
JOURNAL OF IIITD 1

Botnets
Arjun, Student, IIITD, and Chandrika Bhardwaj, Student, IIITD

Abstract—Botnets have existed for a long time, over small university networks as well as networks as large as the internet. Over this period, they have evolved drastically, from simple botnets that were centralised or depended on social engineering to large P2P networks that are fully automatic and much more resilient to traditional attacks. They are the leading cause of spam, and have resulted in the loss of millions of dollars each year due to the resources wasted by malicious botnets. In this paper, we will try to analyse how these bot networks have evolved, modelling them using complex systems, and then we will analyse their performance as well as their robustness against some commonly used attacks against these botnets. Based on this analysis, we will propose a framework for a new bot, which we will call the loosely coupled bot, that has a higher performance, is much more resilient to attacks, and has a lower chance of being detected. We will then compare its performance with other currently known botnets.

Index Terms—botnets, p2p, lcbot, sybil, modelling, spam

I. INTRODUCTION

Since the dawn of the internet era, various malicious entities have tried to exploit this public resource for their own profit. The malicious entities may range from something as small as social engineering, to something as large as a huge network of millions of infected computers, being controlled by an external entity without the knowledge/permission of their respective owners. The former is what a botnet typically is.

Botnets are a significant part of the internet, with some studies estimating that over a quarter of all computers on the internet are a part of one or more botnets. A botnet's malicious code is normally distributed as the payload of viruses or worms, and is deployed when the virus or worm infects that particular system. A botnet is typically used for financial gain, though sometimes it is also used for attacking a particular target. It may be used for anything ranging from keylogging, collecting credit card numbers and stealing private data to DDoS-ing websites or sending massive spam. This, therefore, makes it important to study the nature of botnets and to design defense mechanisms against them.

In this paper, we will first analyse the trend of the evolution of botnets over the past few decades. We will look at the earliest botnets, which depended on a centralised architecture. Such bots normally connect to an IRC server, sitting idle in an IRC channel waiting for commands from a botmaster. The botmaster issued commands to these bots, which were relayed to the bots through the IRC servers. We will see how they have now evolved from simple centralised botnets to the current trend of distributed botnets, normally using complex P2P structures to remain hidden and become more resilient to defensive attacks. The earlier centralised botnets depended on a central node, normally the IRC server and channel, to survive. On the other hand, these newer botnets are much more difficult to detect and attack, as there is no central controller.

We will then model some popular botnet structures and analyse their performance and their resilience against certain attacks. We will simulate Sybil attacks and random node removal and then analyse their robustness. We will try to analyse how we can improve on their architecture to improve their defenses and performance, and make them more robust. We will then propose a botnet structure based on our findings and compare its performance to other proposed botnet architectures.

II. BACKGROUND

A botnet is a group of infected end-hosts under the command of a bot-master, commonly used by botmasters for malicious activities such as email spam, Distributed Denial-of-Service (DDoS), and password cracking, or for other purposes. Botnets are usually trying to recruit more vulnerable machines by exploiting different remote software vulnerabilities or by using any malware propagation scheme. The common control infrastructure of botnets is based on command and control (C&C) servers, through which a botmaster transmits commands to bots. Every botnet must have at least one command and control (C&C) channel. The main purpose of such a channel is to provide a communication medium for the botmaster's commands. Botnets recruit new bots by exploiting different software vulnerabilities that exist in targeted hosts, following the same propagation scenarios as worms and other malware. Newly infected hosts download what is known as the bot executable image, which is typically a small application that runs in the background of an infected machine and communicates with the C&C server, allowing the bot-master to directly execute commands on the infected host. C&C channels operate in the application layer; for instance, botnets typically use the IRC chat protocol due to its wide availability, giving botnets an advantage in hiding their activity. Other protocols are also in use, such as open source P2P protocols [5]. These kinds of botnets are easy to construct and efficient in disseminating commands, but they are also relatively easy to disrupt once their C&C servers are identified. Disrupting those servers becomes an attractive way of reducing a botnet's effectiveness and efficiency. For instance, simply shutting down the C&C servers will cause the bots to lose contact with the botmaster.

III. SIMULATION MODELS

In this section, we will explain the simulation models we have used to study the botnets and the attacks against them. Since we are assuming that our attacks are against pre-established botnets and we are interested only in their performance and resilience analysis, we will ignore the initial

Arjun is with IIITD. e-mail: arjun@iiitd.com.
Chandrika Bhardwaj is with IIITD. e-mail: chandrika1004@iiitd.ac.in.
propagation and connection failures that may happen, i.e. we will assume that the infected nodes are already connected and operating as an established botnet.

We will define mean connectivity as the number of nodes online that the botmaster can use at any point of time to execute a particular task. Our simulation will halt when 99% of the bot nodes have been identified. Each simulation is run ten times and the averages are reported.

A. Traditional botnet architecture model

Since this architecture is centralised, it has a single point of failure: the single IRC server acting as the C&C channel over which the botmaster controls the bots. Each node will be in one of three states: online, offline, and busted, generating an event when the state changes. The state changes happen at random time intervals. The simulator keeps the count of busted nodes, whether the C&C is busted or not, and the number of online nodes. As the botnet is centralised, busting one node leads to identification of the C&C channel, which further allows identification of all other compromised nodes. Therefore, if a busted node is online, the system assumes that the entire network has been busted.

Figure 1. Typical infection cycle for IRC botnets

Figure 2. Traditional botnet architecture

B. Super-botnet architecture model

The super-botnet architecture model [8] is slightly more complex than the traditional model, requiring more parameters and events to model. We will model this network using an undirected graph to represent the nodes and the links. In addition to the events we used in the previous architecture, we will add another event to this architecture, which occurs when the botmaster issues a command. This generates a considerably high amount of traffic, giving the attackers an opportunity for discovering the botnet nodes. In this case, however, if a particular node is busted, the entire botnet is not affected. Only one lower-level botnet is assumed to be busted, since all lower-level botnets are considerably isolated from each other. However, when the master issues a command, all C&C hosts sharing a link with a busted C&C host are assumed to be busted, as the generated traffic can be analysed to find the source and destination of the commands.

Figure 3. Super-botnet architecture

C. P2P botnet architecture model

We will again use undirected graphs to model the P2P botnet architecture. The degree of a node will represent the total number of connections that can be made between the bots. P2P architectures can be broadly classified into two large categories based on their degree distribution. If the connections between nodes are formed arbitrarily, the architecture is said to be unstructured. A peer list is maintained, which contains the addresses of all bots on such a network. The Barabasi-Albert (BA) model, which is based on the two basic ingredients of growth and preferential attachment, is a scale-free model with which we will model the unstructured P2P systems. For structured P2P networks, we will use the Erdos-Renyi (ER) model, which gives all the nodes approximately the same degree.

IV. ATTACK MODELS

In our simulation, we will study four specific attacks against botnets. The first attack is randomly disabling affected nodes, thereby taking them down one by one. This is similar to attacks by individual entities, without co-ordination with other attackers who are fighting against the same botnet. The second attack will be a simulation of a co-ordinated attack, where attackers share their information with other attackers. In this case, however, they choose not to take the nodes down, but rather keep them under observation so as to study them further for more information. In certain cases, this may lead to discovery of new nodes, discovery of the C&C, information about
commands being sent by the botmaster, or even information about the botmaster himself. They may also help prevent attacks before they are executed, because of the high traffic that is generated when a command is being sent. Therefore, these bot nodes kept under high surveillance, called busted nodes, are an invaluable source of information. We will study these nodes and compare their results against individual efforts.

The third and fourth attacks will be forms of Sybil attack. We will use the random Sybil attack first, i.e. we will randomly inject Sybil nodes into the botnet, and try to analyse the performance in this case. For a random Sybil attack to be effective, the botnet has to be considerably large. Let f represent the fraction of nodes that are Sybil nodes in the entire bot network. If f ≥ 1/2, then the probability of a Sybil node being able to capture a command is at least 1 − 1/n, where n is the number of nodes [2]. Thus, the larger the botnet, the higher the probability of capturing the packets.

The fourth and final attack that we will study will be the adaptive Sybil attack. This works by injecting some initial Sybil nodes into the botnet and then analysing the received command query packet. Usually, the targeted identity can be identified from the packet, provided the packet is being relayed through one of the Sybil nodes. To ensure this happens, the Sybil nodes need to be closer to the actual intended nodes. In super-botnet architectures, impersonating a super-node is helpful, as it leads to almost all of the traffic being passed through that particular node, giving a higher probability of detection of new nodes. For impersonating a super-node, the node must have a higher capacity than the predefined threshold in the bot code. In random botnets, however, the node identities are randomly assigned, and cannot be chosen by the nodes themselves. In that case, we will try to further improve the efficiency by allowing probing of multiple candidate identities at a time. This process is called d-choice probing. Our simulations have shown that using the d-choice Sybil attack improves the efficiency of the attack considerably.

Figure 4. P2P botnet architecture

V. PROPOSED BOT ARCHITECTURE

In our proposed architecture, we will divide the entire botnet into several groups with different group codes. Each node is fully connected to all other nodes in its own group, and the peer list contains the addresses of all other nodes in the same group. Within each group, only a few nodes have a connection to a bot outside their own group. These nodes have only one outlink to a bot in the other group. When a message is sent by such a node to a node outside its group, it has a TTL of 2, specifying that the message must be discarded after two hops. This lowers the chance of being detected in the presence of honeypot nodes. The exact algorithm for creation of lcbot is not included due to space constraints.

Figure 5. lcbot Architecture

VI. RESULTS

Figure 6. Random disabling of bots

We compared the defense strategy of super-bots with traditional botnets, given in Fig. 6. For the traditional botnets, we found that the larger the botnet is, the easier it is to detect and take down. Random disabling of bots took down the entire botnet in the case of traditional botnets, while it proved less effective when dealing with super-botnets.
Figure 7. ER model robustness. l^{-1} is a function of the mean inverse geodesic length, and f is a function of the percentage of bots removed from the system

Figure 8. BA model robustness. l^{-1} is a function of the mean inverse geodesic length, and f is a function of the percentage of bots removed from the system

Figure 9. Mean coverage after random removal

Figure 10. Mean coverage after select removal

We also compared the robustness of the ER model of P2P botnets against that of the BA model of P2P botnets, showing that their response to degree-based attacks is considerably worse than that to random attacks. This is represented in Fig. 7 and Fig. 8.
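The following Python script is an added illustration (not part of the paper or its simulator) of the robustness comparison behind Fig. 7 and Fig. 8: it builds ER and BA graphs as described in Section III.C, takes bots down either at random or in order of highest remaining degree, and recomputes the mean inverse geodesic length l^{-1} on what remains. The graph sizes, edge probability p, attachment count m and seeds are arbitrary choices.

```python
import random
from collections import deque

def er_graph(n, p, seed=0):
    # Erdos-Renyi G(n, p): pairs linked independently, so degrees are nearly equal.
    rng, adj = random.Random(seed), {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v); adj[v].add(u)
    return adj

def ba_graph(n, m, seed=0):
    # Barabasi-Albert: nodes 0..m form a clique; each later node links to m
    # distinct nodes drawn from `ends`, which holds one entry per edge endpoint,
    # so an existing node is picked with probability proportional to its degree.
    rng, adj, ends = random.Random(seed), {v: set() for v in range(n)}, []
    for v in range(1, n):
        targets = set(range(v)) if v <= m else set()
        while v > m and len(targets) < m:
            targets.add(rng.choice(ends))
        for t in targets:
            adj[v].add(t); adj[t].add(v); ends += [v, t]
    return adj

def mean_inverse_geodesic(adj):
    # l^-1 = mean of 1/d(u, v) over ordered pairs u != v, with 1/inf = 0 for
    # unreachable pairs, so the value falls as the botnet fragments (BFS per node).
    nodes, total = list(adj), 0.0
    for s in nodes:
        dist, q = {s: 0}, deque([s])
        while q:
            u = q.popleft()
            for w in adj[u]:
                if w not in dist:
                    dist[w] = dist[u] + 1; q.append(w)
        total += sum(1.0 / d for v, d in dist.items() if v != s)
    return total / (len(nodes) * (len(nodes) - 1)) if len(nodes) > 1 else 0.0

def remove_fraction(adj, f, strategy, seed=0):
    # Copy the graph and take down round(f*N) bots: "random" picks uniformly,
    # "degree" repeatedly removes the bot with the highest remaining degree.
    rng, g = random.Random(seed), {v: set(nb) for v, nb in adj.items()}
    for _ in range(round(f * len(adj))):
        victim = rng.choice(list(g)) if strategy == "random" else max(g, key=lambda v: len(g[v]))
        for w in g.pop(victim):
            g[w].discard(victim)
    return g
```

Sweeping f from 0 to 1 for both strategies and both graph families reproduces the shape of the curves in Fig. 7 and Fig. 8: the BA graph loses most of its l^{-1} well before the ER graph does once the highest-degree bots are removed first.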
Finally, we compared the performance of our proposed architecture with the random-botnet and the super-botnet. The results are given in Fig. 9 and Fig. 10.

VII. CONCLUSIONS

In this paper, we propose a botnet framework which achieves much better performance in the simulations, and is less likely to be detected due to the P2P architecture used. However, there are still methods which can be used to detect P2P-based botnets, which we will consider for our future work.

REFERENCES

[1] A. Barakat and S. Khattab. A comparative study of traditional botnets versus super-botnets.
[2] Z. Hangxia. Mitigating peer-to-peer botnets by sybil attacks. International Conference on Innovative Computing and Communication, 2010.
[3] J. Yu, Z. Li, J. Hu, F. Liu, and L. Zhou. Structural robustness in peer to peer botnets. International Conference on Networks Security, Wireless Communications and Trusted Computing, 2009.
[4] M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multi-faceted approach to understanding the botnet phenomenon. Internet Measurement Conference, 2006.
[5] R. Schoof and R. Koning. Detecting peer-to-peer botnets.
[6] A. Solomon and G. Evron. The world of botnets. Virus Bulletin, 2006.
[7] S. Chang, L. Zhang, Y. Guan, and T. E. Daniels. A framework for P2P botnets. International Conference on Communications and Mobile Computing, 2009.
[8] R. Vogt and J. Aycock. Attack of the 50 foot botnet. Technical report, 2006.