A Taxonomy of Botnets

Attackers are increasingly using large networks of compromised machines to carry out further attacks (e.g., using botnets, or enormous groups of compromised hosts under the control of a single attacker). We consider the problem of responding to entire networks of attacking computers. We identify key metrics for measuring the utility of a botnet, and describe various topological structures they may use to coordinate attacks. Using the performance metrics, we consider the ability of different response techniques to degrade or disrupt botnets. Our models show that for scale free botnets, targeted responses are particularly effective. Further, botmasters’ efforts to improve the robustness of scale free networks comes at a cost of diminished transitivity. Botmasters do not appear to have any structural solutions to this problem in scale free networks. Our models also show that random graph botnets (e.g., those using structured P2P formations) are highly resistant to both random and targeted responses. This suggests the urgent need for further research into response strategies. We validated our model on a particular class of botnets using star topologies. After tracking dozens of botnets over months, we located and performed a targeted response on a very large (100K member) botnet. This resulted in an over 90% reduction in the botnet population, and confirmed the utility of our taxonomy.