Botnet Tracking, Reporting, and Termination[edit | edit source]

Aim[edit | edit source]

To locate and report fast-flux hosts so they can be disinfected. The project is codenamed BRAT for Botnet Reporting And Termination.

Method[edit | edit source]

The method involves performing address lookups on host names for each known botnet, accumulating the data, and reporting the infections to the contact for each Autonomous System contact where the infection is detected.

Data Collection[edit | edit source]

By examining existing spammed URLs, and checking the site's DNS SOA, one can determine if they have a short TTL. By performing a "host" lookup and counting the number of Address records, one can determine multi-hosted sites. These two methods allow you to distinguish single hosts from botnet hosts.

Once a fast-flux candidate is found, it can be used as a "probe" to log the botnet's fast-flux IP addresses.

A collection of probes is placed into a control file as a set of site names. By issuing a "host" command for each probe on a regular cyclic basis, the IPs can be detected and logged with a date/time stamp. The probe cycle time is selected according to the fast-flux TTL (If the TTL is 3 minutes, probe every 3 minutes for new addresses).

Probes are categorised by

  1. Cycle time (eg 0, 1, 3, 5, 10, 30 minutes) - [Cycle time is used to select the probe rate].
  2. Hosting function (eg pharmacy spam site, Storm infection distribution site, phishing, money mule, Warezov distribution etc) - [Hosting function is used to separate or accumulate reporting runs].

Every 24 hours, the logs are copied for accumulation and reporting.

Accumulation[edit | edit source]

Each probe log is processed. For each IP discovered, the FIRST SEEN timestamp, LAST SEEN timestamp, and NUMBER OF SIGHTINGS is accumulated. Then, each IP is used to look up the ASN number, ISO country code, Reverse IP PTR, and ASN description. These fields are appended to each IP's line item. All of the results for common categories of hosting function are merged into one reporting file. There will be one merged file for spam operations, one for storm infection distributors etc.

Reporting[edit | edit source]

A table of primary abuse / security email addresses is maintained for each ASN. For each merged file, template reporting messages are prepared and sent to each ASN contact. Where one contact has multiple ASNs, these are rolled together into the same report. This gives each recipient a full picture of the penetration of the infections within their total network.

Statistics[edit | edit source]

For 24 hours of probing a 0-TTL fast-flux distributor of Storm there will be approximately 3,000 IPs detected, spread over approximately 500 ASNs.

For the same period, probes of 8 fast-flux botnets ranging from 1-10 minute cycles will detect approximately 2,000 IPs, spread over approximately 300 ASNs.

In total, the probe method can accumulate 5,000 IPs per day, or 35,000 per week.

Results[edit | edit source]

Reporting using this methodology started on Sept 20, 2007. Over the intervening period, the number of botnets being probed has climbed from 3 to 9 as of November 1.

Over that period there has been a measurable decline in botnet size, as reported by the graphs.

Five weeks ago when reporting commenced it was measured at 180K bots; at Nov 10 it was at 100K bots, a reduction of 80K bots

5 week reduction in botnets

Although this reduction can not be attributed solely to this reporting project, there is no doubt that it is a significant contributing factor.

More Reading[edit | edit source]

Spreadsheet tables showing some of the accumulated data from botnet probes are available at the Spamtrackers Botnet Downloads page

Geographical fingerprint charts for spam hosting, Storm distribution and DDoS botnets are shown at Botnet hosting

Community content is available under CC-BY-SA unless otherwise noted.