Can DNS Blacklists Keep Up With Bots? Anirudh Ramachandran, David Dagon, and Nick Feamster College of Computing, Georgia Tech.

Slides:

Advertisements

Similar presentations

Nick Feamster Georgia Tech

Advertisements

Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Dynamics of Online Scam Hosting Infrastructure

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.

Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.

Botnets: Infrastructure and Attacks Nick Feamster CS 6262 Spring 2009.

Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.

Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Network Operations Research Nick Feamster

Network-Based Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Nadeem Syed, Alex Gray, Sven Krasser, Santosh Vempala.

Network Security Highlights Nick Feamster Georgia Tech.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Network Security: Spam Nick Feamster Georgia Tech CS 6250 Joint work with Anirudh Ramachanrdan, Shuang Hao, Santosh Vempala, Alex Gray.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium.

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Fighting Spam, Phishing and Online Scams at the Network Level Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Nadeem Syed, Alex Gray,

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,

Application-Level Attacks, Network-Level Defenses Nick Feamster CS 7260 April 9, 2007.

Revealing Botnet Membership Using DNSBL Counter-Intelligence David Dagon Anirudh Ramachandran, Nick Feamster, College of Computing,

Network-Level Spam and Scam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte Alex Gray, Jaeyeon Jung, Santosh Vempala.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.

Understanding the Network-Level Behavior of Spammers Best Student Paper, ACM Sigcomm 2006 Anirudh Ramachandran and Nick Feamster Ye Wang (sando)

1 Characterizing Botnet from Spam Records Presenter: Yi-Ren Yeh ( 葉倚任 ) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten,

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,

1 Honeypot, Botnet, Security Measurement, Spam Cliff C. Zou CDA /01/07.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.

Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.

Studying Spamming Botnets Using Botlab

The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol

Exploiting Network Structure for Proactive Spam Mitigation Shobha Venkataraman * Joint work with Subhabrata Sen §, Oliver Spatscheck §, Patrick Haffner.

Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by Rafail Tsirbas 4/1/20151.

1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.

2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.

1 Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Speaker: Jun-Yi Zheng 2010/01/18.

Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority Reporter: Jing Chiu Adviser: Yuh-Jye Lee 2016/3/191Data Mining & Machine Learning.

Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.

A lustrum of malware network communication: Evolution & insights

Design open relay based DNS blacklist system

Botnet Detection by Monitoring Group Activities in DNS Traffic

Presented by Aaron Ballew

Presentation transcript:

Can DNS Blacklists Keep Up With Bots? Anirudh Ramachandran, David Dagon, and Nick Feamster College of Computing, Georgia Tech

Background DNS-based Blacklists –The most prevalent network-level spam filtering mechanism today –Various criteria: open relays/proxies, virus senders, bad/unused address spaces etc. –Hundreds of DNSBLs of all sizes Two distinct issues –Detection First opportunity to classify an IP/message –Response How long it takes after detection for blacklisting to occur

Effectiveness of A DNSBL – Pertinent Questions What is the responsiveness of the DNSBL? An important metric, esp. with the proliferation of spam hosts with dynamic IPs (botnets) What is the completeness of the DNSBL? How many distinct domains are targeted before blacklisting happens? Does frequency of spam from a host change after it is blacklisted?

A Model of Responsiveness Response Time –Difficult to calculate without “ground truth” –Can still estimate lower bound Infection S-Day Possible Detection Opportunity RBL Listing Time Response Time Fig: Conceptual life-cycle of a spamming host

Our Approach Data: –1.5 days worth of packet captures of DNSBL queries from a mirror of Spamhaus –46 days of pcaps from a hijacked C&C for a Bobax botnet; overlaps with DNSBL queries Method: –Monitor DNSBL queries for lookups for known Bobax hosts Look for first query (S-Day or Detection opportunity approximation) Look for the first time a query respose had a ‘listed’ status (RBL Listing approximation)

Preliminary Results Observed 81,950 DNSBL queries for 4,295 (out of over 2 million) Bobax IPs Completeness: Only 255 (6%) Bobax IPs were blacklisted through the end of the Bobax trace (46 days) Responsiveness: –88 IPs became listed during the 1.5 day DNSBL trace –34 of these were listed after a single detection opportunity

Over 60% are queried by just one IP/AS –Increases response time (i.e., decreases chances of getting reported) Domains Performing Lookups Distinct IP addresses/domains CDF

Conclusion DNSBL responsiveness is relatively unstudied –Proposal for a Model of Responsiveness –Points to ponder: Blacklist responsiveness and its effects Preliminary results: –Responsiveness might be low –60% bots target just one domain Future work: –Changes in spamming frequency pre/post blacklisting –Reanalyze with complete DNSBL lookups; other spamming bot data

Questions?