Presentation is loading. Please wait.

Presentation is loading. Please wait.

Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium."— Presentation transcript:

1 Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium 2010 March 19, 2010

2 2 Introduction Common belief: spamming hosts exhibit specific address characteristics: dynamically allocated addresses specific geographical areas more tolerant spam policies less stability, more volatility, shorter uptimes Our goal: quantify differences in address characteristics between spammers and legitimate hosts.

3 3 Approach Correlate the results of an IP address visibility study with a commercial IP address blacklist for the same period Quantify differences in address characteristics between spammers and non-spammers Quantify differences in domain names based on the same categorization Investigate collateral damage if a /24 is blocked due to presence of spammers

4 4 Data Sources Address visibility: Survey of reachable Internet addresses every 3 months Survey of reachable Internet addresses every 3 months Uses active probing (ICMP) over ~24,000 /24 IPV4 blocks (1% of the Internet) Uses active probing (ICMP) over ~24,000 /24 IPV4 blocks (1% of the Internet) Reputation-based block list from eSoft.com, based on sender address verification, sender policy framework, heuristic analysis, reputation filtering, historical averaging, etc…, based on sender address verification, sender policy framework, heuristic analysis, reputation filtering, historical averaging, etc…

5 5 Visibility Study Census: ping every internet address every three months Survey: select 1% of /24 subnets and ping addresses every 11m This research uses survey data which has more information

6 6 Visibility Metrics Availability (A) is the fraction of time that an IP address returns positive replies Volatility (V) captures the number of transitions from up to down over survey Uptime (U) is the median duration of positive replies from an IP address Each statistic computed for IP addresses, then averaged over a /24 subnet

7 7 Spammer List Spammer data from eSoft.com Two lists: Block list and Raw list Two lists: Block list and Raw list Both delivered to CSU every 30mins (yes we archive and we can share) (yes we archive and we can share) List of IP addresses with spam score per address Score range: -60 to +70 Score range: -60 to +70 Score >30: high spamming activity (conservative) Score >30: high spamming activity (conservative) Score <10: low spamming activity Score <10: low spamming activity We use eSoft’s Raw List: ~1.43M addresses spanning 262K /24 subnets daily We assume score >= 20 is spammer Distinguish spammers with high confidence

8 8 eSoft World Coverage eSoft has pretty good coverage of the world

9 9 eSoft Score Distribution

10 10 Research Methodology Correlate ping survey data with eSoft list between Sept. 14-28, 2009 Intersect data from the survey and eSoft to identify spamming subnets Remainder are non-spamming subnets which have no spammers (yes, this might be a weak assumption!) Study the differences between spamming and non-spamming subnets

11 11 Spammer Distribution Number of spamming subnets plotted using log scale Most subnets have fewer than 5 spamming hosts

12 12 Non-Spammer Distribution Non-spamming hosts much more evenly distributed… …but large number of subnets are almost fully populated

13 13 Question 1: Address Characteristics Question: Do spammer and non-spammer subnets have different IP characteristics (availability, volatility, uptime)? Approach: intersect blacklist and survey subnets and study their characteristics before intersection: 262k blacklist and 20k survey subnets after intersection: 4k spamming and 15k non- spamming subnets.

14 14 Address Availability 72% of non-spammers but only 50% of spammers have >0.5 availability 50% of non-spammers but only 24% of spammers have >0.8 availability

15 15 Address Volatility 90% of non-spammers but only 75% of spammers have <0.02 volatility 50% of non-spammers but only 28% of spammers have <0.01 volatility

16 16 Address Uptime 70% of non-spammers, 42% of spammers have > 14 hour uptime 44% of non-spammers, 22% of spammers have > 28 hour uptime

17 17 Availability with Spam Score 83% of low spammers have > 0.9 availability. 14% of high spammers have > 0.9 availability.

18 18 Question 2: Domain Names Question: How do spammer domain names differ from non-spammer names? Approach: Resolve all names in intersected subnets using Linux host command. Categorize based on key strings in the domain name.

