1 Dynamics of Online Scam Hosting Infrastructure
Maria Konte, Nick Feamster (Georgia Tech); Jaeyeon Jung (Intel Research)

2 Online Scams
Often advertised in spam messages
URLs point to various point-of-sale sites
These scams continue to be a menace
–As of August 2007, one in every 87 e-mails constituted a phishing attack
Scams often hosted on bullet-proof domains
Problem: Study the dynamics of online scams, as seen at a large spam sinkhole

3 Online Scam Hosting is Dynamic
A URL received in an e-mail message may resolve to different hosting sites over time
Maintains agility as sites are shut down, blacklisted, etc.
One mechanism for hosting sites: fast flux

4 Mechanism for Dynamics: Fast Flux
(Figure: fast-flux diagram. Source: HoneyNet Project)

5 Why Study Dynamics?
Understanding of fundamental behavior
–What are the possible invariants?
–How many different scam-hosting sites are there?
Automated detection
–Today: Blacklisting based on URLs
–Instead: Identify the network-level behavior of a scam-hosting site, and blacklist based on dynamics

6 Summary of Findings
What are the rates and extents of change?
–Different from legitimate load balancing
–Differ across scam campaigns
How are dynamics implemented?
–Many scam campaigns change DNS mappings at all three locations in the DNS hierarchy: A records, NS records, and the IP addresses of the NS records
Conclusion: Might be able to detect based on monitoring the dynamic behavior of URLs

7 Data Collection Method
Three months of spamtrap data
–384 scam hosting domains
–21 unique scam campaigns
Baseline comparison: Alexa top 500 Web sites

8 Top 3 Spam Campaigns
Some campaigns hosted by thousands of IPs
Most scam domains exhibit some type of flux
Sharing of IP addresses across different roles (authoritative NS and scam hosting)

9 Rates of Change
How (and how quickly) do DNS-record mappings change?
Rates of change are much faster than for legitimate load-balanced sites.
–Scam domains change on shorter intervals than their TTL values.
Domains for different scam campaigns exhibit different rates of change.

10 Rates of Change
Domains that exhibit fast flux change more rapidly than legitimate domains
Rates of change are inconsistent with actual TTL values
Rates of change are much faster than for legitimate load-balanced sites.
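To make the rate-of-change measurement concrete, here is an added Python example of my own; it is not code from the slides or from the authors' measurement tools. It assumes the monitoring output has already been parsed into one Observation per DNS lookup, and it measures change at the three levels the summary slide names (A records, NS records, and the IP addresses of the NS hosts), plus how many changes arrive before the previously advertised TTL has expired, which is the "inconsistent with actual TTL values" signal. All timings, names and addresses are constructed (RFC 5737 documentation addresses).

```python
# Added example (not from the Konte/Feamster/Jung slides): measure how often a
# monitored domain's DNS mappings change at each level of the hierarchy (A,
# NS, and the A records of the NS hosts), and how many of those changes happen
# before the advertised TTL has expired. All observations are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Observation:
    t: int                       # seconds since monitoring began
    a_records: Tuple[str, ...]   # A answers for the monitored domain
    ns_records: Tuple[str, ...]  # NS answers for the domain
    ns_ips: Tuple[str, ...]      # A answers for those NS hostnames
    ttl: int                     # TTL (seconds) advertised on the A answer


# How to extract the record set for each level of the DNS hierarchy.
LEVELS: Dict[str, Callable[[Observation], frozenset]] = {
    "A": lambda o: frozenset(o.a_records),
    "NS": lambda o: frozenset(o.ns_records),
    "NS-IP": lambda o: frozenset(o.ns_ips),
}


def change_times(obs: Sequence[Observation], level: str) -> List[int]:
    """Timestamps at which the record set at `level` differed from the previous lookup."""
    key = LEVELS[level]
    return [cur.t for prev, cur in zip(obs, obs[1:]) if key(prev) != key(cur)]


def mean_change_interval(obs: Sequence[Observation], level: str) -> float:
    """Mean seconds between successive changes at `level`; inf if fewer than two changes."""
    times = change_times(obs, level)
    if len(times) < 2:
        return float("inf")
    gaps = [b - a for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


def changes_within_ttl(obs: Sequence[Observation], level: str) -> int:
    """Changes at `level` seen sooner than the TTL advertised by the previous answer.

    A resolver honouring that TTL would still be serving the old answer, so a
    high count means the churn is not explained by the TTL.
    """
    key = LEVELS[level]
    return sum(1 for prev, cur in zip(obs, obs[1:])
               if key(prev) != key(cur) and (cur.t - prev.t) < prev.ttl)


def summarize(obs: Sequence[Observation]) -> Dict[str, Dict[str, float]]:
    """Per-level change count, mean change interval and within-TTL change count."""
    return {level: {"changes": len(change_times(obs, level)),
                    "mean_interval_s": mean_change_interval(obs, level),
                    "within_ttl": changes_within_ttl(obs, level)}
            for level in LEVELS}


# Constructed flux-like domain: polled every 60 s with a 300 s TTL, a new pair
# of A records on every poll, the NS host swapped twice and the NS address
# swapped three times during the ten polls.
SCAM = [
    Observation(
        t=60 * i,
        a_records=(f"198.51.100.{2 * i + 1}", f"198.51.100.{2 * i + 2}"),
        ns_records=(f"ns{1 if i < 3 else 2 if i < 7 else 3}.example",),
        ns_ips=(f"203.0.113.{1 if i < 3 else 2 if i < 5 else 3 if i < 7 else 4}",),
        ttl=300,
    )
    for i in range(10)
]

# Constructed legitimate baseline: 60 s TTL, polled every 60 s, a single
# A-record change in ten polls and stable name servers.
LEGIT = [
    Observation(
        t=60 * i,
        a_records=("192.0.2.10", "192.0.2.11") if i < 5 else ("192.0.2.12", "192.0.2.13"),
        ns_records=("ns1.example",),
        ns_ips=("192.0.2.53",),
        ttl=60,
    )
    for i in range(10)
]

if __name__ == "__main__":
    for name, obs in (("flux-like", SCAM), ("legitimate", LEGIT)):
        print(name, summarize(obs))
```

The within-TTL count is the more useful detection feature of the two: a legitimate load balancer that rotates answers only when its own TTL expires scores zero, whereas a domain whose mapping changes between polls that are shorter than its TTL is advertising a TTL it does not honour.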

11 Rates of Change by Campaign
Domains for different scam campaigns exhibit different rates of change.

12 Rates of Accumulation
How quickly do scams accumulate new IP addresses?
Rates of accumulation differ across campaigns
Some scams only begin accumulating IP addresses after some time

13 Rates of Accumulation

14 Location
Where in IP address space do hosts for scam sites operate?
Scam networks use a different portion of the IP address space than legitimate sites
–30/8 to 60/8: lots of legitimate sites, no scam sites
Sites that host scam domains (both hosting sites and authoritative DNS) are more widely distributed than those for legitimate sites

15 Location: Often in Specific IP Ranges
Scam campaign infrastructure is concentrated in the 80/8-90/8 range.

16 Location: Many Distinct Subnets
Scam sites appear in many more distinct networks than legitimate load-balanced sites.
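The accumulation slides (12 and 13) and the location slides (14 to 16) both work from the same raw material, a timestamped list of the IP addresses seen hosting a domain, so one added Python example covers both. It is my own code, not the slides' or the authors'. It computes the accumulation curve and the moment accumulation begins, then counts distinct /24 networks and builds a per-/8 histogram. The sightings are constructed and use RFC 5737 documentation addresses, so the histogram shows first octets 192/198/203 rather than the 80/8-90/8 range the slides report for real campaigns.

```python
# Added example (not from the Konte/Feamster/Jung slides): from timestamped
# sightings of the IPs hosting a scam domain, compute how distinct hosts
# accumulate over time and how widely they are spread across address space.
# Sightings are constructed; addresses are RFC 5737 documentation ranges.
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Sequence, Set, Tuple

Sighting = Tuple[float, str]   # (hours since monitoring began, hosting IP)


def accumulation_curve(sightings: Sequence[Sighting]) -> List[Tuple[float, int]]:
    """Cumulative number of distinct IPs after each sighting, in time order."""
    seen: Set[str] = set()
    curve: List[Tuple[float, int]] = []
    for t, ip in sorted(sightings):
        seen.add(ip)
        curve.append((t, len(seen)))
    return curve


def accumulation_onset(sightings: Sequence[Sighting]) -> Optional[float]:
    """Time of the first sighting that added an IP beyond the initial pool.

    None means the domain kept using the pool seen at the first observation,
    i.e. it never started accumulating new hosts.
    """
    curve = accumulation_curve(sightings)
    t0 = curve[0][0]
    initial = max(n for t, n in curve if t == t0)
    for t, n in curve:
        if n > initial:
            return t
    return None


def distinct_ips(sightings: Sequence[Sighting]) -> Set[str]:
    """All distinct hosting IPs in the sightings."""
    return {ip for _, ip in sightings}


def distinct_subnets(sightings: Sequence[Sighting], prefix: int = 24) -> int:
    """Number of distinct /prefix networks the hosting IPs fall into."""
    return len({ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                for ip in distinct_ips(sightings)})


def first_octet_histogram(sightings: Sequence[Sighting]) -> Dict[int, int]:
    """Distinct hosting IPs per /8 block, keyed by first octet."""
    return dict(Counter(int(ipaddress.IPv4Address(ip)) >> 24
                        for ip in distinct_ips(sightings)))


# Constructed scam campaign: two hosts for the first day, then new hosts in
# other /24s start accumulating from hour 48.
SCAM_SIGHTINGS: List[Sighting] = [
    (0, "192.0.2.10"), (0, "192.0.2.77"),
    (12, "192.0.2.10"), (24, "192.0.2.77"),
    (48, "198.51.100.5"), (50, "198.51.100.9"),
    (52, "203.0.113.41"), (60, "203.0.113.200"),
    (72, "198.51.100.5"),
]

# Constructed legitimate baseline: the same two hosts in one /24 throughout.
LEGIT_SIGHTINGS: List[Sighting] = [
    (0, "192.0.2.1"), (0, "192.0.2.2"), (12, "192.0.2.1"),
    (24, "192.0.2.2"), (48, "192.0.2.1"), (72, "192.0.2.2"),
]

if __name__ == "__main__":
    for name, s in (("scam", SCAM_SIGHTINGS), ("legitimate", LEGIT_SIGHTINGS)):
        print(name, "curve:", accumulation_curve(s))
        print(name, "onset (h):", accumulation_onset(s))
        print(name, "distinct /24s:", distinct_subnets(s))
        print(name, "per /8:", first_octet_histogram(s))
```

Counting distinct /24s over distinct IPs, rather than over raw sightings, keeps repeated lookups of the same host from inflating the spread; the /8 histogram is the coarse view the slides use to contrast the blocks where legitimate sites cluster with those where scam infrastructure concentrates.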

17 Registrars Involved in Changes
About 70% of domains still active are registered at eight registrars
Three registrars responsible for 257 domains (95% of those still marked as active)

18 Conclusion
Scam campaigns rely on a dynamic hosting infrastructure
Studying the dynamics of that infrastructure may help us develop better detection methods
Dynamics
–Rates of change differ from legitimate sites, and differ across campaigns
–Dynamics implemented at all levels of DNS hierarchy
Location
–Scam sites distributed across distinct subnets
Data:
TR: