Understanding the Network-Level Behavior of Spammers. Authors: Anirudh Ramachandran, Nick Feamster. Published in: ACM SIGCOMM 2006. Presented by: Bharat Soundararajan.
OUTLINE
 Spam
 – Basics of spam
 – Spam statistics
 – Spamming methods
 – Spam filtering
 Network-level behavior of spam
 – Network-level spam filtering
 – Data collection method
 – Tools used for data collection
 – Evaluation
 – Drawbacks

SPAM

What is spam?
 Email spam, also known as "bulk email" or "junk email", is the subset of spam that consists of nearly identical messages sent by email to very many recipients
 Spammers use unsecured mail servers to send out millions of illegitimate emails
 (February) 90 billion spam emails per day

Spam statistics (chart not reproduced in the transcript)

Spamming methods
 Direct spamming
 – The spammer buys upstream connectivity from a "spam-friendly" ISP and sends from its own address space
 Open relays and proxies
 – Mail servers (or proxies) that allow unauthenticated Internet hosts to connect and relay mail through them
 Botnets
 – Compromised end hosts, e.g. machines infected by the Bobax worm, send spam on the spammer's behalf
 BGP spectrum agility
 – Short-lived BGP route announcements: a prefix is announced briefly, spam is sent from addresses in it, and the route is withdrawn again

Botnet command and control
 Command-and-control information captured from an already-known botnet was used to make the sinkhole act as the botnet's command-and-control server
 All the bots then tried to contact the sinkhole; a packet trace of these connections was collected to determine the membership of the botnet
 Passive fingerprinting of the bots with the p0f tool showed a significantly higher share of infected hosts running Windows
 The membership information collected this way is not exact, since bots are identified only by IP address

Sinkhole (diagram not reproduced in the transcript)

DNS blacklisting
 A DNSBL is a list of open-relay mail servers or open proxies, or of IP addresses known to send spam
 Entries are collected from spam-trap addresses or honeypots
 80% of all spam received at the sinkhole came from mail relays that appear in at least one of the eight blacklists queried
 More than 50% of the spam came from relays listed in two or more blacklists

Spam filtering
 Spammers can easily alter the content of an email
 Content-based filters such as SpamAssassin score a message on the text and headers of the email, which spammers change freely
 Spammers have much less flexibility when it comes to altering the network-level properties of an email (the sending IP address, its route, its AS)

Spam filtering in this paper
 – Compare the sinkhole data with the mail logs from a large ISP
 – Analyze the network-level behavior of the senders using the logs collected at the sinkhole
 – Use that comparison to update the filter rules

Network-level spam filtering
 Network-level properties are harder for a spammer to change than message content
 Network-level properties studied:
 – IP addresses and IP address ranges
 – Change of addresses over time
 – Distribution according to operating system, country and AS
 – Characteristics of botnets and of short-lived route announcements
 These properties help develop better spam filters

Data collected when spam is received
 IP address of the mail relay
 Traceroute to that IP address, to estimate the network location of the mail relay
 Passive "p0f" TCP fingerprint, to determine the OS of the mail relay
 Result of DNS blacklist (DNSBL) lookups for that mail relay at eight different DNSBLs

Mail Avenger
 A few of the environment variables Mail Avenger sets for the scripts it runs:
 – CLIENT_NETPATH: the network route to the client
 – SENDER: the sender address of the message
 – CLIENT_SYNOS: a guess of the client's operating system type
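The per-message record described on the two previous slides (relay IP, traceroute, p0f guess, eight DNSBL lookups) and the DNSBL statistics from the blacklisting slide, as an added example that is neither the paper's nor Mail Avenger's own code. It assumes the Mail Avenger variables named above plus CLIENT_IP (assumed to be set as well); the eight blacklist zones are placeholder names and the resolver is a constructed stub, so the script runs offline.

```python
"""Per-message network-level record, Mail Avenger style, plus DNSBL lookups.

Added example (not the paper's or Mail Avenger's code). Assumes the variables
CLIENT_NETPATH, SENDER, CLIENT_SYNOS from the slide and, additionally,
CLIENT_IP. The DNSBL zones are placeholders; the resolver is a stub.
"""
import ipaddress
import json
import os
from typing import Callable, Dict, Iterable, List, Optional

# Hypothetical blacklist zones (eight, as in the paper's setup).
DNSBL_ZONES = [f"bl{i}.example" for i in range(1, 9)]

# A resolver maps a query name to an A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_hits(ip: str, zones: Iterable[str], resolve: Resolver) -> List[str]:
    """Return the zones that list `ip` (any A answer counts as 'listed')."""
    return [z for z in zones if resolve(dnsbl_query_name(ip, z)) is not None]


def build_record(env: Dict[str, str], resolve: Resolver) -> Dict[str, object]:
    """One sinkhole log line: what the data-collection slide says is recorded."""
    ip = env["CLIENT_IP"]
    return {
        "relay_ip": ip,
        "sender": env.get("SENDER", ""),
        "netpath": env.get("CLIENT_NETPATH", "").split(),   # traceroute hops
        "os_guess": env.get("CLIENT_SYNOS", "unknown"),       # p0f guess
        "dnsbl": dnsbl_hits(ip, DNSBL_ZONES, resolve),
    }


def summarize(records: Iterable[Dict[str, object]]) -> Dict[str, float]:
    """Fraction of messages whose relay is in >=1 and in >=2 blacklists."""
    recs = list(records)
    n = len(recs) or 1
    one = sum(1 for r in recs if len(r["dnsbl"]) >= 1)
    two = sum(1 for r in recs if len(r["dnsbl"]) >= 2)
    return {"listed_in_one_or_more": one / n, "listed_in_two_or_more": two / n}


# --- constructed offline resolver and sample messages ----------------------
_FAKE_DNSBL = {                      # constructed listing data, not real
    "203.0.113.5": {"bl1.example", "bl2.example", "bl5.example"},
    "198.51.100.7": {"bl3.example"},
    "192.0.2.9": set(),
}


def fake_resolve(name: str) -> Optional[str]:
    """Stub DNS A lookup: '127.0.0.2' if the IP is listed in that zone, else None."""
    parts = name.split(".", 4)       # four reversed octets, then the zone
    ip = ".".join(reversed(parts[:4]))
    return "127.0.0.2" if parts[4] in _FAKE_DNSBL.get(ip, set()) else None


SAMPLE_ENVS = [                       # constructed; mimics Mail Avenger's environment
    {"CLIENT_IP": "203.0.113.5", "SENDER": "a@example.net",
     "CLIENT_NETPATH": "10.0.0.1 10.0.1.1 203.0.113.5", "CLIENT_SYNOS": "Windows XP"},
    {"CLIENT_IP": "198.51.100.7", "SENDER": "b@example.org",
     "CLIENT_NETPATH": "10.0.0.1 198.51.100.7", "CLIENT_SYNOS": "Linux 2.4"},
    {"CLIENT_IP": "192.0.2.9", "SENDER": "c@example.com",
     "CLIENT_NETPATH": "10.0.0.1 192.0.2.9", "CLIENT_SYNOS": "Windows 2000"},
]


def run_samples() -> List[Dict[str, object]]:
    """Build records for the constructed sample messages."""
    return [build_record(e, fake_resolve) for e in SAMPLE_ENVS]


if __name__ == "__main__":
    # Under Mail Avenger the real environment is used; otherwise the sample.
    env = os.environ if "CLIENT_IP" in os.environ else SAMPLE_ENVS[0]
    print(json.dumps(build_record(env, fake_resolve)))
    print(summarize(run_samples()))
```

Replacing `fake_resolve` with a real A lookup (and the placeholder zones with real DNSBLs) turns `build_record` into the per-message logger; `summarize` then yields the "listed in at least one / in two or more" figures over a trace.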

Distribution across ASes
 Still about 40% of spam comes from the U.S.

p0f fingerprinting
 Passive fingerprinting is a method to learn more about the remote host without it knowing
 Specifically, you can determine the operating system and other characteristics of the remote host from the packets it sends
 Header fields examined:
 – TTL: the initial time-to-live value the operating system uses
 – Window size: the TCP window size the operating system uses
 – DF: whether the operating system sets the don't-fragment bit
 – TOS: whether the operating system specifies a type of service

OS guess from TTL values

Operating system   Version               TTL value
Linux              Red Hat 9             64
FreeBSD
Solaris            2.5.1, 2.6, 2.7
Windows            98                    32
Windows            XP                    128

Distribution among operating systems
 About 4% of the known hosts are non-Windows; these hosts are responsible for about 8% of the received spam
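The inference behind the p0f slides, as an added example (not p0f's code and not the paper's): the initial TTL is recovered from the observed TTL, the hop count falls out of the difference, and (initial TTL, window size, DF) is matched against a small signature table. The table and the SYN observations below are constructed assumptions; real p0f signatures also use TCP options. The last function computes the two shares the slide above reports, hosts and messages attributed to non-Windows stacks.

```python
"""Passive OS guess from TCP SYN attributes, in the spirit of p0f.

Added example, not p0f's code or the paper's. SIGNATURES is a constructed
subset and SAMPLE_SYNS are constructed observations, not sinkhole data.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

INITIAL_TTLS = (32, 64, 128, 255)      # initial TTLs used by common stacks


class Syn(NamedTuple):
    src: str
    ttl: int          # TTL as seen at the sinkhole (decremented once per hop)
    window: int       # advertised TCP window
    df: bool          # IP don't-fragment bit


# (initial_ttl, window, df) -> OS label.  Constructed; assumption.
SIGNATURES: Dict[Tuple[int, int, bool], str] = {
    (64, 5840, True): "Linux 2.4/2.6",
    (64, 65535, True): "FreeBSD",
    (255, 8760, True): "Solaris 2.x",
    (32, 8192, False): "Windows 98",
    (128, 65535, True): "Windows XP",
    (128, 16384, True): "Windows 2000",
}


def initial_ttl(observed: int) -> int:
    """Smallest common initial TTL >= observed (TTL only decreases in transit)."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    raise ValueError(f"TTL {observed} exceeds 255")


def hop_count(observed: int) -> int:
    """Hops between the sender and the sinkhole implied by the TTL."""
    return initial_ttl(observed) - observed


def guess_os(syn: Syn) -> str:
    """Exact match on (initial TTL, window, DF); fall back to the TTL class alone."""
    key = (initial_ttl(syn.ttl), syn.window, syn.df)
    if key in SIGNATURES:
        return SIGNATURES[key]
    same_ttl = {label for (t, _, _), label in SIGNATURES.items() if t == key[0]}
    return "unknown (" + "/".join(sorted(same_ttl)) + ")" if same_ttl else "unknown"


def is_windows(label: str) -> bool:
    return label.startswith("Windows")


def share_by_family(syns: List[Syn]) -> Dict[str, float]:
    """Fraction of sending hosts, and of messages, attributed to non-Windows
    stacks: the two numbers the OS-distribution slide reports."""
    hosts: Dict[str, str] = {}      # src -> last OS label seen
    msgs: Counter = Counter()       # OS label -> message count
    for s in syns:
        label = guess_os(s)
        hosts[s.src] = label
        msgs[label] += 1
    n_hosts = len(hosts) or 1
    n_msgs = sum(msgs.values()) or 1
    return {
        "non_windows_hosts": sum(1 for l in hosts.values() if not is_windows(l)) / n_hosts,
        "non_windows_spam": sum(c for l, c in msgs.items() if not is_windows(l)) / n_msgs,
    }


# Constructed SYN observations (one per received message).
SAMPLE_SYNS = [
    Syn("203.0.113.5", 116, 65535, True),   # Windows XP, 12 hops away
    Syn("203.0.113.5", 116, 65535, True),
    Syn("203.0.113.6", 120, 16384, True),   # Windows 2000
    Syn("198.51.100.7", 52, 5840, True),    # Linux, 12 hops away
    Syn("198.51.100.7", 52, 5840, True),
    Syn("192.0.2.9", 27, 8192, False),      # Windows 98, 5 hops away
]

if __name__ == "__main__":
    for s in SAMPLE_SYNS:
        print(s.src, hop_count(s.ttl), guess_os(s))
    print(share_by_family(SAMPLE_SYNS))
```

The TTL-class fallback matters in practice: a window size outside the table still yields the 64/128/255 family, which is usually enough to separate Windows from Unix-like senders, and that is the split the slide reports.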

Spam distribution across IP space (chart not reproduced in the transcript)
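The attribution step behind the AS-distribution and IP-space slides, together with the short-lived route announcements from the spamming-methods and network-level-filtering slides, as an added example (not the paper's code): each spam message is matched to the most specific prefix that was announced at the time it arrived, counted per origin AS, and flagged when that prefix was announced for less than a threshold. The prefix table, the BGP update log and the one-hour threshold are constructed assumptions; the paper used Routeviews data for this.

```python
"""Map spam relays to the announced prefix/AS and flag short-lived routes.

Added example, not the paper's code. UPDATES and SPAM are constructed; the
`short_secs` threshold is an assumption.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Update(NamedTuple):
    t: int          # seconds (constructed timeline)
    prefix: str
    asn: int        # origin AS
    kind: str       # "A" announce, "W" withdraw


class Spam(NamedTuple):
    t: int
    relay_ip: str


Interval = Tuple[int, Optional[int], int]   # (announced, withdrawn or None, asn)


def route_intervals(updates: List[Update]) -> Dict[str, List[Interval]]:
    """Per prefix, the intervals during which it was announced."""
    open_ann: Dict[str, Tuple[int, int]] = {}
    out: Dict[str, List[Interval]] = defaultdict(list)
    for u in sorted(updates, key=lambda x: x.t):
        if u.kind == "A":
            open_ann[u.prefix] = (u.t, u.asn)
        elif u.kind == "W" and u.prefix in open_ann:
            start, asn = open_ann.pop(u.prefix)
            out[u.prefix].append((start, u.t, asn))
    for p, (start, asn) in open_ann.items():       # still announced at the end
        out[p].append((start, None, asn))
    return out


def longest_match(ip: str, intervals: Dict[str, List[Interval]],
                  at: int) -> Optional[Tuple[str, int, int, Optional[int]]]:
    """Most specific prefix announced at time `at` that covers `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ivs in intervals.items():
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        for start, end, asn in ivs:
            if start <= at and (end is None or at < end):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, asn, start, end)
    if best is None:
        return None
    net, asn, start, end = best
    return (str(net), asn, start, end)


def attribute(spam: List[Spam], updates: List[Update], short_secs: int = 3600):
    """Spam count per origin AS, spam from prefixes announced for less than
    `short_secs` (the spectrum-agility pattern), and unrouted messages."""
    ivs = route_intervals(updates)
    per_as: Counter = Counter()
    short_lived: Counter = Counter()
    unrouted = 0
    for s in spam:
        m = longest_match(s.relay_ip, ivs, s.t)
        if m is None:
            unrouted += 1            # no covering route at that time
            continue
        prefix, asn, start, end = m
        per_as[asn] += 1
        if end is not None and end - start < short_secs:
            short_lived[prefix] += 1
    return per_as, short_lived, unrouted


# Constructed BGP update log and spam arrivals.
UPDATES = [
    Update(0, "203.0.113.0/24", 64500, "A"),       # stable prefix
    Update(1000, "198.51.100.0/24", 64501, "A"),   # announced ...
    Update(1700, "198.51.100.0/24", 64501, "W"),   # ... withdrawn ~12 min later
    Update(0, "192.0.2.0/24", 64502, "A"),
    Update(500, "192.0.2.0/25", 64503, "A"),       # more-specific appears later
]
SPAM = [
    Spam(1200, "198.51.100.7"),
    Spam(1500, "198.51.100.8"),
    Spam(1800, "198.51.100.7"),    # after the withdrawal: unrouted
    Spam(2000, "203.0.113.5"),
    Spam(600, "192.0.2.9"),        # /25 wins over /24
    Spam(100, "192.0.2.9"),        # before the /25 existed: /24
]

if __name__ == "__main__":
    print(attribute(SPAM, UPDATES))
```

Time-aware matching is the point: a plain longest-prefix lookup against today's table would route the message at t=1800 to AS 64501 and hide the fact that the prefix had already been withdrawn when the spam kept arriving.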

Advantages
 A key to better and more efficient filtering
 Reporting the collected information about spam helps keep the blacklists up to date

Weaknesses
 The sinkhole cannot distinguish spam sent by the different spamming techniques
 The Bobax botnet was not measured precisely

THANK YOU