SlideShare una empresa de Scribd logo

Sec Spampots

Jose Soriano
Jose Soriano

Sec Spampots

Tecnología
1 de 26
Descargar para leer sin conexión
SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam Klaus Steding-Jessen jessen@cert.br CERT.br – Computer Emergency Response Team Brazil NIC.br – Network Information Center Brazil CGI.br – Brazilian Internet Steering Committee LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 1/26
Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee – CGI.br, the main attributions are: • to propose policies and procedures related to the regulation of the Internet activities • to recommend standards for technical and operational procedures • to establish strategic directives related to the use and development of Internet in Brazil • to promote studies and technical standards for the network and services’ security in the country • to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> • to collect, organize and disseminate information on Internet services, including indicators and statistics LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 2/26
CGI.br Structure 11- Internet Service Providers 01- Ministry of Science and Technology 12- Telecom Infrastructure Providers 02- Ministry of Communications 13- Hardware and Software Industries 03- Presidential Cabinet 14- General Business Sector Users 04- Ministry of Defense 15- Non-governamental Entity 05- Ministry of Development, Industry and Foreign Trade 16- Non-governamental Entity 06- Ministry of Planning, Budget and Management 17- Non-governamental Entity 07- National Telecommunications Agency 18- Non-governamental Entity 08- National Council of Scientific and Technological Development 19- Academia 09- National Forum of Estate Science and Technology Secretaries 20- Academia 10- Internet Expert 21- Academia LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 3/26
About CERT.br Created in 1997 to receive, review and respond to computer security incident reports and activities related to networks connected to the Internet in Brazil. • National focal point for reporting security incidents • Establishes collaborative relationships with other entities • Helps new CSIRTs to establish their activities • Provides training in incident handling • Provides statistics and best practices’ documents • Helps raise the security awareness in the country http://www.cert.br/mission.html LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 4/26
Agenda Motivation The SpamPots Project Open Proxy Abuse Scenario Architecture Honeypots Server Statistics Future Work References LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 5/26
Motivation Spam is a source of • – malware/phishing – decrease in productivity – increase in infrastructure costs Spam complaints related to open proxy • abuse have increased in the past few years Scans for open proxies are always in the top • 10 ports in our honeypots’ network stats LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 6/26
Motivation (2) Brazil is usually listed as a big source of • spam – is it really the source or is it just being abused by others? Need to better understand the problem • and have more data about it – generate metrics that can help the formulation of policies LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 7/26
The SpamPots Project Supported by the CGI.br/NIC.br • – as part of the Anti-spam Commission work Deployment of 10 low-interaction honeypots, • emulating open proxy/relay services and capturing spam Installed on Brazilian ADSL/cable networks, • for one year – 5 broadband providers, 1 residential and 1 business connection each Measure the abuse of end-user machines to • send spam LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 8/26
Open Proxy Abuse Scenario End users broadband computers Victim Computer with Victim Open Proxy Computer with Victim Mail Server 1 Open Proxy spammer Victim Computer with Open Proxy Mail Server N Victim Computer with Open Proxy Victim LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 9/26
