Published by Imogen Jennings. Modified over 9 years ago.
Slide 1: Can DNS Blacklists Keep Up With Bots?
Anirudh Ramachandran, David Dagon, and Nick Feamster
College of Computing, Georgia Tech
Slide 2: Background
DNS-based blacklists
– The most prevalent network-level spam filtering mechanism today
– Various listing criteria: open relays/proxies, virus senders, bad/unused address space, etc.
– Hundreds of DNSBLs of all sizes
Two distinct issues
– Detection: the first opportunity to classify an IP/message
– Response: how long it takes after detection for blacklisting to occur
Slide 3: Effectiveness of a DNSBL – Pertinent Questions
– What is the responsiveness of the DNSBL? An important metric, especially with the proliferation of spam hosts with dynamic IPs (botnets)
– What is the completeness of the DNSBL?
– How many distinct domains are targeted before blacklisting happens?
– Does the frequency of spam from a host change after it is blacklisted?
Slide 4: A Model of Responsiveness
Response time
– Difficult to calculate without “ground truth”
– Can still estimate a lower bound
Fig: Conceptual life-cycle of a spamming host (timeline labels: Infection; S-Day / possible detection opportunity; RBL listing; the response time is the interval between the detection opportunity and the RBL listing)
Slide 5: Our Approach
Data:
– 1.5 days’ worth of packet captures of DNSBL queries from a mirror of Spamhaus
– 46 days of pcaps from a hijacked C&C for a Bobax botnet; overlaps with the DNSBL queries
Method:
– Monitor DNSBL queries for lookups of known Bobax hosts
  – Look for the first query (approximates S-Day or the detection opportunity)
  – Look for the first time a query response had a ‘listed’ status (approximates the RBL listing)
Slide 6: Preliminary Results
– Observed 81,950 DNSBL queries for 4,295 (out of over 2 million) Bobax IPs
– Completeness: only 255 (6%) Bobax IPs were blacklisted through the end of the Bobax trace (46 days)
– Responsiveness:
  – 88 IPs became listed during the 1.5-day DNSBL trace
  – 34 of these were listed after a single detection opportunity
Slide 7: Domains Performing Lookups
– Over 60% of the bots are queried by just one IP/AS
  – Increases response time (i.e., decreases the chances of getting reported)
Fig: CDF of the number of distinct IP addresses/domains performing lookups per bot
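The measurement procedure of slides 5 and 7 can be expressed as a small script: for every IP known from the C&C trace, find its first DNSBL lookup (the detection-opportunity approximation), the first lookup answered ‘listed’ (the listing approximation), the lower bound on response time between the two, the completeness over all known bots, and the share of looked-up bots that only one querier ever asked about. This is an added example, not code from the talk or its authors; the query records and bot list below are constructed from documentation address ranges, and the field layout (timestamp, querier, looked-up IP, answer status) is an assumption about how one would normalize the pcap data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not the authors' data): one record per DNSBL query seen at the
# mirror, as (ISO timestamp, querying resolver, IP looked up, answer status).
# 'listed' / 'not-listed' stands for the presence or absence of a blacklist answer.
SAMPLE_QUERIES = [
    ("2006-01-01T00:00:00", "198.51.100.1", "192.0.2.10", "not-listed"),
    ("2006-01-01T06:30:00", "198.51.100.2", "192.0.2.10", "not-listed"),
    ("2006-01-01T12:00:00", "198.51.100.1", "192.0.2.10", "listed"),
    ("2006-01-01T01:00:00", "198.51.100.3", "192.0.2.11", "not-listed"),
    ("2006-01-02T01:00:00", "198.51.100.3", "192.0.2.11", "not-listed"),
    ("2006-01-01T02:00:00", "198.51.100.4", "192.0.2.12", "listed"),
]

# Constructed stand-in for the bot IPs observed at the hijacked C&C.
# 192.0.2.13 is a bot that nobody ever looks up, so it counts against completeness only.
KNOWN_BOTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}


def summarize_bots(queries, known_bots):
    """Per known bot IP that was looked up at least once, return:
    first_query            -- time of the first lookup (detection-opportunity approximation)
    first_listed           -- time of the first 'listed' answer, or None if never listed
    response_time_s        -- lower bound on response time in seconds, or None
    queries_before_listing -- lookups answered 'not-listed' before the first 'listed' answer
                              (all lookups if the bot was never listed)
    queriers               -- set of distinct resolvers that asked about this IP
    """
    by_bot = defaultdict(list)
    for ts, querier, ip, status in queries:
        if ip in known_bots:  # ignore lookups for IPs not seen at the C&C
            by_bot[ip].append((datetime.fromisoformat(ts), querier, status))

    summary = {}
    for ip, records in by_bot.items():
        records.sort()  # chronological order; ties broken by querier/status text
        first_query = records[0][0]
        first_listed = None
        opportunities = 0
        for when, _querier, status in records:
            if status == "listed":
                first_listed = when
                break
            opportunities += 1
        summary[ip] = {
            "first_query": first_query,
            "first_listed": first_listed,
            "response_time_s": (first_listed - first_query).total_seconds()
            if first_listed is not None else None,
            "queries_before_listing": opportunities,
            "queriers": {querier for _when, querier, _status in records},
        }
    return summary


def completeness(summary, known_bots):
    """Fraction of all known bots that were listed at some point in the trace."""
    listed = sum(1 for s in summary.values() if s["first_listed"] is not None)
    return listed / len(known_bots)


def single_querier_fraction(summary):
    """Fraction of looked-up bots that only a single resolver ever asked about."""
    if not summary:
        return 0.0
    single = sum(1 for s in summary.values() if len(s["queriers"]) == 1)
    return single / len(summary)


if __name__ == "__main__":
    result = summarize_bots(SAMPLE_QUERIES, KNOWN_BOTS)
    for ip, s in sorted(result.items()):
        print(ip, s["first_listed"], s["response_time_s"], s["queries_before_listing"], len(s["queriers"]))
    print("completeness:", completeness(result, KNOWN_BOTS))
    print("single-querier fraction:", single_querier_fraction(result))
```

On the constructed input, 192.0.2.10 is listed 12 hours after its first lookup with two unanswered opportunities before it, 192.0.2.12 is listed at its very first lookup (the “single detection opportunity” case), 192.0.2.11 is never listed, and 192.0.2.13 is never looked up, giving a completeness of 0.5 and a single-querier fraction of 2/3. As on slide 4, the response time is only a lower bound: the real infection and first-spam times lie before the first lookup the mirror happens to see.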
Slide 8: Conclusion
DNSBL responsiveness is relatively unstudied
– Proposal for a model of responsiveness
– Points to ponder: blacklist responsiveness and its effects
Preliminary results:
– Responsiveness might be low
– 60% of bots target just one domain
Future work:
– Changes in spamming frequency pre/post blacklisting
– Reanalyze with complete DNSBL lookups; other spamming bot data
Slide 9: Questions?