Title |
A Survey on Botnet Architectures, Detection and Defences |
DOI |
10.6633/IJNS.201505.17(3).06 |
Authors |
Muhammad Mahmoud;Manjinder Nir;Ashraf Matrawy |
Keywords |
Botnet ; command and control ; distributed denial of service attack (DDoS) ; fast-flux service networks |
Journal |
International Journal of Network Security |
Volume and Issue / Publication Date |
Vol. 17, No. 3 (2015 / 05 / 01) |
Pages |
272 - 289 |
Language |
English |
English Abstract |
Botnets are known to be one of the most serious Internet security threats. In this survey, we review botnet architectures and their controlling mechanisms. Botnet infection behavior is explained. Then, known botnet models are outlined to study botnet design. Furthermore, Fast-Flux Service Networks (FFSN) are discussed in great detail, as they play an important role in facilitating botnet traffic. We classify botnets based on their architecture. Our classification criterion relies on the underlying C&C (Command and Control) protocol, and thus botnets are classified as IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol), P2P (Peer-to-Peer), and POP3 (Post Office Protocol 3) botnets. In addition, newly emerging types of botnets are surveyed. These include SMS & MMS mobile botnets and botnets that abuse online social networks. In terms of detection methods, we categorize them into three main groups, namely: (1) traffic behavior detection, in which we classify botnet traffic into C&C traffic, bot-generated traffic, and DNS traffic; (2) botmaster traceback detection; and (3) botnet detection using virtual machines. Finally, we summarize botnet defence measures that should be taken after detecting a botnet. |
Subject Classification |
Basic and Applied Sciences >
Information Science |