DocumentCode
188210
Title
A Collaborative Traceback against P2P Botnet Using Information Sharing and Correlation Analysis
Author
Xiaolei Wang ; Jie He ; Yuexiang Yang
Author_Institution
Coll. of Comput., Nat. Univ. of Defense Technol., Changsha, China
fYear
2014
fDate
13-15 Oct. 2014
Firstpage
132
Lastpage
138
Abstract
Botnets are a serious threat to Internet-based services and end users. The recent paradigm shift from centralized to more sophisticated Peer-to-Peer (P2P) botnets introduces new challenges for security researchers. Centralized botnets are easily taken down by computer security researchers and law enforcement. Thus, botnet operators have sought new ways to harden the infrastructures of their botnets, and some botnet operators have (re)designed their botnets to use P2P infrastructures because of the favourable properties of P2P technology. Many P2P botnets are far more resilient to current takedown attempts than centralized botnets due to the lack of single points of failure and their stealthy Command and Control (C&C) servers. In order to combat and eradicate a P2P botnet more effectively, we have to track the P2P botnet and find its main C&C servers. However, to the best of our knowledge, research on tracking C&C servers in current P2P botnets is still lacking, although it is urgently required. In this paper, an overview of current P2P botnets is first presented, including architecture characteristics and traffic models. Based on the architecture characteristics and traffic models of P2P botnets, a collaborative traceback framework is proposed to find the main C&C servers in P2P botnets.
Keywords
groupware; invasive software; peer-to-peer computing; Internet-based services; P2P botnet; P2P infrastructure; P2P technology; botnet operators; collaborative traceback framework; command and control servers; correlation analysis; information sharing; peer-to-peer botnet; Distributed computing; Knowledge discovery; C&C servers; P2P botnet; architecture characteristics; collaborative framework; traceback; traffic model;
fLanguage
English
Publisher
ieee
Conference_Titel
Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2014 International Conference on
Conference_Location
Shanghai
Print_ISBN
978-1-4799-6235-8
Type
conf
DOI
10.1109/CyberC.2014.31
Filename
6984294
Link To Document