Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Slides:

Advertisements

Similar presentations

Network Security Problems Nick Feamster

Advertisements

Nick Feamster Georgia Tech

Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu.

Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Unwanted Network Traffic: Threats and Countermeasures

Dynamics of Online Scam Hosting Infrastructure

1 Diagnosing Network Disruptions with Network-wide Analysis Yiyi Huang, Nick Feamster, Anukool Lakhina*, Jim Xu College of Computing, Georgia Tech * Guavus,

Network-Level Spam and Scam Defenses

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Challenges in Making Tomography Practical

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Network-Level Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte, Nadeem Syed, Alex Gray, Santosh Vempala, Jaeyeon.

Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.

Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.

Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.

Nick Feamster Research: Network security and operations Teaching CS 7260 in Spring 2007 CS 7001 Mini-projects: –

The Datapository Dave Andersen, CMU James Moss, CMU Nick Feamster, Georgia Tech

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

Network Operations Nick Feamster

1 Network-Level Spam Detection Nick Feamster Georgia Tech.

Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Network Operations Research Nick Feamster

Network-Based Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Nadeem Syed, Alex Gray, Sven Krasser, Santosh Vempala.

Network-Level Spam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Alex Gray, Santosh Vempala.

Traffic Dynamics at a Commercial Backbone POP Nina Taft Sprint ATL Co-authors: Supratik Bhattacharyya, Jorjeta Jetcheva, Christophe Diot.

IPv6 deployment metrics using.JP domain APNIC February 2004 Kenichi Kanayama Intec NetCore, Inc.

Comparing IPv4 and IPv6 from the perspective of BGP dynamic activity Geoff Huston APNIC February 2012.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Network Security: Spam Nick Feamster Georgia Tech CS 6250 Joint work with Anirudh Ramachanrdan, Shuang Hao, Santosh Vempala, Alex Gray.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Measurement and Monitoring Nick Feamster Georgia Tech.

Allocations vs Announcements A comparison of RIR IPv4 Allocation Records with Global Routing Announcements Geoff Huston May 2004 (Activity supported by.

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

Can DNS Blacklists Keep Up With Bots? Anirudh Ramachandran, David Dagon, and Nick Feamster College of Computing, Georgia Tech.

Fighting Spam, Phishing and Online Scams at the Network Level Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Nadeem Syed, Alex Gray,

Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,

Revealing Botnet Membership Using DNSBL Counter-Intelligence David Dagon Anirudh Ramachandran, Nick Feamster, College of Computing,

Network-Level Spam and Scam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte Alex Gray, Jaeyeon Jung, Santosh Vempala.

Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.

Understanding the Network-Level Behavior of Spammers Best Student Paper, ACM Sigcomm 2006 Anirudh Ramachandran and Nick Feamster Ye Wang (sando)

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

TDTS21: Advanced Networking Lecture 7: Internet topology Based on slides from P. Gill and D. Choffnes Revised 2015 by N. Carlsson.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.

Exploiting Network Structure for Proactive Spam Mitigation Shobha Venkataraman * Joint work with Subhabrata Sen §, Oliver Spatscheck §, Patrick Haffner.

1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,

1 Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Speaker: Jun-Yi Zheng 2010/01/18.

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Presentation transcript:

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech

2 Collection Two domains instrumented with MailAvenger (both on same network) –Sinkhole domain #1 Continuous spam collection since Aug 2004 No real addresses---sink everything 10 million+ pieces of spam –Sinkhole domain #2 Recently registered domain (Nov 2005) Clean control – domain posted at a few places Not much spam yet…perhaps we are being too conservative Monitoring BGP route advertisements from same network Also capturing traceroutes, DNSBL results, passive TCP host fingerprinting simultaneous with spam arrival (results in this talk focus on BGP+spam only)

3 Spamming Techniques Mostly botnets, of course –DNS hijack to get botnet topology and geography How were doing this –Correlation with Bobax victims from Georgia Tech botnet sinkhole –Heuristics Distance in IP space of Client IP from MX record Coordinated, low-bandwidth sending A less popular, but sometimes more effective technique: Short- lived BGP routing announcements

4 BGP Spectrum Agility Log IP addresses of SMTP relays Join with BGP route advertisements seen at network where spam trap is co-located. A small club of persistent players appears to be using this technique. Common short-lived prefixes and ASes / / / ~ 10 minutes Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)

5 A Slightly Different Pattern

6 Why Such Big Prefixes? Agility (term due to Randy Bush) Flexibility: Client IPs can be scattered throughout dark space within a large /8 –Same sender usually returns with different IP addresses Visibility: Route typically wont be filtered (nice and short)

7 Characteristics of IP-Agile Senders IP addresses are widely distributed across the /8 space IP addresses typically appear only once at our sinkhole Depending on which /8, 60-80% of these IP addresses were not reachable by traceroute when we spot- checked Some IP addresses were in allocated, albeing unannounced space Some AS paths associated with the routes contained reserved AS numbers

8 Some evidence that its working Spam from IP-agile senders tend to be listed in fewer blacklists Only about half of the IPs spamming from short-lived BGP are listed in any blacklist Vs. ~80% on average

9 Thanks Randy Bush David Mazieres More information: Anirudh Ramachandran and Nick Feamster, Understanding the Network-Level Behavior of Spammers Send mail to Nick Feamster (username: feamster, domain: cc.gatech.edu) for a copy of the draft.

10 Length of short-lived BGP epochs ~ 10% of spam coming from short-lived BGP announcements (upper bound) 1 day Epoch length