ImageVerifierCode 换一换
格式:PPT , 页数:31 ,大小:1.65MB ,
资源ID:379082      下载积分:2000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-379082.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(Botnets and spam- What we're doing to deal with the .ppt)为本站会员(progressking105)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

Botnets and spam- What we're doing to deal with the .ppt

1、Botnets and spam: What were doing to deal with the blended threat,Jim Lippard FRnOG 6, April 1, 2005,2,Botnets and spam,Overview of the blended threat. Some trends. Rogues gallery. Defense and attack strategies. Our implementation and plans. Help wanted. Q&A.,AGENDA,3,Rise of the botnets,Early 1990s

2、: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.). Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood Network, Stacheldraht, Shaft, etc.). 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht+t0rnkit+Ramen worm; Lion worm+TFN2K). 2002: IRC-controlled bots imp

3、lementing DDoS attacks. 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, malware distribution activity. (Dave Dittrich, “Invasion Force,” Information Security, March 2005, p. 30) 2003-2005: Botnets used as a criminal tool for extortion, fraud, identity theft

4、, computer crime, spam, and phishing.,4,Botnets today,Botnets are usually compromised Windows machines, usually controlled from a compromised Unix machine running ircd, sometimes with passwords, sometimes with encryption. Controllers are most often found on low-cost, high-volume web hosting provider

5、s. Bots are most often found on home machines of cable modem and DSL customers.Agobot/Phatbot is well-written, modular code supporting DoS attacks, spam proxying, ability to launch viruses, scan for vulnerabilities, steal Windows Product Keys, sniff passwords, support GRE tunnels, self-update, etc.

6、Phatbot control channel is WASTE (encrypted P2P) instead of IRC.Approximately 70% of spam is sent via botnets. (MessageLabs, October 2004 Monthly Report)Bots refute the common argument that “theres nothing on my computer that anyone would want” (usually given as an excuse not to bother securing the

7、system).,5,Malicious traffic comparison,Unique Infected IPs, week ending March 28, 2005: Entire Internet (unique IPs within each category; a single IP may have multiple problems),6,Malicious traffic trends,Spam, viruses, phishing are growing. Possible drop in DoS attacks. Percentage of email that is

8、 spam: 2002: 9%. 2003: 40%. 2004: 73%. (received by GLBC Apr 2004-Mar 2005: 73%) Percentage of email containing viruses: 2002: 0.5%. 2003: 3%. 2004: 6.1%. (received by GLBC Apr 2004-Mar 2005: 5%) Number of phishing emails: Total through September 2003: 273 Total through September 2004: 2 million Mon

9、thly since September 2004: 2-5 million (Above from MessageLabs 2004 end-of-year report.) Denial of Service Attacks (reported): 2002: 48 (16/mo). 2003: 409 (34/mo). 2004: 482 (40/mo). Jan. 1-Mar. 23, 2005: 74 (25/mo). (Above from Global Crossing; 2002 is for Oct-Dec only.),7,GLBC downstream malware-i

10、nfected hosts,8,Infected hosts: Internet/GLBC downstreams,9,GLBC Infected Downstreams,Distribution by region for week ending March 28, 2005; unique infected IPs on ASs with more than 300 infected IPs, which accounts for 91% of unique infected IPs for the week.,10,Money is the main driver,Most botnet

11、-related abuse is driven by financial considerations:Viruses and worms are used to compromise systems to use as bots.Bots are used to send spam to sell products and services (often fraudulent), engage in extortion (denial of service against online gambling, credit card processors, etc.), send phishi

12、ng emails to steal bank account access.Access to bots as proxies (“peas”) is sold to spammers, often with a very commercial-looking front end web interface.,11,Ruslan Ibragimov/send-,12,Ruslan Ibragimov ROKSO Record,13,“FRESH Peas for X-Mas Special Discount”,14,General Interest emails for sale,15,Pr

