Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing

Αναγνωστόπουλος, Μάριος; Kambourakis, Georgios; Drakatos, Panagiotis; Karavolos, Michail H.; Kotsilitis, Sarantis; Yau, David K. Y.

doi:10.1007/978-3-319-68786-5_41

Cited by 12 publications

(13 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Performance and deficiencies [65], [66], [67], [68], [69] 5 Changes in the design [69], [70], [71], [61], [72], [73] 6 Discovery and measurement [74], [75], [32], [33], [34], [37], [38], [68], [23], [30], [31], [19] 12…”

Section: Research Fieldmentioning

confidence: 99%

“…Another article, claiming that because of Tor's unique features, HS can be used to control botnets [66], tests the implementation of new proxy-based botnet architectures that benefit from the anonymity provided by the Tor network to disguise its Command and Control infrastructure. To do this, each bot creates a Tor HS, thus acquiring an .onion address, to allow communication with the rest of the botnet.…”

Section: Performance and Deficienciesmentioning

confidence: 99%

See 1 more Smart Citation

Tor Hidden Services: A Systematic Literature Review

Trujillo¹,

Ruiz‐Martínez²

2021

Preprint

View full text Add to dashboard Cite

Anonymous communications networks were born to protect the privacy of our communications, preventing censorship and traffic analysis. The most famous anonymous communication network is Tor. This anonymous communication network provides some interesting features, among them, we can mention user’s IP location or Tor Hidden Services (THS) as a mechanism to conceal the location of servers, mainly, web servers. THS is an important research field in Tor. However, there is a lack of reviews that sump up main findings and research challenges. In this article we present a systematic literature review that aims to offer a comprehensive view on the research made on Tor Hidden services presenting the state of the art and the different research challenges to be addressed. This review has been developed from a selection of 57 articles and present main findings and advances regarding Tor Hidden Services, limitations found, and future issues to be investigated.

show abstract

Section: Research Fieldmentioning

confidence: 99%

Section: Performance and Deficienciesmentioning

confidence: 99%

Tor Hidden Services: A Systematic Literature Review

Trujillo¹,

Ruiz‐Martínez²

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…[112] and Ref. [113] give a comprehensive review of mobile botnets; covering the state-of-the-art C&C architectures that are featured by contemporary mobile botnets. Anagnostopoulos et al [113] further elucidates the advanced capabilities that Tor's hidden services and DNS protocols avails to hackers for masking their identities and footprints, while also upscaling the resilience of their bot army through optimisations to a TXT-based Tor fluxing scheme for DNS operations.…”

Section: Botnets In Mobile and Cloud Environmentsmentioning

confidence: 99%

“…[113] give a comprehensive review of mobile botnets; covering the state-of-the-art C&C architectures that are featured by contemporary mobile botnets. Anagnostopoulos et al [113] further elucidates the advanced capabilities that Tor's hidden services and DNS protocols avails to hackers for masking their identities and footprints, while also upscaling the resilience of their bot army through optimisations to a TXT-based Tor fluxing scheme for DNS operations. In addition, sources such as Conti et al [114], Kadir et al [115], Farina et al [116], Alzahrani et al [117], Natarajan et al [118], Liao and Li (2014) [119], Eslahi et al [120], Mtibaa et al [121], Abdullah et al [122], Hamon (2014) [123], Mtibaa (2013) [124], Choi et al [125] and Apvrille et al [126] highlight some of the recent techniques and procedures used by attackers in setting up mobile botnets, as well as some countermeasures that have been recently developed for combating the challenge of mobile botnets.…”

Section: Botnets In Mobile and Cloud Environmentsmentioning

confidence: 99%

A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far

et al. 2019

View full text Add to dashboard Cite

Botnets have carved a niche in contemporary networking and cybersecurity due to the impact of their operations. The botnet threat continues to evolve and adapt to countermeasures as the security landscape continues to shift. As research efforts attempt to seek a deeper and robust understanding of the nature of the threat for more effective solutions, it becomes necessary to again traverse the threat landscape, and consolidate what is known so far about botnets, that future research directions could be more easily visualised. This research uses the general exploratory approach of the qualitative methodology to survey the current botnet threat landscape: Covering the typology of botnets and their owners, the structure and lifecycle of botnets, botnet attack modes and control architectures, existing countermeasure solutions and limitations, as well as the prospects of a botnet threat. The product is a consolidation of knowledge pertaining the nature of the botnet threat; which also informs future research directions into aspects of the threat landscape where work still needs to be done.

show abstract

“…These armies of bots are used for launching Distributed Denial of Service (DDoS) attacks, sending spam emails on a massive scale, identity theft, and so forth [11]. To coordinate their network of bots effectively and in a stealthy manner, the botherders rely on advanced Command and Control (C&C) channels [12]. Specifically, the infected devices, called bots, receive and execute the commands of the botherder, through this covert C&C channel.…”

Section: Dns-based Candcmentioning

confidence: 99%

Another Step in the Ladder of DNS-Based Covert Channels: Hiding Ill-Disposed Information in DNSKEY RRs

Αναγνωστόπουλος

Seem

2019

Information

Self Cite

View full text Add to dashboard Cite

Covert channel communications are of vital importance for the ill-motivated purposes of cyber-crooks. Through these channels, they are capable of communicating in a stealthy way, unnoticed by the defenders and bypassing the security mechanisms of protected networks. The covert channels facilitate the hidden distribution of data to internal agents. For instance, a stealthy covert channel could be beneficial for the purposes of a botmaster that desires to send commands to their bot army, or for exfiltrating corporate and sensitive private data from an internal network of an organization. During the evolution of Internet, a plethora of network protocols has been exploited as covert channel. DNS protocol however has a prominent position in this exploitation race, as it is one of the few protocols that is rarely restricted by security policies or filtered by firewalls, and thus fulfills perfectly a covert channel’s requirements. Therefore, there are more than a few cases where the DNS protocol and infrastructure are exploited in well-known security incidents. In this context, the work at hand puts forward by investigating the feasibility of exploiting the DNS Security Extensions (DNSSEC) as a covert channel. We demonstrate that is beneficial and quite straightforward to embed the arbitrary data of an aggressor’s choice within the DNSKEY resource record, which normally provides the public key of a DNSSEC-enabled domain zone. Since DNSKEY contains the public key encoded in base64 format, it can be easily exploited for the dissemination of an encrypted or stego message, or even for the distribution of a malware’s binary encoded in base64 string. To this end, we implement a proof of concept based on two prominent nameserver software, namely BIND and NDS, and we publish in the DNS hierarchy custom data of our choice concealed as the public key of the DNS zone under our jurisdiction in order to demonstrate the effectiveness of the proposed covert channel.

show abstract

Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing

Cited by 12 publications

References 9 publications

Tor Hidden Services: A Systematic Literature Review

Tor Hidden Services: A Systematic Literature Review

A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far

Another Step in the Ladder of DNS-Based Covert Channels: Hiding Ill-Disposed Information in DNSKEY RRs

Contact Info

Product

Resources

About