CEAS 2010
Tatsuya Mori, NTT; Holly Esquivel and Aditya Akella, UW-Madison
Akihiro Shimoda and Shigeki Goto, Waseda University
Background
• Spam: no longer just a nuisance. Simply receiving all the SMTP connections can be harmful to your SMTP servers.
• Botnet: the main source of spam. Spammers can leverage a botnet at close-to-zero marginal cost ("botnet as a service"): a scalable and robust infrastructure.
Our goal: Know our enemy
• Characterizing the large-scale botnet from the Internet edge sites' view
  • Seeking "invariants" that can be used to detect them
  • Estimating the possible worst-case damage
  • Correlating locally collected information
• Feedback for anti-spam solutions
  • How effective could attacking C&C servers be?
  • How much of the entire population could a locally compiled blacklist cover?
  • How are the sources of spam skewed toward certain sites?
Our approach: Correlating multi-layer data sets collected at multiple Internet edge sites
Multilayer datasets:
• Packet-level data: timestamp, TCP fingerprint, sender IP
• SMTP: timestamp, sender IP, spam, ham
Our main target: the Srizbi botnet
• One of the world's worst spamming botnets
• Contributed roughly 50% of spam worldwide
• Full-kernel malware
• C&C shutdown: McColo takedown
Nov 11, 2008: McColo Takedown
• McColo was a "bullet-proof" hosting company. It colocated the C&C servers of Srizbi, the world's worst spamming botnet ever.
• The two upstream ISPs shut down the Internet reachability of McColo.
• Since all the C&C servers of Srizbi were colocated at McColo, the botnet became inactive as soon as the fiber was cut.
Shutdown of C&C server
[Diagram; labels: spammer, McColo, spam, Mail server]
The effect of the McColo shutdown (global Internet view)
Taken from: http://googleenterprise.blogspot.com/2008/11/fighting-spam-just-got-little-easier.html
Reduction in spam by 50-70%
Datasets
[Diagram of an Internet edge site with a Gateway Router and a Mail Server]
(1) TCP headers (tcpdump) of incoming SMTP connections
(2) SMTP logs (with spam score)
Vantage points:
• UW-Madison (SMTP, tcpdump)
• Waseda University (tcpdump)
• Enterprise in Japan (SMTP, tcpdump)
• GEMnet2: research test bed (SMTP)
• MAWI: publicly available data (tcpdump)
[Timeline figure: collection periods of the UW, CORP, GEM and MAWI data sets; tick marks at 2007/7, 2008/7, 2008/11, 2009/3 and 2009/11; the McColo shutdown is marked at 2008/11]
TCP fingerprint:
• A technique for identifying the operating system of a sender that leverages differences in TCP/IP stack implementations. We use "p0f":
  [5840:64:1:44:M*:.:] … Linux 2.4-2.6
  [65535:118:1:48:M1440,N,N,S:.] … Windows 2000 SP4, XP SP1+
  [24000:128:0:44:M536] … Srizbi [Stern 09]
• Srizbi is full-kernel malware (own TCP/IP driver)
• Stern used the technique to characterize Srizbi: H. Stern, "The Rise and Fall of Reactor Mailer", MIT Spam Conference, April 2009
SMTP logs:
• Timestamp: 2009-3-31T00:01:22
• From address: [email protected] (user part is anonymized)
• Sender IP address: ip=zzz.ww.xx.yy
• Score: [0,1]
Key contributions:
1. We evaluate the effectiveness of the C&C (McColo) shut down from Internet edge sites.
2. We reveal the long-term growth and transition of the botnet.
3. We show the differences in spam contribution from the botnet among receiver domains.
Analysis:
(1) E-mails originating from hosts infected with Srizbi
(2) Effectiveness of C&C shutdown
(3) Long-term analysis
(4) Characterizing the botnet
(1) E-mail originating from hosts infected with Srizbi (ver. 1) in a month
(2) Effectiveness of C&C shutdown
[Figure panels: ECL, Enterprise, Research Network]
(2) Spread of Srizbi: difference in space and time
(3) Long-term analysis
(4) Characterizing Srizbi
Scale estimation
Correlation/Synchronization among sites
Distribution of infected hosts
Scale estimation: mark and recapture
Target: the entire population of hosts infected with Srizbi
Vantage point A (US): Mark
Shuffle (independence of vantage points)
Vantage point B (Japan): Recapture
Fraction of red (marked) hosts in the recaptured sample = 1/8; assuming the same fraction in the population, #Total = #red × 8 = 40
[Figure label: intersection]
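The mark-and-recapture estimate illustrated on the slides above, as an added example that is not the authors' code: hosts at each vantage point are first selected by the Srizbi p0f signature from the TCP fingerprint slide, then the standard Lincoln-Petersen estimator N = |A|·|B| / |A ∩ B| is applied (the slide's "#Total = #red × 8" is this formula for the slide's numbers). The sample records, the address values and the function names are constructed for illustration.

```python
from typing import Iterable, Set, Tuple

# p0f signature the slides attribute to Srizbi ([Stern 09]).
SRIZBI_SIG = "24000:128:0:44:M536"

def srizbi_hosts(records: Iterable[Tuple[str, str]]) -> Set[str]:
    """Sender IPs whose TCP fingerprint matches the Srizbi signature."""
    return {ip for ip, sig in records if sig == SRIZBI_SIG}

def lincoln_petersen(marked: Set[str], recaptured: Set[str]) -> float:
    """Population estimate N = |A| * |B| / |A & B| from two independent
    samples: hosts 'marked' at vantage point A and 'recaptured' at B."""
    overlap = marked & recaptured
    if not overlap:
        raise ValueError("no hosts seen at both sites; estimate is unbounded")
    return len(marked) * len(recaptured) / len(overlap)

def recapture_fraction(marked: Set[str], recaptured: Set[str]) -> float:
    """Fraction of the recapture sample that was already marked
    (the 'fraction of red' on the slide)."""
    return len(marked & recaptured) / len(recaptured)

# Constructed sample records (documentation address ranges), not real data.
SITE_A = [  # vantage point A (US): the "mark" sample, 5 Srizbi hosts
    ("192.0.2.1", SRIZBI_SIG), ("192.0.2.2", SRIZBI_SIG),
    ("192.0.2.3", SRIZBI_SIG), ("192.0.2.4", SRIZBI_SIG),
    ("192.0.2.5", SRIZBI_SIG),
    ("192.0.2.9", "5840:64:1:44:M*:.:"),  # Linux sender, not counted
]
SITE_B = [  # vantage point B (Japan): the "recapture" sample, 8 Srizbi hosts
    ("192.0.2.3", SRIZBI_SIG),  # the one host also marked at A
    ("198.51.100.1", SRIZBI_SIG), ("198.51.100.2", SRIZBI_SIG),
    ("198.51.100.3", SRIZBI_SIG), ("198.51.100.4", SRIZBI_SIG),
    ("198.51.100.5", SRIZBI_SIG), ("198.51.100.6", SRIZBI_SIG),
    ("198.51.100.7", SRIZBI_SIG),
    ("198.51.100.20", "65535:118:1:48:M1440,N,N,S:."),  # Windows sender
]

def estimate_from_sites(site_a, site_b) -> Tuple[float, float]:
    """Filter both sites to Srizbi hosts, then return (N_hat, fraction)."""
    a, b = srizbi_hosts(site_a), srizbi_hosts(site_b)
    return lincoln_petersen(a, b), recapture_fraction(a, b)

if __name__ == "__main__":
    n_hat, frac = estimate_from_sites(SITE_A, SITE_B)
    print(f"fraction marked in recapture = {frac:.3f}, N_hat = {n_hat:.0f}")
```

The estimate only holds when the two vantage points sample the population independently, which is what the "shuffle" step between mark and recapture stands for; hosts that are seen at both sites because of shared timing rather than chance bias it downward.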
Size estimation and global synchronization (Apr 2008)
Correlation coefficient = 0.72
Size estimation and global synchronization (Nov 2009)
No correlation
Summary
• Temporary but significant effectiveness of the C&C attack at Internet edge sites.
• Rapid response (version transition) of the spamming botnet operation.
• Differences in spam contribution from the botnet among receiver domains: need for global analysis / localized analysis.
Future work
• Keep collecting long-term data sets on Internet edge sites
  • For finding "invariants"
  • Non-big-player viewpoints
• Toward a collaborative measurement platform
  • Publicly available spam traps for the research community
• Multilayer correlation analysis
  • E-mail servers
  • Packet traces
  • DNS
  • Honeypots / spam traps