Abstract

Evidently, centralised botnets are nowadays considered as easy targets for take-down efforts by law enforcement and computer security researchers. Hence, malicious actors transitioned towards the implementation of Peer-to-Peer (P2P) IoT botnets such to solidify their infrastructures, avoid single points of failure and further evade back tracking. Consequently, due to the highly distributed persona of modern P2P botnets, the detection of critical nodes to aid for the effective capturing of emerging threat vectors in such setups evolved into a challenging task. In this work, we conduct a novel 24-month longitudinal study based on real Internet measurements from globally distributed honeypots focusing on propagation trends of P2P IoT botnets. In order to achieve this, we develop graph-based centrality metrics to attribute AS-level connectivity characteristics to botnet and malware propagation as well as relating AS-level tolerance for botnet malware hosts we refer to as loaders. In general, we argue that the proposed methodology and outcomes of the herein study, can significantly benefit security experts and network operators towards the design of mitigation measures against present and future P2P botnets.