On The Effectiveness Of Structural Detection And Defense Against P2p-Based Botnets

2009 IEEE/IFIP INTERNATIONAL CONFERENCE ON DEPENDABLE SYSTEMS & NETWORKS (DSN 2009)(2009)

Abstract
Recently, peer-to-peer (P2P) networks have emerged as a covert communication platform for malicious programs known as bots. As popular distributed systems, they allow bots to communicate easily while protecting the botmaster from being discovered. Existing work on P2P-based botnets mainly focuses on measurement-based studies of botnet behaviors. In this work, through simulation, we study extensively the structure of P2P networks running Kademlia, one of a few widely used P2P protocols in practice. Our simulation testbed not only incorporates the actual code of a real Kademlia client software to achieve high realism, but also applies distributed event-driven simulation techniques to achieve high scalability. Using this testbed, we analyze the scaling, clustering, reachability and various centrality properties of P2P-based botnets from a graph-theoretical perspective. We further demonstrate experimentally and theoretically that monitoring bot activities in a P2P network is difficult, suggesting that the P2P mechanism indeed helps botnets hide their communication effectively. Finally, we evaluate the effectiveness of some potential mitigation techniques, such as content poisoning, sybil-based and eclipse-based mitigation. Conclusions drawn from this work shed light on the structure of P2P botnets, how to monitor bot activities in P2P networks, and how to mitigate botnet operations effectively.
Keywords
Botnets,Kademlia,structural analysis,monitoring,mitigation