SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam



Similar documents
Monitoring the Abuse of Open Proxies for Sending Spam

Preventing your Network from Being Abused by Spammers

Spampots Project First Results of the International Phase and its Regional Utilization

Use of Honeypots for Network Monitoring and Situational Awareness

honeytarg Chapter Activities

Spampots Project Mapping the Abuse of Internet Infrastructure by Spammers

Information Security Awareness Videos

Development of an IPv6 Honeypot

CERT.br Incident Handling and Network Monitoring Activities

The Global ecrime Outlook CERT.br National Report

A Multistakeholder Effort to Reduce Spam The Case of Brazil

Distributed Honeypots Project: How It s Being Useful for CERT.br

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

CERT.br: Mission and Services

Challenges and Best Practices in Fighting Financial Fraud in Brazil

Incident Response and Early Warning Initiatives in Brazil

Phishing and Banking Trojan Cases Affecting Brazil

Cybersecurity and Incident Response Initiatives: Brazil and Americas

Incident Handling in Brazil

Evolution of Financial Fraud in Brazil

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

Fraud and Phishing Scam Response Arrangements in Brazil

A Campaign-based Characterization of Spamming Strategies

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

Incident Handling and Internet Security in Brazil

Dynamic Honeypot Construction

Port evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently.

Spamming Chains: A New Way of Understanding Spammer Behavior

Mauro Andreolini University of Modena Michele Colajanni. unimore.

SPAM: 101 Cause and Effect

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Hosted CanIt. Roaring Penguin Software Inc. 26 April 2011

Internet Governance and Regulation in ICLAC - A Review

Solution Brief FortiMail for Service Providers. Nathalie Rivat

Taxonomy of Hybrid Honeypots

Proxies. Chapter 4. Network & Security Gildas Avoine

Best of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye

SonicWALL Security Quick Start Guide. Version 4.6

CALNET 3 Category 7 Network Based Management Security. Table of Contents

QUICK START GUIDE. Cisco C170 Security Appliance

F-Secure Messaging Security Gateway. Deployment Guide

A Guide to New Features in Propalms OneGate 4.0

Countermeasure for Detection of Honeypot Deployment

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

D m i t r y S l i n k o v, C I S M SWISS C Y B E R S TO R M Black market of cybercrime in Russia

Introduction to Computer Security Benoit Donnet Academic Year

Using cyber intelligence to detect and localize botnets. ENRICO BRANCA Botconf' December 2013, Nantes, France.

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Chapter 4 Restricting Access From Your Network

Chapter 3 Restricting Access From Your Network

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewall Firewall August, 2003

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Copyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Promoting Network Security (A Service Provider Perspective)

Securing the system using honeypot in cloud computing environment

How To Integrate Hosted Security With Office 365 And Microsoft Mail Flow Security With Microsoft Security (Hes)

FortiMail Filtering Course 221-v2.2 Course Overview

OpenBSD in the wild...a personal journey

Network Security Fundamentals

About Botnet, and the influence that Botnet gives to broadband ISP

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

Network Service, Systems and Data Communications Monitoring Policy

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Intercept Anti-Spam Quick Start Guide

A Whirlwind Introduction to Honeypots

12. Firewalls Content

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

F5 provides a secure, agile, and optimized platform for Microsoft Exchange Server 2007 deployments

GregSowell.com. Mikrotik Security

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Deploying Layered Security. What is Layered Security?

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

Load Balance Mechanism

Volume 2, Issue 3, March 2014 International Journal of Advance Research in Computer Science and Management Studies

4 Messaging Technology

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Linux Network Security

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

Chapter 11 Cloud Application Development

NETWORK SECURITY HACKS *

Malicious Network Traffic Analysis

CSM-ACE 2014 Cyber Threat Intelligence Driven Environments

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

CYBEROAM UTM s. Outbound Spam Protection Subscription for Service Providers. Securing You. Our Products.

