Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Slides:



Advertisements
Similar presentations
Nick Feamster Georgia Tech
Advertisements

Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu.
Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Dynamics of Online Scam Hosting Infrastructure
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.
Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.
Network Security Highlights Nick Feamster Georgia Tech.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Network Operations Research Nick Feamster
Network-Based Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Nadeem Syed, Alex Gray, Sven Krasser, Santosh Vempala.
Zhiyun Qian, Z. Morley Mao (University of Michigan)
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
1 Experimental Study of Internet Stability and Wide-Area Backbone Failure Craig Labovitz, Abha Ahuja Merit Network, Inc Presented by Changchun Zou.
An Engineering Approach to Computer Networking
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.
1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Network Security: Spam Nick Feamster Georgia Tech CS 6250 Joint work with Anirudh Ramachanrdan, Shuang Hao, Santosh Vempala, Alex Gray.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.
Measurement and Monitoring Nick Feamster Georgia Tech.
Threat infrastructure: proxies, botnets, fast-flux
1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Can DNS Blacklists Keep Up With Bots? Anirudh Ramachandran, David Dagon, and Nick Feamster College of Computing, Georgia Tech.
Fighting Spam, Phishing and Online Scams at the Network Level Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Nadeem Syed, Alex Gray,
Spam Sonia Jahid University of Illinois Fall 2007.
Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.
1 Analysis of SMTP Connection Characteristics for Detecting Spam Relays Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish Speaker: Shu-Fen Chiou(
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,
Revealing Botnet Membership Using DNSBL Counter-Intelligence David Dagon Anirudh Ramachandran, Nick Feamster, College of Computing,
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
Network-Level Spam and Scam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte Alex Gray, Jaeyeon Jung, Santosh Vempala.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.
Understanding the Network-Level Behavior of Spammers Best Student Paper, ACM Sigcomm 2006 Anirudh Ramachandran and Nick Feamster Ye Wang (sando)
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
1 Characterizing Botnet from Spam Records Presenter: Yi-Ren Yeh ( 葉倚任 ) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten,
Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
Computing Infrastructure for Large Ecommerce Systems -- based on material written by Jacob Lindeman.
Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.
Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.
Studying Spamming Botnets Using Botlab 台灣科技大學資工所 楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.
Guide to TCP/IP, Third Edition Chapter 8: The Dynamic Host Configuration Protocol.
Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM, Presented.
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.
Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.
Exploiting Network Structure for Proactive Spam Mitigation Shobha Venkataraman * Joint work with Subhabrata Sen §, Oliver Spatscheck §, Patrick Haffner.
1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.
Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,
1 Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Speaker: Jun-Yi Zheng 2010/01/18.
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
Presentation transcript:

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster

2 Spam Unsolicited commercial 90% of all is spam and 30 billion messages are sent through the internet everyday Recent researches indicate that spam costs bussinesses worldwide $50 billion every year in terms of: Productivity Network traffic Disk space, etc... Common spam filtering techniques: Content-based filtering DNS Blacklist Lookups

Problems with current filtering techniques Content-based filtering Low cost to evasion: Spammers can easily alter the features and content of spam s High admin/user cost: Filters must be updated continuously and frequently as new type of s are captured Applied at the destination: Wasted network bandwidth and storage,etc… (~950 Tbytes each day) DNS Blacklist Lookups Significant fractions of today’s DNS queries are DNSBL lookups.

Network-level Spam Filtering Instead of highly variable content properties, we focus on network- level properties which are more fixed such as: ISP or AS hosting spammers Location IP address block Routes to destination Botnet membership Operating system … Using network-level properties, spams could be filtered better and stopped closer to the source.

Outline Background Data Collection Network-level Characteristics of Spammers Botnets BGP Spectrum Agility Lessons Conclusion

Spamming Methods Direct Spamming Spammers purchase upstream connection from spam-friendly ISPs They buy connectivity from non spam-friendly ISP and after spamming, switch to another ISP. They sometimes obtain a pool of dispensable dialup IP addresses and proxy traffic through these connections Open Relays and proxies They use mail servers which allows unauthenticated internet hosts to send s through them

Spamming Methods Botnets Collections of software robots(worms) under one centralized controller Infected hosts are used as a mail relay BGP Spectrum Agility A hijacked IP address range is briefly advertised via BGP and used to send spam Once mails are sent, they withdraw the route from the network

Data Collection Spam Traces Registered a domain with no legitimate address Spams are collected between Aug,2005 and Jan, 2006 Runs MailAvenger server Collects following information about each mail: The IP address of the relay A traceroute TCP fingerprint Result of DNSBL lookups

Data Collection

Data collection Spam Traces The amount of spam received per day at our sinkhole from August 2004 through December 2005.

