Not So Fast Flux Networks for Concealing Scam Servers
Theodore O. Cochran; James Cannady, Ph.D.
2010 Fifth International Conference on Risks and Security of Internet and Systems (CRiSIS)
Date: 2011/05/26
Reporter: Shu-Ping Yu
Advisor: Chun-Ying Huang
E-mail: b94570036@mail.ntou.edu.tw
Outline
• Introduction
• Background
• Methodology
• Experimental Result
• Limitations and Future Work
• Conclusion
Introduction
• Cyber crime on the Internet
• Fast-flux service networks (FFSNs)
  • Act as a proxy layer
  • Conceal the true identity and location of the scam servers
  • Provide high availability
  • Grow into a botnet by collecting compromised hosts
• Analyze the characteristics and trends of these networks
  • Two months of URLs taken from spam mail
  • Derive distinguishing features
Introduction (cont.)
• How significant is the spam problem?
  • Over 89% of Internet email was spam
  • On a per-recipient basis, Google Mail filtered more than 50 spam emails
• Spending on anti-spam technology
  • Over $1 billion a year
• The criminals turn a profit from the spam
Background
• A domain has numerous IP addresses
• They are swapped out quickly (honeypot example: TTL = 3 min)
• Legitimate aims: improve availability, protect against DoS, balance load
• Cyber criminals
  • Launch DDoS, transmit spam, deliver malware
  • Use the network as a proxy layer
  • A proxy that redirects => "bot"
Background (cont.)
• TTL
  • Threshold: 3600 sec
  • Benign (600~3600 sec) vs. fast-flux (lower, around 300 sec)
  • FFSNs crawled from the site: 77 vs. 45
  • 300 sec (39), 0 & 3600 sec (2), 60 & 1800 sec (1)
• Kinds of fast-flux service networks
  • Single-flux: IP addresses change
  • Double-flux: IP addresses and nameservers change
Methodology
• Data collection
  • The web mail system
  • Its spam filter was configured
  • Save embedded hyperlinks and do DNS look-ups
  • TTL is an approximate value
    • After 10 lookups (IP address not changed)
    • TTL = 30 min
  • Flux activity could have occurred without being observed
  • telnet session over port 80
  • Determine the response to the HTTP TRACE command
  • First 100 domain names in the Alexa ranking
Methodology (cont.)
• Data analysis
  • Confirm the use of a flux network
  • Isolate discrete features
  • Discover dynamic features
• Feature set
  • Number of IP addresses
  • Number of associated ASNs
  • Number of associated DNS servers
  • TTL value
  • Domain age
  • Domain registrar
Experimental Result
• Data sample
  • Over 1100 spam emails during two months
  • More than 97% contain web links
  • 391 unique domain names
• FFSNs crawled from the site
  • .com (50), .cn (2), and others
• .com domains
  • Most hosted in China (cn)
  • A few in the USA and elsewhere
Experimental Result (cont.)
• Clustering and analysis
  • Grouped by IP addresses
  • 27 domains (one IP), 2 domains (two IPs, not shared)
  • For each IP address
    • Commercial organization
    • Personal home or small business computer
  • 65 sites of the Alexa Top 100 belong to the same or a nearby ASN
Experimental Result (cont.)
• TTL value of benign domains
  • Fluxing hosts use a shorter-than-average TTL
  • Median value: 1800 sec
  • One outlier value: 604800 sec
Experimental Result (cont.)
• TTL value of scam domains
  • Median value: 3600 sec
  • Does not rule out flux
  • Not a strong feature
  • The rate of flux is not fast
Experimental Result (cont.)
• Common TTL ranging from 5 min to 24 hrs
• IP addresses rarely changed
  • Little risk of exposing the server
  • The shortest duration for use of an IP was 21 hours and the longest was 26 days
• The "mothership" monitors the proxies and swaps IPs out
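Worked example for the Methodology feature set and for the IP-lifetime result on this slide (added here; not code from the paper or from the reporter's slides): a short Python routine takes repeated DNS observations of one domain, classifies the TTL with the thresholds from the Background slide, counts IPs, ASNs and nameservers, and measures how many hours each IP stayed in use before being swapped out, which is the slow flux the slides describe. The ASN attribution, the domain names and the sample observations are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# TTL thresholds quoted on the slides: fast-flux around 300 s or lower,
# benign roughly 600..3600 s; anything else is left undecided (assumed cut-offs).
FAST_FLUX_TTL = 300
BENIGN_TTL_RANGE = (600, 3600)

@dataclass
class Observation:
    """One DNS lookup; the ASN is assumed to be attributed by a separate lookup."""
    ts: datetime
    ip: str
    asn: int
    ns: str
    ttl: int

def classify_ttl(ttl: int) -> str:
    if ttl <= FAST_FLUX_TTL:
        return "fast-flux"
    if BENIGN_TTL_RANGE[0] <= ttl <= BENIGN_TTL_RANGE[1]:
        return "benign"
    return "indeterminate"

def features(obs: list) -> dict:
    """Static counts plus hours each IP stayed in use before being swapped out."""
    obs = sorted(obs, key=lambda o: o.ts)
    lifetimes, cur_ip, since = [], obs[0].ip, obs[0].ts
    for o in obs[1:]:
        if o.ip != cur_ip:  # an IP swap is only visible across repeated lookups
            lifetimes.append((o.ts - since).total_seconds() / 3600)
            cur_ip, since = o.ip, o.ts
    return {
        "n_ips": len({o.ip for o in obs}),
        "n_asns": len({o.asn for o in obs}),
        "n_ns": len({o.ns for o in obs}),
        "ttl_class": classify_ttl(obs[-1].ttl),
        "ip_changes": len(lifetimes),
        "min_ip_lifetime_h": min(lifetimes) if lifetimes else None,
    }

# Constructed sample: a scam domain whose TTL looks benign (3600 s) but whose
# A record is swapped 21 hours in, the slow flux the slides describe.
T0, NS = datetime(2010, 6, 1), "ns1.example.invalid"
SCAM_SAMPLE = [
    Observation(T0, "198.51.100.7", 64512, NS, 3600),
    Observation(T0 + timedelta(hours=12), "198.51.100.7", 64512, NS, 3600),
    Observation(T0 + timedelta(hours=21), "203.0.113.9", 64513, NS, 3600),
    Observation(T0 + timedelta(days=5), "203.0.113.9", 64513, NS, 3600),
]
```

The TTL class alone reports "benign" for the sample, while the IP-change count and lifetime expose the swap, which is why the slides treat TTL as a weak feature on its own.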
Experimental Result (cont.)
• Scam networks grew dynamically
  • Scam Network #2: 1~5 new domain names
• Average age of a domain name when the spam mail arrived
  • Only two days
• Top 100 domains
  • Over seven years
Experimental Result (cont.)
• One fluxing proxy network shared by two scams
  • Ex: network #4 and its distinguishing features
  • domain, domain naming convention, spam email "From" line, and spam email content
• Most powerful feature: domain naming convention
Experimental Result (cont.)
• telnet to port 80 (HTTP TRACE)
  • Determine whether it was enabled on the web server and how it responded
  • Collect the error message
  • More of the error messages indicated that nginx was being used
Experimental Result (cont.)
• Summary of findings
  • Identified several features of FFSNs
    • Domain registration date
    • Growth rate of new domain names per IP
    • HTTP TRACE error messages
    • The same email address used to register the domain names
Limitations and Future Work
• The data set is too small
  • Focus specifically on patterns and anomalies
• Flux activity observed in these networks occurred over several days and even weeks
  • A shorter observation window (30 min) may miss something
• No content was actually retrieved from any of the web sites
  • No real evidence of illegal activity
• Not an objective work
• Determining the optimal combination of features
Conclusion
• Online scams advertised through spam email
• Standard Unix utilities were used for DNS and HTTP data capture
• Static and dynamic features were derived
• The networks flux very slowly at times
  • Relative immunity from shutdown attempts
  • High availability, to gain more profit from their online scams