Transcript of CEAS 2010 slides, Tatsuya Mori (NTT): …mori/talks/ceas2010slide.pdf (27 pages)

Page 1: Title

CEAS 2010

Tatsuya Mori, NTT
Holly Esquivel and Aditya Akella, UW-Madison
Akihiro Shimoda and Shigeki Goto, Waseda University

Page 2: Background

Spam: no longer just a nuisance

• Simply receiving all the SMTP connections could be harmful for your SMTP servers
• Botnet: main source of spam
  • Spammers can leverage a botnet with close-to-zero marginal cost ("botnet as a service")
  • Scalable and robust infrastructure

Page 3: Our goal: know our enemy

• Characterizing the large-scale botnet from the Internet edge sites' view
  • Seeking "invariants" that can be used to detect them
  • Estimating the possible worst-case damage
  • Correlating locally collected information
• Feedback for anti-spam solutions
  • How effective could attacking C&C servers be?
  • How much of the entire population could a locally compiled blacklist cover?
  • How are the sources of spam skewed toward certain sites?

Page 4: Our approach

• Correlating multi-layer data sets collected at multiple Internet edge sites
• Multilayer datasets:
  • Packet-level data: timestamp, TCP fingerprint, sender IP
  • SMTP logs: timestamp, sender IP, spam/ham label

Page 5: Our main target

• Botnet: Srizbi
  • One of the world's worst spamming botnets
  • Contributed roughly 50% of spam worldwide
  • Full-kernel malware
• C&C shutdown: McColo takedown

Page 6: Nov 11, 2008: McColo takedown

• McColo was a "bullet-proof" hosting company
  • It colocated the C&C servers of Srizbi, the worst spamming botnet seen up to then
• The two upstream ISPs cut off McColo's Internet reachability
• Since all of Srizbi's C&C servers were colocated at McColo, the botnet became inactive as soon as the upstream links were cut

Page 7: Shutdown of C&C server

[Diagram: spammer, C&C server hosted at McColo, spam, mail server]

Page 8: The effect of the McColo shutdown (global Internet view)

Figure taken from: http://googleenterprise.blogspot.com/2008/11/fighting-spam-just-got-little-easier.html

Reduction in spam by 50-70%

Page 9: Datasets

[Diagram of an Internet edge site: (1) TCP headers of incoming SMTP connections, captured with tcpdump at the gateway router; (2) SMTP logs (with spam score) from the mail server]

Page 10: Vantage points

• UW-Madison (SMTP, tcpdump)
• Waseda University (tcpdump)
• Enterprise in Japan (SMTP, tcpdump)
• GEMnet2: research test bed (SMTP)
• MAWI: publicly available data (tcpdump)

[Timeline figure: collection periods of the UW, CORP, GEM and MAWI datasets between 2007/7 and 2009/11 (ticks at 2008/7, 2009/3), with the McColo shutdown marked at 2008/11]

Page 11: TCP fingerprint

• A technique for identifying the operating system of a sender
  • Leverages differences between TCP/IP stack implementations
  • We use "p0f"
    [5840:64:1:44:M*:.:] … Linux 2.4-2.6
    [65535:118:1:48:M1440,N,N,S:.] … Windows 2000 SP4, XP SP1+
    [24000:128:0:44:M536] … Srizbi [Stern 09]
• Full-kernel malware (own TCP/IP driver)
• Stern used the technique to characterize Srizbi
  H. Stern, "The Rise and Fall of Reactor Mailer", MIT Spam Conference, April 2009
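The slide gives three p0f signatures but not the matching procedure. The following is an added example, not code from the slides or from p0f, showing how a p0f v2-style signature (window:ttl:df:size:options[:quirks]) is compared against the features of an observed SYN. The signature strings are the slide's (the stray trailing colon on the Linux line is dropped); the labels, the `Syn` feature record, the sample SYNs and the 40-hop TTL tolerance (`TTL_SLACK`) are assumptions made for the example, and real p0f handles many more fields and quirks.

```python
"""p0f v2-style SYN fingerprint matching (added example, not p0f's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Opts = Tuple[Tuple[str, Optional[int]], ...]

# Signatures in p0f v2 notation, window:ttl:df:size:options[:quirks].
# The three strings are taken from the slide; the labels are ours.
SIGNATURES: Dict[str, str] = {
    "5840:64:1:44:M*:.": "Linux 2.4-2.6",
    "65535:118:1:48:M1440,N,N,S:.": "Windows 2000 SP4 / XP SP1+",
    "24000:128:0:44:M536": "Srizbi [Stern 09]",
}

# Hops the packet may already have traversed when its TTL is compared with
# the signature's initial TTL (assumption; p0f applies its own rule).
TTL_SLACK = 40


@dataclass(frozen=True)
class Syn:
    """Features of one observed TCP SYN (constructed, not a real capture)."""
    window: int
    ttl: int
    df: int
    size: int        # total IP+TCP header length of the SYN, in bytes
    options: Opts    # TCP options in wire order, e.g. (("M", 1460),)


@dataclass(frozen=True)
class Signature:
    window: Optional[int]   # None = wildcard "*"
    ttl: int
    df: int
    size: Optional[int]
    options: Opts           # value None = wildcard or valueless option
    label: str


def _parse_opts(text: str) -> Opts:
    """'M1440,N,N,S' -> (('M',1440),('N',None),('N',None),('S',None))."""
    if text in ("", "."):
        return ()
    out: List[Tuple[str, Optional[int]]] = []
    for tok in text.split(","):
        kind, val = tok[0], tok[1:]
        out.append((kind, None if val in ("", "*") else int(val)))
    return tuple(out)


def parse_signature(sig: str, label: str) -> Signature:
    parts = sig.split(":")
    if len(parts) == 5:           # quirks field omitted, as on the Srizbi line
        parts.append(".")
    win, ttl, df, size, opts, _quirks = parts
    return Signature(
        window=None if win == "*" else int(win),
        ttl=int(ttl), df=int(df),
        size=None if size == "*" else int(size),
        options=_parse_opts(opts), label=label)


def matches(sig: Signature, syn: Syn) -> bool:
    """True when every non-wildcard field of sig agrees with the SYN."""
    if sig.window is not None and sig.window != syn.window:
        return False
    if not (sig.ttl - TTL_SLACK < syn.ttl <= sig.ttl):
        return False
    if sig.df != syn.df:
        return False
    if sig.size is not None and sig.size != syn.size:
        return False
    if len(sig.options) != len(syn.options):
        return False
    for (sk, sv), (pk, pv) in zip(sig.options, syn.options):
        if sk != pk or (sv is not None and sv != pv):
            return False
    return True


SIG_TABLE = [parse_signature(s, lbl) for s, lbl in SIGNATURES.items()]


def classify(syn: Syn) -> Optional[str]:
    """Label of the first matching signature, or None if nothing matches."""
    for sig in SIG_TABLE:
        if matches(sig, syn):
            return sig.label
    return None


def count_by_os(syns: Sequence[Syn]) -> Dict[str, int]:
    """Histogram of labels over a batch of SYNs (unmatched -> 'unknown')."""
    counts: Dict[str, int] = {}
    for syn in syns:
        label = classify(syn) or "unknown"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed SYNs standing in for incoming SMTP connections.
SAMPLE_SYNS = (
    Syn(5840, 52, 1, 44, (("M", 1460),)),
    Syn(65535, 110, 1, 48, (("M", 1440), ("N", None), ("N", None), ("S", None))),
    Syn(24000, 116, 0, 44, (("M", 536),)),
    Syn(24000, 116, 0, 44, (("M", 536),)),
    Syn(8192, 120, 1, 52, (("M", 1460), ("N", None), ("W", 8),
                           ("N", None), ("N", None), ("S", None))),
)

if __name__ == "__main__":
    print(count_by_os(SAMPLE_SYNS))
```

The Srizbi signature differs from the Windows one in every field except the header size, so a single SYN is enough to separate the bot's own TCP/IP driver from the host's real stack; the caveat is that the match is exact, so a bot version that changes even one option breaks the rule, which is why the slides look for the signature over the long term rather than treating one string as a permanent invariant.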

Page 12: SMTP logs

• Timestamp: 2009-3-31T00:01:22
• From address: user part is anonymized
• Sender IP address: ip=zzz.ww.xx.yy
• Score: [0,1]
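Slides 4 and 12 describe the two layers (packet-level fingerprints and SMTP logs with a spam score) that get correlated by sender IP, but not the join itself. The following is an added example, not the authors' code: it parses SMTP log lines laid out with the fields the slide lists, joins each one to the packet-level OS label recorded for the same sender IP within a short time window, and tallies per day how much mail, and how much spam, came from Srizbi-fingerprinted hosts. The textual log format, the `from=`/`ip=`/`score=` field names, the 60 s join window, the 0.5 spam threshold and the sample records (TEST-NET addresses, anonymized user parts) are all assumptions constructed for the example.

```python
"""Join SMTP log entries with packet-level fingerprints by sender IP (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

# One log line per mail, modelled on the slide's fields; layout is assumed.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2}T\d{2}:\d{2}:\d{2})\s+from=(?P<frm>\S+)"
    r"\s+ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+score=(?P<score>\d+(?:\.\d+)?)$")

JOIN_WINDOW = timedelta(seconds=60)  # max gap between SYN and log entry (assumption)
SPAM_THRESHOLD = 0.5                 # score at or above which a mail is spam (assumption)

FpIndex = Dict[str, List[Tuple[datetime, str]]]


def parse_ts(text: str) -> datetime:
    """Slide-style timestamp, month/day not zero-padded: 2009-3-31T00:01:22."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_smtp_line(line: str) -> Optional[dict]:
    """Parsed fields, or None for a malformed line (skipped, never guessed)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    score = float(m["score"])
    if not 0.0 <= score <= 1.0:      # score is defined on [0,1]
        return None
    return {"ts": parse_ts(m["ts"]), "frm": m["frm"], "ip": m["ip"], "score": score}


def index_fingerprints(records: Sequence[Tuple[str, str, str]]) -> FpIndex:
    """(ip, timestamp, os_label) from the packet layer -> ip -> [(ts, label)]."""
    idx: FpIndex = defaultdict(list)
    for ip, ts, label in records:
        idx[ip].append((parse_ts(ts), label))
    return idx


def lookup_os(idx: FpIndex, ip: str, ts: datetime) -> Optional[str]:
    """OS label of the SYN from ip closest to ts within JOIN_WINDOW, else None."""
    best: Optional[Tuple[timedelta, str]] = None
    for fp_ts, label in idx.get(ip, ()):
        gap = abs(fp_ts - ts)
        if gap <= JOIN_WINDOW and (best is None or gap < best[0]):
            best = (gap, label)
    return best[1] if best else None


def daily_srizbi_stats(smtp_lines: Sequence[str],
                       fp_records: Sequence[Tuple[str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Per day: all mails, mails from Srizbi-fingerprinted hosts, spam among those."""
    idx = index_fingerprints(fp_records)
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"total": 0, "srizbi": 0, "srizbi_spam": 0})
    for line in smtp_lines:
        rec = parse_smtp_line(line)
        if rec is None:
            continue
        day = stats[rec["ts"].date().isoformat()]
        day["total"] += 1
        if lookup_os(idx, rec["ip"], rec["ts"]) == "Srizbi":
            day["srizbi"] += 1
            if rec["score"] >= SPAM_THRESHOLD:
                day["srizbi_spam"] += 1
    return dict(stats)


# Constructed sample data: packet-layer labels and SMTP log lines.
FP_RECORDS = [
    ("192.0.2.10", "2009-3-31T00:01:20", "Srizbi"),
    ("192.0.2.11", "2009-3-31T00:02:05", "Windows XP"),
    ("192.0.2.10", "2009-4-1T09:00:00", "Srizbi"),
]
SMTP_LINES = [
    "2009-3-31T00:01:22 from=a1b2@example.net ip=192.0.2.10 score=0.98",
    "2009-3-31T00:02:07 from=c3d4@example.org ip=192.0.2.11 score=0.12",
    "2009-3-31T00:05:00 from=e5f6@example.com ip=192.0.2.12 score=0.91",
    "2009-4-1T09:00:03 from=g7h8@example.net ip=192.0.2.10 score=0.40",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for day, s in sorted(daily_srizbi_stats(SMTP_LINES, FP_RECORDS).items()):
        print(day, s)
```

The join is keyed on IP plus time rather than IP alone because a NATed or DHCP-reassigned address can carry a different host a few hours later; the window should be no wider than the typical gap between the SYN seen at the gateway router and the log line written by the mail server.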

Page 13: Key contributions

1. We evaluate the effectiveness of the C&C (McColo) shutdown from Internet edge sites.
2. We reveal the long-term growth and transition of the botnet.
3. We show the differences in spam contribution from the botnet among receiver domains.

Page 14: Analysis

(1) E-mails originating from hosts infected with Srizbi
(2) Effectiveness of C&C shutdown
(3) Long-term analysis
(4) Characterizing the botnet

Page 15: (1) E-mail originating from hosts infected with Srizbi (ver. 1) in a month

[Figure]

Page 16: (2) Effectiveness of C&C shutdown

[Figure panels: ECL, Enterprise, Research Network]

Page 17: (2) Spread of Srizbi: difference in space and time

[Figure]

Page 18: (3) Long-term analysis

[Figure]

Page 19: (4) Characterizing Srizbi

• Scale estimation
• Correlation/synchronization among sites
• Distribution of infected hosts

Page 20: Scale estimation: mark and recapture

Entire population of hosts infected with Srizbi

Page 21: Vantage point A (US): Mark

Page 22: Shuffle (independence of vantage points)

Page 23: Vantage point B (Japan): Recapture

Fraction of red (marked) hosts in the recaptured sample = 1/8, so #Total = #red × 8 = 40

[Figure label: intersection]

Page 24: Size estimation and global synchronization (Apr 2008)

Correlation coefficient = 0.72

Page 25: Size estimation and global synchronization (Nov 2009)

No correlation
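Slides 20-23 sketch the mark-and-recapture estimate (hosts fingerprinted at the US site are the "marked" set, those seen at the Japanese site the "recaptured" set, and the overlap gives the scale) and slides 24-25 compare the two sites' daily counts with a correlation coefficient. The following is an added example, not the authors' code, carrying both through: the Lincoln-Petersen estimator N = n1 · n2 / m, Chapman's bias-corrected variant, a per-day estimate over two sites, and Pearson's r between the sites' daily counts. The slide's own numbers (5 marked, 8 recaptured, 1 in common, giving 40) are reproduced; the host identifiers, the daily sets and the growth pattern are constructed for the example.

```python
"""Mark-and-recapture size estimate and cross-site synchronization (added example)."""
import math
from typing import Dict, List, Sequence, Set


def lincoln_petersen(marked: Set[str], recaptured: Set[str]) -> float:
    """N ~= n1 * n2 / m, m = marked hosts seen again at the second site."""
    m = len(marked & recaptured)
    if m == 0:
        raise ValueError("no overlap between vantage points: estimate undefined")
    return len(marked) * len(recaptured) / m


def chapman(marked: Set[str], recaptured: Set[str]) -> float:
    """Chapman's bias-corrected variant; finite even when the overlap is empty."""
    m = len(marked & recaptured)
    return (len(marked) + 1) * (len(recaptured) + 1) / (m + 1) - 1


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation coefficient of two equal-length series."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def daily_estimates(site_a: Dict[str, Set[str]],
                    site_b: Dict[str, Set[str]]) -> Dict[str, float]:
    """Lincoln-Petersen estimate for each day observed at both sites."""
    return {day: lincoln_petersen(site_a[day], site_b[day])
            for day in sorted(site_a.keys() & site_b.keys())}


def daily_counts(site: Dict[str, Set[str]], days: Sequence[str]) -> List[int]:
    return [len(site[d]) for d in days]


def synchronization(site_a: Dict[str, Set[str]],
                    site_b: Dict[str, Set[str]]) -> float:
    """Correlation of the two sites' daily counts of fingerprinted hosts."""
    days = sorted(site_a.keys() & site_b.keys())
    return pearson(daily_counts(site_a, days), daily_counts(site_b, days))


def hosts(start: int, n: int) -> Set[str]:
    """Constructed host identifiers h0000, h0001, ... (stand-ins for IPs)."""
    return {f"h{i:04d}" for i in range(start, start + n)}


# Slide 23: 5 marked at site A, 8 recaptured at site B, 1 in common -> 40.
MARKED = hosts(0, 5)
RECAPTURED = hosts(4, 8)

# Constructed daily observations at two sites: on day k site A sees hosts
# [0, 5k) and site B sees [4k, 12k), so the overlap is exactly k hosts.
DAYS = ["2008-04-01", "2008-04-02", "2008-04-03", "2008-04-04"]
SITE_A = {d: hosts(0, 5 * k) for k, d in enumerate(DAYS, start=1)}
SITE_B = {d: hosts(4 * k, 8 * k) for k, d in enumerate(DAYS, start=1)}

if __name__ == "__main__":
    print("slide example:", lincoln_petersen(MARKED, RECAPTURED), chapman(MARKED, RECAPTURED))
    print("per day:", daily_estimates(SITE_A, SITE_B))
    print("sync r =", synchronization(SITE_A, SITE_B))
```

Both estimators assume the population is closed over the window and that being seen at one site does not change the chance of being seen at the other, which is what the "shuffle" step on slide 22 stands for. If the bots' target lists are skewed toward certain receiver domains (slide 13, point 3), the overlap m is too small and the estimate is inflated, so the per-day series is worth checking against the correlation of raw counts before trusting its level.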

Page 26: Summary

• Temporary but significant effectiveness of the C&C attack, as observed at Internet edge sites
• Rapid response (version transition) of the spamming botnet operation
• Differences in spam contribution from the botnet among receiver domains: need for both global and localized analysis

Page 27: Future work

• Keep collecting long-term data sets at Internet edge sites
  • For finding "invariants"
  • Non-big-player viewpoints
  • Toward a collaborative measurement platform
  • Publicly available spam traps for the research community
• Multilayer correlation analysis
  • E-mail servers
  • Packet traces
  • DNS
  • Honeypots / spam traps