Understanding how botnets work

Written by Jesmond Darmanin on August 7, 2009

It would be a fair bet to say that scientists at Sandia National Laboratories have seen “Night of the Living Dead.” The Livermore, California researchers embarked on a test to duplicate a zombie network a million strong.

The researchers ran more than a million Linux kernels as virtual machines in an attempt to see how malicious botnets scale. Previous simulations have been able to re-create zombie networks of only about 20,000 nodes. Analyzing botnets has been difficult for security researchers for a variety of reasons, not least the global, almost random distribution pattern that botnets exhibit. Unlike a real botnet, which consists of huge numbers of individual machines, the Sandia simulation uses virtual machine technology to duplicate the effect of many machines while running on one very large supercomputer.

Running a simulation has a good deal of value in terms of security research. According to a press release issued from Sandia, “Many phenomena occurring on the Internet are poorly understood, because we lack the ability to model it adequately. By running actual operating system instances to represent nodes on the Internet, we will be able not just to simulate the functioning of the Internet at the network level, but to emulate Internet functionality.”

The test is being run on Sandia Labs’ 4,480-node computer cluster named Thunderbird, which is located at its Albuquerque, New Mexico facility.