Device Log Export ENGLISH

A Domain Name for your PC

Lab 3: Recon and Firewalls

Flow Analysis Versus Packet Analysis. What Should You Choose?

PineApp Anti IP Blacklisting

OnCommand Performance Manager 1.1

Network Services Internet VPN

Transcription:

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam Marcelo H. P. C. Chaves mhp@cert.br CERT.br Computer Emergency Response Team Brazil NIC.br Network Information Center Brazil CGI.br Brazilian Internet Steering Committee FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 1/28

About CERT.br Created in 1997 to handle computer security incident reports and activities related to networks connected to the Internet in Brazil. National focal point for reporting security incidents Establishes collaborative relationships with other entities Helps new CSIRTs to establish their activities Provides training in incident handling Provides statistics and best practices documents Helps raise the security awareness in the country http://www.cert.br/mission.html FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 2/28

CGI.br Structure 01- Ministry of Science and Technology 02- Ministry of Communications 03- Presidential Cabinet 04- Ministry of Defense 05- Ministry of Development, Industry and Foreign Trade 06- Ministry of Planning, Budget and Management 07- National Telecommunications Agency 08- National Council of Scientific and Technological Development 09- National Forum of Estate Science and Technology Secretaries 10- Internet Expert 11- Internet Service Providers 12- Telecom Infrastructure Providers 13- Hardware and Software Industries 14- General Business Sector Users 15- Non-governamental Entity 16- Non-governamental Entity 17- Non-governamental Entity 18- Non-governamental Entity 19- Academia 20- Academia 21- Academia FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 3/28

Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee CGI.br, the main attributions are: to propose policies and procedures related to the regulation of the Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 4/28

Agenda Motivation The SpamPots Project End User Abuse Scenario Architecture Honeypots Server Statistics Future Work References FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 5/28

Motivation The Nature of the Problem Spam is a source of malware/phishing decrease in productivity increase in infrastructure costs Congress and regulators Are pressed by the general public to do something about it Have several questionable law projects to consider Don t have data that show the real spam scenario FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 6/28

Motivation (2) Different Views, Different Data What we hear Open proxies are not an issue anymore Only botnets are used nowadays to send/relay spam Brazil is a big source of spam Our data Spam complaints related to open proxy abuse have increased in the past few years Scans for open proxies are always in the top 10 ports in our honeypots network statistics http://www.honeypots-alliance.org.br/stats/ FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 7/28

Motivation (3) Still Lots of Questions How to convince business people of possible mitigation measures needs/effectiveness? Port 25 management, e-mail reputation, etc Who is abusing our infrastructure? And How? Do we have national metrics or only international? How can we gather data and generate metrics to help the formulation of policies and the understanding of the problem? Need to better understand the problem and have more data about it FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 8/28

The SpamPots Project Supported by the CGI.br/NIC.br as part of the Anti-spam Commission work Deployment of low-interaction honeypots, emulating open proxy/relay services and capturing spam 10 honeypots in 5 different broadband providers 2 Cable and 3 ADSL 1 residential an 1 business connection each Measure the abuse of end-user machines to send spam FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 9/28

End User Abuse Scenario End users broadband computers Computer with Open Proxy Victim Victim Computer with Open Proxy Mail Server 1 Victim spammer Computer with Open Proxy Victim Mail Server N Computer with Open Proxy Victim Victim FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 10/28

The Architecture of the Project End users broadband computers Server: Collects data daily; Monitors the honeypots resources. Honeypot emulating an Open Proxy Computer with Open Proxy Victim spammer Honeypot emulating an Open Proxy Mail Server 1 Victim Computer with Open Proxy Mail Server N Victim FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 11/28

The Low-Interation Honeypots OpenBSD as the base OS good proactive security features pf packet filter: stateful, integrated queueing (ALTQ), port redirection logs in libpcap format: allows passive fingerprinting Honeyd emulating services Niels Provos SMTP and HTTP Proxy emulator (with minor modifications) SOCKS 4/5 emulator written by ourselves pretends to connect to the final SMTP server destination and starts receiving the emails doesn t deliver the emails Fools spammers confirmation attempts FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 12/28