13、oxies for Sale,16,Jay Echouafni / Foonet,17,Jeremy Jaynes 9 year prison sentence,18,Other miscreants,Others: Howard Carmack, the Buffalo spammer: $16 million judgment for Earthlink, 3.5-7 years on criminal charges from NY AG. Jennifer Murray, Ft. Worth spamming grandmother, arrested and extradited t

14、o VA. Ryan Pitylak, UT Austin philosophy student, sued by Texas AG. 200+ spam lawsuits filed in 2004 by Microsoft (Glenn Hannifin, etc.) Robert Kramer/CIS Internet lawsuit in Iowa: $1 billion judgment. Long list of names at the Registry of Known Spam Operations (ROKSO): http:/www.spamhaus.org,19,Wea

15、k points in need of defense,Weak points being exploited:ISPs not vetting/screening customersspammers set up shop in colo spaces at carriers worldwide.Poorly secured end user machines with high-bandwidth connections.Organizations failing to secure their networks and servers.NSPs/ISPs not monitoring f

16、or malicious traffic, not being aggressive to terminate abusersspammers operating for months or years on major carriers sending proxy spam.Law enforcement not having the right resources or information to catch/prosecute offenders.,20,Defense and attack strategies for NSPs/ISPs,Screen prospective cus

17、tomers against ROKSO and other publicly available information sources.Strengthen AUPs and contracts to allow rapid removal of miscreants (and filtering or nullrouting of specific problems prior to termination).Secure company end-user machines with endpoint security.Monitor for malicious traffic (or

18、interact with security researchers or upstreams who monitor); notify downstreams and escalate if they fail to act.Filter and terminate abusers.Nullroute bot controllers and phishing websites.Collect actionable intelligence and notify law enforcement.,21,Global Crossings implementation,External custo

19、mer-facing components AUP provisions Global Crossing reserves the right to deny or terminate service to a Customer based upon the results of a security/abuse confirmation process used by Global Crossing. Such confirmation process uses publicly available information to primarily examine Customers his

20、tory in relation to its prior or current use of services similar to those being provided by Global Crossing and Customers relationship with previous providers. If a Customer has been listed on an industry-recognized spam abuse list, such Customer will be deemed to be in violation of Global Crossings

21、 Acceptable Use Policy. Customer screening Policy Enforcement/Compliance department reviews new orders for known publicly reported abuse incidents, suspicious contact information (e.g., commercial mail drops, free email addresses, cell phone as only contact). Network monitoring and customer notifica

22、tion We use Arbor Peakflow to detect and mitigate DoS attacks and engage in regular information exchange with peers and security researchers. We have automated processes for sending daily reports to customers of detected issues. Regular review of spam block lists and taking action Reduced Spamhaus S

23、BL listings from 43 in January 2004 to 6 at end of 2004. Currently (25 March 2005) at 11; several removal actions in process.,22,Global Crossings implementation,Law enforcement interaction Participation in the FBIs Operation Slam Spam, which has collected data since September 2003. We are hoping to

24、see major prosecutions in 2005.Internal components Comprehensive Enterprise Security Program Plan (ESPP) Physical and Information Security merged into single organization; reports directly to Security Committee of corporate board of directors under Network Security Agreement with U.S. government age

25、ncies (a public document obtainable at www.fcc.gov). Endpoint security Sygate Enforcer at corporate VPN access points; Sygate Agent on all corporate laptops (and being deployed to all corporate workstations). Sygate Agent acts as PC firewall, IDS, file integrity checker, and enforces compliance on p

26、atch levels and anti-virus patterns; it reports back to a central management station. The IDS functionality makes every individuals machine into an IDS sensor. Antispam/antivirus Corporate mail servers use open source SpamAssassin plus Trend Micro VirusWall.,23,Future Plans,Partially automated escal

27、ation Automated testing of botnet controllers and phishing websites; ticket generation, customer notification, nullrouting (with human intervention step). More creative monitoring and analysis of Netflow data To automate detection of proxy spamming and botnet activity. More creative monitoring and a

