Author:
Stone-Gross, Brett ; Kruegel, Christopher ; Almeroth, Kevin ; Moser, Andreas ; Kirda, Engin
Author Institution:
Univ. of California, Santa Barbara, CA, USA
Abstract:
For many years, online criminals have been able to conduct their illicit activities by masquerading behind disreputable Internet service providers (ISPs). For example, organizations such as the Russian Business Network (RBN), Atrivo (a.k.a. Intercage), McColo, and most recently the Triple Fiber Network (3FN) operated with impunity, providing a safe haven for Internet criminals for their own financial gain. What primarily sets these ISPs apart from others is the significant longevity of the malicious activities on their networks and the apparent lack of action taken in response to abuse reports. Interestingly, even though the Internet provides a certain degree of anonymity, such ISPs fear public attention. Once exposed, rogue networks often cease their malicious activities quickly, or are de-peered (disconnected) by their upstream providers. As a result, the Internet criminals are forced to relocate their operations. In this paper, we present FIRE, a novel system to identify and expose organizations and ISPs that demonstrate persistent, malicious behavior. The goal is to isolate the networks that are consistently implicated in malicious activity from those that are merely victims of compromise. To this end, FIRE actively monitors botnet communication channels, drive-by-download servers, and phishing Web sites. This data is refined and correlated to quantify the degree of malicious activity for individual organizations. We present our results in real time via the Web site maliciousnetworks.org. These results can be used to pinpoint and track the activity of rogue organizations, preventing criminals from establishing strongholds on the Internet. In addition, the information can be compiled into a null-routing blacklist to immediately halt traffic from malicious networks.
Keywords:
Internet; Web sites; computer crime; computer network security; telecommunication network routing; botnet communication channels; Russian Business Network; disreputable Internet service providers; download servers; null-routing blacklist; phishing Web sites; Triple Fiber Network; application software; availability; communication channels; communication system traffic control; computer security; fires; IP networks; network servers; resumes; Web and Internet services; botnets; drive-by-download; malware; networks; phish; rogue