Network Security Problems Nick Feamster

Slides:



Advertisements
Similar presentations
Aaron Johnson with Joan Feigenbaum Paul Syverson
Advertisements

1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.
Computer Networks TCP/IP Protocol Suite.
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Security Issues In Mobile IP
Nick Feamster Georgia Tech
Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Accessibility and Trust Nick Feamster Georgia Tech.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.
Circumventing Web Censorship Nick Feamster. An Old Problem Many governments/companies trying to limit their citizens access to information –Censorship.
Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.
Network Security Highlights Nick Feamster Georgia Tech.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Network Operations Research Nick Feamster
Network Security Highlights Nick Feamster Georgia Tech.
Nick Feamster CS 6262 Spring 2009
Privacy and Anonymity Nick Feamster CS 6262 Spring 2009.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.
Setting up a Gmail Account & Safety
Communicating over the Network
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
Internet Number Resources 1. Internet IPv4 addresses IPv6 addresses Autonomous System number Fully Qualified Domain Name Key Internet resources.
The Internet and the World Wide Web. Una DooneySlide 2Internet and WWW What is the Internet? This is the physical infrastructure or backbone of computers,
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
Zhiyun Qian, Z. Morley Mao (University of Michigan)
David Luebke 1 6/7/2014 ITCS 6114 Skip Lists Hashing.
1 Welcome Overview of DOCSIS. 2 Data Over Cable Service Interface Specification.
Hash Tables.
1 Contract Inactivation & Replacement Fly-in Action ( Continue to Page Down/Click on each page…) Electronic Document Access (EDA)
A Survey of Web Cache Replacement Strategies Stefan Podlipnig, Laszlo Boszormenyl University Klagenfurt ACM Computing Surveys, December 2003 Presenter:
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
1 4 Square Questions B A D C Look carefully to the diagram Now I will ask you 4 questions about this square. Are you ready?
Services Course Windows Live SkyDrive Participant Guide.
Introduction to TCP/IP, the Internet, IP Addressing, and Domain Name.
Executional Architecture
25 seconds left…...
XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
What’s New in WatchGuard Dimension v1.2
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Arithmetic of random variables: adding constants to random variables, multiplying random variables by constants, and adding two random variables together.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1 MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers.
Sedex: Registration and Account Set Up Instructions
12 January 2009SDS batch generation, distribution and web interface 1 ExESS IT tool for SDS batch generation, distribution and web interface ExESS IT tool.
Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
1 Infranet: Submersible Surfing Nick Feamster Magdalena Balazinska Greg Harfst Hari Balakrishnan David Karger.
Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.
TCP/IP (Transmission Control Protocol / Internet Protocol)
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 22 PHILLIPA GILL - STONY BROOK U.
ITP 457 Network Security Networking Technologies III IP, Subnets & NAT.
DNS-sly: Avoiding Censorship through Network Complexity
Presentation transcript:

Network Security Problems Nick Feamster

2 Outline Network-level behavior of spammers Anti-censorship systems Routing Anomaly Detection

3 Spam Forensics: Questions What are the network-level properties of spam? What patterns are exhibited in harvesting? How effective are existing mitigation techniques? Why are we doing this? Curiosity Spam filters based on network-level properties

4 Sending Network-level properties of spam arrival –From where? What IP address space? ASes? What OSes? –What techniques? Botnets Short-lived route announcements Shady ISPs –Capabilities and limitations? Bandwidth Size of botnet army

5 Collection Three domains instrumented with MailAvenger –Sinkhole domain #1: fs.net Continuous spam collection since Aug 2004 No real addresses---sink everything 3 million+ pieces of spam –Sinkhole domain #2: sapm.org Recently registered domain (Nov 2005) Clean control – domain posted at a few places Not much spam yet…perhaps we are being too conservative –Sinkhole domain #3: bogus.com In the works

6 Spam by IP Address Space

7 Spam by IP address space Cable Modems, Hotmail Accounts (24.*, 61.* - 65.*) APNIC

8 Spamming Techniques Mostly botnets, of course Were trying to quantify this –Coordination –Characteristics How were doing this –Correlation with Bobax victims from Georgia Tech botnet sinkhole –Heuristics Distance of Client IP from MX record Coordinated, low-bandwidth sending

9 Spam / BGP Log IP addresses of SMTP relays Join with BGP route advertisements seen at network where spam trap is co-located. A small club of persistent players appears to be using this technique. Common short-lived prefixes / / / / / /

10 Length of short-lived BGP epochs ~ 10% of spam coming from short-lived BGP announcements 1 day Epoch length

11 Harvesting Tracking Web-based harvesting –Register domain, set up MX record –Post, link to page with randomly generated addresses –Log requests –Wait for spam Seed different subdomains in different ways