Architecture End users broadband computers Server: Collects data daily; Monitors the honeypots resources. Honeypot emulating an Open Proxy Computer with Victim Open Proxy spammer Victim Mail Server 1 Honeypot emulating an Open Proxy Mail Server N Computer with Victim Open Proxy LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 10/26
Honeypots OpenBSD as the base OS • – good proactive security features – pf packet filter: stateful, integrated queueing (ALTQ), port redirect – logs in libpcap format: allows passive fingerprinting Honeyd emulating services • – Niels Provos’ SMTP and HTTP Proxy emulator (with minor modifications) – SOCKS 4/5 emulator written by ourselves – pretends to connect to the final SMTP server destination and starts receiving the emails – doesn’t deliver the emails Fools spammers’ confirmation attempts • LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 11/26
Server Collects and stores data from honeypots • – initiates transfers through ssh connections – uses rsync over ssh to copy spam from the honeypots Performs status checks in all honeypots • – daemons, ntp, disk space, load, rsync status Web page interface • – honeypot status – emails stats: daily, last 15min – MRTG: bandwidth, ports used, emails/min, etc LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 12/26
Statistics LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 13/26
Statistics period 2006-06-10 to 2007-04-30 days 325 ≈ 370M emails ≈ 3.2G recipients ≈ 8.9 avg. recpts/email ≈ 160K unique IPs unique ASNs 2813 unique CCs 157 LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 14/26
Spams captured / day LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 15/26
Top ASNs sending spam Top 10 emails/ASN: • # ASN ASN Name % 01 9924 TFN-TW Taiwan Fixed Network 32.08 02 3462 HINET Data Communication 25.41 03 17623 CNCGROUP-SZ CNCGROUP 13.37 04 4780 SEEDNET Digital United 12.21 05 9919 NCIC-TW 02.25 06 4837 CHINA169-BACKBONE CNCGROUP 01.69 07 7271 LOOKAS - Look Communications 01.51 08 7482 APOL-AS Asia Pacific On-line 00.98 09 18182 SONET-TW Sony Network Taiwan 00.96 10 18429 EXTRALAN-TW 00.89 LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 16/26
Top ASNs sending spam (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 17/26
Top CCs sending spam Top 10 emails/CC: • # emails CC % 01 281601310 TW 76.05 02 58912303 CN 15.91 03 14939973 US 04.03 04 6677527 CA 01.80 05 1935648 KR 00.52 06 1924341 JP 00.52 07 816072 HK 00.22 08 776245 DE 00.21 09 642446 BR 00.17 10 355622 PA 00.10 LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 18/26
Top CCs sending spam (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 19/26
Top TCP ports used TCP ports used: • # TCP Port protocol used by % 01 8080 HTTP 42.68 alt http 02 1080 SOCKS 34.66 socks 03 80 HTTP 11.22 http 04 3128 HTTP 06.61 Squid 05 3127 SOCKS 01.28 MyDoom 06 25 SMTP 01.18 smtp 07 3382 HTTP 01.07 Sobig.f 08 81 HTTP 00.51 alt http 09 8000 HTTP 00.37 alt http 10 6588 HTTP 00.27 AnalogX 11 4480 HTTP 00.15 Proxy+ LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 20/26
Top TCP ports used (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 21/26
Top Source OS used tcpdump/pf.os used to fingerprint the OS of • hosts originating IPv4 TCP connections # emails Src OS % 01 235990984 Windows 63.74 02 133276691 Unknown 36.00 03 945642 Unix 00.26 04 50096 Other 00.01 http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 22/26
Top Source OS used (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 23/26
Future Work LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 24/26
Future Work Comprehensive spam analysis • – using Data Mining techniques – determine patterns in language, embedded URLs, etc – phishing and other online crime activities Propose best practices to ISPs • – port 25 management – proxy abuse monitoring International cooperation • LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 25/26
References • This presentation can be found at: http://www.cert.br/docs/presentations/ • Computer Emergency Response Team Brazil – CERT.br http://www.cert.br/ • NIC.br http://www.nic.br/ • Brazilian Internet Steering Comittee – CGI.br http://www.cgi.br/ • OpenBSD http://www.openbsd.org/ • Honeyd http://www.honeyd.org/ • Brazilian Honeypots Alliance http://www.honeypots-alliance.org.br/ LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 26/26

