Botnets: Infrastructure and Attacks Nick Feamster CS 6262 Spring 2009.
Monitoring and Intrusion Detection Nick Feamster CS 4251 Fall 2008.
Presentation on theme: "Dynamics of Online Scam Hosting Infrastructure"— Presentation transcript:
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel ResearchTo appear in Passive and Active Measurement (PAM) 2009
2 Online Scams Often advertised in spam messages URLs point to various point-of-sale sitesThese scams continue to be a menaceAs of August 2007, one in every 87 s constituted a phishing attackScams often hosted on bullet-proof domainsProblem: Study the dynamics of online scams, as seen at a large spam sinkhole
3 Online Scam Hosting is Dynamic The sites pointed to by a URL that is received in an message may point to different sitesMaintains agility as sites are shut down, blacklisted, etc.One mechanism for hosting sites: fast flux
5 Why Study Dynamics? Understanding Detection What are the possible invariants?How many different scam-hosting sites are there?DetectionToday: Blacklisting based on URLsInstead: Identify the network-level behavior of a scam-hosting site
6 Summary of Findings What are the rates and extents of change? Different from legitimate load balanceDifferent cross different scam campaignsHow are dynamics implemented?Many scam campaigns change DNS mappings at all three locations in the DNS hierarchyA, NS, IP address of NS recordConclusion: Might be able to detect based on monitoring the dynamic behavior of URLs
7 Data Collection One month of email spamtrap data 115,000 emails 384 unique domains24 unique spam campaigns
8 Top 3 Spam Campaigns Some campaigns hosted by thousands of IPs Most scam domains exhibit some type of fluxSharing of IP addresses across different roles (authoritative NS and scam hosting)
9 Time Between Changes How quickly do DNS-record mappings change? Scam domains change on shorter intervals than their TTL valuesDomains within the same campaign exhibit similar rates of change
10 Rates of ChangeDomains that exhibit fast flux change more rapidly than legitimate domainsRates of change are inconsistent with actual TTL values
11 Rates of AccumulationHow quickly do scams accumulate new IP addresses?Rates of accumulation differ across campaignsSome scams only begin accumulating IP addresses after some time
13 Location of Change in Hierarchy Scam networks use a different portion of the IP address space than legitimate sites30/8 – 60/8 --- lots of legitimate sites, no scam sitesDNS lookups for scam domains are often more widely distributed than those for legitimate sites
14 Location in IP Address Space Scam campaign infrastructure is considerably more concentrated in the 80/8-90/8 range
16 Registrars Involved in Changes About 70% of domains still active are registered at eight domainsThree registrars responsible for 257 domains (95% of those still marked as active)
17 Conclusion Scam campaigns rely on a dynamic hosting infrastructure Studying the dynamics of that infrastructure may help us develop better detection methodsDynamicsRates of change differ from legitimate sites, and differ across campaignsDynamics implemented at all levels of DNS hierarchyLocationScam sites distributed more across IP address space
Your consent to our cookies if you continue to use this website.