Dynamics of Online Scam Hosting Infrastructure

Slides:



Advertisements
Similar presentations
Nick Feamster Georgia Tech
Advertisements

1 Diagnosing Network Disruptions with Network-wide Analysis Yiyi Huang, Nick Feamster, Anukool Lakhina*, Jim Xu College of Computing, Georgia Tech * Guavus,
Network-Level Spam and Scam Defenses
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Level Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte, Nadeem Syed, Alex Gray, Santosh Vempala, Jaeyeon.
Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.
Usage-Based DHCP Lease- Time Optmization Manas Khadilkar, Nick Feamster, Russ Clark, Matt Sanders Georgia Tech.
Network Support for Accountability Nick Feamster Georgia Tech Collaborative Response with David Andersen (CMU), Hari Balakrishnan (MIT), Scott Shenker.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.
Botnets: Infrastructure and Attacks Nick Feamster CS 6262 Spring 2009.
Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.
Network Support for Sharing. 2 CABO: Concurrent Architectures are Better than One No single set of protocols or functions –Different applications with.
Network Security Highlights Nick Feamster Georgia Tech.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Network Operations Research Nick Feamster
Network-Based Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Nadeem Syed, Alex Gray, Sven Krasser, Santosh Vempala.
Network Security Highlights Nick Feamster Georgia Tech.
Network-Level Spam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Alex Gray, Santosh Vempala.
Naming: The Domain Name System Nick Feamster CS 4251 Fall 2008.
Monitoring and Intrusion Detection Nick Feamster CS 4251 Fall 2008.
ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
Flux in Fraud Infrastructures Minaxi Gupta Computer Science Dept. Indiana University, Bloomington.
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
Network Security: Spam Nick Feamster Georgia Tech CS 6250 Joint work with Anirudh Ramachanrdan, Shuang Hao, Santosh Vempala, Alex Gray.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Threat infrastructure: proxies, botnets, fast-flux
Can DNS Blacklists Keep Up With Bots? Anirudh Ramachandran, David Dagon, and Nick Feamster College of Computing, Georgia Tech.
Fighting Spam, Phishing and Online Scams at the Network Level Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Nadeem Syed, Alex Gray,
Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.
Windows Server 2008 Chapter 8 Last Update
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Network-Level Spam and Scam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte Alex Gray, Jaeyeon Jung, Santosh Vempala.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
DNS: Domain Name System
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.
Understanding the Network-Level Behavior of Spammers Best Student Paper, ACM Sigcomm 2006 Anirudh Ramachandran and Nick Feamster Ye Wang (sando)
Domain Name System CH 25 Aseel Alturki
FluXOR: Detecting and Monitoring Fast-Flux Service Networks Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi 5th international.
CS101 Lecture 13 How the Internet Works When did the Internet start? The Internet was born in 1969 with the invention of ARPANET ARPANET was a research.
Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.
Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.
CPSC 441: DNS 1. DNS: Domain Name System Internet hosts: m IP address (32 bit) - used for addressing datagrams m “name”, e.g., - used by.
Studying Spamming Botnets Using Botlab 台灣科技大學資工所 楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.
Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.
Management Information Systems, 4 th Edition 1 Chapter 7 E-Commerce: The Internet, Intranets, and Extranets.
BZUPAGES.COM. Presented to: Sir. Muizuddin sb Presented by: M.Sheraz Anjum Roll NO Atif Aneaq Roll NO Khurram Shehzad Roll NO Wasif.
1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.
Week-6 (Lecture-1) Publishing and Browsing the Web: Publishing: 1. upload the following items on the web Google documents Spreadsheets Presentations drawings.
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of.
ISYM 540 Current Topics in Information System Management
De-anonymizing the Internet Using Unreliable IDs
Computer Networks Presentation
Presentation transcript:

Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research To appear in Passive and Active Measurement (PAM) 2009

Online Scams Often advertised in spam messages URLs point to various point-of-sale sites These scams continue to be a menace As of August 2007, one in every 87 emails constituted a phishing attack Scams often hosted on bullet-proof domains Problem: Study the dynamics of online scams, as seen at a large spam sinkhole

Online Scam Hosting is Dynamic The sites pointed to by a URL that is received in an email message may point to different sites Maintains agility as sites are shut down, blacklisted, etc. One mechanism for hosting sites: fast flux

Overview of Dynamics Source: HoneyNet Project

Why Study Dynamics? Understanding Detection What are the possible invariants? How many different scam-hosting sites are there? Detection Today: Blacklisting based on URLs Instead: Identify the network-level behavior of a scam-hosting site

Summary of Findings What are the rates and extents of change? Different from legitimate load balance Different cross different scam campaigns How are dynamics implemented? Many scam campaigns change DNS mappings at all three locations in the DNS hierarchy A, NS, IP address of NS record Conclusion: Might be able to detect based on monitoring the dynamic behavior of URLs

Data Collection One month of email spamtrap data 115,000 emails 384 unique domains 24 unique spam campaigns

Top 3 Spam Campaigns Some campaigns hosted by thousands of IPs Most scam domains exhibit some type of flux Sharing of IP addresses across different roles (authoritative NS and scam hosting)

Time Between Changes How quickly do DNS-record mappings change? Scam domains change on shorter intervals than their TTL values Domains within the same campaign exhibit similar rates of change

Rates of Change Domains that exhibit fast flux change more rapidly than legitimate domains Rates of change are inconsistent with actual TTL values

Rates of Accumulation How quickly do scams accumulate new IP addresses? Rates of accumulation differ across campaigns Some scams only begin accumulating IP addresses after some time

Rates of Accumulation

Location of Change in Hierarchy Scam networks use a different portion of the IP address space than legitimate sites 30/8 – 60/8 --- lots of legitimate sites, no scam sites DNS lookups for scam domains are often more widely distributed than those for legitimate sites

Location in IP Address Space Scam campaign infrastructure is considerably more concentrated in the 80/8-90/8 range

Distribution of DNS Records

Registrars Involved in Changes About 70% of domains still active are registered at eight domains Three registrars responsible for 257 domains (95% of those still marked as active)

Conclusion Scam campaigns rely on a dynamic hosting infrastructure Studying the dynamics of that infrastructure may help us develop better detection methods Dynamics Rates of change differ from legitimate sites, and differ across campaigns Dynamics implemented at all levels of DNS hierarchy Location Scam sites distributed more across IP address space http://www.cc.gatech.edu/research/reports/GT-CS-08-07.pdf