On the Resilience of P2P-based Botnet Graphs

P2P botnets represent another escalation level in the race of arms between criminals and the research community. By utilizing a distributed P2P architecture they are resilient against random failures and attacks and overcome the Iimitations of a central command and control server. For this reason, it is important to monitor them to gather information for potential takedown attempts. In this paper, we introduce our high-frequency crawling tool Strobo-Crawler that can carry out a fine-grained node enumeration. Furthermore, we propose mechanisms to derive accurate snapshots of the botnet graph on the basis of restricted monitoring data. We applied Strobo-Crawler in a two week crawling campaign in the P2P botnets Sality and ZeroAccess and describe the resuIts along with a careful evaluation of our graph reconstruction. Furthermore, we provide a thorough analysis of the resuIting botnet graphs and also provide these graphs to the public. Our resuIts indicate that they are highly resilient against node churn, but also against targeted attacks. Bots are highly interconnected and the graphs are characterized by a high cIustering coefficient, high density, and low diameter.