Understanding large-scale spamming botnets from Internet edge sites

Tatsuya Mori, Holly Esquivel, Aditya Akella, Akihiro Shimoda, Shigeki Goto

Research output: Contribution to conference › Paper

5 Citations (Scopus)

Abstract

This paper aims to understand empirically the impact of a large-scale spamming botnet, and the effectiveness of targeting its core infrastructure (C&C servers) from the viewpoint of several Internet edge sites. We also attempt to study the characteristics of the spamming botnet in the long term to see how quickly bot masters react and what type of action they take. Our primary target in this paper is one of the world's previously worst known spamming botnets, Srizbi, whose C&C servers were shut down by its upstream ISPs on November 11, 2008. We conduct an extensive measurement study spanning a large volume of e-mail delivery logs and packet traces collected at five vantage points. The measurement period spans three years and includes the rise and fall of the botnet. We leverage passive TCP fingerprinting on the collected packet traces to identify bot-infected hosts and spam messages sent from them. We first extract variants of the known TCP signatures that are associated with the spamming botnet by correlating the data sets in the time and space domains. Next, by using the signatures, we quantify the volume of spam sent from the botnet and the effectiveness of the C&C server shutdown from an Internet edge site perspective. We attempt to study the characteristics of the spamming botnet in both the time and space domains. We reveal several findings that are useful in understanding the spread of spamming botnets; specifically, we note the steady growth of the botnet's size and the rapid version transition after the shutdown of C&C servers. We also estimate the entire size of the Srizbi botnet. We then study how the botnet membership is distributed around the globe and how its size changed over time.

Original language: English
Publication status: Published - 2010 Jan 1
Event: 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010 - Redmond, WA, United States
Duration: 2010 Jul 13 → 2010 Jul 14

Conference

Conference: 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010
Country: United States
City: Redmond, WA
Period: 10/7/13 → 10/7/14

ASJC Scopus subject areas

  • Software

  • Cite this

    Mori, T., Esquivel, H., Akella, A., Shimoda, A., & Goto, S. (2010). Understanding large-scale spamming botnets from Internet edge sites. Paper presented at 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010, Redmond, WA, United States.