Basheer Al-Duwairi Jordan University of Science & Technology



Similar documents
Basheer Al-Duwairi Jordan University of Science & Technology

Creating "Origin Pull" on Akamai (1)

Domain Name Abuse Detection. Liming Wang

Content Delivery Networks. Shaxun Chen April 21, 2009

Distributed Systems. 23. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2015

Shell over what?! Naughty CDN manipulations. Roee Cnaan, Information Security Consultant

Internet Content Distribution

How To Understand The Power Of A Content Delivery Network (Cdn)

Distributed Systems. 25. Content Delivery Networks (CDN) 2014 Paul Krzyzanowski. Rutgers University. Fall 2014

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

EVILSEED: A Guided Approach to Finding Malicious Web Pages

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

Whose IP Is It Anyways: Tales of IP Reputation Failures

Content Delivery Networks: Protection or Threat?

Analysing the impact of CDN based service delivery on traffic engineering

Making the Internet fast, reliable and secure. DE-CIX Customer Summit Steven Schecter <schecter@akamai.com>

DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Course Content: Session 1. Ethics & Hacking

How To Protect Your Data From Being Hacked On Security Cloud

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

CDN and Traffic-structure

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

From Internet Data Centers to Data Centers in the Cloud

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Where Do You Tube? Uncovering YouTube Server Selection Strategy

HW9 WordPress & Google Analytics

Introduction to Computer Security Benoit Donnet Academic Year

Indirection. science can be solved by adding another level of indirection" -- Butler Lampson. "Every problem in computer

How To Guide Edge Network Appliance How To Guide:

The Value of Content Distribution Networks Mike Axelrod, Google Google Public

API documentation - 1 -

Zscaler Internet Security Frequently Asked Questions

Internet Monitoring via DNS Traffic Analysis. Wenke Lee Georgia Institute of Technology

Operation Liberpy : Keyloggers and information theft in Latin America

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

Mitigation of Random Query String DoS via Gossip

CHAPTER 4 PERFORMANCE ANALYSIS OF CDN IN ACADEMICS

Internet Services. Amcom. Support & Troubleshooting Guide

Netgator: Malware Detection Using Program Interactive Challenges. Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou

CSCI-1680 CDN & P2P Chen Avin

Application Note. SIP Domain Management

Distributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski

Removing Web Spam Links from Search Engine Results

Debugging With Netalyzr

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

DNS, CDNs Weds March Lecture 13. What is the relationship between a domain name (e.g., youtube.com) and an IP address?

ICP. Cache Hierarchies. Squid. Squid Cache ICP Use. Squid. Squid

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

SPAMMING BOTNETS: SIGNATURES AND CHARACTERISTICS

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Data Center Content Delivery Network

CS 558 Internet Systems and Technologies

Content. Global Delivery Network: Folders

Flow Analysis Versus Packet Analysis. What Should You Choose?

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

Assignment One. ITN534 Network Management. Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition)

Real-Time Analysis of CDN in an Academic Institute: A Simulation Study

Firewalls & Intrusion Detection

2010 Carnegie Mellon University. Malware and Malicious Traffic

DNS traffic analysis -- Issues of IPv6 and CDN --

ATIS Open Web Alliance. Jim McEachern Senior Technology Consultant ATIS

JK WEBCOM TECHNOLOGIES

Signpost: Trusted, Effectful Internet names

F-Secure Internet Security 2014 Data Transfer Declaration

New Trends in FastFlux Networks

Akamai to Incapsula Migration Guide

HTTPS Inspection with Cisco CWS

How To Create A Toecdn (Open Edge Content Delivery Network) From Scratch On A Microsoft Ipad Or Ipad (For Free) On A Pc Or Ipa (For A Free) With A Free Ipad) On An Ip

How Cisco IT Protects Against Distributed Denial of Service Attacks

ANALYSING SERVER LOG FILE USING WEB LOG EXPERT IN WEB DATA MINING

How To Detect An Advanced Persistent Threat Through Big Data And Network Analysis

Large-Scale IP Traceback in High-Speed Internet

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper

EvilSeed: A Guided Approach to Finding Malicious Web Pages

How to Configure Dynamic DNS on a Virtual Access Router

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA

It should be noted that the installer will delete any existing partitions on your disk in order to install the software required to use BLËSK.

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

DNS Caching: Running on Zero

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

#splunkconf. Analyzing & Mitigating Malicious Web Activity using Splunk Enterprise

DOSarrest External MULTI-SENSOR ARRAY FOR ANALYSIS OF YOUR CDN'S PERFORMANCE IMMEDIATE DETECTION AND REPORTING OF OUTAGES AND / OR ISSUES

Overview. Tor Circuit Setup (1) Tor Anonymity Network

Click Studios. Passwordstate. Installation Instructions

idatafax Troubleshooting

Transcription:

Basheer Al-Duwairi Jordan University of Science & Technology

Outline Examples of using network measurements /monitoring Example 1: fast flux detection Example 2: DDoS mitigation as a service Future trends Hot topics Challenges

