Traceback Attacks in Cloud -- Pebbletrace Botnet

Botmaster sets up Command and Control (C&C) server and stepping-stones in the Internet for stealing sensitive information from victim´s machine. Clouds provide botmaster with an ideal environment of rich computing resources where he can easily deploy/remove C&C server and establish/tear-down stepping-stones for anonymous attacks. It is of vital importance for cloud service providers to detect botnet, prevent attack, and trace back to the botmaster. We present our Pebble trace scheme for the trace back to the botmaster. It first identifies cryptographic keys of the botnet communications for configuring botnet operations and then traces back to the botmaster. We design and implement a new key identification scheme and propose an approach for tracing back to the botmaster across stepping-stones and beyond multiple clouds without universal deployment of monitors, router updates, or ISP support. We implement our method and build a Pebble-trace prototype that is applied to Zeus botnet in OpSource cloud with promising results.