Not So Fast Flux Networks for Concealing Scam Servers
Theodore O. Cochran; James Cannady, Ph.D.
Risks and Security of Internet and Systems (CRiSIS), 2010 Fifth International Conference on.
Date: 2011/05/26 Reporter: Shu-Ping, Yu Advisor: Chun-Ying, Huang E-mail: b94570036@mail.ntou.edu.tw

Presentation Transcript



  2. Outline
  • Introduction
  • Background
  • Methodology
  • Experimental Result
  • Limitations and Future Work
  • Conclusion

  3. Introduction
  • Cyber crime on the Internet
  • Fast-flux service networks (FFSNs)
    • Act as a proxy layer
    • Conceal the true identity and location of the scam servers
    • Provide high availability
    • Form a botnet from the compromised hosts
  • Analyze the characteristics and trends of these networks
    • Two months of URLs collected from spam mail
    • Derive distinguishing features

  4. Introduction (cont.)
  • How significant is the spam problem?
    • Over 89% of Internet email was spam
    • On a per-recipient basis, Google Mail filtered more than 50 spam emails
    • Over $1 billion a year is spent on anti-spam technology
  • The scammers turn a profit from the spam

  5. Background
  • FFSNs have numerous IP addresses
  • IP addresses are swapped out quickly (Honeypot: TTL = 3 min)
  • Improve availability, protect against DoS, balance load
  • Cyber criminals
    • Launch DDoS, transmit spam, deliver malware
    • Use the FFSN as a proxy layer
    • Proxy redirection => "bot"

  6. Background (cont.)

  7. Background (cont.)
  • TTL
    • Threshold: 3600 sec
    • Benign (600~3600 sec) vs. fast-flux (below 300 sec)
    • Crawl of FFSNs from the site: 77 vs. 45
    • 300 sec (39), 0 & 3600 sec (2), 60 & 1800 sec (1)
  • Kinds of fast-flux service networks
    • Single-flux: IP addresses
    • Double-flux: IP addresses and nameservers

  8. Methodology
  • Data collection
    • The web mail system's spam filter was configured
    • Save the embedded hyperlinks and perform DNS look-ups
    • TTL is an approximate value
    • After 10 lookups with no IP address change: TTL = 30 min
    • Flux activity could have occurred without being observed
    • telnet session over port 80 to determine the response to the HTTP TRACE command
    • First 100 domain names in the Alexa ranking

  9. Methodology (cont.)
  • Data analysis
    • Confirm the use of a flux network
    • Isolate discrete features
    • Discover dynamic features
  • Feature set
    • Number of IP addresses
    • Number of associated ASNs
    • Number of associated DNS servers
    • TTL value
    • Domain age
    • Domain registrar
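As an added worked example (not code from the paper or these slides), the Python below derives the feature set listed above from repeated DNS lookups of one host and applies the TTL thresholds from the Background slide; the lookup timestamps, IP addresses, ASNs and nameserver names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# TTL rule of thumb from the slides: fast-flux below 300 s, benign 600~3600 s
FAST_FLUX_TTL = 300
BENIGN_TTL_RANGE = (600, 3600)

@dataclass(frozen=True)
class Lookup:  # one A-record lookup of a spam-URL host (constructed sample data)
    when: datetime
    ips: frozenset
    ttl: int
    nameservers: frozenset
    asns: frozenset

def classify_ttl(ttl):
    """Apply the slide's TTL thresholds; values outside both ranges are inconclusive."""
    if ttl <= FAST_FLUX_TTL:
        return "fast-flux"
    if BENIGN_TTL_RANGE[0] <= ttl <= BENIGN_TTL_RANGE[1]:
        return "benign-range"
    return "inconclusive"

def flux_features(lookups):
    """Static features (IPs, ASNs, nameservers, TTL) plus IP dwell time and answer changes."""
    lookups = sorted(lookups, key=lambda l: l.when)
    ips = set().union(*(l.ips for l in lookups))
    asns = set().union(*(l.asns for l in lookups))
    nss = set().union(*(l.nameservers for l in lookups))
    first, last = {}, {}  # first and last time each IP was seen in an answer set
    for l in lookups:
        for ip in l.ips:
            first.setdefault(ip, l.when)
            last[ip] = l.when
    dwell_h = [(last[ip] - first[ip]).total_seconds() / 3600 for ip in ips]
    changes = sum(a.ips != b.ips for a, b in zip(lookups, lookups[1:]))  # IP swaps seen
    ttls = sorted(l.ttl for l in lookups)
    median_ttl = ttls[len(ttls) // 2]
    return {"n_ips": len(ips), "n_asns": len(asns), "n_nameservers": len(nss),
            "median_ttl": median_ttl, "ttl_class": classify_ttl(median_ttl),
            "ip_changes": changes, "min_dwell_h": min(dwell_h), "max_dwell_h": max(dwell_h)}

def constructed_sample():
    """Constructed slow-flux host polled every 6 h for 3 days with one IP swap at 48 h."""
    t0 = datetime(2011, 4, 1)
    return [Lookup(t0 + timedelta(hours=6 * i),
                   frozenset({"198.51.100.7" if i < 8 else "198.51.100.9"}), 3600,
                   frozenset({"ns1.example.invalid", "ns2.example.invalid"}),
                   frozenset({"AS64500" if i < 8 else "AS64501"}))
            for i in range(12)]
```

On the constructed sample the median TTL of 3600 s falls in the benign range, yet the dwell times and the single IP swap still reveal slow fluxing, which is the point the later TTL slides make.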

  10. Experimental Result
  • Data sample
    • Over 1100 spam emails during two months
    • More than 97% contain web links
    • 391 unique domain names
  • Crawl of FFSNs from the site
    • .com (50), .cn (2), and others
    • .com domains: most hosted in China (cn), a few in the USA and elsewhere

  11. Experimental Result (cont.)
  • Clustering and analysis
    • Grouped by IP address
    • 27 domains (one IP), 2 domains (two IPs, not shared)
    • For each IP address: a commercial organization, or a personal home or small-business computer
    • 65 sites of the Alexa Top 100 belong to the same or a nearby ASN

  12. Experimental Result (cont.)
  • TTL values of benign domains
    • Fluxing hosts use a shorter-than-average TTL
    • Median value: 1800 sec
    • One outlier value: 604800 sec

  13. Experimental Result (cont.)
  • TTL values of scam domains
    • Median value: 3600 sec
    • Does not rule out flux
    • Not a strong feature
    • The rate of flux is not fast

  14. Experimental Result (cont.)
  • Common TTLs range from 5 min to 24 hrs
  • IP addresses rarely changed
    • Little risk of exposing the server
    • The shortest duration for use of an IP was 21 hours and the longest was 26 days
  • The "mothership" monitors the proxies and swaps IPs out

  15. Experimental Result (cont.)
  • Scam networks grew dynamically
    • Scam Network #2: 1~5 new domain names
  • Average age of a domain name when it appears in spam mail
    • Scam domains: only two days
    • Alexa Top 100: over seven years

  16. Experimental Result (cont.)
  • A fluxing proxy network shared by two scams
    • Ex: network #4 and its distinguishable features
    • Domain, domain naming convention, spam email "From" line, and spam email content
  • Powerful feature: domain naming convention

  17. Experimental Result (cont.)
  • telnet to port 80 (HTTP TRACE)
    • Determine whether TRACE was enabled on the web server and how it responded
    • Collect the error message
    • More error messages indicated that nginx was being used

  18. Experimental Result (cont.)
  • Summary of findings
    • Identified several features of FFSNs
    • Domain registration date
    • Growth rate of new domain names per IP
    • HTTP TRACE error messages
    • The same email address used to register domain names

  19. Limitations and Future Work
  • The data set is too small
  • Focus specifically on patterns and anomalies
  • Flux activity observed in these networks occurred over several days and even weeks
    • A shorter observation window (30 min) may miss something
  • No content was actually retrieved from any of the web sites
    • No real evidence of illegal activity
  • Not an objective work
  • Determining the optimal combination of features

  20. Conclusion
  • Online scams advertised through spam email
  • Standard Unix utilities used for DNS and HTTP data capture
  • Static and dynamic features were derived
  • The networks flux very slowly at times
    • Relative immunity from shutdown attempts
    • High availability to gain more profit from their online scams
