The Internet of Things (IoT) is the talk of the town nowadays, but the threat IoT poses to cyber safety receives far less emphasis. With all systems interconnected and with few or no security measures installed on them, they are vulnerable to every kind of attack. A botnet is a collection of private computers, interconnected and infected by malicious software, that can be controlled as a group without the owners' knowledge. "Botnet" combines "robot" and "network"; the bot is the compromised device. Denial of service, spyware, email spam, click fraud and bitcoin mining are some of the well-known attacks carried out by botnets. Botnet control has itself become a community, which focuses on prevention, control and repair services. This paper presents a detailed survey of botnets and their features.
A botnet is a collection of logically interconnected devices. These range from handheld and household devices to other smart devices connected via the Internet. One of the devices in the collection is compromised by malware, which in turn acts as a bot and controls all the other devices connected to it.
The core components of a botnet of things involve a good deal of technical jargon that must be understood for clarity in the field.
| Term | Description |
|---|---|
| Botnet originator | Known as a "bot herder" or "bot master"; controls the botnet remotely. |
| Command-and-control (C&C) | The server or channel through which the bot master issues commands to the bots. |
| Fast flux DNS | Rapidly changing the DNS records behind a C&C name so that the server's address keeps moving (see the locomotive botnets discussed below). |
Two things are needed to set up a botnet: an addressing mechanism to identify and reach a command-and-control instance, and a communication protocol to distribute commands to the bots. The latter is often referred to as an overlay network that forms the botnet's communication channel. Different botnets use different strategies here, which is reflected in the topology used: we differentiate between centralized, decentralized and locomotive botnets. The kind of topology is extremely important for the selection of containment strategies. Centralized topologies, as depicted in figure 1, are the classical botnet structures.
Figure 1. A centralized botnet with seven bots and a commander (the classical botnet structure).

The box in the middle denotes the central C&C server, with seven connected bots and a commander (the star symbol). Examples are the IRC-based Agobot, Rbot, and Sdbot families. A static command-and-control server is contacted by bots via its IP address (which generally requires resolving a DNS name first). Centralized botnet infrastructures often rely on existing network protocols on top of IP that implement standard client-server architectures, like IRC or HTTP. For this reason, they can be completely extinguished by taking down their C&C server. The communication in a centralized botnet can either follow a push strategy (as in IRC-based communication), where each bot stays connected to a server which then distributes commands simultaneously to all hosts in a broadcast-like manner, or the server has to be polled by the clients on a regular basis (as in HTTP-based botnets). In the latter scenario, the general method is to set up and update a central resource, such as a web page, which the bots browse. Both approaches have their advantages: e.g., IRC botnets can be built upon an existing IRC infrastructure with multiple self-synchronizing servers, providing load balancing and reliability. HTTP, on the other hand, is stealthier and better suited to bypassing security gateways and hiding among regular traffic patterns.
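The polling behaviour of HTTP-based centralized botnets described above leaves a detectable trace: a bot contacts its C&C at a fixed period with very little jitter, whereas a person browsing the same host does not. The following Python is an added example (not code from the paper) that flags such periodic flows in a constructed, simplified connection log; the log format, the IP addresses and the thresholds are assumptions.

```python
"""Detect periodic C&C polling (beaconing) in a constructed connection log.

Added example; the line format "<epoch_seconds> <src_ip> <dst_ip>:<dst_port>"
is an assumption, not a real log format."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls 203.0.113.7:80 every 60 s like a bot
# pulling commands; 10.0.0.9 reaches the same host at irregular, human-like times.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + 60 * i} 10.0.0.5 203.0.113.7:80" for i in range(8)]
    + [f"{t} 10.0.0.9 203.0.113.7:80"
       for t in (1700000003, 1700000017, 1700000180,
                 1700000202, 1700000350, 1700000361)]
)


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_ip:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_interval, jitter_ratio) for one flow, or None if too short.

    jitter_ratio is stdev/mean of the inter-arrival gaps; a value near 0 means
    the client contacts the server on a fixed schedule."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return (m, pstdev(gaps) / m) if m else (0, 0.0)


def find_beacons(text, min_events=4, max_jitter=0.1):
    """Return {flow: (mean_interval, jitter_ratio)} for low-jitter flows.
    Thresholds are illustrative; tune them to the monitored network."""
    hits = {}
    for key, ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_jitter:
            hits[key] = score
    return hits
```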
In a decentralized topology, no single command-and-control component exists. Instead, each bot seeks a commander using some upstream query mechanism. A schematic structure is depicted in figure 2.
Each bot knows some neighbors and receives and forwards commands. Three bots act as C&C servers and are advised to distribute commands in the network. Well-known representatives are the Storm Worm or Conficker. The two-tiered approach allows the botnet owner to easily change the C&C backbone, making it much harder to take down. As in centralized botnets, commands can either be pushed to bots, which requires that they can be reached instantly, or infected machines pull commands from their individual C&C server (the latter being the most common case). Bots can be implemented to automatically re-establish a C&C session on disconnect. Most decentralized botnets seen so far were based on peer-to-peer (P2P) technology, which allows for both information queries and host addressing, the two features needed for communication between a bot and a command server. In a common P2P botnet, some peers are controlled by the botnet owner and used to issue and propagate information (i.e., commands) to other peers. Taking advantage of the flexible self-organizing network infrastructure, these nodes are easily replaceable with other hosts.

The decentralization can be taken even further by designing fluxy registration of C&C servers at the query layer (i.e., a pool of command servers returned to queries, kept highly dynamic through automated subscriptions). This situation is visualized in figure 3: the shaded structures are past C&C servers that have been replaced by other ones automatically. Bots recognize the change and contact the new server instead. In most cases these C&C servers are also infected hosts, temporarily playing the role of a commander. Another way would be to change the query interface, e.g., by choosing time-dependent domain names. We call such botnets locomotive because of their constantly moving structure. One example is the HTTP-driven Torpig botnet.
Conficker, in addition to its P2P structure, also makes use of constantly changing DNS names [5,6,7]. There is no standard implementation of such botnets; in fact, the overall structure is often even more complex than outlined here.

Figure 3. A locomotive botnet with C&C servers that move over time.

In reality the boundaries between centralized, decentralized, and locomotive botnets are blurred: a similar strategy was already commonly implemented in classical botnet infrastructures, where a DNS entry was used to transparently switch between servers. However, this does not really provide more security, as it only displaces the single point against which takeover attempts could be mounted.
Components of a Botnet
Command and Control Server—Often abbreviated as C&C, the command and control server is the centralized computer that issues commands to, and receives information back from, the bots. Command and control infrastructure frequently consists of several servers and other technical components. Most botnets use a client-server architecture, but some are peer-to-peer (P2P), with the command-and-control functionality embedded in the botnet itself.
Peer-to-Peer Botnet—Peer-to-peer (P2P) botnets use a decentralized network of bots for added protection against takedowns. While P2P botnets can include a C&C server, they may also operate without one and be structured randomly to further obfuscate the botnet and its purpose. P2P botnets are less likely to be identified, but the botmaster cannot easily monitor command delivery and the implementation can be complex.
Botmaster—Alternatively called a botnet controller or bot herder, the botmaster is the botnet's operator. This individual remotely controls the botnet, issuing commands to the C&C server or to individual bots within the network. A botmaster's name and location are heavily obfuscated to prevent identification and prosecution by law enforcement.
Bot—An Internet-connected individual device within the botnet is called a bot. A bot is most often a computer, but a smartphone, tablet, or Internet of Things device can also be part of a botnet. A bot receives operational instructions from a command and control server, directly from the botmaster, or sometimes from other bots within the network.
Zombie—Another name for a bot. Because the bot is controlled by an outside computing device or person, it is likened to a fictional ‘zombie’. A botnet is also known as a “zombie army.”
How the C&C Distributes Malware
A botmaster builds a botnet by distributing bot malware to infect PCs or other devices. Alternatively, the botmaster may rent an existing botnet from another criminal.
The newly harvested bots, or "zombies", report in to the botnet's command and control (C&C) server.
The C&C now controls these bots and issues instructions for them to distribute executable malware files, along with email templates and lists of potential victim addresses.
The infected zombie bots receive the orders, and each sends email messages carrying the malware payload to thousands of potential victims.
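A zombie working through a victim address list produces a traffic shape that a network defender can spot: one internal host opening SMTP connections to a large number of distinct mail servers within a short time. The following Python is an added example (not code from the paper) that detects that fan-out in constructed flow records; the record format, the addresses, the window and the threshold are assumptions.

```python
"""Flag hosts fanning out SMTP connections to many distinct destinations.

Added example; the record format "<epoch> <src_ip> <dst_ip> <dst_port>" and
the thresholds are assumptions."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 contacts 25 different mail servers on port 25
# within half a minute; 10.0.0.9 only talks to the site's own relay.
SAMPLE_FLOWS = "\n".join(
    [f"{1700000000 + i} 10.0.0.5 198.51.100.{i} 25" for i in range(1, 26)]
    + [f"{1700000000 + i * 10} 10.0.0.9 192.0.2.10 25" for i in range(6)]
)


def smtp_fanout(text, window=60, min_distinct=20, port="25"):
    """Return {src: distinct_destinations} for sources that reach at least
    min_distinct different hosts on `port` within any `window`-second span.
    Thresholds are illustrative; a site's real mail relays should be allow-listed."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if dport == port:
            by_src[src].append((int(ts), dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a time window over the ordered events, counting distinct peers.
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= min_distinct:
                hits[src] = max(hits.get(src, 0), len(dsts))
    return hits
```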
Countermeasures for Botnet Attacks
How to identify a system under the influence of a botnet of things: if the answer to any of the following questions is yes, the system may be under the influence of a botnet.
- Is your computer or Internet connection running slower than normal?
- Has your computer started behaving erratically? Does it crash frequently? Do you receive unexplained error messages?
- Does the fan kick into overdrive when your computer is idle?
- Have you noticed unusual Internet activity (such as high network usage)?
- Does your browser close frequently and unexpectedly?
- Does your computer take a long time to start or shut down, or fail to shut down properly?
These can indicate that a program is running without your knowledge and using a fair amount of resources. The next step is to check the Task Manager and see what is going on there. You can also disconnect from the Internet and see whether anything changes. Of course, all of these could also mean that your fan is full of dust and just needs cleaning, or that your computer is obsolete and needs an upgrade. However, if that is not the case and you discover that your computer is part of a botnet, the standard advice is to wipe it completely: format it and reinstall the operating system. To minimize any potential damage, make sure you always back up all your important files and folders. This is advice most people ignore, but I know you know better than that.
Thus, to prevent a botnet of things from spreading, measures must be taken to develop IoT applications with secure gateways. Protocols for message transfer and information sharing must be made rigid in every respect. This paper has focused on the basic analogy needed to understand this newly evolving threat.
- Ianelli N., Hackworth A. Botnets as a Vehicle for Online Crime. The International Journal of Forensic Computer Science, 2007, pp. 19-39.
- Kennedy M. Request for Comments Summary: RFC Numbers 1700-1799. 1997.
- Kirkby A. Honeynet Phase Two: Knowing Your Enemy More. Computer Fraud & Security, December 2001, pp. 8-9.
- Gengler B. CERT Victim of Three Day Denial-of-service Attack. Network Security, July 2001.
- Kristoff J., Joffee R. Botnets and Packet Flooding DDoS Attacks on the Domain Name System. The International Journal of Forensic Computer Science, 2007, pp. 9-18.
- Cooke E., Bailey M., Mao Z. M., Watson D., Jahanian F., McPherson D. Toward Understanding Distributed Blackhole Placement. Proceedings of the 2004 ACM Workshop on Rapid Malcode (WORM '04), 2004.
- Ramachandran A., Feamster N., Dagon D. Detecting Botnet Membership with DNSBL Counterintelligence. In: Botnet Detection, pp. 131-142.
- Rajab M. A., Zarfoss J., Monrose F., Terzis A. A Multifaceted Approach to Understanding the Botnet Phenomenon. Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (IMC '06), 2006.