[Discussion] The approach to detect proxybots
Gurvinder Singh
gurvinde at stud.ntnu.no
Tue Jun 2 15:15:28 UTC 2009
Matt Jonkman wrote:
> This is a spectacular idea I think. Definitely something we could use in
> a rule for a number of protocols. FTP, telnet, maybe even HTTP (although
> proxying in http isn't an indication of being evil).
>
The motivation for the HTTP protocol is to detect the use of the Tor
protocol, as Tor is currently misused for copyright infringement,
web page defacement, etc. Most of the methods are based on including
code in the web page and executing it on the client system to check for
the use of Tor. But the method in the given approach monitors the
incoming request at the web server and decides the usage of Tor in the
incoming request based on the inter-arrival packet time :-)
-Gurvinder
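The inter-arrival-time check described above, as an added example that is not part of the original message: per-connection packet timestamps are read as a server would record them and the gaps between data packets are scored. The timestamps and the two thresholds are constructed for illustration and would need calibrating against baseline traffic.

```python
"""Added example (not from the thread): flag a connection as likely
relayed through a proxy/Tor from the inter-arrival times of its data
packets. Timestamps and thresholds below are constructed values."""
import statistics

# Constructed arrival times (seconds) of one connection's data packets,
# as seen at the server. A direct client sends its request segments in a
# tight, regular burst; a connection relayed over several hops shows
# larger and more variable gaps between packets.
DIRECT = [0.000, 0.012, 0.025, 0.037, 0.050, 0.063]
RELAYED = [0.000, 0.410, 0.955, 1.120, 1.980, 2.310]

# Assumed thresholds for illustration only; a deployment would derive
# them from the baseline of its own server and client population.
MEAN_GAP_THRESHOLD = 0.200   # mean gap between packets, seconds
JITTER_THRESHOLD = 0.100     # standard deviation of the gaps, seconds


def inter_arrival_times(timestamps):
    """Gaps between consecutive packet timestamps of one connection."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def gap_stats(timestamps):
    """Return (mean gap, jitter) or None if too few packets to judge."""
    gaps = inter_arrival_times(timestamps)
    if len(gaps) < 2:
        return None
    return statistics.mean(gaps), statistics.stdev(gaps)


def looks_relayed(timestamps,
                  mean_threshold=MEAN_GAP_THRESHOLD,
                  jitter_threshold=JITTER_THRESHOLD):
    """True when the packet timing exceeds either assumed threshold.

    A connection with fewer than three packets yields no verdict (False),
    so short exchanges are not flagged on a single gap.
    """
    stats = gap_stats(timestamps)
    if stats is None:
        return False
    mean_gap, jitter = stats
    return mean_gap > mean_threshold or jitter > jitter_threshold


if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("relayed", RELAYED)):
        print(name, gap_stats(sample), "relayed?", looks_relayed(sample))
```

Deliberate tarpitting of the kind described later in the thread raises the mean gap without the client being proxied, so the mean-gap rule alone inflates false positives; the jitter term is there to separate a steady, intentionally slowed path from a multi-hop relay.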
> Imagine our existing spambot rules being able to also check if the
> connection is proxied. That puts us near 100% confidence in most cases.
>
> Matt
>
>
> Gurvinder Singh wrote:
>
>> Michael Scheidell wrote:
>>
>>> Nick Rogness wrote:
>>>
>>>> This is an interesting approach. I don't know how probabilistic the delays will be however. Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming. I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server.
>>>>
>>>> Additionally, with spammers, they are clever little SOBs. Once you have this detection working, they will change the botnet code to react differently to avoid detection.
>>>>
>>>> Nonetheless, one could increase the probability of detection with a significantly higher sampling... whether using information from other sensors in one network or from other sensors in other networks. A network of OISF sensors independently distributed across the internet would be useful for these types of detections and others like it via some sort of feedback system.
>>>>
>>>> I still think it would be worth investigating as one of many ways to detect these botnets. If you have some code to test I'll put it on our ISP network to see how well it works.
>>>>
>>> we run a managed anti-spam service, as well as sell appliances, and,
>>> yes, we do funky things with delays in between helo and data session.
>>>
>> There is a possibility to detect use of proxybots based on the
>> inter-arrival packet time of data packets. This will add up to a small
>> false negative rate :)
>>
>>> I would not count on any 'accident' but RFC compliant behavior.
>>>
>>> p0f is still a good source of passive os detection, and from the smtp
>>> side, why do I want windows 95 machines running smtp servers :-)?
>>> you might want to get with Lawrence Baldwin (mynetwatchman) he has
>>> some interesting data on DNS lookup timing and zombies.
>>>
>>>
>> Will it be possible for me to get access to data from proxybots? It
>> would be great for me, as I am planning to write a paper and it will
>> help me to provide proof from real-world data, not just from the lab :P
>>
>>> in fact, he might be a good one to get involved in this project
>>>
>>>
>>> --
>>> Michael Scheidell, CTO
>>> Phone: 561-999-5000, x 1259
>>>