Poster: Mitigating OnionBots

Authors

  • Amirali Sanatinia
  • Guevara Noubir
Abstract

Over the last decade botnets have become a serious security threat. They have evaded mitigation and takeovers by adopting increasingly sophisticated strategies. At the same time, the rise and success of privacy infrastructures has opened new possibilities of abuse by malicious users. Tor is a prominent example of such infrastructure, which allows users to hide their activities and location from government agencies and corporations. Furthermore, it also offers anonymity for servers through hidden services. Recent statistics about hidden services clearly indicate changes in their popularity and use. For instance, the number of hidden services has abruptly doubled in the last year (Figure 1), which clearly indicates the presence of some coordinated massive use. We envision a next generation of cryptographic, resilient, stealthy botnets, OnionBots, that subvert privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address. Furthermore, they rely on a distributed self-healing network formation that is simple to implement, yet achieves a low diameter and a low degree, and is robust to partitioning attacks. As a result, the current detection and mitigation strategies would be inadequate against them. We devise a mitigation mechanism that uses OnionBots' very own capabilities to neutralize them. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure. The preliminary results of this work have been presented [1].

I. ONIONBOT: A CRYPTOGRAPHIC P2P BOTNET

OnionBots form a peer-to-peer, self-healing network that maintains a low degree and a low diameter with other bots to relay messages. The already existing peer-to-peer networks are generic in terms of their operations. Therefore, their design and resiliency are based on different assumptions and requirements.
We propose a Dynamic Distributed Self Repairing (DDSR) graph construction that is simple, stealthy and resilient. The DDSR construct is inspired by the knowledge of Neighbors-of-Neighbor, where each node has knowledge of its immediate neighbors. Consider a graph $G$ with $n$ nodes ($V$), where each node $u_i \in V$, $0 \le i < n$, is connected to a set of nodes. The neighbors of $u_i$ are denoted $N(u_i)$. Furthermore, $u_i$ has knowledge of the nodes that are connected to $N(u_i)$, meaning that each node also knows the identity of its neighbors' neighbors. In the context of our work, the identity is the .onion address. Having this information enables the botnet to repair its graph formation and maintain its connectivity in a distributed setting. When a node $u_i$ is deleted, each pair of its neighbors $u_j, u_k$ will form an edge $(u_j, u_k)$ if $(u_j, u_k) \notin E$, where $E$ is the set of existing edges. The aforementioned basic DDSR graph does not deal with the growth in the connectivity degree of each node, denoted by $d(u)$; after multiple deletions the degree of some nodes can increase significantly. Such increase is not desirable for the
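The following graph model is an added example, not code from the poster or its authors. It applies the basic DDSR repair rule described above to show why removing individual nodes does not partition the graph, and how the maximum degree $d(u)$ grows as a side effect. The circulant starting topology and all function names are assumptions made for illustration.

```python
import random
from itertools import combinations

def circulant_graph(n):
    """Constructed start topology (assumption): node i linked to i±1 and i±2."""
    return {i: {(i + d) % n for d in (-2, -1, 1, 2)} for i in range(n)}

def delete_node(adj, u):
    """Basic DDSR repair: remove u, then join every pair of its former
    neighbours (u_j, u_k) that is not already in E."""
    neighbours = adj.pop(u)
    for v in neighbours:
        adj[v].discard(u)
    for a, b in combinations(neighbours, 2):
        adj[a].add(b)  # set insert is a no-op when the edge already exists
        adj[b].add(a)

def is_connected(adj):
    """Depth-first search from an arbitrary remaining node."""
    if not adj:
        return True
    start = next(iter(adj))
    seen, stack = {start}, [start]
    while stack:
        for v in adj[stack.pop()]:
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return len(seen) == len(adj)

def simulate_takedown(n, removals, seed=0):
    """Delete `removals` random nodes one at a time.
    Returns (stayed_connected, max-degree history including the start)."""
    rng = random.Random(seed)
    adj = circulant_graph(n)
    history = [max(len(s) for s in adj.values())]
    connected = True
    for _ in range(removals):
        delete_node(adj, rng.choice(sorted(adj)))
        connected = connected and is_connected(adj)
        history.append(max((len(s) for s in adj.values()), default=0))
    return connected, history

if __name__ == "__main__":
    ok, hist = simulate_takedown(n=60, removals=40)
    print("stayed connected:", ok)
    print("max degree over time:", hist)
```

Every path that used the deleted node as an intermediate hop is replaced by a direct edge between its neighbours, so the graph never partitions under this rule, while the degree history shows the growth the basic construction does not bound.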

Publication date: 2016