Publication


Featured research published by Wentao Chang.


computer and communications security | 2015

Measuring Botnets in the Wild: Some New Trends

Wentao Chang; Aziz Mohaisen; An Wang; Songqing Chen

Today, botnets are still responsible for most large-scale attacks on the Internet. Botnets are versatile; they remain the most powerful attack platform by constantly and continuously adopting new techniques and strategies in the arms race against various detection schemes. Thus, it is essential to understand the latest of the botnets in a timely manner so that the insights can be utilized in developing more efficient defenses. In this work, we conduct a measurement study on some of the most active botnets on the Internet based on a public dataset collected over a period of seven months by a monitoring entity. We first examine and compare the attacking capabilities of different families of today's active botnets. Our analysis clearly shows that different botnets start to collaborate when launching DDoS attacks.


dependable systems and networks | 2015

Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis

An Wang; Aziz Mohaisen; Wentao Chang; Songqing Chen

Internet Distributed Denial of Service (DDoS) attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest DDoS attacks can provide new insights for effective defense. But most of the existing understandings are based on indirect traffic measures (e.g., backscatters) or traffic seen locally. In this study, we present an in-depth analysis based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9,026 victim IPs belonging to 1,074 organizations in 186 countries. Our analysis reveals several interesting findings about today's Internet DDoS attacks. Some highlights include: (1) geolocation analysis shows that the geospatial distribution of the attacking sources follows certain patterns, which enables very accurate source prediction of future attacks for most active botnet families, (2) from the target perspective, multiple attacks to the same target also exhibit strong patterns of inter-attack time interval, allowing accurate start time prediction of the next anticipated attacks from certain botnet families, (3) there is a trend for different botnets to launch DDoS attacks targeting the same victim, simultaneously or in turn. These findings add to the existing literature on the understanding of today's Internet DDoS attacks, and offer new insights for designing new defense schemes at different levels.


international conference on detection of intrusions and malware and vulnerability assessment | 2015

Capturing DDoS Attack Dynamics Behind the Scenes

An Wang; Aziz Mohaisen; Wentao Chang; Songqing Chen

Despite continuous defense efforts, DDoS attacks are still very prevalent on the Internet. In such arms races, attackers are becoming more agile and their strategies are more sophisticated to escape from detection. Effective defenses demand in-depth understanding of such strategies. In this paper, we set out to investigate the DDoS landscape from the perspective of the attackers. We focus on the dynamics of the attacking force, aiming to explore the attack strategies, if any. Our study is based on 50,704 different Internet DDoS attacks. Our results indicate that attackers deliberately schedule their controlled bots in a dynamic fashion, and such dynamics can be well captured by statistical distributions.


workshop on information security applications | 2016

Measuring and Analyzing Trends in Recent Distributed Denial of Service Attacks

An Wang; Aziz Mohaisen; Wentao Chang; Songqing Chen

Internet DDoS attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest of DDoS attacks can provide new insights for effective defense. But most of the existing understandings are based on indirect traffic measures (e.g., backscatters) or traffic seen locally (e.g., in an ISP or from a botnet). In this study, we present an in-depth study based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9026 victim IPs belonging to 1074 organizations in 186 countries. In this study, we conduct some initial analysis mainly from the perspectives of these attacks’ targets and sources. Our analysis reveals several interesting findings about today’s Internet DDoS attacks. Some highlights include: (1) while 40% of the targets were attacked only once, 20% of the targets were attacked more than 100 times, (2) most of the attacks are not massive in terms of number of participating nodes but they often last long, (3) most of these attacks are not widely distributed, but rather are highly regionalized. These findings add to the existing literature on the understanding of today’s Internet DDoS attacks, and offer new insights for designing effective defense schemes at different levels.


computer and communications security | 2014

POSTER: How Distributed Are Today's DDoS Attacks?

An Wang; Wentao Chang; Aziz Mohaisen; Songqing Chen

Today, botnets are responsible for most of the DDoS attacks on the Internet. Understanding the characteristics of such DDoS attacks is critical to develop effective DDoS mitigation schemes. In this poster, we present some preliminary findings, mainly concerning the distribution of the attackers, of today's DDoS attacks. Our investigation is based on 50,704 different Internet DDoS attacks collected within a seven-month period for activities across the globe. These attacks were launched by 674 botnet generations from 23 different botnet families with a total of 9026 victim IPs belonging to 1074 organizations that are collectively located in 186 countries. We find that different from the traditional widely distributed intuition, most of these DDoS attacks are not widely distributed as the attackers are mostly from the same region, i.e., highly regionalized. We also find that different botnet families have strong target preferences in the same area as well. These findings refresh our understanding on the modern DDoS attacks.


international conference on security and privacy in communication systems | 2017

Understanding Adversarial Strategies from Bot Recruitment to Scheduling.

Wentao Chang; Aziz Mohaisen; An Wang; Songqing Chen

Today, botnets are still one of the most prevalent and devastating attacking platforms that cyber criminals rely on to launch large-scale Internet attacks. Botmasters behind the scenes are becoming more agile and discreet, and some new and sophisticated strategies are adopted to recruit bots and schedule their activities to evade detection more effectively. In this paper, we conduct a measurement study of 23 active botnet families to uncover some new botmaster strategies based on an operational dataset collected over a period of seven months. Our analysis shows that different from the common perception that bots are randomly recruited in a best-effort manner, bot recruitment has strong geographical and organizational locality, offering defenses a direction and priority when attempting to shut down these botnets. Furthermore, our study to measure dynamics of botnet activity reveals that botmasters start to deliberately schedule their bots to hibernate and alternate in attacks so that the detection window becomes smaller and smaller.


international conference on information and communication security | 2013

Defeat Information Leakage from Browser Extensions via Data Obfuscation

Wentao Chang; Songqing Chen


acm special interest group on data communication | 2015

Characterizing botnets-as-a-service

Wentao Chang; An Wang; Aziz Mohaisen; Songqing Chen


IEEE Transactions on Dependable and Secure Computing | 2018

A Data-Driven Study of DDoS Attacks and Their Dynamics

An Wang; Wentao Chang; Songqing Chen; Aziz Mohaisen


communications and networking symposium | 2016

ExtensionGuard: Towards runtime browser extension information leakage detection

Wentao Chang; Songqing Chen

Collaboration


Top Co-Authors


An Wang

George Mason University


Aziz Mohaisen

University of Central Florida
