Presentation is loading. Please wait.

Presentation is loading. Please wait.

Under the Shadow of sunshine

Published byJustin Newton Modified over 6 years ago

Similar presentations

Presentation on theme: "Under the Shadow of sunshine"— Presentation transcript:

1 Under the Shadow of sunshine
Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks [Alrwais SP17] Authors: Sumayah Alrwais, Xiaojing Liao, Xianghang Mi1, Peng Wang, XiaoFeng Wang, Feng Qian, Raheem Beyah and Damon McCoy Published: Security and Privacy (SP), 2017 IEEE Symposium Presented by: Ali Ashraf Date: 18/09/2017

2 Bullet proof hosting (BPH)
Bulletproof Hosting (BPH) offer safe heaven to host different types of Cybercrime operations: Malwares Phishing illicit contents Botnet Scam Cybercriminals BPH Provider Cybercriminal Operations The clients have rights to full freedom and provided protection from any encroachment or take down efforts. Examples: BPservers, 666Hosting, etc.

3 BPH Services Centralized Services Agile Services
Protected Autonomous Systems (ASes) e.g. cyberbunker.com, Compromised Systems (temporary access until detected with small one-time charge) Centralized BPH Services (Owner: BPH Provider) Protected Hosting OR Compromised Systems Cybercriminals Agile Services BPH offer service under multiple legitimate service provider to hide under better reputation of the provider Abused Reputable Hosting Cybercriminals BPH Services Resellers

4 Evade reputation based defences
Better reputation of parent service provider A mix of legitimate and BPH reseller Quickly move client after detecting Blacklisting ASes? Blacklisting IPs?

5 Blacklisting IP Prefix Sub-Allocations !
Blacking listing IP or As? Blacklisting IP Prefix Sub-Allocations !

6 Solution - Finding BPH Sub-Allocations
Implement a malicious Sub- Allocation Detection System Study on the Bullet proof hosting eco-system Identified 39K malicious Sub- Allocations: 3.2K ASes 260M TLD+3

7 Data collection Collecting data source Generating Ground Truth
25 Snapshots of full IPv4 WhoIS records Passive DNS Lookup records TB AS Ranking, Spam Haus, CleanMX, BL-A Generating Ground Truth Finding clean sub-allocation Finding malicious sub-allocation Purchasing from BPH service providers

8 Data Processing and classification
14 Key Features extraction based on WhoIS, Passive DNS and AS reputation lists Finding sub-allocations & Identifying owners & Filtering A unique feature “Domain Churn” Trained two classifiers, Support Vector Machines (SVM) & Random Forest (RF), achieved 98% recall & 1.5% false discovery Starred Features are new PDNS features, not used in previous research.

9 BPH Ecosystem analysis
Recycling (Spanning ASes to avoid blacklisting) Top ASes ranked by their Recycling rate Domain Migration (Average lifetime of 6.7 Months) Selected TLD+3 hoping at least 10 detected sub-allocations

10 Bph clients 50% of the blacklisted domains are used to distribute the malware 46% of the blacklisted domains running botnet command and control servers 1.6M domain have migrated between at least two sub-allocations

11 Limitations & Critique
Slow Detection & Reactive Approach (Extensive PDNS scanning & Detection occurred after the malicious activity) Dependant (Depends upon the accuracy of WhoIS and PDNS data) Smaller Network Block List, Spamhaus Edrop (Used for the training & validation of Machine Learning detection system)

12 Limitations & Critique
Use machine learning approach to predict sub-allocation ranking at the time of registration (timely detection) RIRs authority should collect and verify sub-allocations owners information (accuracy) Establish a large set of network block list for training and validation of Machine Learning Detection System

13 Questions!

Download ppt "Under the Shadow of sunshine"

Similar presentations

Dynamics of Online Scam Hosting Infrastructure

Dynamics of Online Scam Hosting Infrastructure
ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,

SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam.

Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Similar presentations

Ads by Google