
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 1, January 2014)

Threats of Botnet to Internet Security and Respective Defense Strategies

Sagar A. Yeshwantrao (1), Prof. Vilas J. Jadhav (2)
1 Lecturer, 2 Asst. Prof., Department of Computer Engineering, MGM's College of Engineering & Technology, Kamothe, Navi Mumbai, Maharashtra, India.

Abstract — Botnets are one of the most dangerous threats to Internet security, and the problem is global in nature. A botnet is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the owners' knowledge. Their target is to steal valuable information from organizations as well as individuals, and botnets have become a source of income for entire groups of cybercriminals. It is necessary for the IT community to develop effective techniques for detecting and mitigating the malicious behavior of botnets. This paper presents a detailed study of the technology involved in the command and control of botnets and of the threats they pose. Its aim is to study the core details of the security threats that Internet users face from attackers who use malicious botnets. The paper also offers several strategies for defense against botnets, along with the measures and activities that should be carried out in order to establish a successful defense.

Keywords — Botnet, Bots, Botmaster, Zombie, C&C, DDoS, Spam, Malware, Internet Security, Defense Strategies.

I. INTRODUCTION

Nowadays IT security involves many fields, focused on a variety of security aspects from the lowest layers of the OSI model up to the application layer. Since security at the lower layers of the OSI model has been considerably improved, attackers have redirected their focus towards the highest layers.
In most cases they try to gain entry to systems via the application layer. Given that the fast-growing Internet has been driven by services that transfer and update information independently of software platforms, the question of Internet security has become much more crucial. A huge number of today's Internet attacks are directed at exploiting individuals, financial organizations and institutions in order to earn money, and they often cause financial losses.

One of the most serious threats to the Internet is the presence of a large number of infected computers. Networks of such computers are present everywhere in the world. They are mostly controlled by one or more attackers and are used for different types of attacks, from Distributed Denial-of-Service (DDoS) and the sending of unwanted e-mail (spam) up to the spreading of malware. Unlike other types of attacks, those performed by botnets draw on a large number of computers, which lets the attacker gather the required amount of computing resources and exploit them for various types of attacks. That is why attackers are especially interested in using them to gain the maximum benefit. At the same time, the harm caused by such networks is distinctly greater than that caused by traditional, isolated attacks. The whole Internet community, legislative organizations and institutions, individual Internet users and big IT firms have been considering ways to counter this problem, which is one of the most serious security threats against the Internet community today. The available literature contains only limited information about defense against botnets, and that information deals with specific aspects of defense. Botnets have become the biggest threat to Internet security and are used for launching attacks and committing different types of fraud.
A study shows that, on a typical day, about 40% of the 800 million computers connected to the Internet are in a botnet [1]. Those infected machines engage in many illegal activities, such as distributing spam, stealing sensitive and valuable information, launching denial-of-service attacks, and spreading new infections. Today, a primary motivation for operating a botnet is the income that can be earned from sending spam email. Ferris Research [2] has found that email spam costs businesses over $130 billion a year worldwide, $42 billion in the U.S. alone. Another popular source of income for online criminals is the installation of advertising software, known as adware, on victim systems; many adware companies offer monetary incentives for installing their software. Phishing schemes are also a major revenue generator for botnet operators. A botnet is a common term referring to a collection of software robots that run without human interference. They are mostly malicious in nature.
A botnet detector becomes important given that it may save millions of dollars every year and deter cybercriminals. Detecting malicious activity on a network is difficult: the attacker can hide their presence on a machine and only become active under certain conditions. Some vendors publish their findings about detecting botnets, but this information is not always enough to effectively track, disrupt, or mitigate them. Botnets have been in existence for about 10 years, and security experts have been cautioning the public about the threat they pose for some time. Still, the scale and magnitude of the problem are underrated, and most users do not comprehend the real threat botnets pose.

This paper is organized as follows. Section II gives the problem statement. Section III describes botnets and the ways they function. Section IV describes the threats posed by botnets to Internet security. Section V presents defense strategies against botnets, i.e. botnet prevention, botnet detection and response to botnet attacks, which should be carried out in order to protect a system successfully. Finally, Section VI summarizes the conclusions of the paper.

II. PROBLEM STATEMENT

An infected computer (zombie), while carrying out malicious code, spends resources and follows commands without the permission or prior knowledge of its owner. This activity slows down the computer, shows strange messages, or can even cause complete collapse of the system. However, this is not the biggest problem. The problem of botnets is global in nature, and the real problem appears when they are used for attack.
A botnet of a million malicious software robots, with 128 Kbps per compromised computer (zombie), can generate 128 Gbps of traffic. That is enough to put 500 companies and several countries out of function by DDoS attack. If several big botnets united, they could threaten the functioning of the national infrastructure of most countries [7].

III. BOTNET

Botnet is a term derived from the phrase "robot network". A botnet is a group of computers infected with malicious robot software, and such infected computers are very dangerous for the security of the owner's computer. After the malicious robot software has been successfully installed on the owner's computer, the computer becomes a zombie: it carries out the instructions given by the bot controller (botmaster) without any agreement or approval from the owner. Botnets are one of the most sophisticated and popular types of cybercrime today; millions of personal computers have been silently infiltrated with bot malware. A botnet is also called a zombie network, a network of infected computers (zombies) that allows cybercriminals to control the infected machines remotely without the owners' knowledge. Nowadays zombie networks have become a source of income for entire groups of cybercriminals. This section summarizes: (i) the working of a botnet, (ii) command and control models, and (iii) communication protocols.

A. Working of Botnet

The term botnet can also refer to a network of computers using distributed computing software, with the botnet controller (botmaster) issuing instructions directly to a small number of machines. These machines pass the instructions on to other compromised machines, usually via Internet Relay Chat (IRC). Bots enter a person's computer in many ways. Bots often distribute themselves across the network by searching for highly vulnerable, unprotected computers to infect.
When they find a vulnerable or unprotected computer, they quickly infect the machine and then report back to their master (botmaster). Their goal is then to stay hidden until they are instructed to carry out a particular task. The most common type of self-propagating malware technique used in the past has been the IRC-based botnet. The components of a typical botnet include a server program, a client program for operation, and the malicious program that embeds itself on the victim's machine (the bot). All three usually communicate with each other over a network and may use encryption for stealth and for protection against detection of, or intrusion into, the botnet-controlled network.

Figure 1: Working of a botnet in a DDoS attack.

Botnets are effective in performing tasks that would be impossible with only a single computer or a single IP address. Originally, botnets were used for distributed denial-of-service (DDoS) attacks (see Figure 1). Most modern web servers have developed strategies to deal with such DDoS attacks, making this use of a botnet less effective [3]. After infecting a victim, the bots connect to an IRC server on a predefined channel as visitors and wait for messages (i.e. commands) from the botmaster. The botmaster can come online at any time, view the list of bots, send commands to all zombie (compromised) computers at once, or send a private message to a single zombie machine.

B. Command and Control Models

Once bot malware is installed on the victim machines, the botmaster has to discover these infected machines. Once discovered, the botmaster needs to control them through some form of communication to carry out the desired operations.
The simplest method of communication between bots and botmaster is a direct control message link. However, such a direct link makes it easy to locate the botmaster, so this type of communication is not used. Instead, organized command languages and control protocols, called botnet Command and Control (C&C) techniques, are used to handle botnets remotely. Since the bots work together in large groups taking orders from a centralized botmaster, they can disable large-scale networks in a short time. Bot malware is also propagated through peer-to-peer networks, open file sharing, and direct client-to-client file exchange. The C&C system of a botnet is unique and unlikely to change among bots and their variants; however, attackers continue to adapt and look for new botnet communication channels [4]. In this section we summarize three different types of command and control models: Centralized, Peer-to-Peer (P2P) and Unstructured C&C models.

1) Centralized C&C Model: This model uses a central high-bandwidth host, called the C&C server, to forward messages between the bots. The C&C server in a botnet is a compromised computer that runs network services such as IRC or HTTP and relays the commands issued by the botmaster to each host in the botnet that joins the C&C server's channel. Centralized C&C is the most predominant C&C technique, and many bots including AgoBot, RBot and SDBot use it. Its main advantages are easy availability and greater productivity: centralized C&C allows controlling as many bots as possible and thus maximizes the profit of the botmaster. Its one drawback is that the C&C server is the weakest point in the entire botnet, since all communication passes through this single point.
2) Peer-to-Peer (P2P) C&C Model: The P2P model uses peer-to-peer communication with no real central server to forward messages between bots, which makes it more resilient to failures in the network. Unlike the centralized model, a P2P-based C&C is much harder to discover and destroy, and the botmaster can send commands from any peer. However, designing a P2P system is a more complex job. Examples of botnets that use the P2P C&C model include Phatbot and Sinit.

3) Unstructured C&C Model: A bot does not actively contact other bots or the botmaster; instead it listens for incoming connections from its botmaster. The botmaster randomly scans the Internet and passes along an encrypted message when it detects another bot [5].

C. Communication Protocols

Botnets basically use well-defined communication protocols. Studying these protocols can help us determine the origin of a botnet attack and decode conversations between the bots and the botmasters. In [6], the communication protocols are classified into three categories.

1) IRC Protocol: This is the most common protocol used by botmasters to communicate with their bots. IRC was developed mostly for group (many-to-many) communication, but it also handles one-to-one communication through private messages, which is very useful for botmasters controlling their botnet. However, security devices can easily be configured to block IRC traffic.

2) HTTP Protocol: HTTP is another popular communication method used by botnets. Detecting a botnet that uses HTTP for communication is much more difficult, because this sort of traffic blends in with the high volume of normal HTTP network traffic.
3) Other Protocols: Some more advanced botnets use other protocols, such as instant messaging (IM) and P2P protocols, for communication. IM and P2P protocols are used for creating botnets of relatively small size. Newer botnets use P2P communication, especially encrypted implementations of P2P protocols designed for private messaging and file transfer among a small number of trusted parties [7]. Some recent variants of Phatbot and Agobot, as well as Nugache and Peacomm, use P2P communication protocols.

IV. SECURITY THREATS FROM BOTNETS

A botnet is an effective tool for malicious users (botmasters). There are as many different motives for using botnets as there are people with malicious intent; most are used for financial gain or for destructive purposes [3]. With the growing sophistication of botnets and of highly skilled and organized botmasters, a threat as powerful as that from viruses, worms, Trojan horses, network intrusion and other known Internet threats persists against Internet security. Botnets are large, well organized and extremely difficult to identify; their operators have better tools and very large bot armies and can command the individual zombies (compromised computers) to carry out various types of attacks, including but not limited to distributed denial of service (DDoS), spamming, phishing, identity theft, sniffing traffic, spreading new malware, installing advertisement add-ons and Browser Helper Objects, attacking IRC chat networks, and a variety of other attacks such as attacks on mobile phones.

A. Distributed Denial-of-Service (DDoS) Attacks

A DDoS attack on a network causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim's system.
Launching a DDoS attack using a botnet has several advantages, including multiplying the impact of the attack without requiring any IP address spoofing. Attackers have spent a lot of time and effort on improving such attacks.

B. Spamming

Spam is any e-mail message, regardless of its content, sent to multiple recipients who have not specifically requested it. Spam generally refers to email rather than other forms of electronic communication. A person involved in spamming is called a spammer. Blogs, forums, social networking sites and any other site that accepts visitor comments are particular targets and are often victims of drive-by spamming, where automated software creates junk posts with links that are unnecessary and unwanted. Undesired advertising on wireless devices such as cell phones is called wireless spam.

C. Phishing and Identity Theft (ID Theft)

The term "phishing" evolved from the word "fishing" and follows a very similar approach. Fraudsters and scammers, the "fishermen", send out large quantities of deceptive emails, the "bait", to mostly random addresses across the Internet. Phishing describes spoofed e-mails and other technical deceptions used to fool recipients into giving up their personal or their organization's confidential and sensitive information, such as social security numbers (SSN), financial account details and other identity and security information. Some phishing emails look attractive and realistic, while others are crude and badly constructed, but all have the common goal of stealing information through deception. Phishing actually comprises two online identity thefts: the identity of the target company and that of its unsuspecting customers. Identity theft (ID theft) is a deception in which someone pretends to be someone else in order to steal money or get other benefits.
The victim whose identity is used can suffer various consequences when he or she is held responsible for the perpetrator's actions.

D. Sniffing Traffic (Traffic Monitoring)

Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. Sniffers mostly retrieve sensitive information such as usernames and passwords.

E. Malware

Malware is malicious software designed to damage a computer system without the owner's prior consent. Viruses and worms are examples of malware. Botnets are used to spread new bots and malware.

F. Installing Advertisement Add-ons and Browser Helper Objects (BHOs)

Botnets are used to spread new bots through the use of adware. This is easy since all bots implement mechanisms to download and execute a file via HTTP or FTP, and some bots may act as HTTP or FTP servers for malware. By setting up a fake website with some advertisements and signing up with companies that pay for clicks on ads, a botmaster can generate income. With the help of a botnet, these clicks can be automated (click fraud) so that a few thousand bots click on advertisements.

G. Attacking IRC Chat Networks

The victim network is flooded by service requests from thousands of bots or by thousands of channel joins by bots. In this way the victim IRC network is brought down, similar to a DDoS attack.

Recently, mobile botnets have come to notice as viruses, worms, Trojans, spyware and adware target the mobile platform. Mobile phones seem set to overtake desktop and laptop computers as the preferred way of connecting to the Internet. Android botnets (such as SpamSoldier) have now been discovered. The SpamSoldier botnet steals money by sending SMS messages to selected numbers without the Android user's knowledge.
The malware spreads by sending SMS messages from the infected device to other mobile phones, luring the user into installing the malware. Android botnets can be used for the same attacks that personal-computer-based botnets have been used for, such as DDoS attacks, identity theft, etc. The attack surface of devices is thus rapidly growing, making botnets a much greater threat, along with the complementary increase in the threat of malware, DDoS, identity theft, phishing etc.

V. DEFENSES AGAINST BOTNETS

Defense against botnets is carried out by applying certain strategies or mechanisms, i.e. certain security measures and activities. Internet users all over the world are responsible for defense, from home or business computer users, system administrators, designers, developers and Web service providers up to application administrators. Defense must be considered a durable and comprehensive process in which all activities and measures are proactive. This is the only way to achieve significant results and to protect the whole system, i.e. Web services and applications, against activities with bad intentions. Botnets present significant new challenges for the Internet community as attackers come up with new and improved tools. Protecting against falling victim to a botnet and locating the botmaster is very challenging for several reasons: i) the mechanism used in constructing and maintaining a botnet and the mechanism used in its attacks are independent of each other, ii) every zombie in a botnet is a source of attack, and iii) botnets remain silent until they are instructed to launch a specific attack [8]. Defense strategies against botnets can be classified into three main stages: (i) prevention, (ii) detection, and (iii) response to botnet attacks.

A. Botnet Prevention

This stage recommends the measures an Internet user or system administrator can take to prevent their system or network from bot infection.

1) Use of an Intrusion Prevention System (IPS): Intrusion Prevention Systems are devices that monitor network activity in order to detect violations or undesirable activities in real time, with the task of blocking or preventing them [9], [10]. Undesirable activities usually come in the form of malicious inputs to a target application or service that attackers use to disrupt or gain control of an application or machine. Figure 2 shows an example of a Web service architecture with a built-in IPS.

Figure 2: Example of a Web service architecture with IPS [7].

The IPS often sits directly behind the firewall and provides a complementary layer of analysis that filters out malicious content. Unlike an Intrusion Detection System (IDS), which is a passive system that scans network traffic and reports on threats, the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated action on all traffic flows that enter the network.

2) General awareness about online security and privacy is a must for all online users. A high level of user awareness is the best course in preventing malicious bots from infecting computers.

3) Set the OS to download and install security patches automatically.

4) Use a firewall to protect the system from attacks while it is connected to the Internet.

5) Download freeware only from websites that are known and trustworthy.
Pirated software, games and other illegal material available online are always a source of malicious code and thus present a serious security threat, so users should refrain from accessing such websites.

6) Use antivirus, anti-spyware and anti-Trojan tools, and update them regularly.

7) The use of CAPTCHA tests has been suggested for websites and other services as a protection against bots and other malicious agents.

B. Botnet Detection

Detecting bot activity on a system or a network is imperative to the study of botnets. There are four main approaches to botnet detection and tracking: (i) signature-based detection, (ii) anomaly-based detection, (iii) DNS-based detection, and (iv) data-mining-based detection.

1) Signature-based Detection: This technique relies on available knowledge, i.e. the signatures of existing bots, to capture bots. A library of specific botnet commands and function names is collected, summarized and included in the IDS. Once the IDS finds matching keywords while inspecting payload content, it can raise an alert and take further action against the botnet. This technique is limited to detecting only known botnets. For example, Snort is an open-source IDS that monitors network traffic for signs of intrusion by searching for matches against a predefined set of rules and signatures [11].

2) Anomaly-based Detection: Anomaly-based approaches try to detect botnets based on a number of network traffic anomalies, such as high network latency, high volumes of traffic, traffic on unusual ports, and unexpected system behavior that could indicate the presence of bots in the network. This technique addresses the problem of detecting unknown botnets, but it is not capable of recognizing an IRC botnet that has not yet been used for attacks.
To solve this, Binkley and Singh [12] proposed an effective and efficient algorithm that combines TCP-based anomaly detection with IRC tokenization and IRC message statistics to build a system that can detect client botnets and also reveal bot servers [12]. However, Binkley's approach can be defeated by simply using a minor cipher to encode the IRC commands. Gu et al. [13] proposed BotSniffer, which uses network-based anomaly detection to identify botnet C&C channels in a LAN. BotSniffer is based on the observation that bots within the same botnet will likely show very strong similarities in their responses and activities.

3) DNS-based Detection: DNS-based botnet detection techniques are generally based on the DNS information generated by a botnet. As mentioned before, bots normally begin by connecting to the C&C server to get commands. In order to reach the C&C server, bots issue DNS queries to locate it, and the server is typically hosted with a Dynamic DNS provider. Therefore, it is feasible to detect botnet DNS traffic by tracking DNS and detecting DNS traffic anomalies.

4) Data-mining-based Detection: Data-mining-based detection techniques aim to recognize useful patterns, i.e. to discover regularities and irregularities in large data sets. Packet flows provide complete flow data, but in very large files. Anomaly-based techniques are mostly based on network behavior anomalies such as high network latency, activity on unused ports and unusual computer behavior. Data-mining techniques can be applied for optimization and make it possible to extract sufficient data for analysis from network log files. Today, the most useful data-mining detection techniques include correlation, classification, clustering, statistical analysis and aggregation, for efficient knowledge discovery about network flows [14].
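As an added illustration of the signature-based approach of Section V.B.1 and of the IRC command channel of Section III.C.1 (this is example code written for this page, not code from the paper and not Snort's own matching engine), the following Python program applies Snort-style payload signatures to a constructed IRC C&C exchange. The session lines, the command syntax (.login, .ddos.syn, .download), the channel name and the rule library are all invented for the example; real bot families have their own command sets. The last inbound command is the same DDoS order with the command word passed through rot13, which the fixed signatures miss, which is the limitation the paper notes: only known botnets are detected.

```python
"""Signature-based detection of IRC botnet C&C traffic.

Added example for this page, not code from the paper and not Snort's own
engine: a Snort-style payload matcher run over a constructed IRC session.
The session, command names and rule library are invented for illustration.
"""
import re
from dataclasses import dataclass

# Constructed IRC exchange as a LAN sensor would see it: "out" is the
# infected host talking to the C&C server, "in" is server/botmaster to bot.
SAMPLE_SESSION = [
    ("out", "NICK [USA|XP]-48211"),
    ("out", "USER xp 0 * :xp"),
    ("in",  ":irc.example.net 001 [USA|XP]-48211 :Welcome"),
    ("out", "JOIN #c0ntrol botkey42"),
    ("in",  ":master!m@hidden PRIVMSG #c0ntrol :.login s3cret"),
    ("in",  ":master!m@hidden PRIVMSG #c0ntrol :.ddos.syn 203.0.113.9 80 600"),
    ("out", "PRIVMSG #c0ntrol :[DDoS]: Flooding 203.0.113.9:80 for 600s"),
    ("in",  ":master!m@hidden PRIVMSG #c0ntrol :.download http://198.51.100.7/u.exe 1"),
    ("out", "PRIVMSG #c0ntrol :[DOWNLOAD]: Downloaded 24.3KB, executing"),
    # The DDoS order again, with the command word passed through rot13.
    # A fixed signature for ".ddos" does not fire on this line.
    ("in",  ":master!m@hidden PRIVMSG #c0ntrol :.qqbf.fla 203.0.113.9 80 600"),
    ("in",  ":irc.example.net PING :irc.example.net"),
    ("out", "PONG :irc.example.net"),
]


@dataclass(frozen=True)
class Rule:
    sid: int         # rule identifier, like Snort's "sid" option
    msg: str         # alert text, like Snort's "msg" option
    pattern: str     # regex over the payload, like "content"/"pcre"
    direction: str   # "in" (botmaster -> bot) or "out" (bot -> botmaster)


# Hypothetical signature library modelled on SDBot/Agobot-style command sets.
RULES = [
    Rule(1000001, "IRC bot DDoS command",
         r"PRIVMSG #\S+ :\.ddos\.\w+ \d+\.\d+\.\d+\.\d+ \d+", "in"),
    Rule(1000002, "IRC bot download-and-execute command",
         r"PRIVMSG #\S+ :\.download https?://\S+ 1\b", "in"),
    Rule(1000003, "IRC bot login command",
         r"PRIVMSG #\S+ :\.login \S+", "in"),
    Rule(1000004, "IRC bot status report to channel",
         r"PRIVMSG #\S+ :\[(DDoS|DOWNLOAD)\]:", "out"),
    Rule(1000005, "IRC nick in bot-style [COUNTRY|OS]-number form",
         r"^NICK \[[A-Z]{2,3}\|\w+\]-\d+$", "out"),
]


def match_rules(session, rules=RULES):
    """Return (sid, msg, payload) for every payload/rule pair that matches,
    in session order; one payload can raise several alerts."""
    compiled = [(r, re.compile(r.pattern)) for r in rules]
    alerts = []
    for direction, payload in session:
        for rule, rx in compiled:
            if rule.direction == direction and rx.search(payload):
                alerts.append((rule.sid, rule.msg, payload))
    return alerts


def unmatched_channel_commands(session, rules=RULES):
    """Inbound channel messages that look like bot commands (a '.' prefix)
    but match no rule: unknown or obfuscated commands the signatures miss."""
    matched = {payload for _, _, payload in match_rules(session, rules)}
    return [payload for direction, payload in session
            if direction == "in"
            and re.search(r"PRIVMSG #\S+ :\.", payload)
            and payload not in matched]


if __name__ == "__main__":
    for sid, msg, payload in match_rules(SAMPLE_SESSION):
        print(f"[{sid}] {msg}: {payload}")
    for payload in unmatched_channel_commands(SAMPLE_SESSION):
        print(f"[no rule] possible obfuscated command: {payload}")
```

Matching in both directions matters: the inbound command rules catch the botmaster, while the outbound status-report and nick-format rules catch the infected host even when the command itself was not seen. The rot13 line shows why the paper pairs signatures with anomaly-based methods: a one-character change to the command word is enough to evade a content match.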
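An added example (not from the paper, and not any vendor's tool) of the DNS-based approach of Section V.B.3: a small resolver-log analyser that profiles every resolved name by fan-in (how many distinct internal clients resolved it), TTL, answer churn, lock-step lookups (several clients resolving the same name within seconds, repeatedly) and whether the name sits under a dynamic-DNS provider. The log format, the provider suffix list, the host names and all addresses are constructed for illustration; a real deployment would read the resolver's own query-log format and maintain the provider list.

```python
"""DNS-based botnet detection over a resolver query log.

Added example for this page, not the authors' code.  It profiles every
resolved name by fan-in (distinct internal clients), TTL, answer churn,
lock-step lookups and dynamic-DNS hosting, and flags names that score on
several indicators at once.  Log format, provider suffixes and addresses
are constructed for illustration.
"""
import re
from collections import defaultdict

# Hypothetical dynamic-DNS provider zones (a real list would be maintained).
DDNS_SUFFIXES = ("ddns.example.", "dyn.example.")

# Constructed log, one query per line:
# "<unix_ts> <client> <qname> <qtype> <rcode> <answer> <ttl>"
LOG = """\
1700000000 10.0.0.11 cc-update.ddns.example. A NOERROR 198.51.100.7 60
1700000001 10.0.0.12 cc-update.ddns.example. A NOERROR 198.51.100.7 60
1700000003 10.0.0.13 cc-update.ddns.example. A NOERROR 198.51.100.7 60
1700000005 10.0.0.20 www.example.com. A NOERROR 93.184.216.34 86400
1700000007 10.0.0.21 www.example.com. A NOERROR 93.184.216.34 86400
1700000009 10.0.0.22 www.example.com. A NOERROR 93.184.216.34 86400
1700000300 10.0.0.11 cc-update.ddns.example. A NOERROR 203.0.113.40 60
1700000301 10.0.0.12 cc-update.ddns.example. A NOERROR 203.0.113.40 60
1700000304 10.0.0.13 cc-update.ddns.example. A NOERROR 203.0.113.40 60
1700000310 10.0.0.20 cdn.example.net. A NOERROR 151.101.1.69 30
1700000311 10.0.0.21 cdn.example.net. A NOERROR 151.101.1.69 30
1700000312 10.0.0.22 cdn.example.net. A NOERROR 151.101.65.69 30
1700000320 10.0.0.11 home-pc.ddns.example. A NOERROR 192.0.2.10 60
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, qname, qtype, rcode, answer, ttl = m.groups()
        recs.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                     "qtype": qtype, "rcode": rcode, "answer": answer,
                     "ttl": int(ttl)})
    return recs


def sync_rounds(timestamps_by_client, window, min_clients):
    """Number of distinct time windows in which at least min_clients
    different clients resolved the same name (lock-step lookups)."""
    events = sorted((t, c) for c, ts in timestamps_by_client.items() for t in ts)
    rounds, i = 0, 0
    while i < len(events):
        start = events[i][0]
        clients, j = set(), i
        while j < len(events) and events[j][0] <= start + window:
            clients.add(events[j][1])
            j += 1
        if len(clients) >= min_clients:
            rounds += 1
        i = j
    return rounds


def profile_domains(recs, low_ttl=300, window=10, min_clients=3):
    """Per-name indicators: fan-in, low TTL, answer churn, lock-step
    lookups and dynamic-DNS hosting, plus a simple additive score."""
    by_name = defaultdict(list)
    for r in recs:
        if r["qtype"] == "A" and r["rcode"] == "NOERROR":
            by_name[r["qname"]].append(r)
    profiles = {}
    for qname, rs in by_name.items():
        per_client = defaultdict(list)
        for r in rs:
            per_client[r["client"]].append(r["ts"])
        indicators = {
            "ddns": qname.endswith(DDNS_SUFFIXES),
            "low_ttl": min(r["ttl"] for r in rs) <= low_ttl,
            "churn": len({r["answer"] for r in rs}) >= 2,
            "lockstep": sync_rounds(per_client, window, min_clients) >= 2,
        }
        profiles[qname] = {"clients": len(per_client), "queries": len(rs),
                           **indicators, "score": sum(indicators.values())}
    return profiles


def suspicious_domains(recs, min_clients=3, min_score=3):
    """Names resolved by enough hosts that also trip several indicators."""
    profiles = profile_domains(recs, min_clients=min_clients)
    return sorted(q for q, v in profiles.items()
                  if v["clients"] >= min_clients and v["score"] >= min_score)


if __name__ == "__main__":
    records = parse_log(LOG)
    for name, prof in profile_domains(records).items():
        print(name, prof)
    print("suspicious:", suspicious_domains(records))
```

The scoring is deliberately conjunctive. A CDN name in the sample has a low TTL and rotating answers, exactly like the C&C name, and is resolved by the same number of hosts; what separates the two is the dynamic-DNS zone and the repeated lock-step lookups at the bots' check-in interval. A name under a dynamic-DNS provider resolved by a single host is likewise left alone, since fan-in is what ties the lookups to a group.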
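The following added example is not BotSniffer or BotMiner (the paper does not reproduce their code) but shows, in Python, the group-correlation idea behind both tools from Sections V.B.2 and V.B.4 on constructed NetFlow-style records: hosts are clustered by similar communication patterns towards the same server (the "C-plane"), separately clustered by similar malicious activity, here scanning (the "A-plane"), and only hosts that fall into both are reported. All addresses, flow records, feature tolerances and thresholds are invented for the example; the legitimate IRC user and the web-browsing host are included to show what the correlation leaves alone.

```python
"""Group-behaviour correlation for botnet detection, in the spirit of
BotSniffer and BotMiner (Gu et al.).

Added example for this page, not the published tools.  It clusters hosts on
(a) similar communication patterns to the same server ("C-plane") and
(b) similar malicious activity, here scanning ("A-plane"), and reports hosts
that fall into both.  Flow records, addresses and thresholds are constructed.
"""
from collections import defaultdict
from itertools import combinations
from statistics import mean

# Constructed NetFlow-style records: (t_seconds, src, dst, dport, bytes, packets)
def _beacons(src, t0, period, n, size):
    """Periodic small flows from a bot to its C&C server."""
    return [(t0 + i * period, src, "198.51.100.7", 6667, size + (i % 3) * 4, 3)
            for i in range(n)]

def _scan(src, t0, n):
    """One short flow per target on port 445, one target per second."""
    return [(t0 + i, src, f"10.0.{1 + i // 250}.{1 + i % 250}", 445, 60, 1)
            for i in range(n)]

FLOWS = (
    _beacons("10.0.0.11", 0, 300, 12, 120)
    + _beacons("10.0.0.12", 7, 300, 12, 124)
    + _beacons("10.0.0.13", 13, 300, 12, 118)
    # legitimate IRC user on the same server: irregular, larger flows
    + [(t, "10.0.0.21", "198.51.100.7", 6667, b, p) for t, b, p in
       [(5, 900, 9), (41, 2200, 14), (300, 150, 3), (1310, 5100, 30), (2000, 700, 8)]]
    # ordinary web browsing
    + [(t, "10.0.0.20", d, 443, b, p) for t, d, b, p in
       [(10, "93.184.216.34", 4800, 12), (95, "151.101.1.69", 12000, 25),
        (400, "104.16.0.1", 800, 6), (1500, "93.184.216.34", 23000, 40)]]
    # scanning burst from the three bots after a command around t=900
    + _scan("10.0.0.11", 900, 80) + _scan("10.0.0.12", 905, 80) + _scan("10.0.0.13", 911, 80)
)


def _features(records):
    """Per (src, server) vector: mean bytes/flow, mean packets/flow,
    mean seconds between flows (needs at least two flows)."""
    ts = sorted(t for t, *_ in records)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return (mean(r[4] for r in records), mean(r[5] for r in records), mean(gaps))


def _similar(f1, f2, tol):
    """True when every feature differs by at most tol relative to the larger."""
    return all(abs(a - b) <= tol * max(a, b, 1e-9) for a, b in zip(f1, f2))


def _components(feats, tol):
    """Connected components of hosts with pairwise-similar features (union-find)."""
    parent = {h: h for h in feats}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for a, b in combinations(feats, 2):
        if _similar(feats[a], feats[b], tol):
            parent[find(a)] = find(b)
    comps = defaultdict(set)
    for h in feats:
        comps[find(h)].add(h)
    return list(comps.values())


def c_plane_clusters(flows, tol=0.25, min_flows=3):
    """{(dst, dport): [set_of_hosts, ...]} for hosts that talk to the same
    server repeatedly with a similar traffic shape; clusters of size >= 2."""
    per_pair = defaultdict(list)
    for rec in flows:
        per_pair[(rec[1], (rec[2], rec[3]))].append(rec)
    by_server = defaultdict(dict)
    for (src, server), recs in per_pair.items():
        if len(recs) >= min_flows:
            by_server[server][src] = _features(recs)
    clusters = {}
    for server, feats in by_server.items():
        big = [c for c in _components(feats, tol) if len(c) >= 2]
        if big:
            clusters[server] = big
    return clusters


def a_plane_scanners(flows, window=60, min_targets=20):
    """Hosts contacting >= min_targets distinct destinations on one port
    within any window-second span (scanning behaviour)."""
    per_src = defaultdict(list)
    for t, src, dst, dport, *_ in flows:
        per_src[(src, dport)].append((t, dst))
    scanners = set()
    for (src, _dport), events in per_src.items():
        events.sort()
        seen, j = defaultdict(int), 0
        for t_i, dst_i in events:
            seen[dst_i] += 1
            while events[j][0] < t_i - window:       # slide the window start
                seen[events[j][1]] -= 1
                if seen[events[j][1]] == 0:
                    del seen[events[j][1]]
                j += 1
            if len(seen) >= min_targets:
                scanners.add(src)
                break
    return scanners


def detect_botnet_groups(flows):
    """Cross-plane correlation: a C-plane cluster whose members also show
    A-plane activity is reported as a probable botnet."""
    scanners = a_plane_scanners(flows)
    groups = []
    for server, clusters in c_plane_clusters(flows).items():
        for hosts in clusters:
            bad = hosts & scanners
            if len(bad) >= 2:
                groups.append({"server": server, "hosts": bad})
    return groups


if __name__ == "__main__":
    for g in detect_botnet_groups(FLOWS):
        print("probable botnet:", sorted(g["hosts"]), "via", g["server"])
```

Neither plane is convincing on its own: the legitimate IRC user shares the C&C server but not the bots' traffic shape, and a single scanning host could be an administrator's inventory tool. It is the intersection that identifies the group, which is also why the approach needs no knowledge of the command syntax and survives the encoded-command trick that defeats signatures and Binkley's IRC tokenization.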
BotMiner is the most recent approach that applies data-mining techniques to botnet C&C traffic detection; it builds on BotSniffer [13].

C. Response to Botnet Attacks

This section recommends some actions that Internet users and system administrators can take in response to bots infecting a computer or network.

1) The user should disconnect the system from both the Internet and any local network immediately, as soon as the user realizes it has been infected. This helps limit the potential damage both to the user's own systems (the botmaster can no longer gain access) and to other systems on the Internet (the user's machine cannot be used to attack others). It is important to physically disconnect the system from the network.

2) Then scan the entire system with fully updated antivirus, anti-spyware and anti-Trojan tools. It is important to remove and/or quarantine the viruses, worms, spyware and Trojans.

3) If the user stores sensitive and valuable information such as bank or credit card details on the infected computer, the user should immediately inform the appropriate organization.

4) There is a possibility that passwords have been compromised in such cases, so change them immediately.

5) In addition to the response measures recommended for Internet users, system administrators can take action to control the spread of bots, for example by isolating the affected network subnet from the rest of the system.

6) Report unauthorized system accesses to the legislative authorities and government agencies, such as the cyber crime branch of the police and the Computer Emergency Response Team (CERT). CERT India (CERT-In) is the apex authority in India for cyber safety.

VI. CONCLUSION

Nowadays botnets are a very important challenge for the Internet community.
Their malicious activities cause many problems for Internet users, system administrators, Internet service providers (ISPs), etc. The threats that botnets pose to computers and systems require efficient defense strategies. In this paper we presented the details of botnets and their threats to Internet security. In addition, we have described the measures and proposed activities for carrying out each defense strategy. This study was part of ongoing research on the behavior of botnets to find new ways to detect and prevent malicious activities. Applying the given defense strategies contributes significantly to defense against botnets.

REFERENCES

[1] B. Acohido and J. Swartz, "Botnet scams are exploding," USA Today. http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm
[2] Ferris Research (2009), Industry statistics. Retrieved from http://www.ferris.com/research-library/industry-statistics/
[3] "Botnet Detection and Mitigation," Seidenberg School of CSIS, Pace University, USA, Proceedings of Student-Faculty Research Day, CSIS, Pace University, May 7, 2010.
[4] M. T. Banday, J. A. Qadri and N. A. Shah, "Study of Botnets and Their Threats to Internet Security," Sprouts: Working Papers on Information Systems, 9(24), 2009.
[5] Chao Li, Wei Jiang and Xin Zou, "Botnet: Survey and Case Study," 4th International Conference on Innovative Computing, Information and Control, 2009.
[6] "Taxonomy of Botnet Threats," Trend Micro Inc. White Paper, November 2006.
[7] S. Stanković and D. Simić, "Defense Strategies Against Modern Botnets," International Journal of Computer Science and Information Security (IJCSIS), Vol. 2, No. 1, 2009.
[8] P. Harjai and K. Bhola, "Paper Presentation On Botnet," Department of C.S.E., Haryana Engineering College, Feb 15, 2006.
[9] C. Livadas, R. Walsh, D. Lapsley and T. Strayer, "Using Machine Learning Techniques to Identify Botnet Traffic," submitted to 2nd IEEE LCN Workshop on Network Security, 2006.
[10] Cisco Intrusion Prevention System Solutions, Cisco Systems Inc., 2009. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/product_data_sheet0900aecd805baef2_ps2706_Products_Data_Sheet.html
[11] A. K. Tyagi and G. Aghila, "A Wide Scale Survey on Botnet," International Journal of Computer Applications, 34(9):10-23, November 2011.
[12] R. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," Proceedings of USENIX SRUTI'06, pages 43-48, July 2006.
[13] G. Gu, J. Zhang and W. Lee, "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic," Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), San Diego, CA, February 2008.
[14] N. A. Sable and D. S. Datar, "A Review - Botnet Detection and Suppression in Clouds," International Journal of Engineering Research & Technology (IJERT), Vol. 2, Issue 11, November 2013.