CEAS 2010 (slides: …mori/talks/ceas2010slide.pdf)
Tatsuya Mori, NTT; Holly Esquivel and Aditya Akella, UW-Madison;
Akihiro Shimoda and Shigeki Goto, Waseda University
Background spam: No longer just a nuisance
Simply accepting all incoming SMTP connections can by itself be harmful to your SMTP servers.
Botnets are the main source of spam: spammers can leverage a botnet at close-to-zero marginal cost ("botnet as a service").
For the spammer, a botnet is a scalable and robust infrastructure.
Our goal: Know our enemy
Characterizing the large-scale botnet from the viewpoint of Internet edge sites:
seeking "invariants" that can be used to detect it;
estimating the possible worst-case damage;
correlating locally collected information.
Feedback for anti-spam solutions:
How effective can attacking C&C servers be?
How much of the entire infected population can a locally compiled blacklist cover?
How skewed are the sources of spam toward certain sites?
Our approach:
Correlating multi-layer data sets collected at multiple Internet edge sites.
Multilayer datasets:
(1) Packet-level data: timestamp, TCP fingerprint, sender IP
(2) SMTP logs: timestamp, sender IP, spam/ham label
Our main target:
Botnet: Srizbi, one of the world's worst spamming botnets; it contributed roughly 50% of spam worldwide. It is full-kernel malware.
C&C shutdown: the McColo takedown.
Nov 11, 2008: McColo Takedown
McColo was a "bullet-proof" hosting company. It colocated the C&C servers of Srizbi, the worst spamming botnet the world had seen.
The two upstream ISPs cut off McColo's Internet reachability.
Since all of Srizbi's C&C servers were colocated at McColo, the botnet went inactive as soon as the upstream links were cut.
Figure: shutdown of the C&C server; diagram labels: spammer, McColo (C&C), spam, mail server.
The effect of McColo shutdown (Global Internet view)
Taken from: http://googleenterprise.blogspot.com/2008/11/fighting-spam-just-got-little-easier.html
Reduction in spam by 50-70%.
Datasets
(1) TCP headers (tcpdump) of incoming SMTP connections
(2) SMTP logs (with spam score) from the mail server
Figure: an Internet edge site with a gateway router in front of the mail server.
Vantage points:
UW-Madison (SMTP, tcpdump)
Waseda University (tcpdump)
Enterprise in Japan (SMTP, tcpdump)
GEMnet2: research test bed (SMTP)
MAWI: publicly available data (tcpdump)
Figure: collection timeline per vantage point (UW, CORP, GEM, MAWI) from 2007/7 through 2009/11, with the McColo shutdown (2008/11) marked; other ticks: 2008/7, 2009/3.
TCP fingerprint:
A technique for identifying the operating system of a sender; it leverages differences between TCP/IP stack implementations. We use "p0f".
[5840:64:1:44:M*:.:] … Linux 2.4-2.6
[65535:118:1:48:M1440,N,N,S:.] … Windows 2000 SP4, XP SP1+
[24000:128:0:44:M536] … Srizbi [Stern 09]: full-kernel malware with its own TCP/IP driver
Stern used this technique to characterize Srizbi: H. Stern, "The Rise and Fall of Reactor Mailer", MIT Spam Conference, April 2009.
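How a p0f-style signature is compared against an observed SYN, as an added example; this is not code from the talk or from p0f. The three signature strings are the ones printed on the slide; the comparison rules (a trailing `*` accepts any value for that option, the observed TTL may sit up to `MAX_HOPS` below the signature's TTL) are a simplified assumption about how p0f matches, not its exact algorithm, and the captured SYNs are constructed.

```python
"""Passive OS fingerprinting of SMTP senders from SYN parameters (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Signature layout as on the slide: window:ttl:df:syn_size:options[:quirks]
SIGNATURES = [
    ("5840:64:1:44:M*:.:", "Linux 2.4-2.6"),
    ("65535:118:1:48:M1440,N,N,S:.", "Windows 2000 SP4, XP SP1+"),
    ("24000:128:0:44:M536", "Srizbi"),
]

# Assumption: a SYN is accepted if its TTL is at most this many hops below the signature TTL.
MAX_HOPS = 40


@dataclass(frozen=True)
class SynObservation:
    """What a tcpdump trace of an incoming SMTP SYN gives us (constructed records)."""
    src_ip: str
    window: int
    ttl: int
    df: int
    syn_size: int
    options: Tuple[str, ...]  # TCP options in wire order, p0f letters: M=MSS, N=NOP, S=SACK-ok


def _option_matches(sig_opt: str, seen_opt: str) -> bool:
    # "M*" accepts any MSS; "M536" requires exactly that value; "N" and "S" are exact.
    if sig_opt.endswith("*"):
        return seen_opt.startswith(sig_opt[:-1])
    return sig_opt == seen_opt


def matches(signature: str, obs: SynObservation) -> bool:
    win, ttl, df, size, opts = signature.split(":")[:5]
    if (int(win), int(df), int(size)) != (obs.window, obs.df, obs.syn_size):
        return False
    # The TTL is decremented per hop, so only values at or below the signature TTL can match.
    if not (int(ttl) - MAX_HOPS < obs.ttl <= int(ttl)):
        return False
    sig_opts = opts.split(",") if opts else []
    if len(sig_opts) != len(obs.options):
        return False
    return all(_option_matches(s, o) for s, o in zip(sig_opts, obs.options))


def fingerprint(obs: SynObservation) -> Optional[str]:
    """Label of the first matching signature, or None if the SYN matches nothing in the table."""
    for sig, label in SIGNATURES:
        if matches(sig, obs):
            return label
    return None


# Constructed SYNs from documentation IP ranges.
CAPTURED_SYNS = [
    SynObservation("192.0.2.10", 5840, 52, 1, 44, ("M1460",)),                     # Linux, 12 hops away
    SynObservation("198.51.100.7", 65535, 118, 1, 48, ("M1440", "N", "N", "S")),   # Windows
    SynObservation("203.0.113.5", 24000, 117, 0, 44, ("M536",)),                   # Srizbi-style SYN
    SynObservation("203.0.113.9", 24000, 128, 1, 44, ("M536",)),                   # DF set: not Srizbi
]


def srizbi_senders(observations) -> list:
    """Sender IPs whose SYN matched the Srizbi signature: the set the talk tracks per site."""
    return sorted({o.src_ip for o in observations if fingerprint(o) == "Srizbi"})


if __name__ == "__main__":
    for o in CAPTURED_SYNS:
        print(o.src_ip, fingerprint(o))
    print("Srizbi senders:", srizbi_senders(CAPTURED_SYNS))
```

The last record shows why the whole tuple matters: same window and MSS as Srizbi, but with the DF bit set it is not counted, so a fingerprint built from the window size alone would over-count the botnet.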
SMTP logs:
Timestamp: 2009-3-31T00:01:22
From address: user part is anonymized
Sender IP address: ip=zzz.ww.xx.yy
Score: [0,1]
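Joining the two layers described on the last slides (Srizbi-fingerprinted sender IPs from the packet trace, spam scores from the SMTP log), as an added example that is not the talk's own analysis code. The one-line log layout is an assumption built from the fields listed on the slide, the log lines are constructed, the spam threshold of 0.5 on the [0,1] score is an assumption, and the Srizbi IP set is given directly here instead of coming from p0f.

```python
"""Per-day share of spam that came from fingerprinted Srizbi hosts (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

SPAM_THRESHOLD = 0.5  # assumption: score >= 0.5 is treated as spam

# Assumed layout: <timestamp> from=<address> ip=<dotted quad> score=<float in [0,1]>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2}T\d{2}:\d{2}:\d{2}) from=(?P<from>\S+) "
    r"ip=(?P<ip>\d+\.\d+\.\d+\.\d+) score=(?P<score>[01](?:\.\d+)?)$"
)

# Constructed log lines; the slide's timestamp style (unpadded month/day) is kept.
SAMPLE_LOG = """\
2009-3-31T00:01:22 from=user1@example.com ip=203.0.113.5 score=0.97
2009-3-31T00:03:10 from=user2@example.org ip=198.51.100.7 score=0.12
2009-3-31T01:15:41 from=user3@example.net ip=203.0.113.5 score=0.88
2009-3-31T02:00:00 from=user4@example.com ip=192.0.2.10 score=0.91
2009-4-1T00:00:05 from=user5@example.com ip=203.0.113.9 score=0.70
this line is malformed and is skipped
"""

# Sender IPs whose SYN matched the Srizbi fingerprint at the gateway (given, not computed here).
SRIZBI_IPS: Set[str] = {"203.0.113.5", "203.0.113.9"}


@dataclass(frozen=True)
class MailRecord:
    ts: datetime
    sender: str
    ip: str
    score: float

    @property
    def is_spam(self) -> bool:
        return self.score >= SPAM_THRESHOLD


def parse_log(text: str) -> List[MailRecord]:
    """Parse the assumed layout; malformed lines are dropped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        records.append(MailRecord(ts, m["from"], m["ip"], float(m["score"])))
    return records


def srizbi_share(records: List[MailRecord], srizbi_ips: Set[str]) -> Dict[str, Dict[str, int]]:
    """Per day: spam count, the part sent by Srizbi-fingerprinted hosts, and how many such hosts."""
    acc = defaultdict(lambda: {"spam": 0, "srizbi_spam": 0, "hosts": set()})
    for r in records:
        if not r.is_spam:
            continue
        day = r.ts.date().isoformat()
        acc[day]["spam"] += 1
        if r.ip in srizbi_ips:
            acc[day]["srizbi_spam"] += 1
            acc[day]["hosts"].add(r.ip)
    return {
        day: {"spam": v["spam"], "srizbi_spam": v["srizbi_spam"], "srizbi_hosts": len(v["hosts"])}
        for day, v in acc.items()
    }


if __name__ == "__main__":
    for day, row in sorted(srizbi_share(parse_log(SAMPLE_LOG), SRIZBI_IPS).items()):
        print(day, row)
```

Keeping the distinct-host count next to the message count matters for the later analysis: a few infected hosts can send most of a site's spam, so message volume alone says little about population size.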
Key contributions:
1. We evaluate the effectiveness of the C&C (McColo) shutdown as seen from Internet edge sites.
2. We reveal the long-term growth and transition of the botnet.
3. We show how the botnet's contribution to spam differs among receiver domains.
Analysis:
(1) E-mails originating from hosts infected with Srizbi
(2) Effectiveness of C&C shutdown
(3) Long-term analysis
(4) Characterizing the botnet
(1) E-mail originating from hosts infected with Srizbi (ver. 1) in a month (figure)
(2) Effectiveness of C&C shutdown
Figure panels: ECL, Enterprise, Research Network.
(2) Spread of Srizbi: difference in space and time
(3) Long-term analysis (figure)
(4) Characterizing Srizbi
Scale estimation
Correlation/Synchronization among sites
Distribution of infected hosts
Scale estimation: mark and recapture, to estimate the entire population of hosts infected with Srizbi.
Vantage point A (US): Mark
Shuffle (independence of vantage points)
Vantage point B (Japan): Recapture
The fraction of red (marked) hosts in B's sample is 1/8; taking it as the fraction in the whole population gives #Total = #red × 8 = 40. (Figure label: intersection.)
Size estimation and global synchronization (Apr 2008)
Correlation coefficient = 0.72
Size estimation and global synchronization (Nov 2009)
No correlation
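The two computations behind slides 20 to 25, as an added example that is not the talk's own code: the Lincoln-Petersen mark-and-recapture estimate (with its Chapman bias correction) from the Srizbi IP sets of two vantage points, and the Pearson correlation of the two sites' daily counts as the synchronization check. The IP sets are constructed to reproduce the slide's toy numbers (5 marked hosts, one in eight recaptured, estimate 40); the daily series are constructed too, one pair moving together and one not, so that the contrast between the 0.72 of April 2008 and the absence of correlation in November 2009 has a concrete shape.

```python
"""Mark-and-recapture size estimate and cross-site synchronization (added example)."""
import math
from typing import Sequence, Set

# Constructed: Srizbi-fingerprinted sender IPs seen at vantage point A (US): 5 hosts, "marked".
SITE_A: Set[str] = {f"203.0.113.{i}" for i in range(1, 6)}
# Constructed: the same fingerprint at vantage point B (Japan): 8 hosts, exactly one also seen at A.
SITE_B: Set[str] = {"203.0.113.3"} | {f"198.51.100.{i}" for i in range(1, 8)}


def lincoln_petersen(marked: Set[str], recaptured: Set[str]) -> float:
    """N ~ n1 * n2 / m. Assumes being seen at A does not change the chance of being seen at B,
    which is what the talk's shuffle test is there to check."""
    m = len(marked & recaptured)
    if m == 0:
        raise ValueError("no overlap between sites: the estimate is unbounded")
    return len(marked) * len(recaptured) / m


def chapman(marked: Set[str], recaptured: Set[str]) -> float:
    """Bias-corrected variant; stays finite even when the two sites share no host."""
    m = len(marked & recaptured)
    return (len(marked) + 1) * (len(recaptured) + 1) / (m + 1) - 1


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Correlation of two sites' daily Srizbi-SYN counts; near 1 means the bots each site
    sees rise and fall together, i.e. one globally driven campaign."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0 or sy == 0:
        return float("nan")  # a flat series has no direction to correlate with
    return cov / (sx * sy)


# Constructed daily counts over one week at two sites.
DAILY_SYNC = ([120, 340, 310, 90, 400, 380, 60], [60, 170, 150, 40, 210, 190, 30])
DAILY_NOSYNC = ([120, 340, 310, 90, 400, 380, 60], [200, 60, 350, 180, 50, 300, 120])


if __name__ == "__main__":
    print("Lincoln-Petersen:", lincoln_petersen(SITE_A, SITE_B))
    print("Chapman:", chapman(SITE_A, SITE_B))
    print("synchronized pair r =", round(pearson(*DAILY_SYNC), 3))
    print("unsynchronized pair r =", round(pearson(*DAILY_NOSYNC), 3))
```

A local blacklist answers the question on slide 3 in the same numbers: site B's own list covers 8 of an estimated 40 hosts, so a blacklist compiled at one edge site sees only a fraction of the population and the estimate, not the list size, is what bounds the worst case.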
Summary
• Temporary but significant effect of the C&C attack, as seen at Internet edge sites.
• Rapid response (version transition) of the spamming botnet operation.
• The botnet's contribution to spam differs among receiver domains, which calls for both global and localized analysis.
Future work
Keep collecting long-term data sets at Internet edge sites, for finding "invariants" and for non-big-player viewpoints.
Toward a collaborative measurement platform: publicly available spam traps for the research community.
Multilayer correlation analysis: e-mail servers, packet traces, DNS, honeypots / spamtraps.