> To ensure the entire network is discovered, we should start the crawler off with multiple supernode IPs and store all IPs found in a database; then each time we restart the crawler, we seed it with the list of IPs found during the previous crawl. Repeating this process for a couple of hours ensures all online nodes are found.
This would only discover supernodes though, right? Or does every node at some point broadcast itself as a supernode?
Yes to your first question, no to your second. He goes on to explain: "In order to map all workers, we’d need to set up multiple supernodes across the botnet which log incoming connections (obviously every worker doesn’t connect to every supernode at the same time, so it’s important that our supernodes have a stronger presence in the botnet)."
From what I understand, the process is:
1. Write a program that pretends to be a compromised peer and requests a connection to a Supernode in order to obtain its peer list of other Supernodes.
2. Recursively crawl the Supernodes in each returned peer list for further Supernodes, storing all addresses found (see the sketch below).
3. Set up one or more Supernodes of our own and 'infiltrate' the peer lists of already established Supernodes. Log incoming connections from Workers.
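As a rough sketch of steps 1 and 2, the crawler is essentially a breadth-first search over peer lists. Note that `request_peers` below is a hypothetical placeholder for whatever protocol-specific peer-exchange message the real bot uses; you'd only know that from reversing the malware:

```python
from collections import deque

def request_peers(ip):
    """Hypothetical stand-in for the botnet's peer-exchange request.
    The real message format would come from reversing the bot.
    Should return the list of supernode IPs the peer replies with."""
    raise NotImplementedError("implement the botnet's peer-exchange message")

def crawl(seed_ips):
    """Breadth-first crawl: query every known supernode for its peer
    list and keep going until no new addresses turn up."""
    known = set(seed_ips)
    queue = deque(seed_ips)
    while queue:
        ip = queue.popleft()
        try:
            peers = request_peers(ip)
        except OSError:
            continue  # node offline or unreachable; skip it
        for peer in peers:
            if peer not in known:
                known.add(peer)
                queue.append(peer)
    return known  # persist these and use them to seed the next crawl
```

This also matches the quoted advice above: the returned set is exactly what you'd store in the database and feed back in as seeds on the next restart.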
How is he able to add new supernodes to the cluster? I would expect a supernode to have some sort of credentials that are used for authentication. If not, isn't it possible to neutralize the botnet by overloading it with supernodes that don't send malicious commands?
According to his initial explanation: "In a peer to peer botnet, bots which can receive incoming connections act as servers (called supernodes)."
So in some cases the only requirement for a node to be a supernode is that it can receive incoming connections. I take this to mean that any computer that is (1) infected with the botnet program and (2) able to receive incoming connections becomes a supernode. Under those circumstances there's no need to reverse engineer the botnet program: all you have to do is set up a vulnerable computer, allow it to be compromised and infected so that it becomes a supernode, then monitor the traffic of incoming connections.
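A minimal sketch of that monitoring step is below, logging the source IP of every peer that connects. The port number is made up for illustration; in reality you'd learn it by watching the infected machine's traffic, and you might prefer a passive capture (e.g. tcpdump) over running a listener yourself:

```python
import socket
from datetime import datetime, timezone

# Hypothetical port the bot listens on; the real value would come
# from observing the infected machine's traffic.
LISTEN_PORT = 16464

def log_workers(port=LISTEN_PORT):
    """Accept incoming connections on the bot's port and record the
    source address of every peer (worker) that connects."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(128)
    with open("workers.log", "a") as log:
        while True:
            conn, (ip, _) = srv.accept()
            log.write(f"{datetime.now(timezone.utc).isoformat()} {ip}\n")
            log.flush()
            conn.close()  # we only care about who connected
```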
He later mentions that supernodes can be filtered based on "age, online time, latency, or trust." This tells me that certain botnets do maintain a trust level for each entry in the peer list.
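For illustration, such filtering might look like the sketch below; the `Peer` fields and thresholds are invented, simply mirroring the criteria he lists:

```python
from dataclasses import dataclass

@dataclass
class Peer:
    """Hypothetical peer-list entry; fields mirror the criteria
    mentioned above (age, online time, latency, trust)."""
    ip: str
    age_days: float
    online_hours: float
    latency_ms: float
    trust: int

def eligible_supernodes(peers, min_age=7, min_online=24,
                        max_latency=200, min_trust=1):
    """Keep only peers that meet every threshold.
    The threshold values here are made up for illustration."""
    return [p for p in peers
            if p.age_days >= min_age
            and p.online_hours >= min_online
            and p.latency_ms <= max_latency
            and p.trust >= min_trust]
```

A botnet that filters like this raises the bar for infiltration: a freshly introduced fake supernode would first have to accumulate age, uptime, and trust before other peers would propagate it.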
I believe your last question refers to the concept of sinkholing or blackholing. I think the FBI has used these methods to take down botnets, by hijacking the DNS domains the bots use to reach their controllers and redirecting them to servers the investigators control.