AppBot: a novel P2P botnet architecture resistant to graph-based tracking

P2P architectures have been widely adopted by botnets for their high robustness. As the complex Command and Control (C&C) mechanism inevitably leads to too many interactions among bots, the P2P topology characteristics of traditional P2P botnet architectures is likely to be exposed to defenders, which makes them vulnerable to graph-based tracking. Inspired by the infeasibility of monitoring the global Internet and the diffculty of IP traceback problem, we propose a novel P2P botnet architecture, called AppBot, which is resistant to graph-based tracking. The key idea behind our proposal is two-folds: i) interactions are strictly restricted across different domains, and ii) IP spoofing is used to hide the origins of bots' interactions. Based on the real botnet distribution and background traffic of mainland China, we provide a realistic scenario for our experiments. In order to systematically evaluate AppBot, we compare it with two other typical P2P botnet architectures (HppBot and KppBot) in terms of the performance against one of the best graph-based tracking methods. We repeat our experiments by varying the botnet distribution (Gafgyt distribution and IMDDOS distribution). Each experiment is conducted on the mixture of synthetic botnet traffic and real background traffic of Xinjiang domain and Hainan domain, respectively. Experimental results show that AppBot shows a significantly high anti-tracking performance over all experimental settings. The average anti-tracking performances of AppBot, HppBot and KppBot are 46.88%, 20.45% and 24.28%, respectively.