DocumentCode
3063674
Title
Fingerprinting custom botnet protocol stacks
Author
DiBenedetto, Steve ; Gadkari, Kaustubh ; Diel, Nicholas ; Steiner, Andrea ; Massey, Dan ; Papadopoulos, Christos
Author_Institution
Dept. of Comput. Sci., Colorado State Univ., Fort Collins, CO, USA
fYear
2010
fDate
5-5 Oct. 2010
Firstpage
61
Lastpage
66
Abstract
This paper explores the use of TCP fingerprints for identifying and blocking spammers. Evidence has shown that some bots use custom protocol stacks for tasks such as sending spam. If a receiver could effectively identify the bot TCP fingerprint, connection requests from spam bots could be dropped immediately, thus reducing the amount of spam received and processed by a mail server. Starting from a list of known spammers flagged by a commercial reputation list, we fingerprinted each spammer and found the roughly 90% have only a single known fingerprint typically associated with well known operating system stacks. For the spammers with multiple fingerprints, a particular combination of native/custom protocol stack fingerprints becomes very prominent. This allows us to extract the fingerprint of the custom stack and then use it to detect more bots that were not flagged by the commercial service. We applied our methodology to a trace captured at our regional ISP, and clearly detected bots belonging to the Srizbi botnet.
Keywords
IP networks; computer network security; fingerprint identification; invasive software; transport protocols; unsolicited e-mail; Srizbi botnet; TCP fingerprint; custom protocol stack; mail server; operating system stack; spammer blocking; Electronic mail; Fingerprint recognition; IP networks; Malware; Monitoring; Protocols; Servers;
fLanguage
English
Publisher
ieee
Conference_Titel
Secure Network Protocols (NPSec), 2010 6th IEEE Workshop on
Conference_Location
Kyoto
Print_ISBN
978-1-4244-8916-9
Type
conf
DOI
10.1109/NPSEC.2010.5634448
Filename
5634448
Link To Document