Thursday, April 24, 2008

When good guys do bad things

The recent USENIX NSDI conference has been slashdotted a lot. One very interesting paper describes how people polluted Stormnet, one of the biggest botnets, and brought it to its knees. 

One thing I learned from this paper is that the current Storm botnet is organized as a structured P2P overlay. It implements one of the simplest yet most effective overlays, Kademlia. So once infected, the bot machine joins the Kademlia network and participates in a publish/subscribe protocol. The general operation of this gang is as follows:
  1. The attacker initially publishes commands into the network, under keys that he and all the bots in the network know how to generate. In fact, the key can be derived from the current date and time plus some pre-defined randomness. Credit to the researchers for reverse-engineering the malware and discovering this process. 
  2. Bots periodically search for the keys they know how to generate. Naturally they find the published commands, then download and execute them blindly. 
  3. Not many details are given about the commands, but I presume a command can contain another set of commands, so that the bots themselves can later publish commands into the network. That way, the attacker is well covered.
If I were the botnet creator, I would use the Tapestry overlay rather than Kademlia. It is more suitable and probably performs better for this type of publish/subscribe protocol. On the other hand, Kademlia is probably the easiest one to implement, and its source code is available. 

The most interesting point is the proposal (already deployed) of launching Sybil attacks against the network. I have spent quite some time reading papers on Sybil attacks. All of them, including mine, label Sybil attacks as a threat to P2P networks, and the work is focused on finding ways to mitigate them. This work sheds new light on the field by looking at the attacks from a different angle. If the network is full of bad participants, taking it down becomes the moral thing to do, and the Sybil attack is a great tool for it. The authors implemented all sorts of attacks mentioned in the literature, desperately trying to render the botnet useless. The attacker will have the same difficulty finding us as we have finding him. The attack attempts to partition the network so that bots cannot discover the commands that were published. 

Having said that, many (including me) are working on how to fight Sybil attacks. Apparently, the attacker could use these techniques to fend off the current attempts. At the moment, the paper reports that it was able to introduce thousands of Sybils into the network using a single machine. However, due to Kademlia's routing redundancy, there is still room for improvement. It also surprises me a bit that you can launch that many Sybils from a single machine. This indicates that the current implementation of the botnet malware is still not robust enough, since it accepts thousands of connections from a few IP addresses. 
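As an added illustration (not code from the paper or from this post), here is a small Python model of the three mechanisms discussed above: a rendezvous key that every participant derives from the date plus a shared secret, Kademlia's XOR-closest replication, and a per-IP identity limit of the kind Sybil-resistance work proposes. The salt, addresses, peer counts and k value are all constructed; Storm's real key scheme and wire format are not reproduced.

```python
"""Toy Kademlia-style overlay: date-derived rendezvous keys, XOR-closest
replication, and a per-IP identity limit as one defence against Sybils.
Constructed example; the salt and addresses are not Storm's real values."""
import hashlib
import random
from collections import defaultdict

ID_BITS = 32
SALT = b"constructed-shared-secret"  # stands in for the "pre-defined randomness"

def rendezvous_key(day: str, slot: int) -> int:
    """Key any participant can compute from the date, a time slot and the salt."""
    h = hashlib.sha1(SALT + day.encode() + bytes([slot])).digest()
    return int.from_bytes(h[:ID_BITS // 8], "big")

def k_closest(peers, key, k):
    """Kademlia stores and reads a key at the k peers with smallest XOR distance."""
    return sorted(peers, key=lambda p: p[0] ^ key)[:k]

def sybil_suspects(peers, max_ids_per_ip=8):
    """Flag addresses that present far more node IDs than one host plausibly runs."""
    ids_by_ip = defaultdict(set)
    for node_id, ip in peers:
        ids_by_ip[ip].add(node_id)
    return {ip for ip, ids in ids_by_ip.items() if len(ids) > max_ids_per_ip}

def honest_share(peers, key, k, honest_ips):
    """Fraction of the k replicas for `key` that land on honest peers."""
    close = k_closest(peers, key, k)
    return sum(1 for _, ip in close if ip in honest_ips) / k

rng = random.Random(2008)  # seeded so the constructed overlay is reproducible
# constructed: 200 honest peers, each with its own address and a single node ID
honest = [(rng.getrandbits(ID_BITS), f"10.0.{i // 256}.{i % 256}") for i in range(200)]
honest_ips = {ip for _, ip in honest}
# constructed: 2000 identities all announced from one machine, as in the paper
sybils = [(rng.getrandbits(ID_BITS), "203.0.113.7") for _ in range(2000)]
peers = honest + sybils
key = rendezvous_key("2008-04-24", 3)

before = honest_share(peers, key, 20, honest_ips)      # Sybils swamp the replicas
suspects = sybil_suspects(peers)                       # one address, 2000 IDs
filtered = [p for p in peers if p[1] not in suspects]  # drop the flagged address
after = honest_share(filtered, key, 20, honest_ips)    # replicas are honest again

if __name__ == "__main__":
    print(f"key={key:08x} suspects={suspects}")
    print(f"honest share of 20 replicas: before={before:.2f} after={after:.2f}")
```

The per-IP limit only catches the single-machine case the paper describes; an attacker with many addresses needs the stronger mitigations the Sybil literature studies.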

Anyway, the Sybil attack is just like a gun. It does bad things under bad guys' control, but it can offer help to good guys in certain circumstances. For the time being, though, the possible bad things it can cause seem to outnumber the good things it can bring. 
