Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nick Feamster Georgia Tech

Published byAustin Payne Modified over 10 years ago

Similar presentations

Presentation on theme: "Nick Feamster Georgia Tech"— Presentation transcript:

1 Nick Feamster Georgia Tech
Spam, BGP, and Bogons Nick Feamster Georgia Tech

2 Two Small Parts Interaction of spam and BGP
Summary of spam study New phenomenon: BGP “spectrum agility” Historical study of BGP “bogon” route advertisements

3 State-of-the-art: Content-based filtering
Spam Unsolicited commercial As of about February 2005, estimates indicate that about 90% of all is spam Common spam filtering techniques Content-based filters DNS Blacklist (DNSBL) lookups: Significant fraction of today’s DNS traffic! State-of-the-art: Content-based filtering

4 Studying Sending Patterns
Network-level properties of spam arrival From where? What IP address space? ASes? What OSes? What techniques? Botnets Short-lived route announcements Shady ISPs Capabilities and limitations? Bandwidth Size of botnet army

5 Collection Two domains instrumented with MailAvenger (both on same network) Sinkhole domain #1 Continuous spam collection since Aug 2004 No real addresses---sink everything 10 million+ pieces of spam Sinkhole domain #2 Recently registered domain (Nov 2005) “Clean control” – domain posted at a few places Not much spam yet…perhaps we are being too conservative Monitoring BGP route advertisements from same network Also capturing traceroutes, DNSBL results, passive TCP host fingerprinting simultaneous with spam arrival (results in this talk focus on BGP+spam only)

6 Spamming Techniques Mostly botnets, of course How we’re doing this
DNS hijack to get botnet topology and geography How we’re doing this Correlation with Bobax victims from Georgia Tech botnet sinkhole Heuristics Distance in IP space of Client IP from MX record Coordinated, low-bandwidth sending A less popular, but sometimes more effective technique: Short-lived BGP routing announcements

7 A small club of persistent players appears to be using this technique.
BGP Spectrum Agility Log IP addresses of SMTP relays Join with BGP route advertisements seen at network where spam trap is co-located. A small club of persistent players appears to be using this technique. Common short-lived prefixes and ASes /8 4678 / /8 8717 ~ 10 minutes Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)

8 A Slightly Different Pattern

9 Why Such Big Prefixes? “Agility”
Flexibility: Client IPs can be scattered throughout dark space within a large /8 Same sender usually returns with different IP addresses Visibility: Route typically won’t be filtered (nice and short)

10 Characteristics of IP-Agile Senders
IP addresses are widely distributed across the /8 space IP addresses typically appear only once at our sinkhole Depending on which /8, 60-80% of these IP addresses were not reachable by traceroute when we spot-checked Some IP addresses were in allocated, albeing unannounced space Some AS paths associated with the routes contained reserved AS numbers

11 Some evidence that it’s working
Spam from IP-agile senders tend to be listed in fewer blacklists Vs. ~80% on average Only about half of the IPs spamming from short-lived BGP are listed in any blacklist

12 Thanks Randy Bush David Mazieres More information:
Anirudh Ramachandran and Nick Feamster, Understanding the Network-Level Behavior of Spammers Send mail to Nick Feamster (username: feamster, domain: cc.gatech.edu) for a copy of the draft.

13 Length of short-lived BGP epochs
1 day ~ 10% of spam coming from short-lived BGP announcements (upper bound) Epoch length

14 An Empirical Study of BGP “Bogon” Route Advertisements

15 What are “bogon” routes?
Routes for prefixes that are not allocated to any registry As of December 2004, 94 /8 prefixes not allocated to any registry ASes should filter routes for these prefixes from neighboring ASes

16 Questions: 15-Month Study
How often do bogon route announcements appear (prevalence),and how long do they last (persistence)? Are there certain bogon routes (i.e., bogon prexes and address space) that are leaked by more than one AS? How are bogon announcements distributed across the ASes that originate them, and how often does each AS leak bogon routes? When an AS leaks bogon routes, how many bogon routes are leaked at once? Do ASes update their route filters when IP address space is allocated from previously unallocated space?

17 Measurement Setup iBGP monitors at 8 distributed vantage points in the RON testbed Updates logged continuously for 15 months

18 Prevalence 110 origin ASes 403 invalid routes 13,000 updates
About once every 2 days on average Prefix-based event: Begins with an announcement, ends with a withdrawal Origin-AS based: Begins with an announcement at any monitor, ends when no monitors see any bogons for 60+ minutes

19 Persistence 47% of prefix-based events lasted longer than 1 hour
57% lasted longer than one day

20 Common Prefixes Leaked
70% of invalid announcements, half of origin AS-based events involved three portions of address space: /12, /24, and /8 Routes from the space /7 were leaked by 71 different origin ASes

21 Bogon Routes Leaked per Event
The majority of events only leaked a single prefix, and two-thirds leaked two prefixes or fewer. 14 events where a single AS originated more than 100 invalid prefixes.

22 Do ASes Update Their Filters?

Download ppt "Nick Feamster Georgia Tech"

Similar presentations

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
BGP01 An Examination of the Internets BGP Table Behaviour in 2001 Geoff Huston Telstra.

BGP01 An Examination of the Internets BGP Table Behaviour in 2001 Geoff Huston Telstra.
ARIN Public Policy Meeting

ARIN Public Policy Meeting
1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.

1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.
BGP Status Update Geoff Huston September 2002. 2 What Happening (AS4637) Date.

BGP Status Update Geoff Huston September What Happening (AS4637) Date.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Network Security Problems Nick Feamster

Network Security Problems Nick Feamster
Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu.

Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu.
Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.

Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Unwanted Network Traffic: Threats and Countermeasures

Unwanted Network Traffic: Threats and Countermeasures
Dynamics of Online Scam Hosting Infrastructure

Dynamics of Online Scam Hosting Infrastructure
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Challenges in Making Tomography Practical

Challenges in Making Tomography Practical
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Level Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte, Nadeem Syed, Alex Gray, Santosh Vempala, Jaeyeon.

Network-Level Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Maria Konte, Nadeem Syed, Alex Gray, Santosh Vempala, Jaeyeon.
Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.

Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.
Usage-Based DHCP Lease- Time Optmization Manas Khadilkar, Nick Feamster, Russ Clark, Matt Sanders Georgia Tech.

Usage-Based DHCP Lease- Time Optmization Manas Khadilkar, Nick Feamster, Russ Clark, Matt Sanders Georgia Tech.
Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.

Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.

Similar presentations

Ads by Google