures. EURASIP journal on wireless communications and networking, 2009, pp.1-11. [Figure 2].
3. I. Ghafir and V. Prenosil, “Malicious File Hash Detection and Driveby Download Attacks,” International Conference on Computer and Communication Technologies, series Advances in Intelligent Systems and Computing. Hyderabad: Springer, vol. 379, pp. 661-669, 2016.
4. Wang, P., Wu, L., Cunningham, R. and Zou, C.C., 2010. Honeypot detection in advanced botnet attacks. International Journal of Information and Computer Security, 4(1), pp.30-51. [Figures 5,6,7]. 5.
5. Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Shabtai, A., Breitenbacher, D. and Elovici, Y., 2018. N-baiot—network-based detection of iot botnet attacks using deep autoencoders. IEEE Pervasive Computing, 17(3), pp.12-22.
6. M. Hammoudeh, I. Ghafir, A.Bounceur and T. Rawlinson, “Continuous Monitoring in Mission-Critical Applications Using the Internet of Things and Blockchain,” International Conference on Future Networks and Distributed Systems. Paris, France, 2019.
7. Ahmed, Z., Danish, S.M., Qureshi, H.K. and Lestas, M., 2019, September. Protecting iots from mirai botnet attacks using blockchains. In 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD) (pp. 1-6). IEEE. [Figure 4].
8. I. Ghafir and V. Prenosil. “Proposed Approach for Targeted Attacks Detection,” Advanced Computer and Communication Engineering Technology, Lecture Notes in Electrical Engineering. Phuket: Springer International Publishing, vol. 362, pp. 73-80, 9, 2016.
9. Antonakakis, M. , April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M. and Kumar, D., 2017. Understanding the mirai botnet. In 26th USENIX security symposium (USENIX Security 17) (pp. 1093-1110).
10. Borgaonkar, R. , 2010, July. An analysis of the asprox botnet. In 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies (pp. 148-153). IEEE.
11. I. Ghafir and V. Prenosil, “Advanced Persistent Threat and Spear Phishing Emails.” International Conference Distance Learning, Simulation and Communication. Brno, Czech Republic, pp. 34-41, 2015.
12. Zhang, L., Yu, S., Wu, D. and Watters, P., 2011, November. A survey on latest botnet attack and defense. In 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (pp. 53-60). IEEE.
13. Lee, S., Abdullah, A. and Jhanjhi, N.Z., 2020. A review on honeypotbased botnet detection models for smart factory. International Journal of Advanced Computer Science and Applications, 11(6).
14. I. Ghafir, J. Svoboda, V. Prenosil, “A Survey on Botnet Command and Control Traffic Detection,” International Journal of Advances in Computer Networks and Its Security (IJCNS), vol. 5(2), pp. 75-80, 2015.
15. Gallopeni, G., Rodrigues, B., Franco, M. and Stiller, B., 2020, June. A practical analysis on mirai botnet traffic. In 2020 IFIP Networking Conference (Networking) (pp. 667-668). IEEE.
16. Feily, M. , Shahrestani, A. and Ramadass, S., 2009, June. A survey of botnet and botnet detection. In 2009 Third International Conference on Emerging Security Information, Systems and Technologies (pp. 268273). IEEE.
17. I. Ghafir and V. Prenosil, “Blacklist-based Malicious IP Traffic Detection,” Global Conference on Communication Technologies (GCCT). Thuckalay, India: pp. 229-233, 2015.
18. Li, C., Jiang, W. and Zou, X., 2009, December. Botnet: Survey and case study. In 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC) (pp. 1184-1187). IEEE.
19. Botnets: Dawn of the Connected Dead Botnets: Dawn of the connected dead (emsisoft.com) [Figure 1].
20. J. Govil, “Examining the criminology of bot zoo,” in Proceedings of the 6th International Conference on Information, Communications and Signal Processing (ICICS ’07), pp. 1–6, Singapore, December 2007.
21. S. Eltanani and I. Ghafir, "Aerial Wireless Networks: Proposed Solution for Coverage Optimisation," IEEE Conference on Computer Communications Workshops”, IEEE, 2021.
22. Albazrqaoe, W., Huang, J. and Xing, G., 2016, June. Practical bluetooth traffic sniffing: Systems and privacy implications. In Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services (pp. 333-345).
23. M. Bailey, E. Cooke, F. Jahanian, and J. Nazario. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In 12th Network and Distributed Systems Security Symposium, 2005.