19 19 Domain Name Comparison 2X the spammers in dynamic category, 30.5% vs. 15.3% 3X the non-spammers in static category, 14.1% versus 4.2%

20 20 Question 3: Collateral Damage Question: Is blocking the entire /24 subnet a good idea when one or more addresses have been used for sending spam? Collateral Damage consists of legitimate mail servers that are incorrectly blacklisted. Approach: 1) Compute population of spamming hosts versus non-spamming hosts per subnet. 2) Quantify the number of legitimate mail servers in subnets with spammers.

21 21 Collateral Damage: Population Gray: Subnets with few spammers: may get black listed because of this! Black: Highly compromised subnets: negligent or collaborating provider? Blue: High spammer activity in some subnets: further investigation needed.

22 22 Collateral Damage: Results Collateral damage in 365 subnets out of 4,126 studied (8.8%) This seems significant to us…

23 23 Robustness Ping-based address probes undercount the number of responsive addresses Spam list may not be complete (depends on eSoft’s customer reach) Spam blacklists vary greatly between vendors, no industry standard for scores Email volume from servers isn’t considered, some servers may be receive-only

24 24 Conclusions Network behavior can be used to help identify and mitigate spamming behavior. Significant differences in IP availability, volatility, uptime, and domain names do exist between spamming and non- spamming hosts. Coarse-grained blacklisting of /24 blocks incurs significant collateral damage.

25 25 Acknowledgements Yuri Pradkin, and Xue Cai (USC/ISI) for access to survey data sets. Dan Massey, and Steve DiBenedetto (CSU) for help in many areas.

26 26 Challenges The anonymous nature of the Internet makes it hard to detect and block malicious activity such as spamming. Dynamic addressing, network address translation, and network firewalls impede the use of IP for identification. IP addresses are transient and vulnerable to manipulation malicious hosts, such as spoofing or hijacking

27 27 Probe Responses 1.Echo reply from probe indicates the presence of a host at the probed address. 2.Destination unreachable means that the host is down or the address is currently unused. 3.Administratively prohibited indicates that the owner is prohibiting access to the address. 4.No reply is interpreted as an unoccupied address, lost or intentionally discarded probe.

28 28 Methodology

29 29 Domain Name Category Copied from “Understanding Address Usage in the Visible Internet”

30 30 Related Work  “Census and Survey of the Visible Internet”, Heidemann, Pryadkin, Govindan, Papadopoulos, Bartlett, Bannistger., SIGCOMM 2008  “Understanding the network-level behavior of spammers”, Ramachandran, Feamster, SIGCOMM 2006  “Filtering spam with behavioral blacklisting”, Ramachandran, Feamster, Vempala, CCS 2007  “Spamming botnets: signatures and characteristics”, Xie, Yu, Achan, Panigrahy, Hulten, Osipkov, SIGCOMM 2008  “Behavioral characteristics of spammers and their network reachability properties”, Duan, Gopalan, Yuan, ICC 2007  “Spamming botnets: Are we losing the war?”, Kokkodis, Faloutsos, CEAS 2009  “Can dns-based blacklists keep up with the bots?”, Ramachandran, Feamster, CEAS 2006

Download ppt "Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium."

Similar presentations

Nick Feamster Georgia Tech

Nick Feamster Georgia Tech
Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.

Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Challenges in Making Tomography Practical

Challenges in Making Tomography Practical
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.

Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.
Network Operations Research Nick Feamster

Network Operations Research Nick Feamster
Zhiyun Qian, Z. Morley Mao (University of Michigan)

Zhiyun Qian, Z. Morley Mao (University of Michigan)
Temporal Query Log Profiling to Improve Web Search Ranking Alexander Kotov (UIUC) Pranam Kolari, Yi Chang (Yahoo!) Lei Duan (Microsoft)

Temporal Query Log Profiling to Improve Web Search Ranking Alexander Kotov (UIUC) Pranam Kolari, Yi Chang (Yahoo!) Lei Duan (Microsoft)
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Using Traffic Analysis to Detect Email Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007.

Using Traffic Analysis to Detect Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.

Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Similar presentations

Ads by Google