DocumentCode
3742523
Title
Botnet tracing based on distributed denial of service activity analysis
Author
Wei Ding;Wentao Ren;Zhen Xia;Li Wang
Author_Institution
Key Laboratory of Computer Network, Southeast University, Nanjing, China
fYear
2015
Firstpage
685
Lastpage
689
Abstract
Most DDoS (Distributed Denial of Service) attacks use botnets as the carrier, which has become one of the serious threats to the Internet. However, botnet detection is difficult in the backbone because the C&C (command & control channel) is blended into the heavy background traffic. This paper proposes a method for locating botnets by DDoS activity data analysis and DPI (Deep Packet Inspection) technology. The DDoS attack traffic is first sampled to locate suspicious hosts; then the hosts' packets are collected and analyzed by DPI technology with some DDoS parameters, such as the victim and the start time of the attack, to find the C&C and servers. This detection model has been implemented, named BTS (Botnet tracking system), at a POP of CERNET. The tests showed the practicability of this model.
Keywords
"Computer crime","IP networks","Servers","Information filters","Databases"
Publisher
ieee
Conference_Titel
Biomedical Engineering and Informatics (BMEI), 2015 8th International Conference on
Type
conf
DOI
10.1109/BMEI.2015.7401590
Filename
7401590