Recomendados

Napla2007 Pttmetro
Napla2007 PttmetroNapla2007 Pttmetro
Napla2007 PttmetroJose Soriano
 
I Pv4exh Lacnicx 20070523
I Pv4exh Lacnicx 20070523I Pv4exh Lacnicx 20070523
I Pv4exh Lacnicx 20070523Jose Soriano
 
Margarita Lacnic X May 2007 Yp
Margarita Lacnic X May 2007 YpMargarita Lacnic X May 2007 Yp
Margarita Lacnic X May 2007 YpJose Soriano
 
Ctu Lacnic2007
Ctu Lacnic2007Ctu Lacnic2007
Ctu Lacnic2007Jose Soriano
 
Implementando E Lac 2007 Cepal Lacnic X
Implementando E Lac 2007 Cepal Lacnic XImplementando E Lac 2007 Cepal Lacnic X
Implementando E Lac 2007 Cepal Lacnic XJose Soriano
 
Musica
MusicaMusica
MusicaJose Catalan
 
como crear una base de datos (tarea de compu.Html
como crear una base de datos (tarea de compu.Htmlcomo crear una base de datos (tarea de compu.Html
como crear una base de datos (tarea de compu.Htmlmay_campos
 
Napla2007 Nap Co
Napla2007 Nap CoNapla2007 Nap Co
Napla2007 Nap CoJose Soriano
 

Recomendados

Napla2007 Pttmetro
Napla2007 PttmetroNapla2007 Pttmetro
Napla2007 PttmetroJose Soriano
 
I Pv4exh Lacnicx 20070523
I Pv4exh Lacnicx 20070523I Pv4exh Lacnicx 20070523
I Pv4exh Lacnicx 20070523Jose Soriano
 
Margarita Lacnic X May 2007 Yp
Margarita Lacnic X May 2007 YpMargarita Lacnic X May 2007 Yp
Margarita Lacnic X May 2007 YpJose Soriano
 
Ctu Lacnic2007
Ctu Lacnic2007Ctu Lacnic2007
Ctu Lacnic2007Jose Soriano
 
Implementando E Lac 2007 Cepal Lacnic X
Implementando E Lac 2007 Cepal Lacnic XImplementando E Lac 2007 Cepal Lacnic X
Implementando E Lac 2007 Cepal Lacnic XJose Soriano
 
Musica
MusicaMusica
MusicaJose Catalan
 
como crear una base de datos (tarea de compu.Html
como crear una base de datos (tarea de compu.Htmlcomo crear una base de datos (tarea de compu.Html
como crear una base de datos (tarea de compu.Htmlmay_campos
 
Napla2007 Nap Co
Napla2007 Nap CoNapla2007 Nap Co
Napla2007 Nap CoJose Soriano
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly
 
Critical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCritical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCommunity Protection Forum
 
Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13US-Ignite
 
Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06SANSEXPERT
 
Alexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisAlexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisIgnite_Athens
 
Future Internet testbeds in Latin America
Future Internet testbeds in Latin AmericaFuture Internet testbeds in Latin America
Future Internet testbeds in Latin Americafuture-internet
 
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...boundary_slides
 
World best web apps security and Active detection of malicious link
World best web apps security and Active detection of malicious linkWorld best web apps security and Active detection of malicious link
World best web apps security and Active detection of malicious link임채호 박사님
 
Janet in a changing world
Janet in a changing world Janet in a changing world
Janet in a changing world Jisc
 
Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadanoJose Soriano
 
Monocabinas 1
Monocabinas 1Monocabinas 1
Monocabinas 1Jose Soriano
 
Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Jose Soriano
 
Red s alud
Red s aludRed s alud
Red s aludJose Soriano
 
Porteños
PorteñosPorteños
PorteñosJose Soriano
 
Presentacion global rcp v5
Presentacion global rcp v5Presentacion global rcp v5
Presentacion global rcp v5Jose Soriano
 
Proyecto show center 2.0
Proyecto show center 2.0Proyecto show center 2.0
Proyecto show center 2.0Jose Soriano
 
Resumen cabinas
Resumen cabinas Resumen cabinas
Resumen cabinas Jose Soriano
 
Rcp red uno 7.0
Rcp red uno 7.0Rcp red uno 7.0
Rcp red uno 7.0Jose Soriano
 
Aldea RDigital-
Aldea RDigital- Aldea RDigital-
Aldea RDigital- Jose Soriano
 
Informe fin etapa 1
Informe fin etapa 1Informe fin etapa 1
Informe fin etapa 1Jose Soriano
 
Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadanoJose Soriano
 
Seminariosalud
SeminariosaludSeminariosalud
SeminariosaludJose Soriano
 

Más contenido relacionado

Similar a Sec Spampots

Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly
 
Critical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCritical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCommunity Protection Forum
 
Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13US-Ignite
 
Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06SANSEXPERT
 
Alexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisAlexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisIgnite_Athens
 
Future Internet testbeds in Latin America
Future Internet testbeds in Latin AmericaFuture Internet testbeds in Latin America
Future Internet testbeds in Latin Americafuture-internet
 
