1. Field of the Disclosure
The present disclosure generally relates to network security. More specifically, the present disclosure relates to identifying bots within a botnet.
2. Background Information
Botnets are networks of compromised hosts. Botnets pose a significant threat to both a network's infrastructure and its customers. Therefore, it is important for an Internet Service Provider to detect and track botnet members, i.e., bots.
Botnets generally include a bot master that manages a botnet by sending commands to each of the bots within the botnet. In order for the botnet to function properly, the bot master must be able to communicate with each of the bots and send them commands through a command and control channel.
Traditional botnets generally adopted a centralized command and control architecture to communicate commands from the bot master to each of the bots. In a centralized command and control architecture, the bot master publishes commands at a central location, such as a specific IP address, a specific IRC channel, a specific domain name, etc. Thereafter, each of the bots fetches the commands from the central location.
Modern botnets have adopted new command and control architectures. For example, new botnets often adopt a peer-to-peer command and control architecture to distribute commands among the bots. In a peer-to-peer command and control architecture, there is no centralized controller. Instead, the bot master simply injects a command into the botnet at any arbitrary point, and the injected command is disseminated from bot to bot using various peer-to-peer protocols.
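To make the contrast between the two architectures concrete from a defender's point of view, the following added example (not part of the disclosure) simulates command dissemination over a constructed eight-bot overlay and measures how much of the resulting traffic converges on a single destination. Bot names, the peer lists and the hub-concentration metric are assumptions chosen for illustration; the point is that a central rendezvous point stands out as a star in flow data, whereas a peer-to-peer flood leaves no such hub.

```python
from collections import Counter

# Constructed example topology (not from the disclosure): eight bots b0..b7.
BOTS = [f"b{i}" for i in range(8)]
C2_HOST = "c2"  # hypothetical central rendezvous point (IP/IRC channel/domain)

# Constructed peer-to-peer overlay: each bot knows two peers (ring plus a chord).
PEERS = {b: [BOTS[(i + 1) % 8], BOTS[(i + 3) % 8]] for i, b in enumerate(BOTS)}


def centralized_flows(bots, c2_host):
    """Centralized C&C: every bot fetches commands from one location."""
    return [(bot, c2_host) for bot in bots]


def p2p_disseminate(peers, injection_point):
    """Flood a command injected at an arbitrary bot through the overlay.

    Each bot forwards the command once to every peer it knows (breadth-first).
    Returns (flows, rounds until full coverage, set of bots reached)."""
    seen = {injection_point}
    frontier = [injection_point]
    flows, rounds = [], 0
    while frontier:
        newly_reached = []
        for src in frontier:
            for dst in peers[src]:
                flows.append((src, dst))  # one observable connection per forward
                if dst not in seen:
                    seen.add(dst)
                    newly_reached.append(dst)
        if newly_reached:
            rounds += 1
        frontier = newly_reached
    return flows, rounds, seen


def hub_concentration(flows):
    """Share of all flows terminating at the single busiest destination.

    1.0 means a pure star (a central C&C point); small values mean the
    command traffic has no single rendezvous point to block or monitor."""
    fan_in = Counter(dst for _, dst in flows)
    return max(fan_in.values()) / len(flows)


if __name__ == "__main__":
    print("centralized hub share:", hub_concentration(centralized_flows(BOTS, C2_HOST)))
    flows, rounds, reached = p2p_disseminate(PEERS, "b0")
    print(f"p2p: {len(flows)} flows, {rounds} rounds, hub share {hub_concentration(flows)}")
```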