• DocumentCode
    1799752
  • Title

    Long Term Tracking and Characterization of P2P Botnet

  • Author

    Jia Yan ; Lingyun Ying ; Yi Yang ; Purui Su ; Dengguo Feng

  • Author_Institution
    Trusted Comput. & Inf. Assurance Lab., Inst. of Software, Beijing, China
  • fYear
    2014
  • fDate
    24-26 Sept. 2014
  • Firstpage
    244
  • Lastpage
    251
  • Abstract
    P2P botnets are quite robust against various attacks that were once very effective against centralized networks. In this paper, we concentrate on the tracking of P2P botnets and investigate botnet victims that are routable on the Internet, also known as super peers. The super peers are the backbone of the botnet, used to disseminate its commands and payload updates. Through tracking of three typical live P2P botnets over 6 months and analysis of their network dynamics, we outline a number of descriptive and statistical characterizations of super peers, such as geo-location, peer session time and intersession time, in-degree and out-degree distribution, and pattern of arrival and departure. In addition, based on the assumption that IP dynamic allocation will not cross the AS (Autonomous System) border, we give a lower bound estimate of the total number of infected super peers in a conservative manner. We also propose several guidelines on disrupting P2P botnets, concerning the various features we have characterized, which could be helpful to the security community.
  • Keywords
    IP networks; Internet; invasive software; peer-to-peer computing; statistical analysis; AS border; IP dynamic allocation; P2P botnet characterization; P2P botnet victims; autonomous system border; centralized network; descriptive characterization; long term tracking; network dynamic analysis; payload updates; security community; statistical characterization; Crawlers; Measurement; Peer-to-peer computing; Protocols; Routing
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on
  • Conference_Location
    Beijing
  • Type

    conf

  • DOI
    10.1109/TrustCom.2014.24
  • Filename
    7011257