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...boundary_slides
 
World best web apps security and Active detection of malicious link
World best web apps security and Active detection of malicious linkWorld best web apps security and Active detection of malicious link
World best web apps security and Active detection of malicious link임채호 박사님
 
Janet in a changing world
Janet in a changing world Janet in a changing world
Janet in a changing world Jisc
 

Similar a Sec Spampots (9)

Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008
 
Critical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCritical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challenges
 
Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13Bill what is_us_ignite_06_24-13
Bill what is_us_ignite_06_24-13
 
Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06Telecom Spam Mathan Session2 08 Dec 06
Telecom Spam Mathan Session2 08 Dec 06
 
Alexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmisAlexandros Papanikolaou PROmis
Alexandros Papanikolaou PROmis
 
Future Internet testbeds in Latin America
Future Internet testbeds in Latin AmericaFuture Internet testbeds in Latin America
Future Internet testbeds in Latin America
 
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
Matthias Vallentin - Towards Interactive Network Forensics and Incident Respo...
 
World best web apps security and Active detection of malicious link
World best web apps security and Active detection of malicious linkWorld best web apps security and Active detection of malicious link
World best web apps security and Active detection of malicious link
 
Janet in a changing world
Janet in a changing world Janet in a changing world
Janet in a changing world
 

Más de Jose Soriano

Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadanoJose Soriano
 
Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Jose Soriano
 
Presentacion global rcp v5
Presentacion global rcp v5Presentacion global rcp v5
Presentacion global rcp v5Jose Soriano
 
Proyecto show center 2.0
Proyecto show center 2.0Proyecto show center 2.0
Proyecto show center 2.0Jose Soriano
 
Informe fin etapa 1
Informe fin etapa 1Informe fin etapa 1
Informe fin etapa 1Jose Soriano
 
Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadanoJose Soriano
 
Presentacion Merco Sur Digital
Presentacion Merco Sur DigitalPresentacion Merco Sur Digital
Presentacion Merco Sur DigitalJose Soriano
 
Presentacion Gobierno Electronico Foro Mendoza
Presentacion Gobierno Electronico Foro MendozaPresentacion Gobierno Electronico Foro Mendoza
Presentacion Gobierno Electronico Foro MendozaJose Soriano
 
Napla2007 Roque Gagliano
Napla2007 Roque GaglianoNapla2007 Roque Gagliano
Napla2007 Roque GaglianoJose Soriano
 
Napla2007 Jose Jaramillo
Napla2007 Jose JaramilloNapla2007 Jose Jaramillo
Napla2007 Jose JaramilloJose Soriano
 
Eloy Vidal Peru Final
Eloy Vidal Peru FinalEloy Vidal Peru Final
Eloy Vidal Peru FinalJose Soriano
 

Más de Jose Soriano (20)

Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadano
 
Monocabinas 1
Monocabinas 1Monocabinas 1
Monocabinas 1
 
Modelo rcp de cp 15.0
Modelo rcp de cp 15.0Modelo rcp de cp 15.0
Modelo rcp de cp 15.0
 
Red s alud
Red s aludRed s alud
Red s alud
 
Porteños
PorteñosPorteños
Porteños
 
Presentacion global rcp v5
Presentacion global rcp v5Presentacion global rcp v5
Presentacion global rcp v5
 
Proyecto show center 2.0
Proyecto show center 2.0Proyecto show center 2.0
Proyecto show center 2.0
 
Resumen cabinas
Resumen cabinas Resumen cabinas
Resumen cabinas
 
Rcp red uno 7.0
Rcp red uno 7.0Rcp red uno 7.0
Rcp red uno 7.0
 
Aldea RDigital-
Aldea RDigital- Aldea RDigital-
Aldea RDigital-
 
Informe fin etapa 1
Informe fin etapa 1Informe fin etapa 1
Informe fin etapa 1
 
Click uy ciudadano
Click uy ciudadanoClick uy ciudadano
Click uy ciudadano
 
Seminariosalud
SeminariosaludSeminariosalud
Seminariosalud
 
Seminario salud
Seminario saludSeminario salud
Seminario salud
 
Presentacion Merco Sur Digital
Presentacion Merco Sur DigitalPresentacion Merco Sur Digital
Presentacion Merco Sur Digital
 
