Discovery techniques for P2P botnets

  • Dittrich D
  • Dietrich S

Abstract

Over the last few years, researchers and network operators have examined networks of DDoS agents, more recently called botnets due to their connection to Internet Relay Chat (IRC). In the continued quest to take down these networks of bots, two important questions arise: how many bots are there, and how to find every last bot? When one reads about a ten thousand, hundred thousand, one million node botnet, how much credibility does it have? Is botnet A really bigger than botnet B? The difficulty in accurately and stealthily assessing the size of the botnet often lies in the structure of the botnet itself, such as IRC, HTTP, P2P-based, or a hybrid thereof. We present a general overview of discovery techniques for networks of malware, and provide a glimpse at a two-year study of a P2P botnet.

Cite

Dittrich, D., & Dietrich, S. (2009). Discovery techniques for P2P botnets. Stevens Institute of Technology CS Technical Report 2008, 4(April), 1–16. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.163.4163&rep=rep1&type=pdf
