Researchers Boot Million Linux Kernels to Help Botnet Research

Scientists at Sandia National Laboratories have demonstrated the ability to run more than 1 million Linux kernels as virtual machines, an effort they say will ultimately help researchers analyzing massive botnets.

Scientists at Sandia National Laboratories are harnessing more than a million Linux kernels as virtual machines as part of an effort to aid researchers to better analyze botnet behavior. 

According to Sandia, which serves as an R&D arm for the Department of Energy, the project will allow security researchers to observe behavior found in botnets operating on the scale of a million nodes. 

"Botnets, said Sandia's Ron Minnich, are often difficult to analyze since they are geographically spread all over the world," said a Sandia statement July 28. "Running a high volume of VMs on one supercomputer-at a similar scale as a botnet-would allow cyber-researchers to watch how botnets work" and experiment with ways to stop them. 

"We can get control at a level we never had before," said Minnich, a computer scientist. 

The research comes at a time when the botnet threat continues to grow. A list of the biggest spam botnets plaguing users today would include some names familiar to researchers, like Cutwail and Rustock. Earlier in 2009, researchers estimated that the Conficker botnet at its height controlled millions of compromised Windows PCs.

In the past, the Sandia statement cited Minnich as saying, "researchers had only been able to run up to 20,000 kernels concurrently." To make the project a reality, Sandia used a "4,480-node Dell high-performance computer cluster, known as Thunderbird. To arrive at the 1 million Linux kernel figure, Sandia's researchers ran one kernel in each of 250 VMs and coupled those with the 4,480 physical machines on Thunderbird."

According to the statement: "The more kernels that can be run at once ... the more effective cyber-security professionals can be in combating the global botnet problem."

Minnich said, "Eventually, we would like to be able to emulate the computer network of a small nation, or even one as large as the United States, in order to 'virtualize' and monitor a cyber-attack."