Presentacion Gobierno Electronico Foro Mendoza
Presentacion Gobierno Electronico Foro MendozaPresentacion Gobierno Electronico Foro Mendoza
Presentacion Gobierno Electronico Foro Mendoza
 
Frida Lacnic X 2
Frida Lacnic X 2Frida Lacnic X 2
Frida Lacnic X 2
 
Napla2007 Roque Gagliano
Napla2007 Roque GaglianoNapla2007 Roque Gagliano
Napla2007 Roque Gagliano
 
Napla2007 Jose Jaramillo
Napla2007 Jose JaramilloNapla2007 Jose Jaramillo
Napla2007 Jose Jaramillo
 
Eloy Vidal Peru Final
Eloy Vidal Peru FinalEloy Vidal Peru Final
Eloy Vidal Peru Final
 

Último

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Sec Spampots

  • 1. SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam Klaus Steding-Jessen jessen@cert.br CERT.br – Computer Emergency Response Team Brazil NIC.br – Network Information Center Brazil CGI.br – Brazilian Internet Steering Committee LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 1/26
  • 2. Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee – CGI.br, the main attributions are: • to propose policies and procedures related to the regulation of the Internet activities • to recommend standards for technical and operational procedures • to establish strategic directives related to the use and development of Internet in Brazil • to promote studies and technical standards for the network and services’ security in the country • to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> • to collect, organize and disseminate information on Internet services, including indicators and statistics LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 2/26
  • 3. CGI.br Structure 11- Internet Service Providers 01- Ministry of Science and Technology 12- Telecom Infrastructure Providers 02- Ministry of Communications 13- Hardware and Software Industries 03- Presidential Cabinet 14- General Business Sector Users 04- Ministry of Defense 15- Non-governamental Entity 05- Ministry of Development, Industry and Foreign Trade 16- Non-governamental Entity 06- Ministry of Planning, Budget and Management 17- Non-governamental Entity 07- National Telecommunications Agency 18- Non-governamental Entity 08- National Council of Scientific and Technological Development 19- Academia 09- National Forum of Estate Science and Technology Secretaries 20- Academia 10- Internet Expert 21- Academia LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 3/26
  • 4. About CERT.br Created in 1997 to receive, review and respond to computer security incident reports and activities related to networks connected to the Internet in Brazil. • National focal point for reporting security incidents • Establishes collaborative relationships with other entities • Helps new CSIRTs to establish their activities • Provides training in incident handling • Provides statistics and best practices’ documents • Helps raise the security awareness in the country http://www.cert.br/mission.html LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 4/26
  • 5. Agenda Motivation The SpamPots Project Open Proxy Abuse Scenario Architecture Honeypots Server Statistics Future Work References LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 5/26
  • 6. Motivation Spam is a source of • – malware/phishing – decrease in productivity – increase in infrastructure costs Spam complaints related to open proxy • abuse have increased in the past few years Scans for open proxies are always in the top • 10 ports in our honeypots’ network stats LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 6/26
  • 7. Motivation (2) Brazil is usually listed as a big source of • spam – is it really the source or is it just being abused by others? Need to better understand the problem • and have more data about it – generate metrics that can help the formulation of policies LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 7/26
  • 8. The SpamPots Project Supported by the CGI.br/NIC.br • – as part of the Anti-spam Commission work Deployment of 10 low-interaction honeypots, • emulating open proxy/relay services and capturing spam Installed on Brazilian ADSL/cable networks, • for one year – 5 broadband providers, 1 residential and 1 business connection each Measure the abuse of end-user machines to • send spam LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 8/26
  • 9. Open Proxy Abuse Scenario End users broadband computers Victim Computer with Victim Open Proxy Computer with Victim Mail Server 1 Open Proxy spammer Victim Computer with Open Proxy Mail Server N Victim Computer with Open Proxy Victim LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 9/26