28、nalysis of DNS queries To spot cache poisoning and “pharming” attacks, detection of bots by DNS lookups of botnet controllers; possibly use passive DNS replication to view historical data or find FQDNs associated with botnet controllers where the IP has no rDNS.,24,Help wanted,Peers: Similar impleme

29、ntations: screen customers, strengthen and enforce AUPs, nullroute botnet controllers and phishing websites. Share additional ideas; coordination of defenses.OS/Application vendors: More securely written software, with secure-by-default configurations. Automated, digitally-signed update capability,

30、turned on by default for home users.ISPs with end user customers: Better filtering/quarantining of infected customer systemsautomation and self-service point-and-click tools needed. Any solution that requires end users to become expert system administrators is doomed to failure.Organizations on the

31、Internet: Use firewalls and endpoint security solutions, use spam and anti-virus filtering. Block email from known infected systems using the Composite Blocking List (CBL), cbl.abuseat.org.Law enforcement and prosecutors: Undercover investigations to follow the money and capture the criminals profit

32、ing from spam, phishing, denial of service, and the use of botnets. Follow up civil litigation from large providers like AOL, Earthlink, and Microsoft with criminal charges.,25,Conclusion,An effective response to botnets, spam, phishing, and denial of service requires a combination of policies and p

33、rocedures, technology, and legal responses from network providers, ISPs, organizations on the Internet, and law enforcement and prosecutors. All of these components need to respond and change as the threats continue to evolve.,26,Botnets and spam,Composite Blocking List: http:/cbl.abuseat.org Regist

34、ry Of Known Spam Operations (ROKSO): http:/www.spamhaus.org Bot information: http:/ Message Labs 2004 end-of-year report: http:/ CAIDA Network Telescope: http:/www.caida.org/analysis/security/telescope/ Team Cymru DarkNet: http:/ Internet Motion Sensor: http:/ims.eecs.umich.edu/ Passive DNS Replicat

35、ion: http:/cert.uni-stuttgart.de/stats/dns-replication.php Brian McWilliams, Spam Kings, 2004, OReilly and Associates. Spammer-X, Inside the Spam Cartel, 2004, Syngress. (Read but dont buy.)Jim Lippard ,Further Information,27,Appendix: Global Crossing notifications,The following is a list of IP addr

36、esses on your network which we have good reason to believe may be compromised systems engaging in malicious activity. Please investigate and take appropriate action to stop any malicious activity you verify.The following is a list of types of activity that may appear in this report:BEAGLE BEAGLE3 BL

37、ASTER BOTNETS BOTS BRUTEFORCEDAMEWARE DIPNET DNSBOTS MYDOOM NACHI PHATBOTPHISHING SCAN445 SINIT SLAMMER SPAMOpen proxies and open mail relays may also appear in this report. Open proxies are designated by a two-character identifier (s4, s5, wg, hc, ho, hu, or fu) followed by a colon and a TCP port n

38、umber. Open mail relays are designated by the word “relay“ followed by a colon and a TCP port number.A detailed description of each of these may be found athttps:/ IPs identified as hosting botnet controllers or phishing websites (marked with BOTNETS or PHISHING, respectively) may be null routed by

39、Global Crossing following a separately emailed notice.This report is sent on weekdays, Monday through Friday. If you would prefer a weekly report, sent on Mondays, please contact us by replying to this email to request it. We would prefer, however, that you receive and act upon these reports daily.U

40、nless otherwise indicated, timestamps are in UTC (GMT).3549 | 208.50.20.164/32 | 2005-01-10 23:23:36 BOTNETS | GBLX Global Crossing Ltd. 3549 | 209.130.174.106/32 | 2005-02-03 15:58:06 TCP 13222 BOTNETS | GBLX Global Crossing Ltd. 3549 | 146.82.109.130 | 2005-03-24 10:01:30 BEAGLE3 | GBLX Global Cr