12 Harvesting / Sharing Do different groups of spammers share harvested lists? –Use our botnet grouping heuristics to identify groups of spammers and common To: An interesting question, given our collection techniques with no real addresses…

13 Overview Network-level behavior of spammers Anti-censorship systems Routing anomaly detection

14 An Old Problem Many governments/companies trying to limit their citizens access to information –Censorship (prevent access) –Punishment (deter access) –Surveillance (spy on or monitor access) –China, Saudi Arabia, many companies How can we defeat such attempts? –Circumvent censorship –Undetectably

15 Requirements Client deniability –Detection could be embarrassing or worse Client statistical deniability –Even suspicion could be a problem Server covertness/statistical deniability –If server detected, can be blocked –Behave identically for clients and others Communication robustness –Even without detecting, censor could scramble covert channel Performance (bandwidth, latency)

16 Bottom Line Easy to hide what you are getting –E.g., just use SSL or some other confidential channel And easy to get through censors –Reflection (e.g., Safeweb) But hard to hide that you are doing it! To be practical, all these problems must be solved Want both confidentiality and covertness

17 Circumventing Censors Censors allow certain traffic Use to construct a covert channel –Talk to normal servers –Embed requests for censored content in normal- seeming requests –Receive censored content hidden in normal-seeming responses Requester: client asking for hidden content Responder: server covertly providing it

18 CENSOR Block/Tamper E.g., Great Firewall of China User browser User computer Infranet Architecture Requester Std. HTTP Visible responses Hidden responses Visible requests Hidden requests Infranet comm. tunnel Responder Uncensored Web site Ubiquitously deployed! Censored Web site cnn.com GET cnn.com Tunnel is covert in both directions Tunnel is confidential in both directions

19 Outline Upstream –Sending requests covertly to responder Security and performance analysis Enhancements

20 Upstream (Requests) is Harder No random content bits that can be fiddled to send messages to responder –Munging HTTP or TCP header fields problematic Solution: let browsing pattern itself be the message Suppose web page has k links. –GET on i th link signifies symbol i to requester –Result: log 2 (k) message bits from link click Can be automated To prevent censor from seeing message, encrypt with responder key

21 Goals Analysis Deniability: requester generates standard http GETs to allowed web sites –Fact of GETs isnt itself proof of wrongdoing –Known rule for translating GETs to message, but message is encrypted, so not evidence Statistical deniability –Encrypting message produces random string –Sent via series of random GETs –Problem: normal user browsing not random Some links rare Conditional dependence of browsing on past browsing

22 Paranoid Version Settle for one message bit per GET –Odd/even links on page –Or generalize to mod k for some small k User has many link choices for each bit –Can choose one that is reasonable –Incorporate error correcting code in case no reasonable next link sends correct bit Drawback: user must be directly involved in sending each message bit –Very low bandwidth vs time spent

23 Higher Performance Idea: Arithmetic coding of hidden requests –If request i has probability p i, then entropy of request distribution is – p i log p i –Arithmetic coding encodes request i using log p i bits –Result: expected request size equals entropy –Optimal Problem: Requester doesnt know probability distribution of hidden requests –Doesnt have info needed for encoding

24 Solution: Range-Mapping Responder serves many requesters –Uses past requests to build C, distribution of hidden requests –Sends to requester on easy downstream path Requester uses C to build arithmetic code and send encoded request Use visible GETs (clicks) as symbols that are sent (not bits) From its own server access logs, responder knows that different clicks have different conditional probabilities

25 Toy Example Suppose possible hidden requests fewer than links on page Responder sends dictionary: –link 1 means –link 2 means –Assigns common requests to common GETs Requester GETs link matching intended request One GET sends full (possibly huge) request Problem: in general, possible requests –Cant send a dictionary for all

26 Generalize: Twenty Questions Order all hidden request strings lexicographically Identify split string such that –Strings up to split have total probability 0.5 –Strings after split have total probability 0.5 Responder sends split string Requester sends 0/1 as desired request precedes/follows split string Recurse on half of distribution selected Result: requester sends O(entropy) bits

27 Range-Mapping in Pictures If each page has k links, each request transmits lg( k ) bits Expected # of visible requests to modulate a hidden request = ceil[H( C ) / lg ( k )] + 2

28 Problems and Next Steps Responders can be discovered and blocked –The discovery problem: allowing clients to discover responders ahead of censors All clients need not fetch content from the origin. Instead: –Some clients obtain content from origin (e.g., via responder, USB key, etc.) –CDN behind firewall distributes content to rest of clients –General idea: separation of upstream/downstream

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.