Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.

Presentation transcript:

Not So Fast Flux Networks for Concealing Scam Servers
Theodore O. Cochran; James Cannady, Ph.D.
Risks and Security of Internet and Systems (CRiSIS), 2010 Fifth International Conference on
Date: 2011/05/26  Reporter: Shu-Ping Yu  Advisor: Chun-Ying Huang

Outline
Introduction
Background
Methodology
Experimental Result
Limitations and Future Work
Conclusion

Introduction
Cyber crime on the Internet
Fast-flux service networks (FFSNs)
  – Act as a proxy layer: conceal the true identity and location of their servers
  – High availability
  – Become a botnet and collect the compromised hosts
Analyze characteristics and trends of these networks
  – Two months of URLs taken from spam mail
  – Derive distinguishing features

Introduction (cont.)
How significant is the spam problem?
  – Over 89% of Internet email was spam
  – On a per-recipient basis, Google Mail filtered more than 50 spam emails
Spending on anti-spam technology
  – Over $1 billion a year
  – Spam still turns a profit

Background
FFSNs have numerous IP addresses
  – Swapped out quickly (honeypot: TTL = 3 min)
  – Improve availability, protect against DoS, balance load
Cyber criminals
  – Launch DDoS, transmit spam, deliver malware
  – Use the FFSN as a proxy layer
  – Proxy redirect => "bot"

Background (cont.)

TTL
  – Threshold: 3600 sec
  – Benign (600 to 3600 sec) vs. fast-flux (below 300 sec)
  – Crawl FFSNs from the site: 77 vs … sec (39), 0 & 3600 sec (2), 60 & 1800 sec (1)
Kinds of fast-flux service networks
  – Single-flux: IP addresses
  – Double-flux: IP addresses and nameservers

Methodology
Data Collection
  – The web mail system: its spam filter was configured to save embedded hyperlinks and do DNS look-ups
  – TTL is an approximate value: after 10 look-ups with the IP address unchanged, TTL = 30 min
    Flux activity could have occurred without being observed
  – telnet session over port 80 to determine the response to the HTTP TRACE command
  – First 100 domain names in the Alexa ranking

Methodology (cont.)
Data Analysis
  – Confirm the use of a flux network
  – Isolate discrete features
  – Discover dynamic features
  – Feature set:
    Number of IP addresses
    Number of associated ASNs
    Number of associated DNS servers
    TTL value
    Domain age
    Domain registrar
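As an added worked example (not code from the paper or the slides), the feature set above computed over repeated DNS look-ups, using the TTL thresholds from the background slide and the 30 min polling interval from the data-collection slide; the look-ups, the domain names and the IP-to-ASN map are constructed sample data, not measurements from the paper.

```python
# Added example (not from the paper): the slide's feature set derived from
# repeated DNS look-ups. The look-ups and the IP->ASN map (standing in for a
# WHOIS / route-view query) are constructed sample data.
from statistics import median
from collections import namedtuple

Obs = namedtuple("Obs", "t ips ttl")   # look-up time (s), A records, TTL (s)
ASN_MAP = {"198.51.100.7": 64500, "203.0.113.20": 64501, "192.0.2.33": 64502}

def ttl_class(ttl):
    """Background slide thresholds: below 300 s fast-flux, 600 to 3600 s benign."""
    if ttl < 300:
        return "fast-flux"
    return "benign-range" if 600 <= ttl <= 3600 else "other"

def ip_durations(obs):
    """Seconds each IP stayed in the answer set (first to last sighting)."""
    seen = {}
    for o in obs:
        for ip in o.ips:
            seen.setdefault(ip, [o.t, o.t])[1] = o.t
    return {ip: last - first for ip, (first, last) in seen.items()}

def features(obs, nameservers, domain_age_days, registrar):
    """The slide's feature set plus the paper's 'not so fast' flux flag."""
    ips = {ip for o in obs for ip in o.ips}
    ttl_med = median(o.ttl for o in obs)
    durs = ip_durations(obs)
    return {
        "n_ips": len(ips),
        "n_asns": len({ASN_MAP.get(ip, "?") for ip in ips}),
        "n_ns": len(set(nameservers)),
        "ttl_median": ttl_med,
        "ttl_class": ttl_class(ttl_med),
        "min_ip_hours": min(durs.values()) / 3600,
        "max_ip_hours": max(durs.values()) / 3600,
        "domain_age_days": domain_age_days,
        "registrar": registrar,
        # IPs rotate while the TTL sits in the benign range: slow flux
        "slow_flux": len(ips) > 1 and ttl_med >= 600,
    }

def demo():
    """Constructed scam domain polled every 30 min for 48 h; IP swapped after 21 h."""
    obs = [Obs(k * 1800, ["198.51.100.7" if k * 1800 <= 21 * 3600 else "203.0.113.20"], 3600)
           for k in range(96)]
    return features(obs, ["ns1.example.test", "ns2.example.test"], 2, "registrar-A")
```

With a 3600 s TTL and a single IP swap, `demo()` reports a benign-range TTL yet a two-IP, two-ASN, two-day-old domain flagged as slow flux, which is the pattern the results slides describe.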

Experimental Result
Data sample
  – Over 1100 spam emails during two months
  – More than 97% contain web links
  – 391 unique domain names
  – Crawl FFSNs from the site: .com (50), .cn (2), and others
  – .com domains: most in China (cn), a few in USA and others

Experimental Result (cont.)
Clustering and Analysis
  – Grouped by IP addresses: 27 domains (one IP), 2 domains (two IPs, not shared)
  – For each IP address: commercial organization, or personal home / small business computer
  – 65 sites of the Alexa Top 100 belong to the same or a nearby ASN

Experimental Result (cont.)
TTL value of benign domains
  – Fluxing hosts use a shorter than average TTL
  – Median value: 1800 sec
  – One outlier value (… sec)

Experimental Result (cont.)
TTL value of scam domains
  – Median value: 3600 sec
  – Does not rule out flux
  – Not a strong feature
  – The rate of flux is not fast

Experimental Result (cont.)
Common TTL ranging from 5 min to 24 hrs
  – IP addresses rarely changed
  – Little risk of exposing the server
The shortest duration for use of an IP was 21 hours and the longest was 26 days
  – The "mothership" monitors and swaps the IP out

Experimental Result (cont.)
Scam networks grew dynamically
  – Scam Network #2: 1 to 5 new domain names
Average age of domain name at the time of the spam mail
  – Only two days
Alexa Top 100
  – Over seven years

Experimental Result (cont.)
A fluxing proxy network shared by two scams
  – Ex: network #4
  – Distinguishable features: domain, domain naming convention, spam "From" line, and spam content
  – Most powerful feature: domain naming convention

Experimental Result (cont.)
telnet to port 80 (HTTP TRACE)
  – Determine whether it was enabled on the web server and how it responds
  – Collect the error message
  – More error messages indicated that nginx was being used

Experimental Result (cont.)
Summary of Findings
  – Identified several features for FFSNs:
    Domain registration date
    Growth rate of new domain names per IP
    HTTP TRACE error messages
    Same address used to register domain names

Limitations and Future Work
The data set is too small
  – Focus specifically on patterns and anomalies
Flux activity observed in these networks occurred over several days and even weeks
  – A shorter observation duration (30 min) may miss it
No content was actually retrieved from any of the web sites
  – No real evidence of illegal activity
  – Not an objective work
Future work: determining the optimal combination of features

Conclusion
Online scams advertised through spam
Used standard Unix utilities for DNS and HTTP data capture
Static and dynamic features were derived
The networks flux very slowly at times
  – Relative immunity from shutdown attempts
  – High availability to gain more profit from their online scams