41、ossing Ltd. 3549 | 195.166.97.130 | 2005-03-24 08:40:03 SPAM | GBLX Global Crossing Ltd. 3549 | 206.132.221.37 | 2005-03-24 01:56:13 PHATBOT | GBLX Global Crossing Ltd. 3549 | 206.132.93.5 | 2005-03-23 22:13:40 NACHI | GBLX Global Crossing Ltd. 3549 | 206.165.142.184 | 2005-03-23 09:35:53 SLAMMER |

42、GBLX Global Crossing Ltd. 3549 | 206.165.192.5 | 2005-03-24 12:35:53 SPAM | GBLX Global Crossing Ltd.,28,Appendix: Phatbot functionality,Phatbot command list (from LURHQ) mand runs a command with system() bot.unsecure enable shares / enable dcom bot.secure delete shares / disable dcom bot.flushdns f

43、lushes the bots dns cache bot.quit quits the bot bot.longuptime If uptime 7 days then bot will respond bot.sysinfo displays the system info bot.status gives status ot.rndnick makes the bot generate a new random nick bot.removeallbut removes the bot if id does not match bot.remove removes the bot bot

44、.open opens a file (whatever) bot.nick changes the nickname of the bot bot.id displays the id of the current code bot.execute makes the bot execute a .exe bot.dns resolves ip/hostname by dns bot.die terminates the bot bot.about displays the info the author wants you to see shell.disable Disable shel

45、l handler shell.enable Enable shell handler shell.handler FallBack handler for shell commands.list Lists all available commands plugin.unload unloads a plugin (not supported yet) plugin.load loads a plugin cvar.saveconfig saves config to a file cvar.loadconfig loads config from a file cvar.set sets

46、the content of a cvar cvar.get gets the content of a cvar cvar.list prints a list of all cvars inst.svcdel deletes a service from scm inst.svcadd adds a service to scm inst.asdel deletes an autostart entry inst.asadd adds an autostart entry logic.ifuptime exec command if uptime is bigger than specif

47、ied mac.login logs the user in mac.logout logs the user out ftp.update executes a file from a ftp url ftp.execute updates the bot from a ftp url ftp.download downloads a file from ftp http.visit visits an url with a specified referrer http.update executes a file from a http url http.execute updates

48、the bot from a http url http.download downloads a file from http,rsl.logoff logs the user off rsl.shutdown shuts the computer down rsl.reboot reboots the computer pctrl.kill kills a process pctrl.list lists all processes scan.stop signal stop to child threads scan.start signal start to child threads

49、 scan.disable disables a scanner module scan.enable enables a scanner module scan.clearnetranges clears all netranges registered with the scanner scan.resetnetranges resets netranges to the localhost scan.listnetranges lists all netranges registered with the scanner scan.delnetrange deletes a netran

50、ge from the scanner scan.addnetrange adds a netrange to the scanner ddos.phatwonk starts phatwonk flood ddos.phaticmp starts phaticmp flood ddos.phatsyn starts phatsyn flood ddos.stop stops all floods ddos.httpflood starts a HTTP flood ddos.synflood starts an SYN flood ddos.udpflood starts a UDP flo

51、od redirect.stop stops all redirects running redirect.socks starts a socks4 proxy redirect.https starts a https proxy redirect.http starts a http proxy redirect.gre starts a gre redirect redirect.tcp starts a tcp port redirect harvest.aol makes the bot get aol stuff harvest.cdkeys makes the bot get

52、a list of cdkeys harvest.emailshttp makes the bot get a list of emails via http harvest.emails makes the bot get a list of emails waste.server changes the server the bot connects to waste.reconnect reconnects to the server waste.raw sends a raw message to the waste server waste.quit waste.privmsg se

53、nds a privmsg waste.part makes the bot part a channel info prints netinfo waste.mode lets the bot perform a mode change waste.join makes the bot join a channel waste.gethost prints netinfo when host matches waste.getedu prints netinfo when the bot is .edu waste.action lets the bot perform an action waste.disconnect disconnects the bot from waste,

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1