Server Collects and stores data from honeypots initiates transfers through ssh connections uses rsync over ssh to copy spam from the honeypots Performs status checks in all honeypots daemons, ntp, disk space, load, rsync status Web page interface honeypot status emails stats: daily, last 15min MRTG: bandwidth, ports used, emails/min, etc FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 13/28

Statistics FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 14/28

Statistics period 2006-06-10 to 2007-07-31 days 417 emails captured 480.120.724 recipients 4.307.010.941 avg. recpts/email 8.97 avg. emails/day 1.151.368 unique IPs seen 209.327 unique ASNs 2.966 unique CCs 164 FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 15/28

Spams captured / day FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 16/28

Most frequent ASNs Top 10 emails/asn: # ASN AS Name % 01 9924 TFN-TW Taiwan Fixed Network / TW 33.77 02 3462 HINET Data Communication / TW 24.35 03 17623 CNCGROUP-SZ CNCGROUP / CN 12.97 04 4780 SEEDNET Digital United / TW 10.04 05 9919 NCIC-TW / TW 1.91 06 4837 CHINA169-BACKBONE CNCGROUP / CN 1.77 07 33322 NDCHOST / US 1.73 08 4134 CHINANET-BACKBONE / CN 1.29 09 7271 LOOKAS - Look Communications / CA 1.17 10 18429 EXTRALAN-TW / TW 1.08 FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 17/28

Most frequent ASNs (2) FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 18/28

Most frequent CCs Top 10 emails/cc: # emails CC % 01 354.042.709 TW 73.74 02 77.922.019 CN 16.23 03 26.384.260 US 5.50 04 6.680.596 CA 1.39 05 3.712.431 KR 0.77 06 3.491.197 JP 0.73 07 3.085.048 HK 0.64 08 932.330 DE 0.19 09 771.130 BR 0.16 10 617.714 UA 0.13 FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 19/28

Most frequent CCs (2) FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 20/28

Most frequent CCs (3) FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 21/28

TCP Ports Abused Over the Period TCP ports used: # TCP Port protocol used by % 01 8080 HTTP alt http 36.66 02 1080 SOCKS socks 36.62 03 80 HTTP http 11.24 04 3128 HTTP Squid 6.14 05 8000 HTTP alt http 2.03 06 6588 HTTP AnalogX 1.77 07 25 SMTP smtp 1.54 08 3127 SOCKS MyDoom 1.09 09 81 HTTP alt http 1.02 10 4480 HTTP Proxy+ 0.95 11 3382 HTTP Sobig.f 0.93 FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 22/28

TCP Ports Abused Over the Period (2) FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 23/28

Source Operating Systems used tcpdump/pf.os used to fingerprint the OS of hosts originating IPv4 TCP connections # emails Src OS % 01 310.084.662 Windows 64.58 02 168.224.476 Unknown 35.04 03 1.569.739 Unix 0.33 04 241.847 Other 0.05 http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 24/28

Source Operating Systems used (2) FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 25/28

Future Work FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 26/28

Future Work Comprehensive spam analysis using Data Mining techniques determine patterns in language, embedded URLs, etc phishing and other online crime activities Propose best practices to ISPs port 25 management proxy abuse monitoring International cooperation FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 27/28

References This presentation can be found at: http://www.cert.br/docs/presentations/ Computer Emergency Response Team Brazil CERT.br http://www.cert.br/ NIC.br http://www.nic.br/ Brazilian Internet Steering Comittee CGI.br http://www.cgi.br/ OpenBSD http://www.openbsd.org/ Honeyd http://www.honeyd.org/ Brazilian Honeypots Alliance http://www.honeypots-alliance.org.br/ FIRST Technical Colloquium, Kuala Lumpur, Malaysia August 22 24, 2007 p. 28/28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information