SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Klaus Steding-Jessen
jessen@cert.br

CERT.br – Computer Emergency Response Team Brazil
NIC.br – Network Information Center Brazil
CGI.br – Brazilian Internet Steering Committee

LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 1/26
Our Parent Organization: CGI.br
  Among the diverse responsibilities of the Brazilian Internet Steering Committee – CGI.br, the main attributions are:
    • to propose policies and procedures related to the regulation of the Internet activities
    • to recommend standards for technical and operational procedures
    • to establish strategic directives related to the use and development of Internet in Brazil
    • to promote studies and technical standards for the network and services’ security in the country
    • to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br>
    • to collect, organize and disseminate information on Internet services, including indicators and statistics

CGI.br Structure
  01- Ministry of Science and Technology
  02- Ministry of Communications
  03- Presidential Cabinet
  04- Ministry of Defense
  05- Ministry of Development, Industry and Foreign Trade
  06- Ministry of Planning, Budget and Management
  07- National Telecommunications Agency
  08- National Council of Scientific and Technological Development
  09- National Forum of State Science and Technology Secretaries
  10- Internet Expert
  11- Internet Service Providers
  12- Telecom Infrastructure Providers
  13- Hardware and Software Industries
  14- General Business Sector Users
  15- Non-governmental Entity
  16- Non-governmental Entity
  17- Non-governmental Entity
  18- Non-governmental Entity
  19- Academia
  20- Academia
  21- Academia

About CERT.br
  Created in 1997 to receive, review and respond to computer security incident reports and activities related to networks connected to the Internet in Brazil.
    • National focal point for reporting security incidents
    • Establishes collaborative relationships with other entities
    • Helps new CSIRTs to establish their activities
    • Provides training in incident handling
    • Provides statistics and best practices’ documents
    • Helps raise the security awareness in the country

  http://www.cert.br/mission.html

Agenda
  Motivation
  The SpamPots Project
    Open Proxy Abuse Scenario
    Architecture
    Honeypots
    Server
  Statistics
  Future Work
  References

Motivation
  • Spam is a source of
      – malware/phishing
      – decrease in productivity
      – increase in infrastructure costs
  • Spam complaints related to open proxy abuse have increased in the past few years
  • Scans for open proxies are always in the top 10 ports in our honeypots’ network stats

Motivation (2)
  • Brazil is usually listed as a big source of spam
      – is it really the source or is it just being abused by others?
  • Need to better understand the problem and have more data about it
      – generate metrics that can help the formulation of policies

The SpamPots Project
  • Supported by the CGI.br/NIC.br
      – as part of the Anti-spam Commission work
  • Deployment of 10 low-interaction honeypots, emulating open proxy/relay services and capturing spam
  • Installed on Brazilian ADSL/cable networks, for one year
      – 5 broadband providers, 1 residential and 1 business connection each
  • Measure the abuse of end-user machines to send spam

Open Proxy Abuse Scenario
  [Diagram] spammer -> end users' broadband computers, each a "Computer with Open Proxy" -> Mail Server 1 ... Mail Server N -> Victims

Architecture
  [Diagram] Same scenario: spammer -> end users' broadband computers -> Mail Server 1 ... Mail Server N -> Victims, except that some of the "Computer with Open Proxy" nodes are now a "Honeypot emulating an Open Proxy".
  Server: collects data daily; monitors the honeypots' resources.

Honeypots
  • OpenBSD as the base OS
      – good proactive security features
      – pf packet filter: stateful, integrated queueing (ALTQ), port redirect
      – logs in libpcap format: allows passive fingerprinting
  • Honeyd emulating services
      – Niels Provos’ SMTP and HTTP Proxy emulator (with minor modifications)
      – SOCKS 4/5 emulator written by ourselves
      – pretends to connect to the final SMTP server destination and starts receiving the emails
      – doesn’t deliver the emails
  • Fools spammers’ confirmation attempts
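The emulation described on this slide, as an added example that is not the project's Honeyd scripts: a transport-agnostic Python sink that answers a SOCKS4 CONNECT as if the tunnel to the requested mail server had been opened, then plays the SMTP server side just far enough to receive and store each message without ever delivering it, which is what defeats a spammer's confirmation test. The banner, the mail.example.invalid host name and the class and field names are assumptions made here; only the SOCKS4 handshake is shown, the project's SOCKS5 and HTTP proxy emulation is not covered.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BANNER = b"220 mail.example.invalid ESMTP ready\r\n"   # constructed banner of the "reached" server


@dataclass
class CapturedMail:
    dest: Tuple[str, int]        # mail server the client asked the proxy to reach
    sender: str = ""
    recipients: List[str] = field(default_factory=list)
    body: bytes = b""


def _addr(arg: bytes) -> str:
    """Address from 'FROM:<a@b>' or 'TO: c@d' (angle brackets optional)."""
    m = re.search(rb"<([^>]*)>", arg)
    return (m.group(1) if m else arg.split(b":", 1)[-1].strip()).decode("ascii", "replace")


class Socks4SmtpSink:
    """One client connection: SOCKS4 CONNECT handshake, then a fake SMTP server
    that accepts everything and delivers nothing. feed() is transport-agnostic,
    so it can sit behind a socket or a Honeyd-style stdin/stdout script."""

    def __init__(self) -> None:
        self.state, self.buf = "proxy", b""      # proxy -> smtp <-> data, or closed
        self.captured: List[CapturedMail] = []   # everything received, never relayed
        self.cur: Optional[CapturedMail] = None

    def feed(self, data: bytes) -> bytes:
        """Consume client bytes; return what the honeypot sends back."""
        self.buf += data
        out = b""
        while self.state != "closed":
            if self.state == "proxy":
                reply = self._handshake()
            elif self.state == "smtp":
                end = self.buf.find(b"\r\n")
                if end < 0:
                    break
                line, self.buf = self.buf[:end], self.buf[end + 2:]
                reply = self._smtp(line)
            else:
                reply = self._data()
            if reply is None:                    # need more input
                break
            out += reply
        return out

    def _handshake(self) -> Optional[bytes]:
        b = self.buf                             # SOCKS4: VN=4 CD DSTPORT(2) DSTIP(4) USERID NUL
        if b[:1] not in (b"", b"\x04"):          # not SOCKS4 at all: drop the session
            self.state = "closed"
            return b""
        nul = b.find(b"\x00", 8)
        if len(b) < 9 or nul < 0:
            return None                          # wait for the rest of the request
        self.buf = b[nul + 1:]
        if b[1] != 1:                            # only CONNECT is "granted"
            self.state = "closed"
            return b"\x00\x5b" + b"\x00" * 6     # CD=91: request rejected
        dest = (".".join(str(x) for x in b[4:8]), int.from_bytes(b[2:4], "big"))
        self.state, self.cur = "smtp", CapturedMail(dest)
        return b"\x00\x5a" + b[2:8] + BANNER     # CD=90 granted, then the "remote" banner

    def _smtp(self, line: bytes) -> bytes:
        verb, arg, cur = line[:4].upper(), line[4:].strip(), self.cur
        if verb in (b"HELO", b"EHLO"):
            return b"250 mail.example.invalid Hello, pleased to meet you\r\n"
        if verb == b"MAIL":
            cur.sender = _addr(arg)
            return b"250 2.1.0 Sender ok\r\n"
        if verb == b"RCPT":
            cur.recipients.append(_addr(arg))    # every recipient "exists"
            return b"250 2.1.5 Recipient ok\r\n"
        if verb == b"DATA":
            if not cur.recipients:
                return b"503 5.0.0 Need RCPT (recipient)\r\n"
            self.state = "data"
            return b'354 Enter mail, end with "." on a line by itself\r\n'
        if verb == b"QUIT":
            self.state = "closed"
            return b"221 2.0.0 closing connection\r\n"
        return b"500 5.5.1 Command unrecognized\r\n"

    def _data(self) -> Optional[bytes]:
        if self.buf.startswith(b".\r\n"):        # empty body, terminator only
            idx, cut = 0, 3
        else:
            idx = self.buf.find(b"\r\n.\r\n")
            if idx < 0:
                return None
            cut = idx + 5
        self.cur.body, self.buf = self.buf[:idx], self.buf[cut:]
        self.captured.append(self.cur)           # stored for analysis, not delivered
        self.cur, self.state = CapturedMail(self.cur.dest), "smtp"
        return b"250 2.0.0 Message accepted for delivery\r\n"   # what a real relay would say
```

Behind a real listener, pass each chunk read from the socket to feed() and write back whatever it returns; the requested destination is only recorded, never contacted.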
Server
  • Collects and stores data from honeypots
      – initiates transfers through ssh connections
      – uses rsync over ssh to copy spam from the honeypots
  • Performs status checks in all honeypots
      – daemons, ntp, disk space, load, rsync status
  • Web page interface
      – honeypot status
      – emails stats: daily, last 15min
      – MRTG: bandwidth, ports used, emails/min, etc

Statistics

Statistics
  period               2006-06-10 to 2007-04-30
  days                 325
  emails               ≈ 370M
  recipients           ≈ 3.2G
  avg. recpts/email    ≈ 8.9
  unique IPs           ≈ 160K
  unique ASNs          2813
  unique CCs           157

Spams captured / day
  [chart; image not reproduced]

Top ASNs sending spam
  • Top 10 emails/ASN:

   #    ASN    ASN Name                        %
  01   9924    TFN-TW Taiwan Fixed Network     32.08
  02   3462    HINET Data Communication        25.41
  03  17623    CNCGROUP-SZ CNCGROUP            13.37
  04   4780    SEEDNET Digital United          12.21
  05   9919    NCIC-TW                         02.25
  06   4837    CHINA169-BACKBONE CNCGROUP      01.69
  07   7271    LOOKAS - Look Communications    01.51
  08   7482    APOL-AS Asia Pacific On-line    00.98
  09  18182    SONET-TW Sony Network Taiwan    00.96
  10  18429    EXTRALAN-TW                     00.89

Top ASNs sending spam (2)
  [chart; image not reproduced]

Top CCs sending spam
  • Top 10 emails/CC:

   #       emails   CC     %
  01    281601310   TW   76.05
  02     58912303   CN   15.91
  03     14939973   US   04.03
  04      6677527   CA   01.80
  05      1935648   KR   00.52
  06      1924341   JP   00.52
  07       816072   HK   00.22
  08       776245   DE   00.21
  09       642446   BR   00.17
  10       355622   PA   00.10

Top CCs sending spam (2)
  [chart; image not reproduced]

Top TCP ports used
  • TCP ports used:

   #   TCP Port   protocol   used by     %
  01       8080   HTTP       alt http    42.68
  02       1080   SOCKS      socks       34.66
  03         80   HTTP       http        11.22
  04       3128   HTTP       Squid       06.61
  05       3127   SOCKS      MyDoom      01.28
  06         25   SMTP       smtp        01.18
  07       3382   HTTP       Sobig.f     01.07
  08         81   HTTP       alt http    00.51
  09       8000   HTTP       alt http    00.37
  10       6588   HTTP       AnalogX     00.27
  11       4480   HTTP       Proxy+      00.15

Top TCP ports used (2)
  [chart; image not reproduced]

Top Source OS used
  • tcpdump/pf.os used to fingerprint the OS of hosts originating IPv4 TCP connections

   #      emails   Src OS     %
  01   235990984   Windows   63.74
  02   133276691   Unknown   36.00
  03      945642   Unix      00.26
  04       50096   Other     00.01

  http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os

Top Source OS used (2)
  [chart; image not reproduced]

Future Work

Future Work
  • Comprehensive spam analysis
      – using Data Mining techniques
      – determine patterns in language, embedded URLs, etc
      – phishing and other online crime activities
  • Propose best practices to ISPs
      – port 25 management
      – proxy abuse monitoring
  • International cooperation

References
  • This presentation can be found at:
      http://www.cert.br/docs/presentations/
  • Computer Emergency Response Team Brazil – CERT.br
      http://www.cert.br/
  • NIC.br
      http://www.nic.br/
  • Brazilian Internet Steering Committee – CGI.br
      http://www.cgi.br/
  • OpenBSD
      http://www.openbsd.org/
  • Honeyd
      http://www.honeyd.org/
  • Brazilian Honeypots Alliance
      http://www.honeypots-alliance.org.br/
LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 26/26

Mais conteúdo relacionado

Semelhante a Sec Spampots

Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13
US-Ignite
 
Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06
SANSEXPERT
 
Alexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisAlexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmis
Ignite_Athens
 

Semelhante a Sec Spampots (9)

Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008
 
Critical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCritical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challenges
 
Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13
 
Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06
 
Alexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisAlexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmis
 
Future Internet testbeds in Latin America
Future Internet testbeds in Latin AmericaFuture Internet testbeds in Latin America
Future Internet testbeds in Latin America
 
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
 
World best web apps security and Active detection of malicious link
World best web apps  security and  Active detection of malicious linkWorld best web apps  security and  Active detection of malicious link
World best web apps security and Active detection of malicious link
 
Janet in a changing world
Janet in a changing world Janet in a changing world
Janet in a changing world
 

Mais de Jose Soriano

Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadano
Jose Soriano
 
Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Modelo rcp de cp 15.0
Modelo rcp de cp 15.0
Jose Soriano
 
Presentacion global rcp v5
Presentacion global rcp v5Presentacion global rcp v5
Presentacion global rcp v5
Jose Soriano
 
Proyecto show center 2.0
Proyecto show center 2.0Proyecto show center 2.0
Proyecto show center 2.0
Jose Soriano
 
Informe fin etapa 1
Informe fin etapa 1Informe fin etapa 1
Informe fin etapa 1
Jose Soriano
 
Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadano
Jose Soriano
 

Mais de Jose Soriano (20)

Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadano
 
Monocabinas 1
Monocabinas 1Monocabinas 1
Monocabinas 1
 
Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Modelo rcp de cp 15.0
Modelo rcp de cp 15.0
 
Red s alud
Red s aludRed s alud
Red s alud
 
Porteños
PorteñosPorteños
Porteños
 
Presentacion global rcp v5
Presentacion global rcp v5Presentacion global rcp v5
Presentacion global rcp v5
 
Proyecto show center 2.0
Proyecto show center 2.0Proyecto show center 2.0
Proyecto show center 2.0
 
Resumen cabinas
Resumen cabinas Resumen cabinas
Resumen cabinas
 
Rcp red uno 7.0
Rcp   red uno 7.0Rcp   red uno 7.0
Rcp red uno 7.0
 
Aldea RDigital-
Aldea RDigital- Aldea RDigital-
Aldea RDigital-
 
Informe fin etapa 1
Informe fin etapa 1Informe fin etapa 1
Informe fin etapa 1
 
Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadano
 
Seminariosalud
SeminariosaludSeminariosalud
Seminariosalud
 
Seminario salud
Seminario saludSeminario salud
Seminario salud
 
Presentacion Merco Sur Digital
Presentacion Merco Sur DigitalPresentacion Merco Sur Digital
Presentacion Merco Sur Digital
 
Presentacion Gobierno Electronico Foro Mendoza
Presentacion Gobierno Electronico Foro MendozaPresentacion Gobierno Electronico Foro Mendoza
Presentacion Gobierno Electronico Foro Mendoza
 
Frida Lacnic X 2
Frida Lacnic X 2Frida Lacnic X 2
Frida Lacnic X 2
 
Napla2007 Roque Gagliano
Napla2007 Roque GaglianoNapla2007 Roque Gagliano
Napla2007 Roque Gagliano
 
Napla2007 Jose Jaramillo
Napla2007 Jose JaramilloNapla2007 Jose Jaramillo
Napla2007 Jose Jaramillo
 
Eloy Vidal Peru Final
Eloy Vidal   Peru FinalEloy Vidal   Peru Final
Eloy Vidal Peru Final
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

Sec Spampots

  • 1. SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam Klaus Steding-Jessen jessen@cert.br CERT.br – Computer Emergency Response Team Brazil NIC.br – Network Information Center Brazil CGI.br – Brazilian Internet Steering Committee LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 1/26
  • 2. Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee – CGI.br, the main attributions are: • to propose policies and procedures related to the regulation of the Internet activities • to recommend standards for technical and operational procedures • to establish strategic directives related to the use and development of Internet in Brazil • to promote studies and technical standards for the network and services’ security in the country • to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> • to collect, organize and disseminate information on Internet services, including indicators and statistics LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 2/26
  • 3. CGI.br Structure 11- Internet Service Providers 01- Ministry of Science and Technology 12- Telecom Infrastructure Providers 02- Ministry of Communications 13- Hardware and Software Industries 03- Presidential Cabinet 14- General Business Sector Users 04- Ministry of Defense 15- Non-governamental Entity 05- Ministry of Development, Industry and Foreign Trade 16- Non-governamental Entity 06- Ministry of Planning, Budget and Management 17- Non-governamental Entity 07- National Telecommunications Agency 18- Non-governamental Entity 08- National Council of Scientific and Technological Development 19- Academia 09- National Forum of Estate Science and Technology Secretaries 20- Academia 10- Internet Expert 21- Academia LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 3/26
  • 4. About CERT.br Created in 1997 to receive, review and respond to computer security incident reports and activities related to networks connected to the Internet in Brazil. • National focal point for reporting security incidents • Establishes collaborative relationships with other entities • Helps new CSIRTs to establish their activities • Provides training in incident handling • Provides statistics and best practices’ documents • Helps raise the security awareness in the country http://www.cert.br/mission.html LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 4/26
  • 5. Agenda Motivation The SpamPots Project Open Proxy Abuse Scenario Architecture Honeypots Server Statistics Future Work References LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 5/26
6. Motivation

  • Spam is a source of
    – malware/phishing
    – decrease in productivity
    – increase in infrastructure costs
  • Spam complaints related to open proxy abuse have increased in the past few years
  • Scans for open proxies are always in the top 10 ports in our honeypots’ network stats

7. Motivation (2)

  • Brazil is usually listed as a big source of spam
    – is it really the source or is it just being abused by others?
  • Need to better understand the problem and have more data about it
    – generate metrics that can help the formulation of policies

8. The SpamPots Project

  • Supported by the CGI.br/NIC.br
    – as part of the Anti-spam Commission work
  • Deployment of 10 low-interaction honeypots, emulating open proxy/relay services and capturing spam
  • Installed on Brazilian ADSL/cable networks, for one year
    – 5 broadband providers, 1 residential and 1 business connection each
  • Measure the abuse of end-user machines to send spam

9. Open Proxy Abuse Scenario

[Diagram: a spammer connects to end users’ broadband computers (victim computers with an open proxy), which relay the messages to victim mail servers 1 … N and on to the victims.]

10. Architecture

[Diagram: the same scenario as slide 9, with honeypots emulating an open proxy placed among the end users’ broadband computers. Server: collects data daily; monitors the honeypots’ resources.]

11. Honeypots

  • OpenBSD as the base OS
    – good proactive security features
    – pf packet filter: stateful, integrated queueing (ALTQ), port redirect
    – logs in libpcap format: allows passive fingerprinting
  • Honeyd emulating services
    – Niels Provos’ SMTP and HTTP Proxy emulator (with minor modifications)
    – SOCKS 4/5 emulator written by ourselves
    – pretends to connect to the final SMTP server destination and starts receiving the emails
    – doesn’t deliver the emails
  • Fools spammers’ confirmation attempts
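The proxy-then-sink behaviour described on this slide, as an added example that is not the SpamPots or Honeyd code: a byte-level emulator of a SOCKS5 "open proxy" that claims the CONNECT succeeded, then plays the destination mail server itself, accepts every recipient and stores each message without relaying it. The ProxySink class, the reply strings and the sample addresses are constructed for this example; wiring it to a listening socket (Honeyd in the project) is left out.

```python
class ProxySink:
    """Feed client bytes in, get the honeypot's reply bytes back; captured mail is kept in self.messages."""
    BANNER = b"220 mail ESMTP ready\r\n"       # sent as if the real destination had answered

    def __init__(self):
        self.state, self.buf, self.dst, self.messages = "greet", b"", None, []
        self.env = {"from": "", "rcpt": []}     # current SMTP envelope

    def feed(self, data):
        self.buf, out = self.buf + data, b""
        while True:                             # drain every complete unit in the buffer
            reply = getattr(self, "_" + self.state)()
            if reply is None:                   # handler needs more bytes
                return out
            out += reply

    def _greet(self):                           # SOCKS5 greeting: VER NMETHODS METHODS...
        b = self.buf
        if len(b) < 2 or b[0] != 5 or len(b) < 2 + b[1]: return None
        self.buf, self.state = b[2 + b[1]:], "connect"
        return b"\x05\x00"                      # "no authentication required"

    def _connect(self):                         # SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT
        b = self.buf
        if len(b) < 5 or b[1] != 1 or b[3] not in (1, 3): return None   # only CONNECT to IPv4/domain is emulated
        alen = 4 if b[3] == 1 else b[4] + 1     # IPv4 address, or length-prefixed domain name
        if len(b) < 6 + alen: return None
        host = ".".join(map(str, b[4:8])) if b[3] == 1 else b[5:4 + alen].decode("ascii", "replace")
        self.dst = (host, int.from_bytes(b[4 + alen:6 + alen], "big"))   # logged, never connected to
        self.buf, self.state = b[6 + alen:], "smtp"
        return b"\x05\x00\x00\x01" + bytes(6) + self.BANNER   # "succeeded" plus the fake destination banner

    def _smtp(self):
        i = self.buf.find(b"\r\n")
        if i < 0: return None
        line, self.buf = self.buf[:i], self.buf[i + 2:]
        verb, arg = line[:4].upper(), line[5:].split(b":", 1)[-1].strip().decode(errors="replace")
        if verb == b"MAIL": self.env = {"from": arg, "rcpt": []}
        elif verb == b"RCPT": self.env["rcpt"].append(arg)   # accept every recipient; a 5xx would tip the sender off
        elif verb == b"DATA": self.state = "data"; return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        elif verb == b"QUIT": return b"221 2.0.0 Bye\r\n"
        return b"250 2.0.0 OK\r\n"              # HELO/EHLO/MAIL/RCPT/RSET/anything else

    def _data(self):
        pre = b"\r\n" + self.buf                # so an empty body (just ".\r\n") also matches
        i = pre.find(b"\r\n.\r\n")
        if i < 0: return None
        body, self.buf = pre[2:i], pre[i + 5:]
        self.messages.append({"dst": self.dst, **self.env, "body": body})   # stored, never delivered
        self.env, self.state = {"from": "", "rcpt": []}, "smtp"
        return b"250 2.0.0 Queued\r\n"          # the acceptance a spammer's test message is looking for
```

Because feed() works on whatever bytes have arrived, a command split across two TCP segments is answered only once its CRLF is in the buffer.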
12. Server

  • Collects and stores data from honeypots
    – initiates transfers through ssh connections
    – uses rsync over ssh to copy spam from the honeypots
  • Performs status checks in all honeypots
    – daemons, ntp, disk space, load, rsync status
  • Web page interface
    – honeypot status
    – emails stats: daily, last 15min
    – MRTG: bandwidth, ports used, emails/min, etc

13. Statistics

14. Statistics

  period                   2006-06-10 to 2007-04-30
  days                     325
  emails                   ≈ 370M
  recipients               ≈ 3.2G
  avg. recipients/email    ≈ 8.9
  unique IPs               ≈ 160K
  unique ASNs              2813
  unique CCs               157

15. Spams captured / day

[Chart]

16. Top ASNs sending spam

Top 10 emails/ASN:

   #   ASN     ASN Name                               %
  01   9924    TFN-TW Taiwan Fixed Network        32.08
  02   3462    HINET Data Communication           25.41
  03   17623   CNCGROUP-SZ CNCGROUP               13.37
  04   4780    SEEDNET Digital United             12.21
  05   9919    NCIC-TW                            02.25
  06   4837    CHINA169-BACKBONE CNCGROUP         01.69
  07   7271    LOOKAS - Look Communications       01.51
  08   7482    APOL-AS Asia Pacific On-line       00.98
  09   18182   SONET-TW Sony Network Taiwan       00.96
  10   18429   EXTRALAN-TW                        00.89

17. Top ASNs sending spam (2)

[Chart]

18. Top CCs sending spam

Top 10 emails/CC:

   #   emails      CC       %
  01   281601310   TW   76.05
  02   58912303    CN   15.91
  03   14939973    US   04.03
  04   6677527     CA   01.80
  05   1935648     KR   00.52
  06   1924341     JP   00.52
  07   816072      HK   00.22
  08   776245      DE   00.21
  09   642446      BR   00.17
  10   355622      PA   00.10

19. Top CCs sending spam (2)

[Chart]

20. Top TCP ports used

TCP ports used:

   #   TCP Port   protocol       %   used by
  01   8080       HTTP       42.68   alt http
  02   1080       SOCKS      34.66   socks
  03   80         HTTP       11.22   http
  04   3128       HTTP       06.61   Squid
  05   3127       SOCKS      01.28   MyDoom
  06   25         SMTP       01.18   smtp
  07   3382       HTTP       01.07   Sobig.f
  08   81         HTTP       00.51   alt http
  09   8000       HTTP       00.37   alt http
  10   6588       HTTP       00.27   AnalogX
  11   4480       HTTP       00.15   Proxy+

21. Top TCP ports used (2)

[Chart]

22. Top Source OS used

tcpdump/pf.os used to fingerprint the OS of hosts originating IPv4 TCP connections:

   #   emails      Src OS       %
  01   235990984   Windows  63.74
  02   133276691   Unknown  36.00
  03   945642      Unix     00.26
  04   50096       Other    00.01

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os

23. Top Source OS used (2)

[Chart]

24. Future Work

25. Future Work

  • Comprehensive spam analysis
    – using Data Mining techniques
    – determine patterns in language, embedded URLs, etc
    – phishing and other online crime activities
  • Propose best practices to ISPs
    – port 25 management
    – proxy abuse monitoring
  • International cooperation

26. References

  • This presentation can be found at: http://www.cert.br/docs/presentations/
  • Computer Emergency Response Team Brazil – CERT.br: http://www.cert.br/
  • NIC.br: http://www.nic.br/
  • Brazilian Internet Steering Committee – CGI.br: http://www.cgi.br/
  • OpenBSD: http://www.openbsd.org/
  • Honeyd: http://www.honeyd.org/
  • Brazilian Honeypots Alliance: http://www.honeypots-alliance.org.br/