Page 1

Not So Fast Flux Networks for Concealing Scam Servers

Theodore O. Cochran; James Cannady, Ph.D.
Risks and Security of Internet and Systems (CRiSIS), 2010 Fifth International Conference on

Date: 2011/05/26
Reporter: Shu-Ping, Yu
Advisor: Chun-Ying, Huang
E-mail: [email protected]

Page 2

Outline

• Introduction
• Background
• Methodology
• Experimental Result
• Limitations and Future Work
• Conclusion

Page 3

Introduction

• Cyber crime on the Internet
• Fast-flux service networks (FFSNs)
  – As a proxy layer
    • Conceal the true identity and location of their servers
    • High availability
  – Become a botnet and collect the compromised hosts
• Analyze characteristics and trends of these networks
  – Two months of URLs taken from spam mail
  – Derive distinguishing features

Page 4

Introduction (cont.)

• How significant is the spam problem?
  – Over 89% of Internet email was spam
  – On a per-recipient basis
    • Google Mail filtered more than 50 spam emails
• Spending on anti-spam technology
  – Over $1 billion a year
  – Spam still turns a profit

Page 5

Background

• Fast-flux networks have numerous IP addresses
  – Swapped out quickly (Honeypot: TTL = 3 min)
  – Improve availability, protect against DoS, load balancing
• Cyber criminals
  – Launch DDoS, transmit spam, deliver malware
  – As a proxy layer
  – Proxy redirected => “bot”

Page 6

Background (cont.)

Page 7

Background (cont.)

• TTL
  – Threshold: 3600 sec
  – Benign (600~3600 sec) vs. fast-flux (300 sec or lower)
  – Crawled FFSNs from the site: 77 vs. 45
    • 300 sec (39), 0 & 3600 sec (2), 60 & 1800 sec (1)
• Kinds of fast-flux service networks
  – Single-flux: IP addresses
  – Double-flux: IP addresses and nameservers

Page 8

Methodology

• Data Collection
  – The web mail system
    • Its spam filter was configured
    • Save embedded hyperlinks and do DNS look-ups
  – TTL is an approximate value
    • After 10 look-ups with no IP address change
    • TTL = 30 min
    • Flux activity could have occurred without being observed
  – telnet session over port 80
    • Determine the response to the HTTP TRACE command
  – First 100 domain names in the Alexa ranking

Page 9

Methodology (cont.)

• Data Analysis
  – Confirm the use of a flux network
  – Isolate discrete features
  – Discover dynamic features
  – Feature set
    • Number of IP addresses
    • Number of associated ASNs
    • Number of associated DNS servers
    • TTL value
    • Domain age
    • Domain registrar
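The feature set on this slide, computed over repeated DNS look-ups of one spam-advertised domain with the TTL thresholds from the Background slides applied; this is an added example, not the paper's or the reporter's code. The look-up records, addresses, ASNs, nameservers and registration date are constructed, and the ASN and WHOIS inputs are assumed to come from separate look-ups.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass(frozen=True)
class Lookup:  # one DNS look-up of a spam-advertised domain (constructed record)
    ts: datetime      # when the look-up ran
    ips: frozenset    # A records returned
    ttl: int          # TTL (seconds) on those A records
    asns: frozenset   # ASN of each IP (assumed resolved separately, e.g. via whois)
    ns: frozenset     # nameservers seen for the domain
FAST_FLUX_TTL = 300       # slide 7: fast-flux TTLs are 300 s or lower
BENIGN_TTL = (600, 3600)  # slide 7: benign TTLs fall in 600..3600 s

def ttl_class(ttl):
    """Bucket a TTL with the thresholds from the Background slides."""
    if ttl <= FAST_FLUX_TTL:
        return "fast-flux"
    return "benign" if BENIGN_TTL[0] <= ttl <= BENIGN_TTL[1] else "other"

def ip_usage_hours(lookups):
    """Hours each IP stayed in rotation (first seen -> last seen)."""
    seen = {}
    for lk in sorted(lookups, key=lambda x: x.ts):
        for ip in lk.ips:
            seen[ip] = (seen.get(ip, (lk.ts,))[0], lk.ts)
    return {ip: (last - first) / timedelta(hours=1) for ip, (first, last) in seen.items()}

def features(lookups, registered, first_spam):
    """Slide 9 feature set plus flux-rate signals; lookups in time order, registered = WHOIS creation date."""
    ttl_med = median(lk.ttl for lk in lookups)
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if a.ips != b.ips)
    return {
        "n_ips": len(set().union(*(lk.ips for lk in lookups))),
        "n_asns": len(set().union(*(lk.asns for lk in lookups))),
        "n_ns": len(set().union(*(lk.ns for lk in lookups))),
        "ttl_median": ttl_med,
        "ttl_class": ttl_class(ttl_med),
        "domain_age_days": (first_spam - registered).days,
        "ip_changes": changes,
        "min_ip_hours": min(ip_usage_hours(lookups).values()),
        # IPs did change, but the TTL alone would not flag it: "not so fast" flux
        "slow_flux": changes > 0 and ttl_med > FAST_FLUX_TTL,
    }
START = datetime(2011, 3, 1)
# Constructed: look-ups every 30 min for two days; one IP/ASN held ~22 h, then swapped.
SCAM = [Lookup(START + timedelta(minutes=30 * i), frozenset({"203.0.113.10" if i < 44 else "198.51.100.7"}),
               3600, frozenset({"AS64501" if i < 44 else "AS64502"}), frozenset({"ns1.example.net", "ns2.example.net"}))
        for i in range(96)]
SCAM_FEATURES = features(SCAM, registered=datetime(2011, 2, 27), first_spam=START)
```

With a 3600 s TTL the domain lands in the benign bucket, yet the IP and ASN still changed after about a day, which is the slow flux the results slides describe.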

Page 10

Experimental Result

• Data sample
  – Over 1100 spam emails during two months
  – More than 97% contain web links
  – 391 unique domain names
  – Crawled FFSNs from the site
    • .com (50), .cn (2), and others
• .com domains
  – Most in China (cn)
  – A few in the USA and elsewhere

Page 11

Experimental Result (cont.)

• Clustering and Analysis
  – Grouped by IP addresses
    • 27 domains (one IP), 2 domains (two IPs, not shared)
  – For each IP address
    • Commercial organization
    • Personal home or small business computer
    • 65 sites of the Alexa Top 100 belong to the same or a nearby ASN

Page 12

Experimental Result (cont.)

• TTL value of benign domains
  – Fluxing hosts use a shorter-than-average TTL
  – Median value
    • 1800 sec
  – One outlier value
    • 604800 sec

Page 13

Experimental Result (cont.)

• TTL value of scam domains
  – Median value
    • 3600 sec
  – Does not rule out flux
  – Not a strong feature
  – The rate of flux is not fast

Page 14

Experimental Result (cont.)

• Common TTL ranging from 5 min to 24 hrs
  – IP addresses rarely changed
  – Little risk of exposing the server
• The shortest duration for use of an IP was 21 hours and the longest was 26 days
  – The “mothership” monitors the IPs and swaps them out

Page 15

Experimental Result (cont.)

• Scam networks grew dynamically
• Scam Network #2: 1~5 new domain names
• Average age of domain name vs. spam mail
  – Only two days
• Top 100
  – Over seven years

Page 16

Experimental Result (cont.)

• A fluxing proxy network shared by two scams
  – Ex: network #4 and its distinguishable features
    • domain, domain naming convention, spam email “From” line, and spam email content
• Powerful feature: domain naming convention

Page 17

Experimental Result (cont.)

• telnet to port 80 (HTTP TRACE)
  – Determine whether it was enabled on the web server and how it responded
  – Collect the error message
  – More error messages indicated that nginx was being used

Page 18

Experimental Result (cont.)

• Summary of Findings
  – Identified several features for FFSNs
    • Domain registration date
    • Growth rate of new domain names per IP
    • HTTP TRACE error messages
    • Same email address used to register domain names

Page 19

Limitations and Future Work

• The data set is too small
  – Focus specifically on patterns and anomalies
• Flux activity observed in these networks occurred over several days and even weeks
  – A shorter observation window (30 min) may miss something
• No content was actually retrieved from any of the web sites
  – No real evidence of illegal activity
  – Not an objective of this work
  – Determining the optimal combination of features

Page 20

Conclusion

• Online scams advertised through spam email
• Used standard Unix utilities for DNS and HTTP data capture
• Static and dynamic features were derived
• The networks flux very slowly at times
  – Relative immunity from shutdown attempts
  – High availability, to gain more profit from their online scams