TRANSCRIPT
![Page 1: How The Pursuit of Truth Led Me To Selling Viagra...How The Pursuit of Truth Led Me To Selling Viagra® Vern Paxson EECS Department, University of California International Computer](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/1.jpg)
How The Pursuit of Truth Led Me To Selling Viagra®
Vern Paxson
EECS Department, University of California
International Computer Science Institute
Lawrence Berkeley National Laboratory
Berkeley, California USA
August 13, 2009
![Page 2](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/2.jpg)
Outline:
• This is a broad, retrospective talk about network security data
• Specifically, 2 decades’ worth of Internet measurement: what the data tells us about the lay of the land … what’s changed … and what in fact doesn’t change (“invariants”)
• A personal (ivory tower research) view: from general network characterization ⇒ manual attacks ⇒ worms ⇒ bots ⇒ spam
• Why all this leads to selling Viagra
![Page 3](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/3.jpg)
First, some acknowledgments:
• ICSI: Mark Allman, Christian Kreibich, Robin Sommer, Nicholas Weaver
• LBL: Craig Leres, Jim Rothfuss, Dwayne Ramsey, Brian Tierney, et al
• UC San Diego: Stefan Savage, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoff Voelker
![Page 4](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/4.jpg)
Part I
Pursuit of Truth + Phobia of Being Fooled =
Thirst for Data
![Page 5](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/5.jpg)
Three Invariants: Growth, Explosive Onset, & Diversity
• Sep 1988: I apply to grad school (56,000 Internet hosts; 3.3 MB/day)
• Sep 1990: I enroll in grad “special topics” course on networking & start measuring traffic at LBL (313,000 Internet hosts; 9.5 MB/day)
• Oct 21 1991: I join Prof. Ferrari’s Tenet group (617,000 Internet hosts; 17.5 MB/day)
• May 11, 1994: My paper Growth Trends in Wide-Area TCP Connections accepted for publication (≈ 3,000,000 Internet hosts; 130 MB/day)
![Page 6](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/6.jpg)
“Our data suggests a very recent explosion in commercial use of the Internet …”
“… relatively new information-retrieval protocols such as Gopher and World-Wide Web exhibited explosive growth”
![Page 7](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/7.jpg)
![Page 8](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/8.jpg)
Data courtesy of Rick Adams
![Page 9](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/9.jpg)
= 80% growth/year
![Page 10](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/10.jpg)
Data courtesy of Rick Adams & David C. Lawrence
![Page 11](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/11.jpg)
= 75% growth/year
![Page 12](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/12.jpg)
Abuse Arrives
![Page 13](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/13.jpg)
Mid-1990s: Internet Abuse Starts Becoming a Concern
• Observation: operators increasingly ask whether my network data sheds light on security incidents
• Hmmm, what about doing such measurement purposefully for security monitoring?
• Armed with equipment donation from DEC, the Bro intrusion detection system starts operating 24x7 in 1996
  • Inspects LBL border traffic in real-time
  • Who-talks-to-whom, what service, how much data
  • And, increasingly: what are the semantics of the conversations
![Page 14](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/14.jpg)
Detecting Attackers, 1990s-style
• Inspect access to sensitive objects:
  • Hosts, usernames (“lp”, “r00t”), filenames (“/etc/passwd”), services (“mountd”, Windows file sharing)
• Look for specific forms of protocol abuse
  • E.g., FTP “site exec”, excessively long “finger” requests
• Check for telling behavior
  • Local host starts running an IRC chat server
  • Outbound requests to www.uberhax0r.net, anticode.com
  • Login sessions containing: “unset HISTFILE” ; “eggdrop” ; “printf(“overflowing” ; “smurf.c by TFreak” ; “u_char sparc_shellcode[] =” ; “Coded by James Seter”
• Attackers exploit systems via interactive login sessions
  • Motivated by bragging rights / vandalism
  • Frequent community reuse of tools
  • Employment of “bots” for automating IRC management
• But what about “serious” attackers rather than weenies?
![Page 15](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/15.jpg)
Real-World Security: Threat Model
• 1990s academic computer security research heavily influenced by cryptography’s standard of mathematical assessment of security strength
  • Prove security properties …
  • … given a model of a powerful adversary
• In practice, goal is risk management, not bulletproof protection.
  • Much of the effort concerns “raising the bar” and trading off resources
• Threat model: what you are defending against
  • This can differ from what an academic might expect
  • Consider the Department of Energy …
![Page 16](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/16.jpg)
Network Security Research Grounded in Operational Use
• Ties with LBL operational deployment have been research gold
  • Transformative compared to working in small, self-contained environment like a lab
• Along with threat model (policy) realities, scale completely alters the problem landscape:
  • Performance - current target: analyze >> 100K pps
    • Research on: clustering; FPGA front end; multicore architecture
  • Diversity - you see the darnedest (benign) behavior & “crud”
    • Greatly complicates anomaly detection & detecting evasion
![Page 17](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/17.jpg)
1 day of “crud” seen at ICSI (155K times)
fragment-with-DF, DNS-label-forward-compress-offset, window-recision, POP3-server-sending-client-commands, FIN-advanced-last-seq, too-many-DNS-queries, unmatched-HTTP-reply, NUL-in-line, excess-RPC, data-before-established, unescaped-special-URI-char,
no-login-prompt, double-%-in-URI, data-after-reset, unescaped-%-in-URI, malformed-SSH-identification, DNS-truncated-RR-rdlength, connection-originator-SYN-ack, truncated-NTP, line-terminated-with-single-CR, DNS-len-lt-hdr-len, base64-illegal-encoding,
SYN-seq-jump, IRC-invalid-line, DNS-truncated-answer, bad-TCP-header-len, SYN-inside-connection, inappropriate-FIN, DNS-RR-unknown-type, bad-SYN-ack, SYN-after-reset, illegal-%-at-end-of-URI, DNS-RR-length-mismatch,
bad-RPC, SYN-after-close, HTTP-version-mismatch, DNS-label-too-long, bad-Ident-reply, possible-split-routing, HTTP-chunked-multipart, DNS-label-len-gt-pkt, active-connection-reuse
![Page 18](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/18.jpg)
Network Security Research Grounded in Operational Use
• Ties with LBL operational deployment have been research gold
  • Transformative compared to working in small, self-contained environment like a lab
• Along with threat model (policy) realities, scale completely alters the problem landscape:
  • Performance - current target: analyze >> 100K pps
    • Research on: clustering; FPGA front end; multicore architecture
  • Diversity - you see the darnedest (benign) behavior & “crud”
    • Greatly complicates anomaly detection & detecting evasion
  • Base Rate Fallacy - detector w/ 10^-6 error rate might not work!
• Another operational reality: intrusion prevention
  • Bro enabled to automatically block LBL traffic
    • (Very high standard for accuracy!)
  • #1 gain: dropping scanners
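The base-rate point above worked through in numbers, as an added example that is not part of the talk: at the slide's target of 100K pps, a per-packet detector with the slide's 10^-6 error rate still produces thousands of false alarms a day, and once malicious packets are rare the analyst's precision collapses. The 99% detection rate, the one-in-10^8 malicious base rate and the daily alarm budget are constructed assumptions.

```python
"""Base-rate fallacy for a per-packet intrusion detector.

Added example; not from the talk. The 100K pps target and the 1e-6 error
rate are the slide's figures; the malicious base rate, the detection rate
and the alarm budget are constructed assumptions.
"""

SECONDS_PER_DAY = 86_400


def alarm_budget(pps: float, fp_rate: float, tp_rate: float,
                 base_rate: float, seconds: float = SECONDS_PER_DAY) -> dict:
    """Expected alarms from a detector that judges every packet.

    pps        packets per second inspected
    fp_rate    P(alarm | benign packet)
    tp_rate    P(alarm | malicious packet)
    base_rate  fraction of inspected packets that are actually malicious
    """
    total = pps * seconds
    malicious = total * base_rate
    benign = total - malicious
    false_alarms = benign * fp_rate
    true_alarms = malicious * tp_rate
    alarms = false_alarms + true_alarms
    return {
        "packets": total,
        "false_alarms": false_alarms,
        "true_alarms": true_alarms,
        # Bayes: P(malicious | alarm), i.e. the precision the analyst sees
        "precision": true_alarms / alarms if alarms else 0.0,
    }


def max_fp_rate(pps: float, false_alarms_per_day: float) -> float:
    """Largest per-packet false-positive rate that keeps false alarms within a
    daily budget (malicious traffic is too rare to change the benign count)."""
    return false_alarms_per_day / (pps * SECONDS_PER_DAY)


if __name__ == "__main__":
    r = alarm_budget(pps=100_000, fp_rate=1e-6, tp_rate=0.99, base_rate=1e-8)
    print(f"{r['false_alarms']:,.0f} false alarms/day vs "
          f"{r['true_alarms']:,.1f} true; precision {r['precision']:.1%}")
    print(f"for <= 10 false alarms/day the detector needs "
          f"fp_rate <= {max_fp_rate(100_000, 10):.2e}")
```

Under these assumptions the detector raises about 8,640 false alarms a day against roughly 86 true ones, so fewer than 1% of alarms are real; staying under ten false alarms a day needs a per-packet false-positive rate near 10^-9.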
![Page 19](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/19.jpg)
The Worm Era Begins
![Page 20](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/20.jpg)
![Page 21](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/21.jpg)
![Page 22](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/22.jpg)
Code Red 2 kills off Code Red 1
Code Red 2 settles into weekly pattern
Nimda enters the ecosystem
Code Red 2 dies off as programmed
CR 1 returns thanks to bad clocks
![Page 23](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/23.jpg)
Code Red 2 dies off as programmed
Nimda hums along, slowly cleaned up
With its predator gone, Code Red 1 comes back!, still exhibiting monthly pattern
![Page 24](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/24.jpg)
80% of Code Red 2 cleaned up due to onset of Blaster
Code Red 2 re-released with Oct. 2003 die-off
Code Red 1 and Nimda endemic
Code Red 2 re-re-released Jan 2004 (and 2005; not since)
Code Red 2 dies off again
Slammer infects 75K hosts in < 10 min, doubling every 8.5 seconds until reaching Internet’s carrying capacity
![Page 25](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/25.jpg)
Witty released Mar. 19, 2004. Targets passive monitoring of commercial intrusion detection systems. Infects 12K victims in 75 minutes.
Remarkable power hidden in traffic structure: forensic analysis of < 4 scan pkts/1,000 finds not only:
• Patient Zero used to launch the worm
• Witty’s targeting of a US military base
But also:
• boot time of each infectee to < 1 sec precision
• # disk drives attached to each infected machine
• which specific system infected which other systems
Last Nimda seen @ ICSI: July, 2009
Last Slammer seen: August 13, 2009
![Page 26](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/26.jpg)
The Worm Era Begins
![Page 27](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/27.jpg)
= 55% growth/year
![Page 28](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/28.jpg)
= 596% growth/year
![Page 29](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/29.jpg)
Scanning Activity Seen @ LBL
![Page 30](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/30.jpg)
Services Scanned Over Time
![Page 31](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/31.jpg)
/16 at LBL, sampled 1-in-1K
![Page 32](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/32.jpg)
/16 at LBL, sampled 1-in-1K
2nd /16, sampled 1-in-1K
![Page 33](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/33.jpg)
The Worm Era Begins
5-year Funding for NSF Center to Fight the Threat of Worms Begins
The Worm Era Ends
The Onset of Aggressive Auto-rooter Tools
Tools Become More Efficient; the Rise of Botnets
Fully Manual Attacks Predominate
Use of Scanning Tools Rises
![Page 34](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/34.jpg)
Part II
Selling Viagra®
![Page 35](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/35.jpg)
Know Your Enemy
• A sophisticated underground economy has emerged to profit from Internet subversion
![Page 36](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/36.jpg)
![Page 37](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/37.jpg)
![Page 38](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/38.jpg)
![Page 39](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/39.jpg)
![Page 40](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/40.jpg)
Know Your Enemy
• A sophisticated underground economy hasemerged to profit from Internet subversion
• Empowered by virtually endless supply ofbots Internet systems under complete attacker control
• Dirt-cheap access to bots fuels monetizationvia relentless torrents of spam
![Page 42](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/42.jpg)
![Page 43](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/43.jpg)
![Page 44](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/44.jpg)
Know Your Enemy
• A sophisticated underground economy hasemerged to profit from Internet subversion
• Empowered by virtually endless supply of“bots” Internet systems under complete attacker control
• Dirt-cheap access to bots fuels monetizationvia relentless torrents of spam
• Just how profitable is all of this?
![Page 46](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/46.jpg)
Are Bots & Spam the New Black Gold?
• Spam finance elements: retail-cost-to-send vs. profit-per-response
  • Key missing element: spams-needed-per-response, i.e., conversion rate
• How can we measure this? Seemingly only knowable by the spammers themselves.
![Page 47](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/47.jpg)
Welcome to Storm!
Would you like to be one of our newest bots? Just read your postcard! (Or even easier: just wait 5 seconds!)
![Page 48](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/48.jpg)
![Page 49](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/49.jpg)
The Storm botnet
Overnet (UDP) Reachability check
![Page 50](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/50.jpg)
The Storm botnet
Diagram labels: Infected machines; Hosted infrastructure; TCP; HTTP; HTTP proxies; Workers; Proxy bots; Botmaster
![Page 51](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/51.jpg)
Spam campaign mechanics
Diagram labels: TCP; HTTP; HTTP proxies; Workers; Proxy bots; Botmaster
![Page 52](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/52.jpg)
Campaign mechanics: harvest
![Page 53](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/53.jpg)
Campaign mechanics: spamming
![Page 54](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/54.jpg)
![Page 55](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/55.jpg)
![Page 56](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/56.jpg)
Campaign mechanics: spamming
![Page 57](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/57.jpg)
Campaign mechanics: reporting
Welcome to Storm! What can we sell you?
![Page 59: How The Pursuit of Truth Led Me To Selling Viagra...How The Pursuit of Truth Led Me To Selling Viagra® Vern Paxson EECS Department, University of California International Computer](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/59.jpg)
Diagram by Stuart Brownmodernlifeisrubbish.co.uk
Anatomy of a modern PharmaAnatomy of a modern Pharmaspam campaignspam campaign
?
![Page 60: How The Pursuit of Truth Led Me To Selling Viagra...How The Pursuit of Truth Led Me To Selling Viagra® Vern Paxson EECS Department, University of California International Computer](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/60.jpg)
These folks seem trustworthy …
![Page 61: How The Pursuit of Truth Led Me To Selling Viagra...How The Pursuit of Truth Led Me To Selling Viagra® Vern Paxson EECS Department, University of California International Computer](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/61.jpg)
… how about these?
![Page 62: How The Pursuit of Truth Led Me To Selling Viagra...How The Pursuit of Truth Led Me To Selling Viagra® Vern Paxson EECS Department, University of California International Computer](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/62.jpg)
If we controlthese …
… we can monitor &influence these
![Page 63](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/63.jpg)
Template points to spammer’s server
Modified template points to our server
![Page 64](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/64.jpg)
Spam conversion experiment
• Experimented with Storm March 21 – April 15, 2008
• Instrumented roughly 1.5% of Storm’s total output

|  | Pharmacy Campaign | E-card Campaigns: Postcard | E-card Campaigns: April Fool |
|---|---|---|---|
| Worker bots | 31,348 | 17,639 | 3,678 |
| Emails | 347,590,389 | 83,665,479 | 38,651,124 |
| Duration | 19 days | 7 days | 3 days |
![Page 65](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/65.jpg)
Spam pipeline

| Campaign | Sent | MTA | Inbox | Visits | Conversions |
|---|---|---|---|---|---|
| Pharmacy | 347.5M | 82.7M (24%) |  | 10,522 (0.003%) | 28 (0.000008%) |
| E-card | 83.6M | 21.1M (25%) |  | 3,827 (0.005%) | 316 (0.00037%) |
| (unlabeled on slide) | 40.1M | 10.1M (25%) |  | 2,721 (0.005%) | 225 (0.00056%) |

Pharma: 12 M spam emails for one “purchase”
E-card: 1 in 10 visitors execute the binary

Spam filtering software
• The fraction of spam delivered into user inboxes depends on the spam filtering software used
  ◆ Combination of site filtering (e.g., blacklists) and content filtering (e.g., spamassassin)
• Difficult to generalize, but we can use our test accounts for specific services

Chart: Fraction of spam sent that was delivered to inboxes
Chart: Effects of Blacklisting (CBL Feed); legend: Unused / Effective / Other filtering
Chart: Response rates by country; callouts: Two orders of magnitude; No large aberrations based on email topic
Site needs to be up hours to days to reap real users rather than just crawlers
![Page 66](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/66.jpg)
Corresponding Revenue
• 28 purchases in 26 days, average “sale” ~$100
  • Total: $2,731.88, $140/day
• But: we interposed on only ~1.5% of workers:
  • $9,500/day (8,500 new bots per day) ⇒ $3.5M/year
• Though if selling Viagra via Glavmed affiliation, cut is 40%
• Storm: service provider or integrated operation?
  • Retail price of spam ~$80 per million
  • Pharmacy spam would have cost 10x the profit!
  • Strongly suggests Storm operates as an integrated operation rather than a reseller
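The funnel and revenue arithmetic from the pipeline and revenue slides, as an added example that is not part of the talk: the slide figures are entered as constructed input, and dividing the $2,731.88 by the 19-day pharmacy campaign (which reproduces the slide's ~$140/day) before scaling by the 1.5% instrumented share is my assumption about how the extrapolation was done.

```python
"""Spam-conversion funnel and revenue extrapolation.

Added example reproducing the arithmetic on the "Spam pipeline" and
"Corresponding Revenue" slides. All numbers are the slides' own figures,
embedded here as constructed input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str
    sent: int          # spam messages the instrumented workers sent
    delivered: int     # accepted by the receiving MTA
    visits: int        # users who reached the advertised site
    conversions: int   # purchases (pharmacy) or binary executions (e-card)

    def stage_rates(self) -> dict:
        """Each funnel stage as a fraction of messages sent."""
        return {
            "delivered": self.delivered / self.sent,
            "visits": self.visits / self.sent,
            "conversions": self.conversions / self.sent,
        }

    def sends_per_conversion(self) -> float:
        """How many spams had to be sent to obtain one conversion."""
        return self.sent / self.conversions

    def visitor_conversion_rate(self) -> float:
        """Fraction of site visitors who converted."""
        return self.conversions / self.visits


# Slide figures (constructed input copied from the pipeline slide).
PHARMACY = Campaign("pharmacy", 347_590_389, 82_700_000, 10_522, 28)
ECARD = Campaign("e-card", 83_665_479, 21_100_000, 3_827, 316)


def daily_revenue_whole_botnet(revenue_usd: float, days: float,
                               instrumented_fraction: float) -> float:
    """Scale revenue seen through the instrumented workers up to all of Storm.

    Assumption (mine): observed revenue is spread evenly over the campaign
    duration, then divided by the share of workers that was interposed on.
    """
    return revenue_usd / days / instrumented_fraction


def annual_revenue(daily_usd: float) -> float:
    return daily_usd * 365


def spam_purchase_cost(sent: int, usd_per_million: float) -> float:
    """What sending this many messages would cost at retail spam prices."""
    return sent / 1_000_000 * usd_per_million


def cost_to_revenue_ratio(campaign: Campaign, revenue_usd: float,
                          usd_per_million: float) -> float:
    """Retail sending cost relative to the revenue the campaign produced;
    a ratio well above 1 is the slide's argument that Storm is not a reseller."""
    return spam_purchase_cost(campaign.sent, usd_per_million) / revenue_usd


if __name__ == "__main__":
    revenue, campaign_days, share, price = 2_731.88, 19, 0.015, 80.0
    daily = daily_revenue_whole_botnet(revenue, campaign_days, share)
    print(f"pharma: {PHARMACY.sends_per_conversion():,.0f} spams per purchase")
    print(f"e-card: {ECARD.visitor_conversion_rate():.1%} of visitors ran the binary")
    print(f"extrapolated: ${daily:,.0f}/day, ${annual_revenue(daily):,.0f}/year")
    print(f"retail spam cost / revenue: "
          f"{cost_to_revenue_ratio(PHARMACY, revenue, price):.1f}x")
```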
![Page 67](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/67.jpg)
Reflections on the Journey
• Network security research has seen enormous change over the last 15 years, from:
  • Not a field …
  • … to fending off ardent amateurs
  • … to global worm epidemics
  • … to botnets employed for spam campaigns that fuel an emergent underground economy
• The first of these was pretty tenable (and fun!)
• The second was daunting but the field made some surprising advances
  • Though cyberwarfare remains a major latent threat
• The third is even more daunting …
  • … deeply worrisome because it’s fueled by criminals out to make money - hastening the pace of adversary innovation
![Page 68](https://reader030.vdocument.in/reader030/viewer/2022040915/5e8dab335c58f0608863c840/html5/thumbnails/68.jpg)
Reflections on the Process
• Measuring is easy
• Measuring in a meaningful and sound way is hard …
  • A lot of un-fun grunt work dealing with messiness & error
  • But: only convincing way to unearth Truth
• And sometimes you get surprised:
  • Pervasive diversity & exponential growth
  • Unanticipated threats & non-threats
  • Strikingly rapid changes in the landscape
• Security as a field is all about trading off resources vs. perceived risks
  ⇒ Deep fundamental need for well-grounded empirical data
• In today’s threat environment, biggest defense payoffs can come from understanding (= measuring) and then undermining attacker profit … rather than securing systems pointwise.