Botnet tracking techniques and tools
Jose Nazario, Jeremy Linden Arbor Networks
download slides (PDF)
Botnets have quickly become one of the chief dangers to large-scale Internet security,
threatening nearly every Internet user and even the very infrastructure itself. Unlike
traditional malware such as viruses and worms, the structure of a botnet creates the
opportunity to perform direct measurements and observation. The common tools to perform these
measurements are usually written quickly and may or may not work for long periods of
time, especially if the botnet owner is vigilant about checking for lurking hosts.
Furthermore, most botnet studies published thus far have focused on studying captured malware
samples outside of the network or have been carried out using honeypot hosts. Neither of
these techniques provides a full picture of the botnet landscape.
To study larger amounts of information about the botnet community, we have developed
simple tools and techniques to infiltrate large numbers of botnets for long periods of
time. Our findings reveal how botnet operators manage their networks, what they are
doing with the infected hosts, and the skill levels required to create such botnets.
These results illustrate how lucrative the botnet community is, how easy it is to
get started, and how dangerous it can be for the Internet community at large.