Abstract
P2P technology has recently been adopted by Internet-based malware as a fault tolerant and scalable communication medium. Due to its decentralized and self-organizing nature, P2P malware is harder to detect and block, especially if it utilizes specialized techniques for hiding. We analyze a number of hiding strategies through extensive and realistic simulations over a model of the AS-level Internet topology. We show that the most effective strategy to avoid detection is to drastically reduce the maximal number of peers a node communicates with. While overlay networks of a small constant maximal degree are generally considered to be unscalable, we argue that it is possible to design them to be scalable, efficient, and robust. An important implication is that stealth mode P2P malware that is very difficult to discover with state-of-the-art methods is a plausible threat. We discuss algorithms and theoretical results that support the scalability of stealth mode overlays, and we present realistic event-based simulations of a proof-of-concept system. Besides the context of P2P malware, some of our results are of general interest in the area of constant degree overlays in connection with the problem of how to maintain reasonable performance and reliability with the smallest degree possible.
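To make the scalability claim above concrete, here is a small added simulation (not the paper's own code or PeerSim model): an overlay whose maximal degree is fixed at 4 regardless of size, built as the union of two random Hamiltonian cycles (an assumed construction, not the paper's protocol), with checks that the hop distance from a node to every other node grows only slowly with n and that the overlay stays almost entirely connected when a random fifth of the nodes disappear.

```python
import random
from collections import deque

def cycle_union_overlay(n, cycles=2, seed=0):
    """Constructed toy overlay: union of `cycles` random Hamiltonian cycles
    (an assumed construction, not the paper's protocol). Each node keeps at
    most 2*cycles neighbours, a constant independent of n."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for _ in range(cycles):
        order = list(range(n))
        rng.shuffle(order)
        for i in range(n):
            a, b = order[i], order[(i + 1) % n]
            adj[a].add(b)
            adj[b].add(a)
    return adj

def bfs_dist(adj, src, alive=None):
    """Hop distances from src, optionally restricted to the `alive` set."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist and (alive is None or w in alive):
                dist[w] = dist[v] + 1
                queue.append(w)
    return dist

def max_degree(adj):
    return max(len(nbrs) for nbrs in adj.values())

def eccentricity(adj, src=0):
    """Largest hop distance from src; grows only logarithmically with n."""
    return max(bfs_dist(adj, src).values())

def largest_component_fraction(adj, fail_fraction, seed=1):
    """Share of surviving nodes still in the largest connected component
    after a random fail_fraction of the nodes has left (churn model)."""
    rng = random.Random(seed)
    alive = set(rng.sample(list(adj), int(len(adj) * (1 - fail_fraction))))
    seen, best = set(), 0
    for v in alive:
        if v not in seen:
            comp = bfs_dist(adj, v, alive)
            seen.update(comp)
            best = max(best, len(comp))
    return best / len(alive)
```

Comparing a 1,000-node and a 10,000-node overlay shows the per-node degree unchanged while the eccentricity rises by only a few hops, which is why a detector cannot rely on peer-count thresholds alone against such overlays.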
Scalable Stealth Mode P2P Overlays of Very Small Constant Degree