[Discussion] The approach to detect proxybots
Gurvinder Singh
gurvinde at stud.ntnu.no
Sat May 30 18:22:27 UTC 2009
Nick Rogness wrote:
> This is an interesting approach. I don't know how probabilistic the delays will be however. Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming. I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server.
>
The approach works near the spam originating point. If the ISP of the spam
originating point (proxybot) employs this approach at its IDS, then a
decision about the message sender can be made, suggesting whether the sender
is a proxy system or a legitimate one. Once the spam enters the network,
mail relays will forward it using the store-and-forward method and the
approach is not useful in that scenario. Most spam filters mainly
rely on content inspection; the described approach is independent of
content, works near the originating point, and avoids unwanted use of
network resources too.
> Additionally, with spammers, they are clever little SOBs. Once you have this detection working, they will change the botnet code to react differently to avoid detection.
>
To avoid this method they need to change the SOCKS proxy to behave as a
store-and-forward relay. Otherwise the spammer cannot send data early on the
network; he can only delay it, which will result in better chances of
detection :)
> Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks. A network of OISF sensors independently distributed across the internet would be useful for these types of detections and other like it via some sort of feedback system.
>
> I still think it would be worth investigating as one of many ways to detect these botnets. If you have some code to test I'll put it on our ISP network to see how well it works.
>
Unfortunately I am running out of time; it took a lot of time to come up
with the idea and now the deadline for submitting my thesis is on my head (15th
June). But I still plan to implement the approach in Bro IDS. If I
am able to do it in time, you will get the code for sure.
Thanks for giving feedback!!
-Gurvinder
> to detect proxybots
>
> Hi,
>
> First of all, thanks to Matt for introducing me to the Open Information
> Security Foundation. I was in touch with Matt and he suggested that I put
> the concept on the discussion list to get feedback on it from the team. If
> possible we can implement this concept as a preprocessor of the new
> engine (read message from Matt below).
>
> The approach is based on Interarrival Packet Time (IPT). The IPT is the
> difference between the current packet arrival time and the last packet
> arrival time from the sender under the current session. The IPT is recorded
> from incoming packets at the receiving end. Consider the following scenario:
>
>            (200ms)              (50ms)
> Spammer ------------> Proxybot -------------> Mail server
>
> The spammer starts a session by sending a command to a bot. The bot
> initiates a connection with the mail server and establishes a
> connection. The mail server responds with a greeting message and the bot
> relays this message to the spammer. After receiving the greeting
> message, the spammer sends the HELO message to the bot and the bot relays the
> message to the server. The server will receive the message after a delay of
> 250ms or higher, which is the total delay on the connection between the mail
> server and the spammer. If the bot system is the real originator of the message
> request, then the HELO message will be received in 50ms by the mail server.
> This delay is seen on each command (MAIL FROM, RCPT TO, DATA, etc.)
> received from the bot at the server end.
>
> There is a probability that the delay can be due to congestion on the
> network. But in the above case the server will receive an ACK message from the bot
> system after 50ms, which signifies the lack of congestion on the network.
>
> I tested the approach for different protocols and found it working on
> FTP, HTTP GET requests (Tor), Telnet and simple data transfer using TCP.
> I will be happy to answer any question regarding the above approach and
> am looking forward to hearing your feedback on the concept. The
> above concept is the result of my master's thesis work. If possible, I would
> like to join the team.
>
> P.S. The code can be released under GPL.
>
> Thanks for your time.
>
> Best Regards,
> Gurvinder Singh
>
>
>> Matt Jonkman wrote:
>>
>>> Forgot to mention that this code will all be GPL. :)
>>>
>>> matt
>>>
>>> Matt Jonkman wrote:
>>>
>>>
>>>> Hello Gurvinder! Your timing couldn't be better.
>>>>
>>>> I'm fascinated by the concept, that would help in a lot of things we
>>>> are currently challenged in with IDS.
>>>>
>>>> The timing is perfect because we've received US Dept of Homeland
>>>> Security funding to build a new next generation IDS. We're about to get
>>>> the bulk of our funding and begin development work.
>>>>
>>>> I'd like to talk to you about applying this concept to a preprocessor of
>>>> the new engine. If you're interested I'd like to introduce you to the
>>>> rest of the team. We're having our final planning and hiring meeting
>>>> late next week. So this couldn't be more perfect.
>>>>
>>>> More information about us at http://www.openinfosecfoundation.org
>>>>
>>>> If you hop on the discussion mailing list we could bring the idea up
>>>> and see what the community thinks about it as well.
>>>>
>>>> Thanks for contacting me!
>>>>
>>>> Matt
>>>>
>>>> Gurvinder Singh wrote:
>>>>
>>>>
>>>>> Dear Matt Jonkman,
>>>>>
>>>>> I am Gurvinder Singh, a master's student at the Department of Telematics,
>>>>> NTNU, Trondheim, Norway. Currently I am working on my master's thesis on the topic
>>>>> titled "Detection of Intermediary Hosts through TCP latency
>>>>> propagation". I performed experiments for different protocols and
>>>>> found a method to detect the intermediary hosts. After reading your article I
>>>>> realized that my approach can be used to detect the spam coming from a
>>>>> proxy system which is actually sent by some other system behind it. In
>>>>> a scenario like this
>>>>>
>>>>> Spammer ----> ProxyBot ------> Mail Server or Relay
>>>>>
>>>>> at the mail server or relay we can detect that the message is relayed via a proxy
>>>>> bot, and thus the server can drop the message, and if the behavior is
>>>>> persistent the IP address of the proxybot can be added to blacklists. I
>>>>> was wondering if you have some live traces of communication during the arrival
>>>>> of spam messages at a mail server from a proxybot, so that I can have real
>>>>> world data, not just data from my lab. If yes, would it be possible to
>>>>> share them with me? I would appreciate any comment from you in this regard.
>>>>>
>>>>> Thanks for your valuable time.
>>>>>
>>>>> Best Regards,
>>>>> Gurvinder Singh
>>>>>
>>>
>>
>
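The IPT check described in the thread (compare the time until the client's TCP ACK, which reflects network RTT, with the time until the client's next SMTP command, which includes any upstream relay hop), worked through as an added example. This is not code from the thread, Bro or the OISF engine; the event model, session builder, timings and the 3x ratio threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed event model (assumption): each SMTP server reply is followed by
# the client's TCP ACK and later by the client's next command.
@dataclass
class Event:
    t: float              # seconds since session start
    kind: str             # "srv_resp", "cli_ack" or "cli_cmd"
    cmd: Optional[str] = None

def command_delays(events: List[Event]) -> List[Tuple[str, float, float]]:
    """Per server reply: (next command, ACK delay = network RTT, command delay)."""
    rows, last_resp, ack_rtt = [], None, None
    for ev in events:
        if ev.kind == "srv_resp":
            last_resp, ack_rtt = ev.t, None
        elif ev.kind == "cli_ack" and last_resp is not None and ack_rtt is None:
            ack_rtt = ev.t - last_resp
        elif ev.kind == "cli_cmd" and last_resp is not None and ack_rtt is not None:
            rows.append((ev.cmd, ack_rtt, ev.t - last_resp))
            last_resp, ack_rtt = None, None
    return rows

def looks_relayed(events: List[Event], ratio: float = 3.0, min_cmds: int = 2) -> bool:
    """Flag the session only if EVERY command arrives far later than its ACK.
    Congestion inflates both delays, so the ratio stays small and no flag is raised."""
    rows = command_delays(events)
    if len(rows) < min_cmds:
        return False
    return all(delay / max(rtt, 1e-3) > ratio for _, rtt, delay in rows)

def smtp_session(ack_rtt: float, cmd_delay: float,
                 cmds=("HELO", "MAIL FROM", "RCPT TO", "DATA")) -> List[Event]:
    """Constructed SMTP dialogue: server replies at t, client ACKs after
    ack_rtt, sends its next command after cmd_delay; server answers 10 ms later."""
    events, t = [], 0.0
    for c in cmds:
        events.append(Event(t, "srv_resp"))
        events.append(Event(t + ack_rtt, "cli_ack"))
        events.append(Event(t + cmd_delay, "cli_cmd", c))
        t += cmd_delay + 0.010
    return events

if __name__ == "__main__":
    # Timings from the thread's diagram: 50 ms bot<->server, +200 ms spammer<->bot.
    print("direct   :", looks_relayed(smtp_session(0.050, 0.060)))   # False
    print("relayed  :", looks_relayed(smtp_session(0.050, 0.260)))   # True
    print("congested:", looks_relayed(smtp_session(0.200, 0.230)))   # False
```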