Garlic: A Distributed Botnets Suppression System

Fuye Han, HongFeng Xu and Yong Liang
Department of Computer Science and Technologies, Tsinghua University, Beijing, China
Email: {hfy10, xhf10, ly10}@mails.tsinghua.edu.cn

Zhen Chen
Research Institute of Information Technology (RIIT), Tsinghua University, Beijing, China
Email: [email protected]
Abstract-Botnets are extremely versatile and can be used for many purposes, for example sending huge volumes of spam or launching Distributed Denial-of-Service (DDoS) attacks. Worse, as network technology develops, suppressing botnets becomes more and more difficult. In this poster, we present an automatic and distributed botnet suppression system called "Garlic". We call the system "Garlic" because its structure is very similar to that of garlic, whose cloves are also distributed, and because garlic is also famously effective against zombies, whether they come from film or from the Internet. The system automatically collects network traffic from the botnet-controlled network in a distributed mode and then processes this huge volume of data using cloud computing technology; when botnets are detected, countermeasure rules are generated and disseminated to the Garlic nodes. Finally, Garlic gathers the feedback events produced by the deployed rules, processes them, and regenerates countermeasure rules to further suppress new variants of the botnets.

Keywords-botnet; network security; collaboration; forensics;

I. INTRODUCTION

In this poster, we present an automatic and distributed botnet suppression system, "Garlic". The system collects network traffic from the controlled network automatically and in a distributed manner, and then processes this huge volume of data using cloud computing technology; when botnets are detected, it generates rules and uploads them. Finally, Garlic gathers feedback on the rules, processes it, and regenerates rules to suppress the botnets completely.

Our work makes three major contributions. Firstly, we implemented the distributed Garlic system, which can control multiple subnets simultaneously. Secondly, we combine firewalls and protocol filtering, so that much existing work on botnet detection can be integrated into our system. Thirdly, we use comprehensive collection of feedback to determine the validity of the rules.

II. GARLIC

The Garlic system, as its name suggests, is distributed: it consists of multiple terminal nodes and one central control node, as shown in Figure 1.

Figure 1. System components. Terminal nodes 1 to 4, each with a firewall module, a protocol filter module, a recording module and a communication module; the central control node with a feedback module, a detection module and a communication module.

In Figure 1, the Garlic system has a central control node with three modules and four terminal nodes, each with four functional modules: the firewall module, the protocol filter module, the recording module and the communication module. The central control node is a server with three functional modules: the feedback module, the detection module and the communication module. Generally, when a botnet is detected, the result is expressed in terms of IP addresses and ports, and from this information the detection module produces the rules. The central control node then distributes the generated rules to all the terminal nodes. After distributing the rules, Garlic checks whether the feedback on the rules indicates that they are effective or not. The Garlic system collects feedback for each rule without interruption; based on this feedback it can regenerate rules and distribute them, and these second-generation rules can in turn produce feedback, forming a recursive process.
Figure 2. The workflow of Garlic. The central control node is connected through the Internet to internal networks 1 to 4; the numbered steps 1 to 4 are described below.

In Figure 2, we show the workflow of Garlic. In Step 1, a terminal node transfers the traffic data it has recorded to the central control node. Step 2 is a very important step, in which the control node processes the huge volume of traffic collected in Step 1. Due to the bursty nature of network traffic and the fact that most networks can produce thousands or even millions of packets every second, processing the data in real time is a very challenging task; we solve it with LARX [7], a cloud computing platform that can process multiple tasks in parallel. The third step is to load the rules onto each terminal node; the advantage of this approach is that prevention and control share the same rules. After the rules are loaded into the terminal nodes, we reach the final and crucial step, which is to check whether each rule is still valid, that is, whether the botnet has changed its C&C server or not. We get the answer from the feedback. In our study, we found that when some firewalls load new rules, they do not check established connections. This means that once a bot and the C&C server have established a connection, no matter how precise the rules are, the connection will not be intercepted, which is very dangerous. We improve this point by checking all the rules against established connections when the firewall loads new rules.

III. PERFORMANCE EVALUATION

We conducted performance tests on our Garlic system, from which we can see the performance benefits of the distributed system and the importance of feedback. We used five physical machines: one as the central control node, two as terminal nodes to enforce rules, and the rest as ESX servers. On the ESX server, we installed four virtual machines running Windows XP SP2 and loaded with bots. In our experiment, we built two groups, each composed of three parts: ESX servers, users and terminal nodes. This division is intended not only to simulate a realistic network environment, but also to bring real bots into the test. In this experiment, group A obtains 46 different rules and group B obtains 14 different rules. Comparing the results of A and B comprehensively, there are 54 different rules in total; we distribute these rules to the two terminal nodes and then gather feedback on them. The experimental result is as expected: for each group, the actual number of rules in effect is more than the number of rules obtained above, which means that each group on its own missed a number of bots that do exist, and our Garlic system can compensate for this shortcoming. In addition, we consider that the "Garlic" system can detect botnets more quickly when more composite data can be provided to it.

IV. CONCLUSION AND FUTURE WORK

The Garlic system emphasizes collaboration and feedback: collaboration enables botnet information sharing and gives users a more comprehensive view for detecting botnets. Feedback is a very important resource for evaluating the accuracy of a rule. In future work, we will further study the feedback resources. For example, we will use feedback to build botnet models and identify false positives through model matching.
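The rule life cycle of Section II and the established-connection check from the workflow description (Steps 3 and 4), simulated as an added example; this is not the authors' code, and the class and function names, the (C&C IP, port) rule format and the sample addresses are assumptions. The `recheck_established` flag lets the defect the poster describes (rules ignoring links set up before they arrived) be compared with the corrected behaviour.

```python
from collections import defaultdict

class TerminalFirewall:
    def __init__(self, recheck_established=True):
        self.recheck_established = recheck_established
        self.rules = set()                 # (dst_ip, dst_port) block rules
        self.established = set()           # (src, dst_ip, dst_port) live links
        self.feedback = defaultdict(int)   # rule -> hits reported to control node

    def load_rules(self, rules):
        """Step 3: load control-node rules. With recheck_established the node also
        sweeps links set up before the rule arrived, the gap the poster describes."""
        self.rules |= set(rules)
        if not self.recheck_established:
            return
        for conn in list(self.established):
            rule = (conn[1], conn[2])
            if rule in self.rules:
                self.established.discard(conn)   # cut the existing C&C link
                self.feedback[rule] += 1

    def connect(self, src, dst_ip, dst_port):
        """New outbound connection; a blocked attempt counts as rule feedback."""
        rule = (dst_ip, dst_port)
        if rule in self.rules:
            self.feedback[rule] += 1
            return False
        self.established.add((src, dst_ip, dst_port))
        return True

def rules_from_detection(detections):
    """Step 2 output: each detected (C&C IP, port) pair becomes one block rule."""
    return {(ip, int(port)) for ip, port in detections}

def evaluate_rules(rules, feedback):
    """Step 4 at the control node: rules with feedback are in effect, the rest are regeneration candidates."""
    effective = {r for r in rules if feedback.get(r, 0) > 0}
    return effective, set(rules) - effective

def run(recheck_established):
    """Constructed scenario (assumed addresses): two bots reach the C&C before any rule exists."""
    fw = TerminalFirewall(recheck_established)
    fw.connect("10.0.0.5", "203.0.113.7", 6667)
    fw.connect("10.0.0.6", "203.0.113.7", 6667)
    rules = rules_from_detection([("203.0.113.7", 6667), ("198.51.100.9", 8080)])
    fw.load_rules(rules)
    fw.connect("10.0.0.7", "203.0.113.7", 6667)   # later attempt is blocked either way
    effective, stale = evaluate_rules(rules, fw.feedback)
    return len(fw.established), dict(fw.feedback), effective, stale
```

With the re-check enabled, `run(True)` leaves no established C&C links and reports three feedback hits; without it, `run(False)` keeps both pre-existing links alive no matter how precise the rule is.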
REFERENCES

[1] C. Kreibich, N. Weaver, C. Kanich, W. Cui and V. Paxson. GQ: Practical Containment for Measuring Modern Malware Systems. In: ACM IMC 2011.
[2] G. Gu, J. Zhang and W. Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In: NDSS 2008.
[3] H. Choi, H. Lee, H. Lee and H. Kim. Botnet Detection by Monitoring Group Activities in DNS Traffic. In: CIT 2007.
[4] Jun Li, Shuai Ding, Ming Xu, Fuye Han and Zhen Chen. TIFA: Enabling Real-Time Querying and Storage of Massive Stream Data. In: ICNDC 2011.
[5] Ying Zhang, Fachao Deng, Zhen Chen, Yibo Xue and Chuang Lin. UTM-CM: A Practical Control Mechanism Solution for UTM System. In: CMC 2010.
[6] Beipeng Mu, Xinming Chen and Zhen Chen. A Collaborative Network Security Management System in Metropolitan Area Network. In: CMC 2011.
[7] Tianyang Li, Fuye Han, Shuai Ding and Zhen Chen. LARX: Large-Scale Anti-Phishing by Retrospective Data-Exploring Based on a Cloud Computing Platform. In: ICCCN 2011.
[8] G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson and F. Schneider. Enriching Network Security Analysis with Time Travel. In: SIGCOMM 2008.