Detection and Characterization of Fast Flux Networks ;; ANSWER SECTION: 09-service.ru. 9 IN A 136.169.214.129 09-service.ru. 9 IN A 158.181.153.20 09-service.ru. 9 IN A 176.215.247.0 09-service.ru. 9 IN A 178.129.215.113 09-service.ru. 9 IN A 194.28.140.134 09-service.ru. 9 IN A 91.226.57.151 09-service.ru. 9 IN A 95.81.53.162 09-service.ru. 9 IN A 176.109.54.103 09-service.ru. 9 IN A 176.97.101.11 09-service.ru. 9 IN A 128.73.112.222 ;; ANSWER SECTION: 09-service.ru. 9 IN A 176.109.54.103 09-service.ru. 9 IN A 176.97.101.11 09-service.ru. 9 IN A 176.8.245.247 09-service.ru. 9 IN A 128.71.255.82 09-service.ru. 9 IN A 46.0.62.42 09-service.ru. 9 IN A 136.169.168.197 09-service.ru. 9 IN A 37.99.17.53 09-service.ru. 9 IN A 180.211.154.217 09-service.ru. 9 IN A 109.254.85.172 09-service.ru. 9 IN A 188.191.237.220

[B. Al-Duwairi et. al, GFlux: A Google-Based Approach for FFlux Detection, Technical Report. Jordan Univ. of Science & Technology] GFlux- System Overview Input: Suspect domain name (www.xyz.com) List of IP addresses (obtained actively or passively) Form a search query Extract # hits from Google results Classify domain name into FFux or Non-FFlux

GFlux- Input: domain hosted by CDN ;; ANSWER SECTION: images.amazon.com. 60 IN CNAME ecx.imagesamazon.com.c.footprint.net. ecx.images-amazon.com.c.footprint.net. 230 IN A 204.160.107.126 ecx.images-amazon.com.c.footprint.net. 230 IN A 198.78.205.126 ecx.images-amazon.com.c.footprint.net. 230 IN A 198.78.213.126 Input: images.amazon.com List of IP addresses (obtained actively or passively) Form a search query Extract # hits from Google results Classify domain name into FFux or Non-FFlux

;; ANSWER SECTION: 09-service.ru. 9 IN A 136.169.214.129 09-service.ru. 9 IN A 158.181.153.20 09-service.ru. 9 IN A 176.215.247.0 09-service.ru. 9 IN A 178.129.215.113 09-service.ru. 9 IN A 194.28.140.134 09-service.ru. 9 IN A 91.226.57.151 09-service.ru. 9 IN A 95.81.53.162 09-service.ru. 9 IN A 176.109.54.103 09-service.ru. 9 IN A 176.97.101.11 09-service.ru. 9 IN A 128.73.112.222 GFlux- Input: FFlux domain Input: 09-service.ru List of IP addresses (obtained actively or passively) Form a search query Extract # hits from Google results Classify domain name into FFux or Non-FFlux

Data Collection Email spam trap Oct. 2011 Mar. 2012 issue a DNS lookup for every unique domain name using the Linux dig utility Used 240 Planelab nodes Form Query extracted all URLs the Linux urlview utility Record # hits from Google A cleaning stage where only base domain names are produced and repeated entries are removed. Focused on the domain names associated with the highest number of resolved IP addresses. Verified them manually, too, to ascertain they are indeed FFNs. Analyze results

[Zakaria Al-Qudah, Basheer Al-Duwairi, and Osama Al-Khaleel, DDoS Protection as a Service: Hiding Behind the Giants, To appear in International Journal of Computational Science and Engineering] DDoS Protection as a Service Web server (content server) CDN Network Web server (content server) CDN Edge server Web client (a) In the absence of an attack Web client (a) During an attack

Performance evaluation/ experiments Downloading static object from origin server vs. via an CDN edge server acting like a proxy Object type: PDF file Object size: 3.1 MB Origin Server: fedex.com CDN network: Akamai Downloads are performed from 391 Planetlab nodes For each node two downloads for the identified object: one from origin.fedex.com and the other from images.fedex.com Frequency: once every hour for a period of 24 hours Important issue: ensuring that the CDN edge server fetches a fresh copy of the object Solution: We append the download from images.fedex.com with a random query string

Performance Results The figure plots the difference between effective download bandwidth in the two cases (CDN download minus direct download). Most of the Planetlab nodes, downloading via the CDN have better performance. This is due to the fact that CDNs optimize the path through which they fetch objects from the origin server. Correspond to downloads via the CDN Correspond to direct downloads from the origin server

Future trends: Hot topics + main challenges Most of web traffic is referred by search engines + social networks websites Google, yahoo, Facebook, twitter, etc. What traffic needs to be collected/monitored to infer malicious activities? Collecting data from social networks investigating and exploring the tradeoffs between services and privacy guarantees

Challenges / Future Trends Collecting SMS traffic traces across multiple mobile network operators Operators need greater visibility and understanding of the applications running in their networks Explosive growth in the number of web and mobile applications Application hiding techniques like encryption, port abuse, and tunneling Little research has been done to characterize/detect spam/scam campaigns What percentage of email spam received users is effective?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information