  • 10. Architecture End users broadband computers Server: Collects data daily; Monitors the honeypots resources. Honeypot emulating an Open Proxy Computer with Victim Open Proxy spammer Victim Mail Server 1 Honeypot emulating an Open Proxy Mail Server N Computer with Victim Open Proxy LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 10/26
  • 11. Honeypots OpenBSD as the base OS • – good proactive security features – pf packet filter: stateful, integrated queueing (ALTQ), port redirect – logs in libpcap format: allows passive fingerprinting Honeyd emulating services • – Niels Provos’ SMTP and HTTP Proxy emulator (with minor modifications) – SOCKS 4/5 emulator written by ourselves – pretends to connect to the final SMTP server destination and starts receiving the emails – doesn’t deliver the emails Fools spammers’ confirmation attempts • LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 11/26
  • 12. Server Collects and stores data from honeypots • – initiates transfers through ssh connections – uses rsync over ssh to copy spam from the honeypots Performs status checks in all honeypots • – daemons, ntp, disk space, load, rsync status Web page interface • – honeypot status – emails stats: daily, last 15min – MRTG: bandwidth, ports used, emails/min, etc LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 12/26
  • 13. Statistics LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 13/26
  • 14. Statistics period 2006-06-10 to 2007-04-30 days 325 ≈ 370M emails ≈ 3.2G recipients ≈ 8.9 avg. recpts/email ≈ 160K unique IPs unique ASNs 2813 unique CCs 157 LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 14/26
  • 15. Spams captured / day LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 15/26
  • 16. Top ASNs sending spam Top 10 emails/ASN: • # ASN ASN Name % 01 9924 TFN-TW Taiwan Fixed Network 32.08 02 3462 HINET Data Communication 25.41 03 17623 CNCGROUP-SZ CNCGROUP 13.37 04 4780 SEEDNET Digital United 12.21 05 9919 NCIC-TW 02.25 06 4837 CHINA169-BACKBONE CNCGROUP 01.69 07 7271 LOOKAS - Look Communications 01.51 08 7482 APOL-AS Asia Pacific On-line 00.98 09 18182 SONET-TW Sony Network Taiwan 00.96 10 18429 EXTRALAN-TW 00.89 LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 16/26
  • 17. Top ASNs sending spam (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 17/26
  • 18. Top CCs sending spam Top 10 emails/CC: • # emails CC % 01 281601310 TW 76.05 02 58912303 CN 15.91 03 14939973 US 04.03 04 6677527 CA 01.80 05 1935648 KR 00.52 06 1924341 JP 00.52 07 816072 HK 00.22 08 776245 DE 00.21 09 642446 BR 00.17 10 355622 PA 00.10 LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 18/26
  • 19. Top CCs sending spam (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 19/26
  • 20. Top TCP ports used TCP ports used: • # TCP Port protocol used by % 01 8080 HTTP 42.68 alt http 02 1080 SOCKS 34.66 socks 03 80 HTTP 11.22 http 04 3128 HTTP 06.61 Squid 05 3127 SOCKS 01.28 MyDoom 06 25 SMTP 01.18 smtp 07 3382 HTTP 01.07 Sobig.f 08 81 HTTP 00.51 alt http 09 8000 HTTP 00.37 alt http 10 6588 HTTP 00.27 AnalogX 11 4480 HTTP 00.15 Proxy+ LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 20/26
  • 21. Top TCP ports used (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 21/26
  • 22. Top Source OS used tcpdump/pf.os used to fingerprint the OS of • hosts originating IPv4 TCP connections # emails Src OS % 01 235990984 Windows 63.74 02 133276691 Unknown 36.00 03 945642 Unix 00.26 04 50096 Other 00.01 http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 22/26
  • 23. Top Source OS used (2) LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 23/26
  • 24. Future Work LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 24/26
  • 25. Future Work Comprehensive spam analysis • – using Data Mining techniques – determine patterns in language, embedded URLs, etc – phishing and other online crime activities Propose best practices to ISPs • – port 25 management – proxy abuse monitoring International cooperation • LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 25/26
  • 26. References • This presentation can be found at: http://www.cert.br/docs/presentations/ • Computer Emergency Response Team Brazil – CERT.br http://www.cert.br/ • NIC.br http://www.nic.br/ • Brazilian Internet Steering Comittee – CGI.br http://www.cgi.br/ • OpenBSD http://www.openbsd.org/ • Honeyd http://www.honeyd.org/ • Brazilian Honeypots Alliance http://www.honeypots-alliance.org.br/ LACNIC X – Isla Margarita, Venezuela – May 21–25, 2007 – p. 26/26