Transcript FluXOR: Detecting and Monitoring Fast

Not So Fast Flux Networks for
Concealing Scam Servers
Theodore O. Cochran; James Cannady, Ph.D.
Risks and Security of Internet and Systems (CRiSIS), 2010 Fifth
International Conference on
Date: 2011/05/26
Reporter: Shu-Ping, Yu
Advisor: Chun-Ying, Huang
E-mail: [email protected]
1
Outline
•
•
•
•
•
•
Introduction
Background
Methodology
Experimental Result
Limitations and Future Work
Conclusion
2
Introduction
• Cyber crime on the Internet
• Fast-flux service networks (FFSNs)
– As a proxy layer
• Conceal the true identity and location of their servers
• High availability
– Become a botnet and collect the compromised hosts
• Analyze characteristics and trends of networks
– Two month from Spam mail URL
– Derive distinguishing features
3
Introduction (cont.)
• How significant is the spam problem?
– Over 89% of Internet email was spam
– On a per recipient basis
• Google Mail filtered more than 50 spam emails
• Spent on anti-spam technology
– Over $1 billion a year
– Turns the profit from the spam
4
Background
• Have numerous IP addresses
– Swap out quickly (Honeypot: TTL=3min)
– Improve availability, protect against DoS, loading
balanced
• Cyber criminals
– Launch DDoS, transmit spam, deliver malware
– As a proxy layer
– Proxy redirected => “bot”
5
Background (cont.)
6
Background (cont.)
• TTL
– Threshold 3600 sec
– Benign(600~3600 sec) vs. fast-flux(lower 300 sec)
– Crawl FFSNs from the site: 77 vs. 45
• 300sec(39), 0&3600sec(2), 60&1800sec(1)
• Kind of fast-flux service netwoks
– Single-flux: IP addresses
– Double-flux: IP addresses and nameserver
7
Methodology
• Data Collection
– The web mail system
• Its spam filter was configured
• Save embedded hyperlinks and do DNS look-ups
– TTL is a approximate value
• After 10 times (IP address not change)
• TTL=30min
• Flux activity could have occurred without being observed
– telnet session over port 80
• determine the response to the HTTP TRACE command
– First 100 domain names in the Alexa
8
Methodology (cont.)
• Data Analysis
–
–
–
–
Confirm the use of a flux network
Isolate discrete features
Discover dynamic features
Feature set
• Number of IP addresses
• Number of associated ASNs
• Number of associated DNS servers
• TTL value
• Domain age
• Domain registrar
9
Experimental Result
• Data sample
–
–
–
–
Over 1100 spam emails during two month
More than 97% contain web links
391 unique domain names
Crawl FFSNs from the site
• .com(50), .cn(2), and others
• .com domains
– Most in China (cn)
– A few in USA and others
10
Experimental Result (cont.)
• Clustering and Analysis
– Grouped by IP addresses
• 27 domains (one IP), 2 domains (two IP and not shared)
– For each IP address
• Commercial organization
• Personal home or small business computer
• 65 sites of Alexa Top belong to same or near ASN
11
Experimental Result (cont.)
• TTL value of benign
– Fluxing hosts use shorter than average TTL
– Median value
• 1800sec
– One outlier value
• 604800 sec
12
Experimental Result (cont.)
• TTL value of scam
– Median value
• 3600sec
– Do not rule out flux
– Not strong feature
– The rate of flux not fast
13
Experimental Result (cont.)
• Common TTL ranging from 5min to 24 hrs
– IP addresses rarely changed
– Little risk of exposing the server
• The shortest duration for use of an IP was 21
hours and the longest was 26 days
– “mothership” will monitor and swap IP out
14
Experimental Result (cont.)
• Scam network grew dynamically
• Scam Network #2: 1~5 new domain name
• Average age of domain name vs. spam mail
– Only two days
• Top 100
– Over seven years
15
Experimental Result (cont.)
• A fluxing proxy network by two scams
– Ex: network #4 and distinguishable features
• domain, domain naming convention, spam email
“From” line, and spam email content
• Powerful feature: domain naming convention
Experimental Result (cont.)
• telnet to port 80 (HTTP TRACE)
– Determine it was enabled on the web server and
respond
– Collect the error message
– More error message indicated the nginx was be using
17
Experimental Result (cont.)
• Summary of Finding
– Identify several feature for FFSNs
• Domain registration date
• Growth rate of new domain names per IP
• HTTP TRACE error messages
• Same email address be use to register domain name
18
Limitations and Future Work
• The data set is too small
– Focus specifically on patterns and anomalies
• Flux activity observed in these networks
occurred over several days and even weeks
– Shorter duration(30min) may miss something
• No content was actually retrieved from any of
the web sites
– No real evidence of illegal activity
– Not an objective work
– Determining the optimal combination of features19
Conclusion
• Online scam advertised through spam email
• Use standard Unix utilities for DNS and HTTP
data capture
• Static and dynamic features were derived
• The networks flux very slowly at times
– Relative immunity from shutdown attempts
– For high availability to gain more profit from their
online scams
20