Toward Botnet Mesocosms

An in-depth understanding of botnet behavior is a precursor to building effective defenses against this serious and growing threat. In this paper we describe our initial steps toward building a flexible and scalable laboratory testbed for experiments with bots and botnets. Our Botnet Evaluation Environment (BEE) is designed to enable individual bots or networks of up to thousands of bots to be tested in a secure, self-contained framework. BEE is being developed as a toolkit for Emulab-enabled network testbeds; a design choice made to obviate the need for building user/experiment management functions and to enable access to collections of computing hosts. The focus of our implementation efforts has been on building a library of OS/Bot images that can be run on individual systems or on virtual machines. The library currently includes images generated from source code of four well known bots (Agobot, GTbot, Spybot, SDbot) and from binary code for several unknown bots, and a number of Windows OS variants. BEE also includes a set of services that are required for botnets including DHCP, DynDNS, and IRC, as well as other tools that are useful for botnet measurement and evaluation such as VM monitors and honeypots. To demonstrate the utility of BEE, we describe a simple set of tests that characterizes command and control traffic from three different botnet configurations.