CT-M: A Real-Time Botnet Monitoring Infrastructure

Project Details

Performance Period

Sep 01, 2008 - Aug 31, 2013

Institution(s)

University of Washington

Large-scale botnets have become a blight on the Internet. Botnets engage in a variety of harmful activities, including launching DDoS attacks, committing click fraud, propagating adware, and sending enormous volumes of spam. Though awareness of botnets is increasing, there are gaping holes in our understanding of them, both in terms of their macroscopic properties and in our ability to track and thwart specific attacks.

As part of this project, we develop a response to the botnet threat by building a monitoring system that gathers and distributes objective data on the problem. Our work offers three novel contributions. First, we solve many of the challenges involved in building a real-time botnet monitoring platform. For example, our system executes live botnet nodes, and as such, it must prevent these nodes from causing harm to other hosts on the Internet. Second, we implement several prototype defensive tools that take advantage of the real-time information provided by the platform. Third, our work exposes the rich texture of the botnet ecosystem by analyzing botnets from multiple perspectives and by correlating the attack vectors with observations of real bots executed in laboratory settings.

Our botnet monitoring platform thus advances our understanding of botnets and enables promising anti-botnet defense tactics. It serves as a crucial step in the development of a trustworthy network that can support a much wider diversity of uses than can be found on today's Internet.