1 Million Linux Kernels Booted for Vast Botnet Simulation

Researchers at Sandia National Laboratories have laid the groundwork for an unprecedented simulation of a large-scale botnet after booting up 1 million Linux kernels as virtual machines.

Sandia computer scientists Ron Minnich (foreground) and Don Rudish (background) have successfully run more than a million Linux kernels as virtual machines.
(click image to enlarge)

They now are waiting for completion of a new, faster and more capable supercomputer at the Livermore, Calif., lab, on which they hope to run 10 million kernels in a simulation of the open Internet — complete with Web and mail servers, as well as simulated users clicking on simulated emails, getting simulated infections, and joining a simulated botnet.

A kernel is the core component of the operating system that passes instructions between hardware and software. To make the unprecedented achievement of running 1 million kernels as virtual machines, researchers stripped out support for extraneous devices like Bluetooth and wireless connectivity.

Managing a Challenge

They still had difficulty keeping up with all of the virtual machines, said Sandia computer science researcher Don Rudish, who worked on the experiment.

For instance, the Ethernet switch on the lab’s supercomputer, called “Thunderbird,” wasn’t designed to recognize one million MAC addresses online.

“After 100,000, the whole network came to a crawl,” Rudish told LinuxInsider. “Just looking through 1 million lines on a text log takes some time.”

While the experiment was a success, Rudish said researchers didn’t entirely solve the issue of monitoring the vast network, even after working out ways to visualize some of the data and reduce the amount of information flowing to them.

Virtual Botnet

They hope to solve that in the future by using botnet behavior to help control the network, Rudish said.

Unfortunately, researchers still don’t know much about how botnets actually work. So, they’re planning to use the lab’s new Red Sky supercomputer, currently under construction, to create a 10 million kernel system and introduce botnet software into the system to see what happens, Rudish said.

Other researchers have simulated the behavior of botnets in computer models, but little is known about how they really operate. Sandia’s experiment will be different because it’s much closer to an actual real-world application with what will look to the network like 10 million computers online at once, he said.

“It’s implemented in software, so you can say it’s a simulation, but it’s a much better one in that you’re running real code, real TCP stacks,” Rudish said.

Some of the computers will be programmed to act as Web and mail servers, others as simulated users with a percentage chance to click on incoming “emails” — some of which will download botnet software to infect the virtual machine. That machine will then take on one of several roles in the botnet: storage server, Web server, or aggressor seeking to further propagate the botnet’s control.

The experiment should give researchers more insight into how botnets work and how to combat them, Rudish said.

Project Cost

It’s difficult to calculate the cost of the 1 million kernel experiment because so much of the technology that went into it was developed for other purposes, explained Rudish.

However, direct costs ran about US$100,000, he said. The Department of Energy’s Office of Science, the National Nuclear Security Administration, and Sandia funded the project.


  • Why on this green earth would you create a botnet in Wine? What are they, nuts? They spent all this money on "supertux" or whatever they call it, and they couldn’t shell out $1000 for an MSDN license that would let them run all the Windows VMs they would want, and thus get real botnet data?

    Talk about penny wise and pound foolish. This has to be the dumbest thing I have ever heard of!

  • I will be waiting for actual results, but I won’t hold my breath. Certain folks at a large DOE lab in ABQ are famous for making grandiose boastings about some great research goal, but it never gets done. They just cannot get the underlying h/w and s/w infrastructure to run long enough to produce anything. show me different.

  • Article is somewhat misleading, in that it implies the botnet is "running on Linux". In fact, the botnet is running in a WINDOWS ENVIRONMENT, via Wine. "The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft." Hackers would be hard pressed to create a million machine botnet composed of Linux machines. Doing the same thing in Windows environments is far more trivial.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

LinuxInsider Channels