Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.

Presentation transcript:

1 Not So Fast Flux Networks for Concealing Scam Servers
Theodore O. Cochran; James Cannady, Ph.D.
2010 Fifth International Conference on Risks and Security of Internet and Systems (CRiSIS)
Date: 2011/05/26
Reporter: Shu-Ping Yu
Advisor: Chun-Ying Huang
E-mail: b94570036@mail.ntou.edu.tw

2 Outline
Introduction
Background
Methodology
Experimental Result
Limitations and Future Work
Conclusion

3 Introduction
Cyber crime on the Internet
Fast-flux service networks (FFSNs)
 – Act as a proxy layer: conceal the true identity and location of their servers
 – High availability
 – Form a botnet and collect the compromised hosts
Analyze characteristics and trends of these networks
 – Two months of URLs taken from spam mail
 – Derive distinguishing features

4 Introduction (cont.)
How significant is the spam problem?
 – Over 89% of Internet email was spam
 – On a per-recipient basis, Google Mail filtered more than 50 spam emails
Money spent on anti-spam technology
 – Over $1 billion a year
 – Yet the spam still turns a profit

5 Background
Have numerous IP addresses
 – Swapped out quickly (Honeypot: TTL = 3 min)
 – Improve availability, protect against DoS, load balanced
Cyber criminals
 – Launch DDoS, transmit spam, deliver malware
 – Use FFSNs as a proxy layer
 – Proxy redirect => "bot"

6 Background (cont.)
(figure only)

7 TTL
 – Threshold 3600 sec
 – Benign (600~3600 sec) vs. fast-flux (lower than 300 sec)
 – Crawl FFSNs from the site: 77 vs. 45; 300 sec (39), 0 & 3600 sec (2), 60 & 1800 sec (1)
Kinds of fast-flux service networks
 – Single-flux: IP addresses
 – Double-flux: IP addresses and nameservers

8 Methodology
Data Collection
 – The web mail system: its spam filter was configured to save embedded hyperlinks and do DNS look-ups
 – TTL is an approximate value: after 10 lookups with the IP address unchanged, TTL = 30 min; flux activity could have occurred without being observed
 – telnet session over port 80 to determine the response to the HTTP TRACE command
 – First 100 domain names in the Alexa ranking as the benign comparison set

9 Methodology (cont.)
Data Analysis
 – Confirm the use of a flux network
 – Isolate discrete features
 – Discover dynamic features
 – Feature set: number of IP addresses, number of associated ASNs, number of associated DNS servers, TTL value, domain age, domain registrar
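The TTL thresholds on slide 7 and the feature set on slides 8 and 9 can be turned into a small per-domain feature extractor. The following is an added example written for this transcript, not code from the paper or the presenters: it takes a series of constructed DNS observations of one domain (the domain names, IPs, name servers, TTLs, dates and the IP-to-ASN map are all hypothetical) and derives the static features (IP, ASN and name-server counts, TTL class, domain age) together with the dynamic ones (observed IP swaps and how long each IP stayed in use). The scam sample is built so that its TTL sits in the benign range while its address still changes over days, which is exactly the slow-flux case the paper describes.

```python
"""Per-domain flux features from periodic DNS observations.
Added example; constructed data, not measurements from the paper."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median

# TTL thresholds quoted on the Background slide: fast-flux below 300 s,
# benign typically 600-3600 s.
FAST_FLUX_TTL_MAX = 300
BENIGN_TTL_MIN = 600
BENIGN_TTL_MAX = 3600

# Constructed IP-to-ASN map (hypothetical values, not from the paper).
IP_TO_ASN = {
    "203.0.113.10": 64496,
    "198.51.100.7": 64497,
    "192.0.2.44": 64496,
    "192.0.2.80": 64498,
}


@dataclass(frozen=True)
class DnsObservation:
    """One lookup of a domain: time, A records, NS records and the answer TTL."""
    domain: str
    observed_at: datetime
    ips: frozenset
    nameservers: frozenset
    ttl: int


def ttl_class(ttl):
    """Classify a TTL by the thresholds above; 'other' covers gaps and outliers."""
    if ttl <= FAST_FLUX_TTL_MAX:
        return "fast-flux"
    if BENIGN_TTL_MIN <= ttl <= BENIGN_TTL_MAX:
        return "benign-range"
    return "other"


def extract_features(observations, registered_on, ip_to_asn=IP_TO_ASN):
    """Static and dynamic flux features from a set of lookups of one domain."""
    obs = sorted(observations, key=lambda o: o.observed_at)
    if not obs:
        raise ValueError("need at least one observation")
    all_ips = frozenset().union(*(o.ips for o in obs))
    all_ns = frozenset().union(*(o.nameservers for o in obs))
    # Dynamic feature: number of times the A record set changed between polls.
    ip_swaps = sum(1 for a, b in zip(obs, obs[1:]) if a.ips != b.ips)
    # How long each IP stayed in use, first sighting to last sighting. With
    # periodic polling this is only a lower bound: a swap between two polls
    # is invisible, as the Limitations slide notes.
    first_seen, last_seen = {}, {}
    for o in obs:
        for ip in o.ips:
            first_seen.setdefault(ip, o.observed_at)
            last_seen[ip] = o.observed_at
    usage_hours = [(last_seen[ip] - first_seen[ip]).total_seconds() / 3600
                   for ip in all_ips]
    med_ttl = median(o.ttl for o in obs)
    return {
        "num_ips": len(all_ips),
        # IPs missing from the map are not counted towards the ASN total.
        "num_asns": len({ip_to_asn[ip] for ip in all_ips if ip in ip_to_asn}),
        "num_nameservers": len(all_ns),
        "median_ttl": med_ttl,
        "ttl_class": ttl_class(med_ttl),
        "domain_age_days": (obs[0].observed_at.date() - registered_on).days,
        "ip_swaps": ip_swaps,
        "min_ip_usage_hours": min(usage_hours),
        "max_ip_usage_hours": max(usage_hours),
        # The paper's point: flux is confirmed by observed swapping, not by TTL.
        "flux_confirmed": ip_swaps > 0,
    }


def _obs(domain, day, hour, ips, ttl=3600,
         ns=("ns1.reg-example.test", "ns2.reg-example.test")):
    """Build a constructed observation relative to 2010-03-01 00:00."""
    when = datetime(2010, 3, 1) + timedelta(days=day, hours=hour)
    return DnsObservation(domain, when, frozenset(ips), frozenset(ns), ttl)


# Constructed sample: a scam domain registered two days before its first lookup,
# answering with TTL 3600 yet moving across three IPs over four days.
SCAM_OBS = [
    _obs("cheap-meds-001.test", 0, 0, ["203.0.113.10"]),
    _obs("cheap-meds-001.test", 0, 12, ["203.0.113.10"]),
    _obs("cheap-meds-001.test", 1, 0, ["198.51.100.7"]),
    _obs("cheap-meds-001.test", 2, 0, ["198.51.100.7"]),
    _obs("cheap-meds-001.test", 3, 0, ["192.0.2.44"]),
    _obs("cheap-meds-001.test", 4, 0, ["192.0.2.44"]),
]
SCAM_REGISTERED = date(2010, 2, 27)

# Constructed sample: a long-established site with one stable IP and TTL 1800.
BENIGN_OBS = [_obs("established-site.test", d, 0, ["192.0.2.80"], ttl=1800)
              for d in range(5)]
BENIGN_REGISTERED = date(2003, 3, 1)

if __name__ == "__main__":
    for name, obs, reg in (("scam", SCAM_OBS, SCAM_REGISTERED),
                           ("benign", BENIGN_OBS, BENIGN_REGISTERED)):
        print(name, extract_features(obs, reg))
```

Run against the constructed scam sample, the TTL class comes out as "benign-range" while `ip_swaps` is 2 and `flux_confirmed` is true; the benign sample has the same TTL class, no swaps and a domain age of seven years. The IP-usage figures are lower bounds tied to the polling interval, which is why a coarse 30-minute poll can miss short-lived assignments.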

10 Experimental Result
Data sample
 – Over 1100 spam emails during two months
 – More than 97% contain web links
 – 391 unique domain names
 – Crawl FFSNs from the site: .com (50), .cn (2), and others
 – Most in China (cn)
 – A few in the USA and elsewhere

11 Experimental Result (cont.)
Clustering and Analysis
 – Grouped by IP addresses: 27 domains (one IP), 2 domains (two IPs, not shared)
 – For each IP address: commercial organization, or personal home or small-business computer
 – 65 sites of the Alexa Top list belong to the same or a nearby ASN

12 Experimental Result (cont.)
TTL values of benign sites
 – Fluxing hosts use shorter-than-average TTLs
 – Median value 1800 sec
 – One outlier value 604800 sec

13 Experimental Result (cont.)
TTL values of scam sites
 – Median value 3600 sec
 – Does not rule out flux
 – Not a strong feature
 – The rate of flux is not fast

14 Experimental Result (cont.)
Common TTLs ranging from 5 min to 24 hrs
 – IP addresses rarely changed
 – Little risk of exposing the server
The shortest duration for use of an IP was 21 hours and the longest was 26 days
 – The "mothership" will monitor and swap IPs out

15 Experimental Result (cont.)
Scam network grew dynamically
 – Scam Network #2: 1~5 new domain names
Average age of domain name vs. spam mail
 – Only two days
Top 100
 – Over seven years

16 Experimental Result (cont.)
A fluxing proxy network shared by two scams
 – Ex: network #4, with distinguishable features: domain, domain naming convention, spam email "From" line, and spam email content
Powerful feature: domain naming convention

17 Experimental Result (cont.)
telnet to port 80 (HTTP TRACE)
 – Determine whether it was enabled on the web server and responded
 – Collect the error message
 – More error messages indicated that nginx was being used

18 Experimental Result (cont.)
Summary of Findings
 – Identified several features for FFSNs: domain registration date; growth rate of new domain names per IP; HTTP TRACE error messages; the same email address being used to register domain names
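Slides 15, 16 and 18 describe features that only appear once many domains are compared: new domain names appearing per IP, the short gap between registration and the first spam sighting, a shared registrant address, and a common naming convention. The block below is an added example for this transcript, not code from the paper or the presenters; it works on a constructed list of WHOIS-style records (every domain, address, IP and date in it is hypothetical) and derives each of those network-level features, with the naming convention captured by collapsing digit runs into one template.

```python
"""Network-level features across many scam domains.
Added example; constructed records, not data from the paper."""
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed records (hypothetical domains, addresses, IPs and dates):
# (domain, registrant_email, registered_on, resolved_ip, first_seen_in_spam)
RECORDS = [
    ("cheap-meds-001.test", "reg-a@mailbox.test", date(2010, 2, 27), "203.0.113.10", date(2010, 3, 1)),
    ("cheap-meds-002.test", "reg-a@mailbox.test", date(2010, 3, 2), "203.0.113.10", date(2010, 3, 4)),
    ("cheap-meds-003.test", "reg-a@mailbox.test", date(2010, 3, 5), "203.0.113.10", date(2010, 3, 6)),
    ("best-watches-01.test", "reg-b@mailbox.test", date(2010, 3, 3), "198.51.100.7", date(2010, 3, 5)),
    ("established-site.test", "hostmaster@established-site.test", date(2003, 3, 1), "192.0.2.80", date(2010, 3, 1)),
]
# Constructed observation window used for the growth-rate feature.
SCAM_WINDOW = (date(2010, 2, 27), date(2010, 3, 5))


def naming_template(domain):
    """Collapse digit runs so cheap-meds-001 and cheap-meds-002 share a template."""
    return re.sub(r"\d+", "#", domain)


def domains_per_ip(records):
    """Group domain names by the IP they resolved to."""
    groups = defaultdict(list)
    for domain, _, _, ip, _ in records:
        groups[ip].append(domain)
    return dict(groups)


def domains_per_template(records):
    """Group domain names by naming template; a large group is the convention feature."""
    groups = defaultdict(list)
    for domain, *_ in records:
        groups[naming_template(domain)].append(domain)
    return dict(groups)


def new_domains_per_day(records, ip, start, end):
    """Growth rate: registrations resolving to `ip` inside [start, end], per day."""
    days = (end - start).days + 1
    count = sum(1 for _, _, reg, rip, _ in records if rip == ip and start <= reg <= end)
    return count / days


def shared_registrants(records):
    """Registrant e-mail addresses that were used for more than one domain."""
    by_email = defaultdict(list)
    for domain, email, _, _, _ in records:
        by_email[email].append(domain)
    return {e: d for e, d in by_email.items() if len(d) > 1}


def median_age_at_first_spam(records, template=None):
    """Median days between registration and first spam sighting, optionally per template."""
    ages = [(seen - reg).days for d, _, reg, _, seen in records
            if template is None or naming_template(d) == template]
    return median(ages)


if __name__ == "__main__":
    print(domains_per_ip(RECORDS))
    print(domains_per_template(RECORDS))
    print(new_domains_per_day(RECORDS, "203.0.113.10", *SCAM_WINDOW))
    print(shared_registrants(RECORDS))
    print(median_age_at_first_spam(RECORDS, "cheap-meds-#.test"))
```

On the constructed records the three cheap-meds domains collapse to one template, sit on one IP, share one registrant address and were each first seen in spam one or two days after registration, whereas the established site is seven years old and shares nothing with them. Real WHOIS data would need the registrar field from slide 9 added alongside the e-mail address, and registrant details are often redacted, so the e-mail feature is best treated as supporting evidence rather than a primary key.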

19 Limitations and Future Work
The data set is too small
 – Focus specifically on patterns and anomalies
Flux activity observed in these networks occurred over several days and even weeks
 – A shorter observation duration (30 min) may miss something
No content was actually retrieved from any of the web sites
 – No real evidence of illegal activity
 – Not an objective work
 – Determining the optimal combination of features

20 Conclusion
Online scams advertised through spam email
Use standard Unix utilities for DNS and HTTP data capture
Static and dynamic features were derived
The networks flux very slowly at times
 – Relative immunity from shutdown attempts
 – For high availability, to gain more profit from their online scams

