Finding the pin in the haystack: A Bot Traceback service for public clouds

Cloud computing permits customers to host their data and applications to the cloud with an interesting economic cost-benefit tradeoff. However, the low price of cloud computing resources encourages attackers to rent a bulk of their botnets on the cloud and launch their attacks from there, which makes customers worry about using cloud computing. Therefore, in this paper, we propose a Bot Traceback (BTB) service for reporting and tracing back the presence of a bot inside an IaaS cloud provider. BTB aims to identify the virtual machine on which a bot runs either inside the same provider or inside a federated provider. The BTB service has been implemented as a part of the security tools in the EASI-CLOUDS project and has been deployed online. We present the implementation details of the BTB service and its main components (the BTB reporting service and BTB detection service). The BTB detection service will start running after a BTB report is received either from the same provider or from another federated provider.