Data Collection Legitimate Traces Obtained a huge amount of mail logs from a large provider Logs includes: The timestamp of connection attempt IP address of the host Whether rejected or not Reason of rejection Botnet Command and Control Data Used a trace of hosts infected by W32.Bobax worm BGP Routing Measurement Whether mail relay is reachable and how long it remains reachable BGP Monitor receives BGP updates from router

Network-level Characteristics of Spammers The majority of spam is sent from a relatively small fraction of IP address space Distribution of spam across IP space

Network-level Characteristics of Spammers %85 of client IP addresses sent less than 10 s to the sink The number of distinct times that each client sent mail to the sinkhole

Network-level Characteristics of Spammers The amount of spam received from mail relays in top 20 ASes

Network-level Characteristics of Spammers More than %10 of spam received at the sinkhole originated form mail relays in two ASes %36 of all received spam originated from only 20 ASes With a few exceptions, ASes containing hosts responsible for sending large quantities of spam differ from those sending large quantities of legitimate Although the top two ASes from which the sinkhole received spam were from Asia, 11 of the top 20 ASes were from the United States and 40% of all spam from the top 20 ASes. An ’s country of origin may be an effective filtering technique for some networks

Network-level Characteristics of Spammers Effectiveness of blacklists: Nearly 80% of all spam was received from mail relays that appear in at least one of eight blacklists. A high fraction of Bobax drones were blacklisted, but relatively fewer IP addresses sending spam from short-lived BGP routes were blacklisted.Only half of these mail relays appeared in any blacklist. The fraction of spam s that were listed in a certain number of blacklists or more

Spam from Botnets Spamming hosts and Bobax drones have similar distribution across IP address space Much of the spam received at the sinkhole may be due to botnets such as Bobax Distribution of Bobax drones and the amount of spam received from those drones

Operating Systems of Spamming Hosts 75% of all hosts could be identified for their OS 4% of hosts are not Windows but are responsible for 8% of all spam Operating systems of hosts determined by passive OS fingerprinting

Spamming Bot Activity Profile Intersection Only 4693 of 117,268 Bobax infected hosts sent to the sinkhole Persistence 65% of hosts infected with Bobax send spam only once (?) and 75% of them persisted less than two minutes Volume Spams arrives from bots at very low rates %99 of the bots sent fewer than 100 pieces of spam over entire trace Amount of spam mail and Bobax drone persistence

BGP Spectrum Agility One of the most sophisticated techniques and difficult to track spam to the sources How it works Briefly advertise portions of IP space Send spam from mail relays with IP addresses in that space Subsequently withdraw the routes for that space after spam is sent Common short-lived prefixes and ASes / / /8 8717

BGP Spectrum Agility Not a dominant technique that spam is sent today (at most %10) Critical questions to be answered: How many ASes use short-lived BGP announcements to sent spam? Which ASes send more spam using this techniques and how persistent are they across time? How long do short-lived BGP announcements last? Is it enough for operator to catch?

Network-level Characteristics of Spammers Discovered patterns and locations to sent spam: Most persistent and most voluminous spammer using BGP announcement: AS an ISP in Indianapolis /8 AS 8712an ISP in Sofia, Bulgaria /8 AS 4678Conan Netw. Comm., Japan /8 AS 4788Telekom Malaysia AS 4678Conan Netw. Comm., Japan

Network-level Characteristics of Spammers CDF of length of each short-lived BGP announcement ( Sept 2005-Dec % of the corresponding BGP announcements were announced at least for a day

Lessons for Better Spam Filtering Spam filtering requires a better notion of host identity Detection techniques based on aggregate behaviour(IP space) are more likely to expose spam behavior than techniques based on observation of a single IP address Securing the Internet routing infrastructure is a necessary step for traceability of senders Some network level properties of spam can be integrated into the spam filters easily and detect spam which can not be caught with other techniques

Conclusion Network-level behavior of spammers are presented using a analysis of four datasets as result of 17 months study Bobax drones are used to better understand the spamming botnets Although most of the drones doesn’t send spam more than twice, blacklists works quite well at detecting them BGP spectrum agility technique makes tracebility and blacklisting more difficult Spam filters using network-level behaviors could be more effective than regular content-based filters

Thank you Questions?