Is there a way to verify that a bot is legitimate?

[Quillwerth]

Yes, there's no obvious way to do this, and there's a lot of feints that an analyst bot can do, but...

• Attack to Verify: Basically, distributing commands that appear like legitimate DDoS requests, but the botmaster owns the server being attacked. After 24 hours, send a second command: give this server your peer list. Taking all these lists, the botmaster can now see who didn't participate in the attack. From here, there's a way to tell the net which bots aren't what they seem. This does not prevent bots from misbehaving later, but could make them compliant until the analysts choose to reveal them.

[mplewis]

This is a really interesting approach! One of the weaknesses I see is that bot churn will cause bots to go offline, and bots that attack but change IP or are unable to attack after going offline will be mistakenly blacklisted.

I had another idea: what if you ask a bot to voluntarily self-terminate, either temporarily or permanently, then compare which bots shut down and which did not? Once non-compliant clients are found, they are blacklisted across the network. An analyst would be forced to shut down their sensor nodes or be blacklisted later.